Don’t trust all SSL / TLS certificates
Earlier I did a story about CSR checkers from CAs and their resellers. This was a nice thing to do and an eye opener for some people. Now I went for the certificate checkers! I generated my own CA and a self-signed certificate and checked some websites with it.
Testing the HTTPS checkers
The first website I checked was https://threatintelligenceplatform.com/ and I got a hit! I put in my URL and there it was, a nice XSS pop-up. I immediately emailed the support address on the website, and they fixed it in no time!
Now I wanted to do some more testing! So I did some searching and created a list of websites with a test option for HTTPS. Many websites had this XSS vulnerability. It was a long list. There are some screenshots below.
Note: All the tested websites are informed about this.
There is more!
A few days later I had to replace a certificate on a firewall. I uploaded the new certificate and was surprised to see that the web interface of the firewall showed me some certificate details. So, I could not resist testing this with my own generated root and leaf certificate. And there it was! Also an XSS pop-up! It also screwed up the web interface completely. Again, I emailed the vendor about this. This time, there wasn’t a nice thank you, but some pages of legal stuff in the response.
Another firewall gave me a nicer answer. They reacted within an hour and solved the issue. Maybe creating a GitHub issue wasn’t the best way to disclose this, but the chance that this XSS is abused in the administrator interface was not very high. The next time I will try to find an email address for these issues. Thumbs up for OPNsense for their quick response.
And in the details:
The conclusion to draw from this story is that, when you develop a website, web application or the web interface of an appliance, you really cannot trust any input, not even the fields of a certificate. Always validate the input and escape the output.
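To make that conclusion concrete, here is an added example (my own code, not from the original post or from any of the checkers or firewalls mentioned). It assumes the checker has already parsed the certificate subject into a dictionary; the field values are constructed, with a script tag in the CN standing in for what a home-made CA can put there. The "unsafe" renderer mirrors the behaviour that produced the pop-ups, the "safe" renderer HTML-escapes every field, and a hostname check shows what validating the input side looks like:

```python
import html
import re

# Constructed sample: subject fields as a checker might parse them out of an
# uploaded or fetched certificate. The CN value is a hypothetical payload of
# the kind a self-made CA can issue; a CA would not normally sign it.
UNTRUSTED_SUBJECT = {
    "CN": "<script>alert(1)</script>.example.test",
    "O": 'Example "Corp" & Sons',
    "C": "NL",
}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_plausible_hostname(value: str) -> bool:
    """Input check: a CN that is meant to name a host must look like a DNS name
    (an optional single leading wildcard label is allowed)."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(HOSTNAME_LABEL.match(label) for label in labels)


def render_unsafe(subject: dict) -> str:
    """How the vulnerable pages behaved: certificate fields are dropped into the
    HTML as-is, so any markup in a field becomes part of the page."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in subject.items())
    return f"<table>{rows}</table>"


def render_safe(subject: dict) -> str:
    """Output check: HTML-escape every key and value before it reaches the page.
    html.escape turns <, >, &, " and ' into entities, so the browser shows the
    payload as text instead of executing it."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in subject.items()
    )
    return f"<table>{rows}</table>"


def contains_raw_script_tag(markup: str) -> bool:
    """Crude check used here only to compare the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(UNTRUSTED_SUBJECT))
    print("safe   :", render_safe(UNTRUSTED_SUBJECT))
    print("CN looks like a hostname:", is_plausible_hostname(UNTRUSTED_SUBJECT["CN"]))
```

The escaping belongs at the point where the field is written into HTML; escaping once on input is not enough, because the same value may later be placed in a JavaScript string, an attribute or a URL, each of which needs its own encoding. The hostname check is a sanity filter for the CN specifically and does not replace output escaping: fields like O or OU are free-form text and will always need escaping.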
If you want to play with this, here you can find my fakeca files. Please don’t wreck anything with them!
Footnote: All websites and vendors were e-mailed about this issue around the 28th of November.