WebApp Sec mailing list archives
Evading Client-Certificate Authentication
From: "Kevin Vanhaelen" <blowfish448 () hotmail com>
Date: Wed, 31 Mar 2004 22:43:56 +0200
Hi to all,

Whilst in the middle of a Penetration Test I stumbled on a web server only serving SSL and demanding the client to present a certificate to identify himself. I tried to nikto it with sslproxy and browse the site thru paros, both with a temporary Verisign personal certificate. No such luck, the server keeps bouncing me off. Even vulnerability scanners like Nessus and Retina don't get past the port-scan portion.

Does anyone have an idea to further assess this server? Am I looking at a mission impossible here maybe?

Thanks,
~kevin