binaryfigments.com

My thoughts about IT and infosec.

Don’t trust all SSL / TLS certificates

Earlier I did a story about CSR checkers from CAs and their resellers. This was a nice thing to do and an eye-opener for some people. Now I went for the certificate checkers! I generated my own CA and self-signed certificate and checked some websites with it.

In my FakeCA root certificate and the leaf certificate issued from it, I set some XSS information: a simple JavaScript alert. You can easily do this with OpenSSL, for example. So I set up my test site and went testing. It wasn’t very difficult to find my first vulnerable website.

[Screenshot: certificate-details]

Testing the HTTPS checkers

The first website I checked was https://threatintelligenceplatform.com/ and I got a hit! I put in my URL and there it was, a nice XSS pop-up. I immediately emailed the support address on the website, and they fixed it in no time!

[Screenshot: threatintelligenceplatform]

Now I wanted to do some more testing! So I did some searching and created a list of websites with a test option for HTTPS. Many websites had this XSS vulnerability. It was a long list. There are some screenshots below.

Note: All the tested websites were informed about this.

[Screenshots: sslcheck01 to sslcheck10]

There is more!

A few days later I had to replace a certificate on a firewall. I uploaded the new certificate and was surprised to see that the web-interface of the firewall showed me some certificate details. So, I could not resist testing this with my own generated root and leaf certificate. And there it was! Also an XSS pop-up! It also screwed up the web-interface completely. Again, I emailed the vendor about this. This time, there wasn’t a nice thank you, but some pages of legal stuff in the response.

Another firewall gave me a nicer answer. They reacted within an hour and solved the issue. Maybe creating a GitHub issue wasn’t the best way to disclose this, but the chance that this XSS would be abused in the administrator interface was not very high. The next time I will try to find an email address for these issues. Thumbs up for OPNsense for their quick response.

[Screenshot: opnsense1]

And in the details:

[Screenshot: opnsense3]

Conclusion

The conclusion you can draw from this story is that you really cannot trust anything if you are developing a website, web application or a web-interface of an appliance. Always check the input and output.
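As an added example (my own illustration, not code from this post or the fakeca files), here is what "check the input and output" looks like for a certificate checker or an appliance web-interface that displays certificate details. The subject attributes below are constructed; the CN carries the kind of plain JavaScript alert described above. The vulnerable renderer, which concatenates certificate fields straight into HTML, sits beside the hardened one, which escapes every value on output, and a small input-side check flags attribute values that contain HTML-active characters so an admin UI can log or warn before rendering.

```python
import html
import re

# Constructed sample: the subject attributes a checker or appliance UI would
# obtain after parsing a certificate. The CN carries a JavaScript alert of the
# kind described in the post; the other fields are ordinary values.
SAMPLE_SUBJECT = {
    "CN": "<script>alert('xss')</script>",
    "O": "Fake CA Ltd",
    "C": "NL",
}

BENIGN_SUBJECT = {"CN": "example.com", "O": "Example Org", "C": "NL"}


def render_unsafe(subject):
    """Vulnerable rendering: certificate fields are concatenated straight into
    the HTML, so whatever the certificate contains becomes part of the page."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in subject.items())
    return f"<table>{rows}</table>"


def render_safe(subject):
    """Hardened rendering: attribute names and values are HTML-escaped on output,
    so certificate contents can only ever appear as text, never as markup."""
    rows = "".join(
        f"<tr><td>{html.escape(str(k), quote=True)}</td>"
        f"<td>{html.escape(str(v), quote=True)}</td></tr>"
        for k, v in subject.items()
    )
    return f"<table>{rows}</table>"


# Input-side check: subject attribute values in real-world certificates are
# host names, organisation names and country codes. Markup characters in them
# are a red flag worth logging, and for an admin UI a reason to show a warning
# before the certificate is displayed or installed.
_MARKUP_CHARS = re.compile(r"[<>\"'&]")


def suspicious_fields(subject):
    """Return the names of subject attributes whose values contain HTML-active characters."""
    return [k for k, v in subject.items() if _MARKUP_CHARS.search(str(v))]


def contains_live_markup(rendered):
    """Detection helper: does the rendered HTML contain an unescaped script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_SUBJECT))
    print("safe   :", render_safe(SAMPLE_SUBJECT))
    print("flagged:", suspicious_fields(SAMPLE_SUBJECT))
```

Output escaping is the fix that actually closes the hole; the input check is a defence in depth that also gives you a log line when a certificate with markup in its subject shows up, which is a useful signal in itself.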

If you want to play with this, here you can find my fakeca files. Please don’t break anything with them!

Footnote: All websites and vendors were e-mailed about this issue around the 28th of November.