Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp

[Rogan Dawes <lists () dawes za net>]

Matthew Zimmerman wrote:
> So my organization recently switched to requiring client
> authentication as well as server authentication on our web
> applications.  These places are using PKI certificates issued from our
> CA.  The client certificates are contained on safenet 2032 tokens
> (ikey, rainbow token, etc).  This is great for security.
>
> It's not great for security testing however.  Because of this, a proxy
> like Paros / Webscarab / Burp / etc won't work.  The webserver returns
> 4xx errors to us if we don't use the right cert.

WebScarab supports client certs on a PKCS#11-compliant device. See 
Tools->Certificates->Add Keystore->PKCS#11

Provide the DLL that came with your token, and the PIN/password of the 
token, and you should be good to go. Please write to the WebScarab list 
(owasp-webscarab AT lists.owasp.org) if you are still having difficulties.

> So there's two ways around it I think.  1) Get the whole certificate
> off of the token in PKCS#12 (including the private key) so we can
> import it into these tools.  2) Work directly with the browsers to
> allow more manipulation other than URLs/GETs.  3) Pass the http
> protocol through another tool that supports safenet 2032 tokens?
> (Would be very slow setting up each https connection...)

1) is not possible, which is the point of the token.
2) sounds like a possibility.
3) not really that slow, WebScarab does this, and there is not much 
additional overhead, over and above the regular SSL decrypt/recrypt.

> Something that would work for #2 would be a browser addon like Tamper
> Data for Firefox; however, I can't seem to get the 2032 tokens to work
> with firefox correctly (seems to be that the 2032 only implements
> pkcs#11 and firefox is looking for a pkcs#12 device, but I am by no
> means a PKI guy).  

FF *does* support PKCS#11, see Options->Advanced->Security Devices.

> Which brings me to addons that are available for
> internet explorer that allow on-the-fly modification; which I found
> none.
>
> 3) The last option is to request software certs (already in PKCS#12
> format) for all future tests.  Although with this case, it's pretty
> hard to convince to management to fix their SQL injection issue if you
> need someone on the inside to issue you a software cert instead of the
> 2032...

One final possibility is to tamper with the enrollment process, and 
convince your browser to create the cert in the default Windows 
Keystore, rather than on the token. I have done this in the past using 
WebScarab to dynamically modify the client-side javascript which was 
specifying which keystore to use.

> Any ideas?

Enough for you? :-)

> Thanks,
> Matt Z

Rogan


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------