JavaScript Outdated TLS Versions Enabled
Description
Detects the use of weak or outdated SSL/TLS protocol versions in JavaScript code that could expose applications to man-in-the-middle attacks and other security vulnerabilities. Using deprecated protocols like SSL 3.0 or TLS 1.0/1.1 fails to provide adequate encryption strength for secure communications.
Detection Strategy
• Identifies JavaScript code that explicitly configures or enables weak SSL/TLS protocol versions
• Reports when code specifies insecure protocol versions like 'SSLv3', 'TLSv1.0', or 'TLSv1.1' in security-sensitive configurations
• Checks TLS/SSL configuration options in Node.js HTTPS/TLS modules and similar networking code
• Flags uses of deprecated crypto APIs or explicit protocol version downgrades
Vulnerable code example
const https = require('https');
const tls = require('tls');
// Vulnerable: secureProtocol pins every connection to the deprecated TLS 1.0 protocol
const unsafeOptions = {
  secureProtocol: 'TLSv1_method' // Noncompliant: uses insecure TLS 1.0
};
✅ Secure code example
const https = require('https');
const tls = require('tls');
const { constants } = require('crypto'); // crypto.constants exposes the SSL_OP_* flags usable in secureOptions
// Safe: uses the modern minVersion/maxVersion configuration, TLS 1.2 or higher
const safeOptions = {
  minVersion: 'TLSv1.2', // Only allow TLS 1.2 or higher
  maxVersion: 'TLSv1.3'  // Support up to TLS 1.3
};
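The detection strategy and the two snippets above can be turned into a small config audit. The following is an added example, not code from the Fluid Attacks page: it checks Node.js TLS option objects for a weak `secureProtocol` method name or a `minVersion`/`maxVersion` below TLS 1.2 and rewrites them into the recommended form; the option keys are the real `tls.createSecureContext()` names, while the sample configurations are constructed.

```javascript
// Added example, not code from the Fluid Attacks page: a small audit of Node.js
// TLS option objects for the patterns the rule describes. Option names are the
// real tls.createSecureContext() keys; the sample configurations are constructed.

// Version strings accepted by minVersion/maxVersion, weakest first.
const VERSION_ORDER = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];
const MIN_ACCEPTABLE = 'TLSv1.2';
// Legacy secureProtocol names that pin a single deprecated version (SSLv2/3, TLS 1.0/1.1).
const WEAK_METHOD_RE = /^(SSLv2|SSLv3|TLSv1|TLSv1_1)_(server_|client_)?method$/;

// Returns human-readable findings for one options object; empty means compliant.
function auditTlsOptions(options, name = 'options') {
  const findings = [];
  const { secureProtocol, minVersion, maxVersion } = options;
  if (typeof secureProtocol === 'string' && WEAK_METHOD_RE.test(secureProtocol)) {
    findings.push(`${name}.secureProtocol pins deprecated protocol '${secureProtocol}'`);
  }
  for (const [key, value] of [['minVersion', minVersion], ['maxVersion', maxVersion]]) {
    if (value === undefined) continue;
    const pos = VERSION_ORDER.indexOf(value);
    if (pos === -1) {
      findings.push(`${name}.${key} '${value}' is not a recognised TLS version string`);
    } else if (pos < VERSION_ORDER.indexOf(MIN_ACCEPTABLE)) {
      findings.push(`${name}.${key} '${value}' allows negotiation below TLS 1.2`);
    }
  }
  return findings;
}

// Rewrites options into the minVersion/maxVersion form the rule recommends:
// the legacy single-version pin is dropped and the floor is raised to at least TLS 1.2.
function hardenTlsOptions(options) {
  const { secureProtocol, ...rest } = options; // secureProtocol deliberately discarded
  const keepFloor = VERSION_ORDER.indexOf(rest.minVersion) >= VERSION_ORDER.indexOf(MIN_ACCEPTABLE);
  return { ...rest, minVersion: keepFloor ? rest.minVersion : MIN_ACCEPTABLE, maxVersion: 'TLSv1.3' };
}

// Constructed sample configurations; the first mirrors the page's noncompliant snippet.
const SAMPLE_CONFIGS = {
  unsafeOptions: { secureProtocol: 'TLSv1_method' },
  legacyFloor: { minVersion: 'TLSv1', maxVersion: 'TLSv1.2' },
  safeOptions: { minVersion: 'TLSv1.2', maxVersion: 'TLSv1.3' },
};

// Audit every named configuration and report findings (none for safeOptions).
function auditAll(configs) {
  return Object.entries(configs).flatMap(([name, opts]) => auditTlsOptions(opts, name));
}
for (const finding of auditAll(SAMPLE_CONFIGS)) console.log(finding);
```

Note that `TLSv1_2_method` and the version-negotiating `TLS_method` are not flagged, only the method names that pin a deprecated version.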