OWASP DeepViolet TLS/SSL Java API and Tools
Project Leader: Milton Smith
Twitter: @deepvioletapi
Blog: https://www.securitycurmudgeon.com/
Black Hat EU 2016 London, Tools Arsenal
What is DeepViolet?
TLS/SSL scanning API
2 reference cases demonstrating API
Command line tool & desktop application
Why Build DeepViolet?
Why build DeepViolet (DV)? I did not set out to build a tool for the public. DV was a learning tool for me. Heartbleed was in the popular press, I wanted to learn more about underlying TLS/SSL protocols. When I finished the original code I posted it to my GitHub site.
I was approached several times to add improvements to DV. Asked others why they liked it. Most common answer is that there are few available choices for libraries that provide TLS/SSL scanning features for applications.
Great tools exist today like OpenSSL, Qualys SSL Server Test, Mozilla Observatory, etc. Yes, my favorites as well. No intention to compete with any tools.
What Can DeepViolet API/Tools Do?
Identify Weak Server Cipher Suites
Identify Weak Signature Algorithms
Identify Certificates About to Expire
Print X.509 Certificates & Metadata
Print Trust Chains
Print Trust Status, Trusted or Not Trusted
And more…
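The first three checks in this list, sketched with the standard JSSE classes only. This is an added example, not DeepViolet code or its API: the class TlsChecks, its methods and the weak-name list are hypothetical, and the sample suite names are constructed.

```java
import java.security.cert.X509Certificate;
import java.time.*;
import java.util.*;
import javax.net.ssl.*;

public class TlsChecks {
    // Name fragments that mark a suite as weak (this example's own list, not DeepViolet's).
    static final String[] WEAK = {"_NULL_", "_EXPORT", "_anon_", "_RC4_", "_DES_", "_3DES_", "_MD5"};

    static List<String> cipherIssues(String suite) {
        List<String> hits = new ArrayList<>();
        for (String w : WEAK) if (suite.contains(w)) hits.add(w.replace("_", ""));
        return hits;
    }

    // JCA signature names look like "SHA256withRSA"; MD2, MD5 and SHA-1 digests are weak.
    static boolean weakSignature(String sigAlg) {
        String s = sigAlg.toUpperCase(Locale.ROOT);
        return s.startsWith("MD2") || s.startsWith("MD5") || s.startsWith("SHA1");
    }

    static long daysLeft(Instant notAfter, Instant now) {
        return Duration.between(now, notAfter).toDays();
    }

    // Live check: sees only the one suite this JVM negotiates; an untrusted chain aborts the handshake.
    static void report(String host) throws Exception {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, 443)) {
            s.startHandshake();
            SSLSession sess = s.getSession();
            System.out.println(sess.getCipherSuite() + " -> " + cipherIssues(sess.getCipherSuite()));
            for (java.security.cert.Certificate c : sess.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("%s sig=%s weak=%b daysLeft=%d%n", x.getSubjectX500Principal(), x.getSigAlgName(),
                    weakSignature(x.getSigAlgName()), daysLeft(x.getNotAfter().toInstant(), Instant.now()));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names so the classifiers run offline.
        for (String c : List.of("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"))
            System.out.println(c + " -> " + cipherIssues(c));
        System.out.println("SHA1withRSA weak=" + weakSignature("SHA1withRSA"));
        if (args.length > 0) report(args[0]); // optional: host name of a server you operate
    }
}
```

Enumerating every suite a server accepts, as the list above describes, needs one handshake per offered suite; this sketch reports only the negotiated one.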
Getting Started with the API
IDSession session = DVFactory.initializeSession(url);
IDVOnEng eng = DVFactory.getIDVOnEng(session);
// Get certificates, cipher suites, print some reports…
// Review unit tests in com.mps.deepviolet.test.api to get started…
DeepViolet Desktop Application
1) Provide a URL and Click
2) Report is generated
3) Save report to disk
Easy as that. Adapt as needed.
DeepViolet Command Tool
1) Try a command line like this, java -jar dvCMD.jar -serverurl https://www.google.com/ -shrcisn
2) Report is generated
3) Redirect output to file or pipe to grep to search certificate metadata
Easy as that. Adapt as needed.
Additional References
OWASP Project Site: https://www.owasp.org/index.php/OWASP_DeepViolet_TLS/SSL_Scanner
GitHub Site: https://github.com/spoofzu/DeepViolet
Download: https://github.com/spoofzu/DeepViolet/releases
Follow Online: twitter, @deepvioletapi
;o)