WebApp Sec mailing list archives
Re: Evading Client-Certificate Authentication
From: Skip Carter <skip () taygeta com>
Date: Wed, 31 Mar 2004 15:23:02 -0800
> Whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself.
> ...
> Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?
It's likely that the server not only expects a certificate from the client, but that it be signed by a PARTICULAR CA (maybe a local/private one). You might need to figure out a way to get such a certificate (via social engineering perhaps?).

Skip

--
Dr. Everett (Skip) Carter          Phone: 831-641-0645  FAX: 831-641-0647
Taygeta Scientific Inc.            INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314        WWW: http://www.taygeta.com
Monterey, CA. 93940
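An added illustration of the reply's point, not part of the thread: a server that pins a private CA accepts only client certificates that chain to that CA, so a certificate issued by any other CA fails verification. It assumes the openssl CLI is installed and builds all keys, CAs and client certificates itself.

```shell
#!/bin/sh
# Constructed demo: one "private" CA that the server trusts, one unrelated CA,
# and a client certificate issued by each. Only the first chains to the pinned CA.
set -e
WORK=$(mktemp -d)

# The private CA the server pins (self-signed root)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Private CA" -days 1 \
  -keyout "$WORK/private-ca.key" -out "$WORK/private-ca.pem" 2>/dev/null
# An unrelated CA, standing in for any public or third-party issuer
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Other CA" -days 1 \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null

# issue_client_cert <ca-name> <cert-name>: sign a fresh client key with the given CA
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}
issue_client_cert private-ca good-client
issue_client_cert other-ca other-client

# accepted_by_private_ca <cert.pem>: exit 0 if the cert chains to the pinned CA
# (what the server's client-certificate check does), non-zero otherwise
accepted_by_private_ca() {
  openssl verify -CAfile "$WORK/private-ca.pem" "$1" >/dev/null 2>&1
}

# Stand-alone run: report both outcomes
if accepted_by_private_ca "$WORK/good-client.pem"; then
  echo "good-client.pem: accepted (signed by the pinned CA)"
fi
if ! accepted_by_private_ca "$WORK/other-client.pem"; then
  echo "other-client.pem: rejected (signed by a different CA)"
fi
```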
Current thread:
- Evading Client-Certificate Authentication Kevin Vanhaelen (Mar 31)
- Re: Evading Client-Certificate Authentication Skip Carter (Mar 31)