Contact us:

Hardening SSL/TLS: Common Certificate Issues

Published: 04 July 2023    Last Updated: 05 July 2023

I recently wrote a quick start guide to hardening SSL/TLS configurations, to help people to better understand all the different aspects of securing their transport layer security configuration – however, during that article I skipped over a big section: SSL Certificates.

In this article, we’ll focus on the certificates themselves and the impact of common certificate issues. It’s also worth noting that whilst they’re commonly called “SSL Certificates”, we learned in the last article that of course all version of SSL should be disabled, since we know SSL was deprecated in 2015 and is “comprehensively broken”.

Therefore, if you prefer the term “TLS Certificate”, or even the technically more accurate “X.509 Certificate” then that’s great – but you’ll rarely see the latter term used outside of technical documentation, it seems “SSL Certificate” has stuck as the common term.


Hardening SSL/TLS: Common SSL Security Issues

Published: 03 July 2023    Last Updated: 05 July 2023

Secure Sockets Layer (SSL) was a protocol designed to protect network traffic in transit, however it was superseded by Transport Layer Security (TLS) in 1999. These protocols are well-known for protecting web traffic with HTTPS. However, they can be used to protect lots of different kinds of traffic, for example they can also be used to protect email traffic, instant messaging, and more.


Preventing Username Enumeration

Published: 01 December 2022    Last Updated: 05 July 2023

First of all, what is username enumeration? It is when a web application has a feature that allows a user to supply a username and the application will disclose (not necessarily intentionally) if the username is valid or not. This is closely related to Username Disclosure, except in the latter the application is including valid usernames in server responses in some way, which allows a threat actor to determine a username is valid without having to specify it first themselves. Both of these are an issue and both should be addressed.


HTTP Security Headers: X-Frame-Options

Published: 21 February 2022    Last Updated: 03 July 2023

The X-Frame-Options header can be used to specify whether a web browser should be allowed to render the target page in a frame (such as a frame, iframe, embed, or an object tag). This can be used to prevent attacks such as ClickJacking.


HTTP Security Headers: Cache-Control

Published: 21 February 2022    Last Updated: 03 July 2023

The Cache-Control HTTP server response header specifies whether the server response can be cached by the web browser and any interim devices such as web proxies. Generally, if the content of the page includes confidential information, then it should not be cached, as if confidential information is cached on user's device, and that device is a public device, or shared with other users then the information may be compromised by another user with access to the device.


[Webinar] Your Security Awareness Training Sucks

Published: 13 December 2021    Last Updated: 03 July 2023

Akimbo hosted a Webinar to cover hints and tips about running more effective Security Awareness Training. We're sharing the recording for those that couldn't make it on the day!


Strong Passwords: The Problem with Rotation

Published: 10 June 2021    Last Updated: 09 November 2022

Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that the enforcing password rotation is linked to increased risk of weak passwords, due to users selecting passwords based on patterns - such as Password1, Password2, Password3, or patterns such as Summer2021, Autumn2021, Winter2021.


Strong Passwords: The Problem with Complexity

Published: 07 June 2021    Last Updated: 04 November 2022

Weak passwords are those which are predictable and can be easily guessed. To ensure that users do not select weak passwords organisations may look to enforce password complexity. Complexity refers to the requirement to use a mixed character set. For example, on Active Directory accounts complexity requires three of the four: uppercase, lowercase, numbers, and symbols. However it is still possible to select weak passwords with complexity enabled, such as Welcome!, Summer2020, or Password123456.


Implementing Sub-resource Integrity

Published: 31 May 2021    Last Updated: 03 July 2023

Hosting web application content such as dynamic scripts and stylesheets on third parties such as Content Delivery Networks (CDNs) can allow for significant improvements to site performance and can reduce bandwidth costs. However, scripts included within a web application will execute within the user's browser with the same privileges as the currently logged in user. Therefore if a script is included from an external domain, that domain is trusted with the confidentiality and integrity of data stored within the application.


Implementing Certification Authority Authorization (CAA)

Published: 14 April 2021    Last Updated: 03 July 2023

Certification Authority Authorization (CAA) is a used to specify which Certificate Authorities may issue certificates for the domain. Whilst lack of CAA does not constitute a vulnerability itself, it may be used to harden the transport layer security of an application by reducing the risk of certificates being mis-issued. Additionally, it can be used to notify the application owner when a mis-issue is detected and prevented through CAA.


Securing Wi-Fi Networks

Published: 23 January 2021    Last Updated: 05 July 2023

We recently discussed how to break WPA2 keys very quickly using cloud computing. We've also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).

In this article we'll look at hardening Enterprise wireless networks from these attacks.

The most secure option is to utilise mutual authentication (where both the server and the client authenticate to each other) using digital certificate based authentication, such as offered by EAP-TLS. However, there can be more administrative overhead involved in the deployment of these networks and therefore PEAP may be offer a balance of security and overhead.

To be clear, we recommend the use of EAP-TLS wherever possible - but if you must use PEAP, we offer the following hardening steps:


Preventing Windows Accounts Being Bruteforced

Published: 23 January 2021    Last Updated: 05 July 2023

In a previous article we discussed how bruteforcing Windows accounts is often easier than people expect. In this post - we'll cover some steps to harden these accounts.

The Observation Window

When configuring an account lockout threshold on a Domain another setting is suggested, the observation window. This setting effectively reduces the protection of the account lockout by setting a timer. For example, a lockout threshold of 5 and an observation window of 30 minutes has the impact of meaning that if a threat actor attempts 5 incorrect passwords within 30 minutes the account will lock - but four passwords would not cause it to lock.

Therefore, an attacker could attempt 4 passwords every 30 minutes - or 192 per account per day, without locking any accounts.


Strong Passwords: Three Random Words

Published: 23 January 2021    Last Updated: 04 November 2022

When performing security tests, we very often come across weak passwords. We often see dictionary words with suffixes such as Welcome1, Password123, or Lockdown2020. We also see "leet" substitutions, such as P@55w0rd, 3l3ph@nt, or L0ckd0wn. We've previously shown how quickly password cracking can be performed. With passwords like the above they would be cracked easily. Simple protections such as "Password complexity" don't solve the problem on their own, for example complexity enforces the requirement for three of the following: uppercase, lowercase, numbers, and symbols - which all of the weak options above meet.


Fixing SQL Injection

Published: 22 January 2021    Last Updated: 03 July 2023

SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query. We showed how easy can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection.

However, in this post, we’re looking at fixing it. The fix is quite a simple code change. As the issue described is user input insecurely concatenated into a query, the remediation for SQL injection is fairly simple: don’t build queries through string concatenation. Instead, it’s more secure to use “Prepared Statements”, often called “Parameterized Queries”. All modern languages support this type of query either directly or through a framework; here we will supply a PHP example to show the difference.


Fixing LLMNR and NetBIOS-NS Spoofing

Published: 21 January 2021    Last Updated: 05 July 2023

In our article LLMNR and NetBIOS-NS Spoofing with Responder we stepped you through how to exploit a very common issue on Windows networks. In this one, we’re going to cover how to fix it.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS-Name Service (NBT-NS) are name resolution protocols that are enabled by default on Windows machines. They’re both used as a fallback for DNS. If a machine requests a hostname, such as when attempting to connect to a file-share, and the DNS server doesn’t have an answer – either because the DNS server is temporarily unavailable or the hostname was incorrectly typed – then an LLMNR request will be sent, followed by an NBT request. LLMNR is a multicast protocol and NBT-NS is a broadcast protocol.


Fixing Cross-site Scripting (XSS)

Published: 25 October 2020    Last Updated: 03 July 2023

This issue comes about where user supplied input is included within server responses without filtration or encoding.

One very effective method of preventing this attack is to use an allow-list (sometimes called a whitelist) which will allow only known good content. For example, if your expected input is an integer and the user supplies anything other than an integer you can simply reject that input – and perhaps supply a message to inform the user what the issue is, without including the original payload.


Fixing DOM-Based XSS

Published: 25 October 2020    Last Updated: 03 July 2023

Whilst Reflected and Stored XSS can generally be addressed through server-side user input encoding (such as through the PHP htmlentities() function) or with browser protections such as Content-Security-Policy – this is not sufficient for DOM-XSS.

Where a dangerous function is used, user input into that function should be limited through user input filtering. An allow-list approach of restricting user input to only known-good input should be used. For example, limiting input to the smallest number of characters possible (such as alphanumerics only) and checking the expected data type (such as limiting input to integers only). This is in contrast to a block-list of known-bad inputs being blocked, which is often less effective due to the large degree of flexibility that JavaScript allows. For a good example of this flexibility, consider something like JScrewIt.


HTTP Security Headers: Content-Security-Policy

Published: 19 October 2020    Last Updated: 03 July 2023

Content Security Policy (CSP) allows the application to restrict the location of resources to an allow-list of approved locations, including where scripts can be loaded from and when the application may be framed. This can therefore mitigate reflected and stored cross-site scripting attacks as well as issues such as Clickjacking.