XSS in a certificate signing request

Web application developers all know never to trust the input of the users of the web application. But what if you do not really know what they are submitting?

While investigating some form fields in our application, I came across a form for checking a certificate signing request (CSR), which you need in order to order an SSL/TLS certificate.

A certificate signing request is an encoded file containing the information needed to request a certificate from a certificate authority (CA) or a reseller of that CA. You create that file yourself and put in whatever information you want.

So, you can also put something like this in it:

< script > alert('attacked') < /script >

You could also attempt an SQL injection if the CA or reseller saves the information from the CSR to an SQL database for later use.

So, let me show you some examples.

Note: All the tested websites are informed about this.


This is the CSR I used in all the cases:


You can check the contents of it here:


How did I make that certificate signing request? Simple, like any other:

sebastian@blade:~$ openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout private2.key -out cert2.csr
Generating a 2048 bit RSA private key
writing new private key to 'private2.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Utrecht
Locality Name (eg, city) []:Utrecht
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nw4all BV
Organizational Unit Name (eg, section) []:< script > alert('attacked') < /script >
Common Name (e.g. server FQDN or YOUR name) []:www.ocsr.nl
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


So, do not only check your input; also check the output that will be displayed on the screen.

Update 2017-09-29: Most of them updated their website.
