Don’t trust all SSL or TLS certificates
Earlier I did a story about CSR checkers from CAs and their resellers. That was a nice thing to do and an eye opener for some people. This time I went for the certificate checkers! I generated my own CA and a self-signed certificate and checked some websites with them.
Testing the HTTPS checkers
The first website I checked was https://threatintelligenceplatform.com/ and I got a hit! I put in my URL and there it was: a nice XSS pop-up. I immediately emailed the support address on the website, and they fixed it in no time!
Now I wanted to do some more testing! So I did some searching and created a list of websites with a test option for HTTPS. Many of these websites had this XSS vulnerability; it was a long list. There are some screenshots below.
Note: All the tested websites have been informed about this.
There is more!
A few days later I had to replace a certificate on a firewall. I uploaded the new certificate and was surprised to see that the web interface of the firewall showed me some certificate details. So I could not resist testing this with my own generated root and leaf certificate. And there it was: an XSS pop-up again! It also broke the web interface completely. Again, I emailed the vendor about this. This time there wasn’t a nice thank you, but some pages of legal stuff in the response.
Another firewall vendor gave me a nicer answer. They reacted within an hour and solved the issue. Maybe creating a GitHub issue wasn’t the best way to disclose this, but the chance that this XSS is abused in the administrator interface was not very high. Next time I will try to find an email address for these issues. Thumbs up to OPNsense for their quick response.
The conclusion you can draw from this story is that you really cannot trust anything, not even a certificate, if you are developing a website, web application or the web interface of an appliance. Always check the input and output.
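The bug behind every hit in this story is the same: certificate fields are attacker-controlled text, and the checkers pasted them straight into HTML. The following added example (mine, not code from any of the tested sites or vendors) puts the vulnerable rendering next to the hardened one and adds a simple detection for subject values that carry HTML metacharacters. The certificate data is constructed, in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import html
import re

# Constructed sample in getpeercert() shape: a leaf certificate whose subject
# carries markup, like the self-signed test certificate described above.
SAMPLE_CERT = {
    "subject": (
        (("commonName", "<script>alert(1)</script>.example.test"),),
        (("organizationName", 'Fake CA "Test" & Co'),),
    ),
}

def subject_fields(cert):
    """Flatten the nested RDN tuples into a flat list of (name, value) pairs."""
    return [(name, value) for rdn in cert["subject"] for name, value in rdn]

def render_unsafe(cert):
    """What the vulnerable checkers did: raw certificate text inside HTML."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>"
                   for k, v in subject_fields(cert))
    return f"<table>{rows}</table>"

def render_safe(cert):
    """Hardened output: every certificate-derived string is HTML-escaped,
    quotes included, so it can only ever render as text."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in subject_fields(cert))
    return f"<table>{rows}</table>"

# Legitimate subject fields almost never contain HTML metacharacters;
# flagging them is a cheap signal that someone is probing the checker.
MARKUP = re.compile("[<>\"'&]")

def suspicious_fields(cert):
    """Return the names of subject fields whose value contains markup characters."""
    return [k for k, v in subject_fields(cert) if MARKUP.search(v)]

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_CERT))
    print("safe:  ", render_safe(SAMPLE_CERT))
    print("flagged:", suspicious_fields(SAMPLE_CERT))
```

Escaping on output is the fix; the detection is a bonus that lets a checker or appliance log probes like the one in this story instead of silently executing them.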
If you want to play with this, here you can find my fakeca files. Please don’t wreck anything with them!
Footnote: All websites and vendors were e-mailed about this issue around the 28th of November.