epsylon / xsser

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
https://xsser.03c8.net

Failing tests with https sites in Kali 2.0 #27

Closed mpeshev closed 6 years ago

mpeshev commented 6 years ago

Hey,

I've read some of the previous issues reporting problems with HTTPS resources.

I seem to be able to run tests against non-SSL sources but I still can't get around the limitation for https sites.

I tried using --no-head in order to bypass the initial notice. I also ran update-ca-certificates in order to get these updated as well.

curl -I calls work properly and render the resources as expected. But when I run xsser with a verbose flag, all responses return http code 0.

Since I wasn't sure how up-to-date xsser is in Kali, I pulled the latest version from this repository but I'm facing the very same problems.

The target URL seems to be intact. I'm testing several different sites with the standard format, i.e. https://example.com/?s= or https://example.com/index.php?s=.

Any thoughts or observations? I think that Python's raw curl callback may return http 0 by default as seen in https://superuser.com/questions/854101/whats-the-exit-code-for-curl-i-when-not-http-200

epsylon commented 6 years ago

I will check it soon. Many thanks for your report.

epsylon commented 6 years ago

I have fixed that on a new release. Stay tuned for updates...

epsylon commented 6 years ago

If you want more info about this issue, I have discovered that it is related to the Curl options used for SSL transmissions:

curlcontrol.py#L72

This line should be replaced, because an SSL vulnerability was found after the current release, and using this version is now considered a deprecated method:

self.set_option(pycurl.SSLVERSION, pycurl.SSLVERSION_SSLv3)

I have added these other lines (and commented out the previous one):

        try:
            # Prefer the newest TLS version; older pycurl builds do not
            # define this constant and raise AttributeError.
            self.set_option(pycurl.SSLVERSION, pycurl.SSLVERSION_TLSv1_3)
        except AttributeError:
            self.set_option(pycurl.SSLVERSION, pycurl.SSLVERSION_TLSv1_0)

And now all SSL related tasks are working properly ;-)
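As an added example (not xsser's own code), the same idea with a stricter policy: pick the newest TLS constant the installed pycurl build exposes, never fall back below TLS 1.2, and show why a rejected handshake surfaces as the "http code 0" the reporter saw. The helper names, the preference list and the fake handle used for testing are my own assumptions.

```python
"""Runtime selection of a safe pycurl SSLVERSION (constructed example)."""
try:
    import pycurl  # optional: the selection logic is testable without it
except ImportError:
    pycurl = None

# Preference order, newest first. SSLv3 and TLS 1.0 are deliberately absent:
# if the linked libcurl offers none of these, fail loudly rather than
# silently negotiating a deprecated protocol.
PREFERRED = ("SSLVERSION_TLSv1_3", "SSLVERSION_TLSv1_2")


def pick_sslversion(ns):
    """Return (name, value) of the first preferred constant present on `ns`
    (normally the pycurl module). Builds that predate a protocol simply lack
    the attribute, which is what the try/except in the issue works around."""
    for name in PREFERRED:
        value = getattr(ns, name, None)
        if value is not None:
            return name, value
    raise RuntimeError("pycurl build supports neither TLS 1.3 nor TLS 1.2")


def configure(curl, ns=None):
    """Apply the chosen SSLVERSION to a pycurl.Curl-like handle; return its name."""
    ns = ns or pycurl
    name, value = pick_sslversion(ns)
    curl.setopt(ns.SSLVERSION, value)
    return name


def fetch_status(url):
    """HEAD-style request; return the HTTP status, or 0 when curl never got a
    response (for example a TLS handshake the server rejected). That 0 is the
    symptom produced by the hard-coded SSLv3 setting."""
    curl = pycurl.Curl()
    curl.setopt(pycurl.URL, url)
    curl.setopt(pycurl.NOBODY, True)
    curl.setopt(pycurl.WRITEFUNCTION, lambda _chunk: None)
    configure(curl)
    try:
        curl.perform()
        return int(curl.getinfo(pycurl.RESPONSE_CODE))
    except pycurl.error as exc:  # (curl error code, message)
        print("curl failed:", exc.args)
        return 0
    finally:
        curl.close()
```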