Fuzz Testing a Secure Sockets Layer (SSL) Server
Overview
This topic describes how to test an SSL server using the SSL modules in beSTORM.
Testing
To test an SSL server with beSTORM, do the following:
- Install beSTORM Client on a computer that is not in use and not on a network, and assign an IP address to it. This will create the beSTORM server.
- Set up an HTTPS server on another computer that is also not in use and not on a network, and assign an IP address to it. If your SSL server is Windows-based, do the following:
  - Open beSTORM Monitor.
  - On the Processes tab, select SSL.
  - In the Host box, enter the IP address of the beSTORM server, and then select Attach.
- Using an Ethernet cable, connect the beSTORM server to the SSL server. Do not include a switch between the two servers.
- Open beSTORM Client.
- Select New Project. The beSTORM New Project Wizard opens.
- On the Welcome page, do the following:
  - Select Next.
- On the Basic Configuration page, do the following:
  - Select Next.
- On the Module Environment page, review the parameters listed and make any necessary changes.
- Select Next.
- If the SSL server is not accessible, select ICMP Echo and TCP Echo on the Extra Configuration page. Leave all other parameters at their default settings.
- Select Next.
- On the Complete beSTORM wizard page, select Finish to begin testing, or clear the Auto-start beSTORM scan now checkbox to run the test later.
- If an exception occurs once your test begins (that is, an attack was successful), a message appears in the Exception Information dialog informing you that the remote server is not responding. This indicates a possible vulnerability. Testing resumes after five seconds unless you select Pause Test.
- When testing is complete, select Report from the Test Information pane to view a short report of your test. To generate a more comprehensive report of your test, select Report > Generate Report from the beSTORM Client.
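
An independent way to confirm the "remote server is not responding" condition from the exception step, added here as an example (not beSTORM code): it distinguishes a dead host or port from a listener that still accepts TCP but no longer completes a TLS handshake. The function names and the placeholder address 192.0.2.10 are assumptions.

```python
import socket
import ssl
import time


def probe_tls_server(host, port, timeout=3.0):
    """Return 'tls_ok', 'tcp_only' (port open, no TLS handshake) or 'down'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"  # refused, unreachable or timed out at the TCP layer
    # Assumption: the lab target uses a self-signed certificate, so the
    # probe checks only that a handshake completes, not who the peer is.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "tls_ok"
    except (ssl.SSLError, OSError):
        return "tcp_only"  # listener alive, TLS stack hung or broken
    finally:
        sock.close()


def watch(host, port, attempts=5, interval=1.0, timeout=3.0):
    """Probe repeatedly and return (timestamp, state) for each state change."""
    changes, last = [], None
    for i in range(attempts):
        state = probe_tls_server(host, port, timeout)
        if state != last:
            changes.append((time.strftime("%H:%M:%S"), state))
            last = state
        if i < attempts - 1:
            time.sleep(interval)
    return changes


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; use the SSL server's address.
    for stamp, state in watch("192.0.2.10", 443):
        print(stamp, state)
```

Recording the state changes alongside the test's exception timestamps helps separate a crashed service from a hung TLS stack when reviewing the report.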