Config Files Ssl Enabled False In Network
Description
Identifies XML configurations where SSL/TLS encryption is explicitly disabled for network communications through the enablessl="false" attribute. Disabling SSL/TLS removes transport security, potentially exposing sensitive data to network interception attacks.
Detection Strategy
• Search for XML <network> tags in configuration files
• Check if the enablessl attribute is present and set to 'false' (case-insensitive)
• Report a vulnerability when SSL is explicitly disabled in network configuration
• The file path and exact location (line, column) of the disabling configuration are included in the report
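The detection strategy above, implemented as an added example (this is not Fluid Attacks' scanner, and the sample configuration is constructed for the demonstration): it finds `<network>` start tags, matches the `enablessl` attribute name and its `false` value case-insensitively, reports the file path with the 1-based line and column of the attribute, and ignores a `<network>` element that only appears inside an XML comment, since commented-out configuration is not active.

```python
"""Minimal detector for <network ... enableSsl="false"> in XML configuration files.

Added example, not Fluid Attacks' own tooling. Assumptions: the tag name is
matched exactly ("network", as XML names are case-sensitive) while the attribute
name and value are matched case-insensitively; the sample config is constructed.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 1-based line of the enableSsl attribute
    column: int    # 1-based column of the enableSsl attribute
    snippet: str   # the attribute exactly as written in the file


# A <network ...> start tag (attributes may span several lines).
_NETWORK_TAG = re.compile(r"<network\b[^>]*>")
# enablessl="false" / enableSsl='FALSE' ... : name and value case-insensitive.
_DISABLED_SSL = re.compile(r'\benablessl\s*=\s*(["\'])\s*false\s*\1', re.IGNORECASE)
# XML comments; their contents must not produce findings.
_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)


def _blank_comments(text: str) -> str:
    """Overwrite comment bodies with spaces, keeping newlines so offsets stay valid."""
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), text)


def _line_col(text: str, offset: int):
    """Convert a 0-based character offset into a (line, column) pair, both 1-based."""
    line = text.count("\n", 0, offset) + 1
    column = offset - (text.rfind("\n", 0, offset) + 1) + 1
    return line, column


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per <network> element that explicitly disables SSL/TLS."""
    findings: List[Finding] = []
    cleaned = _blank_comments(text)          # same length as `text`
    for tag in _NETWORK_TAG.finditer(cleaned):
        attr = _DISABLED_SSL.search(tag.group(0))
        if attr is None:                      # attribute absent or not "false"
            continue
        offset = tag.start() + attr.start()   # absolute offset of the attribute
        line, column = _line_col(text, offset)
        snippet = text[offset:offset + len(attr.group(0))]
        findings.append(Finding(path, line, column, snippet))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper that scans a file on disk."""
    with open(path, encoding="utf-8") as fh:
        return scan_text(path, fh.read())


# Constructed sample: a commented-out <network> (must be ignored) followed by a
# live one that disables SSL with an upper-case value.
SAMPLE_CONFIG = """<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network">
        <!-- <network host="old.example.com" enableSsl="false"/> -->
        <network
          host="mail.example.com"
          port="25"
          enableSsl="FALSE"/>
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
"""

if __name__ == "__main__":
    for finding in scan_text("web.config", SAMPLE_CONFIG):
        print(f"{finding.path}:{finding.line}:{finding.column}: "
              f"SSL/TLS explicitly disabled ({finding.snippet})")
```

Running the module prints one finding at line 9, column 11 of the constructed sample and nothing for the commented-out element. When fixing a finding in a .NET `mailSettings` section, note that `System.Net.Mail.SmtpClient` honours `enableSsl` by upgrading the session with STARTTLS (RFC 3207) rather than opening an implicit TLS connection, which is why the secure example pairs `enableSsl="true"` with the submission port 587 and not port 465.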
Vulnerable code example
<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network">
        <network
          host="mail.example.com"
          port="25"
          enableSsl="false"/> <!-- Vulnerable: SMTP traffic sent unencrypted without SSL/TLS -->
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
✅ Secure code example
<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network">
        <!-- Port changed to the standard TLS submission port -->
        <!-- TLS/SSL encryption enabled for secure mail transmission -->
        <network
          host="mail.example.com"
          port="587"
          enableSsl="true"/>
      </smtp>
    </mailSettings>
  </system.net>
</configuration>