Penetration Testing mailing list archives
[Fwd: Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp]
From: Liaw Man Cheon <liaw () scan-associates net>
Date: Tue, 20 Oct 2009 18:43:14 +0800
re-sent -------- Original Message --------Subject: Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp
Date: Tue, 20 Oct 2009 15:45:09 +0800 From: Chris <"chrisliaw at gmail dot com"> To: Matthew Zimmerman <mzimmerman () gmail com> CC: pen-test <pen-test () securityfocus com>References: <da4938c20811190435o46b19d1dp86f663fb30e20f19 () mail gmail com> <da4938c20811190438t223e676cm87e454f6c290e7dd () mail gmail com>
Hi Matthew, Matthew Zimmerman wrote:
Usually not possible for token. The security of token lies in the fact that no private key can be accessible outside of the token. It is no way it can be get those thing off the token as PKCS #12The list rejected my "rich" formatting... resending. ---------- Forwarded message ---------- From: Matthew Zimmerman <mzimmerman () gmail com> Date: Wed, Nov 19, 2008 at 7:35 AM Subject: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp To: pen-test <pen-test () securityfocus com>, webappsec () lists owasp org So my organization recently switched to requiring client authentication as well as server authentication on our web applications. These places are using PKI certificates issued from our CA. The client certificates are contained on safenet 2032 tokens (ikey, rainbow token, etc). This is great for security. It's not great for security testing however. Because of this, a proxy like Paros / Webscarab / Burp / etc won't work. The webserver returns 4xx errors to us if we don't use the right cert. So there's two ways around it I think. 1) Get the whole certificate off of the token in PKCS#12 (including the private key) so we canimport it into these tools.
2) Work directly with the browsers toallow more manipulation other than URLs/GETs.
This is more viable option.
Usually token provider will implement PKCS #11, which is the smart token interfacing standard, which is international standard. I believe you can integrate to Firefox with little effort. Most of the vendor however, also distribute the MS CAPI interface, which immediately can be use with IE.3) Pass the http protocol through another tool that supports safenet 2032 tokens? (Would be very slow setting up each https connection...) Something that would work for #2 would be a browser addon like Tamper Data for Firefox; however, I can't seem to get the 2032 tokens to work with firefox correctly (seems to be that the 2032 only implements pkcs#11 and firefox is looking for a pkcs#12 device, but I am by no means a PKI guy). Which brings me to addons that are available for internet explorer that allow on-the-fly modification; which I found none.
Although option (2) is more viable, the integration of token to browser is more SSL handshaking level integration, which means the browser will look for token to involve in the SSL workflow. You can look at creating a dummy SSL engine which loads PKCS #11 and the token and perform the SSL handshaking with it. This approach is more to your option (3) already.
Can you explain why it is hard to convince to management to fix their SQL injection issue in soft certs case? I am looking at this is quite viable.3) The last option is to request software certs (already in PKCS#12 format) for all future tests. Although with this case, it's pretty hard to convince to management to fix their SQL injection issue if you need someone on the inside to issue you a software cert instead of the 2032...
Any ideas? Thanks, Matt Z ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Thanks! Chris SCAN CONFIDENTIALITY NOTICE & DISCLAIMER The contents of this e-mail and its attachment, if any ("message") are intended for the named addressee only and may contain confidential information. If you are not the named addressee, you must not copy this message or disclose it to any other person. If you received this message by error, you should delete this message immediately and notify the sender by return e-mail. SCAN Associates Berhad, its subsidiaries and/or group companies ("SCAN") disclaim all liability for any error, loss or damage arising from this message being infected by computer virus or other malicious software. The views and other information in this message that do not relate to the official business of SCAN shall not be deemed provided nor endorsed by SCAN ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review BoardProve to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- [Fwd: Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp] Liaw Man Cheon (Oct 21)