I am working on a vulnerability scanner in Java to check for websites that allow connections using weak cipher suites. So I would, for example, try to connect using the 56-bit "SSL_DHE_RSA_WITH_DES_CBC_SHA" (or other weak ciphers), and if I get, say, 200 OK, the website is vulnerable. Here is where I am so far:
1- HttpURLConnection works well all the time with default ciphers, but if I try to use "System.setProperty()" to set a weak cipher, I either get a "cipher not supported" exception (for most of the cipher suites) or a "connection rejected" exception when I try to connect(). I know connection rejected is my answer for the websites that don't accept weak ciphers, but how do I get the actual HTTP response header (with rejection code) instead of the exception?
2- I am actually not interested in finding vulnerability on the SSL level (layer 6) but on HTTP level (layer 7) and I know that the HTTP header may be deceptive in some instances, but I am OK with that.
In summary, I need something like this to work for Weak Cipher Suites only:
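    import java.net.URL;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    URL url = new URL(ip);
    HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
    // Accept any hostname: certificate name checking is switched off for the scan.
    con.setHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    });
    // The TLS handshake happens here; if it fails, an exception is thrown.
    con.connect();
    System.out.println("Response Code : " + con.getResponseCode());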
You don't. The SSL connection isn't formed so there is nothing for HTTP headers to be transmitted over. What you get is the SSLException.
This statement doesn't make any sense. The vulnerability exists at the SSL level. There is no HTTP(s)-level connection until the SSL connection is complete, and it fails instead.
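The point made in the answer, that the outcome is decided during the handshake and never reaches HTTP, shown as an added Java example (not code from the original posts): it offers a single cipher suite with `SSLSocket.setEnabledCipherSuites` and classifies how the handshake ends. The class name `CipherProbe`, the `Result` values, the 5-second timeout and the certificate-failure heuristic are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherProbe {
    enum Result { ACCEPTED, REJECTED, NOT_TESTABLE, ERROR }

    // Offers exactly one cipher suite and reports how the handshake ended.
    static Result probe(String host, int port, String suite) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // setEnabledCipherSuites() throws IllegalArgumentException for a suite
        // the local JVM does not implement, so check that first.
        if (!Arrays.asList(factory.getSupportedCipherSuites()).contains(suite)) {
            return Result.NOT_TESTABLE;
        }
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(5000);   // assumed timeout for handshake reads
            socket.setEnabledCipherSuites(new String[] { suite });
            socket.startHandshake();     // no HTTP request is sent at any point
            return Result.ACCEPTED;      // the server negotiated the offered suite
        } catch (SSLHandshakeException e) {
            // Heuristic: a certificate failure happens after the server has
            // already chosen the suite, so it still counts as accepted.
            return e.getCause() instanceof CertificateException
                    ? Result.ACCEPTED : Result.REJECTED;
        } catch (IOException e) {
            return Result.ERROR;         // connect failure, timeout, reset
        }
    }

    public static void main(String[] args) {
        if (args.length < 3) {
            System.err.println("usage: java CipherProbe <host> <port> <suite>...");
            return;
        }
        int port = Integer.parseInt(args[1]);
        for (int i = 2; i < args.length; i++) {
            System.out.println(args[i] + " -> " + probe(args[0], port, args[i]));
        }
    }
}
```

A suite that the local JVM implements but disables through the `jdk.tls.disabledAlgorithms` security property can fail the handshake locally, so a `REJECTED` result only says something about the server for suites the scanning JVM is itself allowed to negotiate.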