OWASP DeepVioletTLS/SSLJAVA API & Tools

Project LeaderMilton SmithTwitter: @deepvioletapiBlog: https://www.securitycurmudgeon.com/

Black Hat EU 2016 LondonTools Arsenal

What is DeepViolet?

TLS/SSLscanningAPI

2referencecasesdemonstratingAPI

Commandlinetool&desktopapplication

Why Build DeepViolet?

WhybuildDeepViolet(DV)?Ididnotsetouttobuildatoolforthepublic.DVwasalearningtoolforme.Heartbleedwasinthepopularpress,IwantedtolearnmoreaboutunderlyingTLS/SSLprotocols.WhenIfinishedtheoriginalcodeIpostedittomygithubsite.

IwasapproachedseveraltimestoaddimprovementstoDV.Askedotherswhytheylikedit.MostcommonansweristhattherearefewavailablechoicesforlibrariesthatprovideTLS/SSLscanningfeaturesforapplications.

GreattoolsexisttodaylikeOpenSSL,Qualys SSLServerTest,MozillaObservatory,etc.Yes,myfavoritesaswell.Nointentiontocompetewithanytools.

What Can DeepViolet API/Tools Do?IdentifyWeakServerCipherSuites

IdentityWeakSignatureAlgorithms

IdentityCertificatesAbouttoExpire

PrintX.509Certificates&Metadata

PrintTrustChains

PrintTrustStatus,TrustedorNotTrusted

Andmore…

Getting Started with the API

IDSession session=DVFactory.initializeSession(url);

IDVOnEng eng =DVFactory.getIDVOnEng(session);

//Getcertificates,ciphersuites,printsomereports…//Reviewunittestsincom.mps.deepviolet.test.api togetstarted…

DeepViolet Desktop Application

1)ProvideaURLandClick

2)Reportisgenerated

3)Savereporttodisk

Easyasthat.Adaptasneeded.

DeepViolet Command Tool

1)Tryacommandlinelikethis,java-jardvCMD.jar -serverurlhttps://www.google.com/-shrcisn

2)Reportisgenerated

3)Redirectoutputtofileorpipetogrep tosearchcertificatemetadata

Easyasthat.Adaptasneeded.

Additional References

OWASPProjectSite:https://www.owasp.org/index.php/OWASP_DeepViolet_TLS/SSL_Scanner

GitHubSite:https://github.com/spoofzu/DeepViolet

Download:https://github.com/spoofzu/DeepViolet/releases

FollowOnline:twitter,@deepvioletapi

;o)