Don’t trust all SSL / TLS certificates

Earlier I did a story about CSR checkers from CA’s and their resellers. This was a nice thing to do and an eye opener for some people. I went for the certificate checkers no! I generated my own CA and self-signed certificate and checked some websites with it.

In my FakeCA root certificate and the leaf certificate on it, I set some XSS information. A simple JavaScript alert. You easily can do this with OpenSSL for example. So I setup my test site and went testing. It wasn’t very difficult to find my first vulnerable website.


Read more

AXFR can leak sensitive information

Many services are depending on DNS and it is getting more and more used for serving information. Sometime’s companies are putting some inside information in their DNS that others do not need to know.

Maybe the information that is in the DNS looks innocent,  but if you are a target for criminal hackers, or state sponsored hackers, the can get very much information from your nameserver. That is why we advice to disable AXFR for the whole world. If you have AXFR enabled, you can leak information of you digital infrastructure that can be used by criminals to get a more complete overview of your company.

I do not know if it’s “by design”, but the fourth nameserver of DNS provider is accepting AXFR commands. I asked them multiple times if why this is open for everyone, but the do not respond to my e-mail.

With a simple dig command, we can get the whole DNS zone of EasyDNS, or one of it’s customers.


sebastian@nw4allws01:~$ dig @ -t AXFR;
<<>> DiG 9.10.3-P4-Ubuntu <<>> @ -t AXFR;
(1 server found)
;; global options: 300 IN SOA 1509041294 3600 600 1209600 300 300 IN NS 300 IN NS 300 IN NS 300 IN NS 300 IN MX 0 300 IN A 300 IN TXT "google-site-verification=9lCtJVFGHp_WlDRhU9LpYB84rGYjlh-SMjxGUgpP6Eg"
... snip...

Look at the domains and It is not very pretty. Certum is also a CA (certificate authority), so they do need to keep their infrastructure safe!

dig @ -t AXFR
dig @ -t AXFR

Screenshot from 2017-11-10 13-01-52

Background information:

Update: They fixed it 10 minutes after sharing.




XSS in a certificate signing request

Web application developers will all know, never to trust the input of the users of the web application. But what if you do not really know what they are submitting?

While investigating some form fields in our application, I came across a form for checking a certificate signing request (CSR) which you need to order a SSL / TLS certificate.

A certificate signing request is an encoded file with the information to request a certificate from a certificate authority (CA) or a reseller of that CA. You will need to create that file yourself and put in the information that you want.

Read more