SSL/TLS Certificate Revocation Not Checked
Description
This detector identifies SSL/TLS certificates that carry no revocation pointers. A certificate whose private key is compromised, or that is otherwise no longer valid, is meant to be revocable, and relying parties learn about revocation through OCSP (Online Certificate Status Protocol) or a CRL (Certificate Revocation List). The certificate itself tells them where to look: the OCSP responder URL is published in the Authority Information Access extension and the CRL location in the CRL Distribution Points extension. The certificate reported here carries neither, so a client has no standard way to find out whether it has been revoked, and a revoked certificate would keep being accepted until it expires. Short-lived certificates (validity measured in days) and private-PKI certificates sometimes omit both pointers on purpose and rely on expiry instead, so weigh the validity period when triaging this finding.
Detection Strategy
• Establishes an SSL/TLS connection to the target server and examines the leaf certificate it presents
• Checks whether the certificate's Authority Information Access extension includes an OCSP responder URL (id-ad-ocsp) for real-time revocation checking
• Checks whether the certificate includes the CRL Distribution Points extension, which tells clients where to fetch the issuer's certificate revocation list
• Reports the vulnerability when the certificate has neither an OCSP responder URL nor a CRL Distribution Points extension, since a relying party then has no standard way to learn that the certificate has been revoked
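The four steps above, as one added example in Python (this is not Fluid Attacks' detector code). It uses only the standard library: `ssl.SSLSocket.getpeercert()` decodes a verified peer certificate into a dict whose `OCSP` and `crlDistributionPoints` entries hold the URIs from the two extensions, so the check reduces to looking for both keys. The `scan` function performs the live connection; the `CERT_*` dicts are constructed samples shaped like `getpeercert()` output (not real certificates) so the decision logic can be exercised offline. Host names under `example.test` are placeholders.

```python
"""Check a server certificate for revocation pointers (OCSP URL / CRL DP).

Added example, not Fluid Attacks' detector code. Standard library only:
ssl.SSLSocket.getpeercert() decodes a *verified* peer certificate into a
dict that carries an 'OCSP' tuple (Authority Information Access, id-ad-ocsp
URIs) and a 'crlDistributionPoints' tuple (URI distribution points) when
the certificate has those extensions.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RevocationPointers:
    ocsp_urls: Tuple[str, ...]
    crl_urls: Tuple[str, ...]

    @property
    def vulnerable(self) -> bool:
        # The detector reports only when BOTH mechanisms are absent; a
        # certificate with just one of them still gives clients a way to check.
        return not self.ocsp_urls and not self.crl_urls

    def describe(self) -> str:
        if self.vulnerable:
            return "VULNERABLE: no OCSP responder and no CRL distribution point"
        return (f"ok: ocsp={list(self.ocsp_urls) or '-'} "
                f"crl={list(self.crl_urls) or '-'}")


def inspect_cert(cert: dict) -> RevocationPointers:
    """Evaluate a getpeercert()-style dict.

    Only URI-form pointers are visible here: CPython exposes just the URI
    general names of CRL distribution points, so a certificate whose only
    distribution point is an LDAP directory name would look like it has none.
    """
    if not cert:
        # getpeercert() returns {} when the chain was not validated, so an
        # empty dict means "cannot evaluate", not "no extensions".
        raise ValueError("certificate was not decoded; verification is required")
    return RevocationPointers(
        ocsp_urls=tuple(cert.get("OCSP", ())),
        crl_urls=tuple(cert.get("crlDistributionPoints", ())),
    )


def scan(host: str, port: int = 443, timeout: float = 5.0,
         cafile: Optional[str] = None) -> RevocationPointers:
    """Connect to host:port, fetch the leaf certificate and inspect it.

    Pass cafile for a private-PKI target: with verification disabled
    getpeercert() would return {} and nothing could be checked.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return inspect_cert(cert)


# Constructed samples shaped like getpeercert() output; not real certificates.
CERT_WITH_BOTH = {
    "subject": ((("commonName", "www.example.test"),),),
    "OCSP": ("http://ocsp.example.test/",),
    "caIssuers": ("http://pki.example.test/issuer.crt",),
    "crlDistributionPoints": ("http://pki.example.test/issuer.crl",),
}
CERT_OCSP_ONLY = {
    "subject": ((("commonName", "api.example.test"),),),
    "OCSP": ("http://ocsp.example.test/",),
}
CERT_WITHOUT_POINTERS = {
    "subject": ((("commonName", "internal.example.test"),),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(host, scan(host, port).describe())
    else:
        samples = [("both", CERT_WITH_BOTH), ("ocsp-only", CERT_OCSP_ONLY),
                   ("none", CERT_WITHOUT_POINTERS)]
        for name, sample in samples:
            print(f"{name:10} {inspect_cert(sample).describe()}")
```

Run `python3 revocation_check.py host [port]` against a live target, or with no arguments to see the three constructed cases. Two caveats matter in practice: the check is only meaningful on a verified chain (that is why an empty `getpeercert()` result is treated as an error rather than as a finding), and the presence of a pointer says nothing about whether the responder or CRL is actually reachable, which is a separate check (for instance with `openssl ocsp`).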