Attacks on SSL/TLS protocols

Penetration Testing Wiki


CRIME (2012)

CRIME is a compression side-channel attack against HTTPS.

BREACH (2013)

BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext is a security exploit against HTTPS when HTTP compression is in use. It exploits the use of the gzip or DEFLATE data compression algorithms.

Mitigation: Do not use HTTP compression (gzip, DEFLATE).

POODLE (2014)

POODLE: “Padding Oracle On Downgraded Legacy Encryption” is a man-in-the-middle exploit which takes advantage of Internet and security software clients’ fallback to SSL 3.0.

CVSS 4.3

Mitigation: Do not use SSL 3.0.

Heartbleed (2014)

Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (a missing bounds check) in the implementation of the TLS heartbeat extension.

CVSS 5.0

Mitigation: Use OpenSSL version > 1.0.1g

Impact: Read server memory, compromising private keys, user passwords, etc.

DROWN (2015)

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption and is yet another SSLv2 vulnerability.

CVSS 4.3

Mitigation: Do not use SSL 2.

SWEET32 (2016)

SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN (CVE-2016-2183 and CVE-2016-6329)

Mitigation: Do not use ciphers with a 64-bit block size; use a 128-bit block cipher such as AES instead.


LUCKY13 (CVE-2013-0169)

Potentially vulnerable when cipher block chaining (CBC) ciphers are used with TLS.

BEAST (CVE-2011-3389)

The Browser Exploit Against SSL/TLS attack was published in September 2011 and affects SSL 3.0 and TLS 1.0. An attacker can “decrypt” data exchanged between two parties by taking advantage of a vulnerability in the implementation of the Cipher Block Chaining (CBC) mode in TLS 1.0, which allows them to perform a chosen-plaintext attack.

As the name implies, this attack is performed client-side (in the browser) from a man-in-the-middle (MitM) position. With MitM, an attacker can inject packets into the TLS stream. This allows the attacker to guess the initialization vector that is XORed with the message they injected, and then simply compare the result with the block they want to “decrypt”.




Some notes on TLS 1.3


  • Supports downgrade protection
  • No renegotiation
  • All cipher suites provide PFS (Perfect Forward Secrecy)

TLS 1.3 renegotiation_info extension:

The renegotiation_info extension (RFC 5746) prevents renegotiation attacks (note taken from another source). A client that cannot send the extension signals the same support with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite value.
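To turn the mitigations listed above (no SSL 2/3, no 64-bit block ciphers, CBC exposure, PFS) into a repeatable check, the following is an added example, not code from this wiki or from any scanner: it parses IANA cipher suite names from a scan result transcribed by hand (a constructed sample, not real scanner output) and maps them to the attacks on this page. The suite-name parsing rules and the SCSV handling are the example's own assumptions.

```python
"""Map a transcribed TLS scan result to the attacks on this page."""

# 64-bit block ciphers as they appear at the start of the cipher part of an
# IANA suite name (the ciphers SWEET32 applies to).
BLOCK64 = ("3DES", "DES", "IDEA", "RC2")
# Protocol versions mapped to the attacks this page attributes to them.
PROTO_FINDINGS = {"SSLv2": ["DROWN"], "SSLv3": ["POODLE", "BEAST"], "TLSv1.0": ["BEAST"]}


def parse_suite(name):
    """Split an IANA suite name into its key exchange and cipher properties.

    Returns None for signalling values (TLS_*_SCSV), which are not ciphers.
    TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256) have no _WITH_ part: their key
    exchange is always ephemeral (EC)DHE and their ciphers are AEAD, so they
    count as PFS, non-CBC and 128-bit block (assumption of this example).
    """
    if name.endswith("_SCSV"):
        return None
    if "_WITH_" not in name:
        return {"kex": "TLS1.3", "cipher": name[4:], "pfs": True, "cbc": False, "block64": False}
    kex, cipher = name[4:].split("_WITH_", 1)
    return {
        "kex": kex,
        "cipher": cipher,
        "pfs": kex.startswith(("ECDHE", "DHE")),  # ephemeral (EC)DH gives PFS
        "cbc": "_CBC_" in cipher,                  # LUCKY13 / BEAST exposure
        "block64": cipher.startswith(BLOCK64),     # SWEET32 exposure
    }


def audit(scan):
    """scan = {"protocols": [...], "compression": bool, "suites": [...]}.
    Returns {finding: [evidence, ...]} using the attack names from this page."""
    findings = {}
    hit = lambda key, ev: findings.setdefault(key, []).append(ev)
    for proto in scan["protocols"]:
        for attack in PROTO_FINDINGS.get(proto, []):
            hit(attack, proto)
    if scan.get("compression"):
        hit("CRIME", "TLS compression enabled")
    for name in scan["suites"]:
        info = parse_suite(name)
        if info is None:
            continue
        if info["block64"]:
            hit("SWEET32", name)
        if info["cbc"]:
            hit("LUCKY13", name)
        if not info["pfs"]:
            hit("NO_PFS", name)
    return findings


# Constructed sample scan result (not output from a real host).
SAMPLE_SCAN = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "compression": False,
    "suites": [
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    ],
}

if __name__ == "__main__":
    for finding, evidence in sorted(audit(SAMPLE_SCAN).items()):
        print(f"{finding}: {', '.join(evidence)}")
```

The suites and protocols can be pasted in from sslyze or openssl s_client output; the script only needs the names, never a live connection.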

Tools to pentest SSL/TLS

Direct connection to the server

openssl s_client -connect $IP:443
openssl s_client -debug -connect $IP:443


python -m sslyze --regular "[2607:f8b0:400a:807::2004]:443"

Build Windows executable:

python.exe build_exe

Very detailed and accurate: https://$IP --openssl=/usr/bin/openssl $IP:443

Shows PFS (Perfect Forward Secrecy) supported algorithms: --openssl=/usr/bin/openssl -f $IP:443

Local tools

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Shows installed certificates:

certutil -dump