Json Yaml Ssl Disabled In Config
Description
Detects when SSL/TLS is disabled in server configurations within CloudFormation templates. This represents a critical security vulnerability as it could allow sensitive data to be transmitted without encryption, potentially exposing it to interception and tampering.
Detection Strategy
• Scan CloudFormation template files for server configuration blocks
• Check if the server configuration has SSL/TLS explicitly disabled
• Report a vulnerability if server configurations are found with SSL/TLS disabled
• Focus on configurations where a 'server' key is present together with SSL settings
Vulnerable code example
server:
  port: 8443
  ssl:
    enabled: false # Vulnerable: Explicitly disabling SSL/TLS leaves traffic unencrypted
    key-store: "classpath:store.jks"
✅ Secure code example
server:
  port: 8443
  ssl:
    enabled: true # Enable TLS to encrypt traffic
    key-store: "classpath:store.jks"
    key-store-password: "${KEYSTORE_PASSWORD}" # Use environment variable for sensitive data
    key-store-type: "JKS"
    key-alias: "server"
...
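The detection strategy above, as an added example that is not part of Fluid Attacks' rule or scanner: a Python walker that parses a JSON configuration (the same nested structure that yaml.safe_load produces for the two YAML examples) and reports any 'server' block whose ssl/tls settings are explicitly disabled, including the flattened "server.ssl.enabled" key form. The accepted key names, the accepted spellings of "disabled" and the sample documents are assumptions constructed for this example.

```python
import json
from typing import Any, Iterator, List, Tuple

SSL_KEYS = {"ssl", "tls"}          # names treated as the TLS settings block (assumption)
DISABLED = (False, "false", "no")  # spellings of "disabled" the scanner accepts (assumption)


def _walk(node: Any, path: Tuple[str, ...]) -> Iterator[str]:
    """Recursively yield dotted paths of 'server' SSL/TLS settings that are disabled."""
    if isinstance(node, dict):
        for key, value in node.items():
            key = str(key)
            here = path + (key,)
            # Nested form: server -> ssl -> enabled: false (only under a 'server' ancestor)
            if key in SSL_KEYS and "server" in path and isinstance(value, dict):
                if value.get("enabled") in DISABLED:
                    yield ".".join(here + ("enabled",))
            # Flattened form: "server.ssl.enabled": false (properties-style keys)
            parts = key.split(".")
            if (len(parts) >= 3 and parts[0] == "server" and parts[-2] in SSL_KEYS
                    and parts[-1] == "enabled" and value in DISABLED):
                yield ".".join(here)
            yield from _walk(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _walk(item, path + (f"[{index}]",))


def scan_config(text: str) -> List[str]:
    """Parse a JSON config document and return the paths of disabled server TLS settings."""
    return list(_walk(json.loads(text), ()))


# Constructed sample documents: JSON renderings of the page's vulnerable and secure YAML,
# a flattened properties-style variant, and a non-'server' block the rule should ignore.
VULNERABLE_DOC = '{"server": {"port": 8443, "ssl": {"enabled": false, "key-store": "classpath:store.jks"}}}'
SECURE_DOC = '{"server": {"port": 8443, "ssl": {"enabled": true, "key-store": "classpath:store.jks"}}}'
FLAT_DOC = '{"server.ssl.enabled": "false", "server.port": 8443}'
CLIENT_DOC = '{"client": {"ssl": {"enabled": false}}}'

if __name__ == "__main__":
    for name, doc in [("vulnerable", VULNERABLE_DOC), ("secure", SECURE_DOC),
                      ("flat", FLAT_DOC), ("client", CLIENT_DOC)]:
        print(name, "->", scan_config(doc) or "no findings")
```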