Config Files Ssl Flags Disabled
Description
Detects when SSL security is disabled or not configured in .NET applications through IIS configuration files. This misconfiguration allows unencrypted HTTP traffic, potentially exposing sensitive data in transit to interception.
Detection Strategy
• Scans .NET configuration files (ApplicationHost.config and web.config) for security settings
• Reports a vulnerability if a <security> tag exists in ApplicationHost.config without an <access> child element
• Checks each <access> tag for a missing sslFlags attribute
• Identifies when sslFlags attribute is explicitly set to 'none'
• Considers both the main ApplicationHost.config and application-specific web.config files
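The detection strategy in the list above, written out as an added Python example (not Fluid Attacks' own scanner) over constructed IIS configuration snippets, one per condition; the function name and finding strings are assumptions:

```python
import xml.etree.ElementTree as ET
from typing import List

def find_ssl_flag_issues(xml_text: str, is_application_host: bool) -> List[str]:
    """Apply the three detection conditions to one IIS configuration document.

    is_application_host: True for ApplicationHost.config, where a <security>
    element with no <access> child is itself reported; in a web.config only the
    <access> elements that are present are inspected.
    """
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for security in root.iter("security"):  # IIS config files use no XML namespaces
        access_elems = security.findall("access")
        if not access_elems:
            if is_application_host:
                findings.append("<security> has no <access> child")
            continue
        for access in access_elems:
            flags = access.get("sslFlags")
            if flags is None:
                findings.append("<access> is missing the sslFlags attribute")
            elif flags.strip().lower() == "none":
                findings.append('<access sslFlags="None"> disables SSL')
    return findings

# Constructed samples (not taken from any real server), one per condition.
APPHOST_NO_ACCESS = ('<configuration><system.webServer><security>'
                     '<authorization /></security></system.webServer></configuration>')
WEBCONFIG_MISSING_ATTR = ('<configuration><system.webServer><security>'
                          '<access /></security></system.webServer></configuration>')
WEBCONFIG_SSL_NONE = ('<configuration><system.webServer><security>'
                      '<access sslFlags="None" /></security></system.webServer></configuration>')
WEBCONFIG_SECURE = ('<configuration><system.webServer><security>'
                    '<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />'
                    '</security></system.webServer></configuration>')

if __name__ == "__main__":
    for name, doc, is_apphost in [("ApplicationHost.config", APPHOST_NO_ACCESS, True),
                                  ("web.config (no attribute)", WEBCONFIG_MISSING_ATTR, False),
                                  ("web.config (None)", WEBCONFIG_SSL_NONE, False),
                                  ("web.config (secure)", WEBCONFIG_SECURE, False)]:
        print(name, "->", find_ssl_flag_issues(doc, is_apphost) or "no finding")
```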
Vulnerable code example
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<access sslFlags="None" /> <!-- Disables SSL protections, making connections insecure -->
<authorization>
<remove users="*" /> <!-- Removes all user restrictions before adding new ones, could leave gaps -->
</authorization>
</security>
</system.webServer>
</configuration>
✅ Secure code example
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" /> <!-- Enforces SSL and client certificates -->
<authorization>
<remove users="*" roles="" verbs="" /> <!-- Properly clears all access rules -->
<add accessType="Allow" users="" roles="Administrators" /> <!-- Explicitly grants access to admins only -->
</authorization>
</security>
</system.webServer>
</configuration>