Penetration Testing mailing list archives
Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp
From: "Matthew Zimmerman" <mzimmerman () gmail com>
Date: Wed, 19 Nov 2008 19:08:36 -0500
Rogan, you were right on the money. Thanks.

On Wed, Nov 19, 2008 at 12:06 PM, Rogan Dawes <lists () dawes za net> wrote:

> Matthew Zimmerman wrote:
>> So my organization recently switched to requiring client authentication as well as server authentication on our web applications. These places are using PKI certificates issued from our CA. The client certificates are contained on safenet 2032 tokens (ikey, rainbow token, etc). This is great for security. It's not great for security testing however. Because of this, a proxy like Paros / Webscarab / Burp / etc won't work. The webserver returns 4xx errors to us if we don't use the right cert.
>
> WebScarab supports client certs on a PKCS#11-compliant device. See Tools->Certificates->Add Keystore->PKCS#11
>
> Provide the DLL that came with your token, and the PIN/password of the token, and you should be good to go. Please write to the WebScarab list (owasp-webscarab AT lists.owasp.org) if you are still having difficulties.

I was able to get WebScarab to work with the safenet / rainbow ikey 2032 using the dkck201.dll. On one machine, WebScarab had almost no issues once I figured out how to use it. On some other machines, I needed to run WebScarab with the -Djava.security.debug=sunpkcs11,pkcs parameter. Not sure exactly why, but it works now! :)

>> So there's two ways around it I think.
>> 1) Get the whole certificate off of the token in PKCS#12 (including the private key) so we can import it into these tools.
>> 2) Work directly with the browsers to allow more manipulation other than URLs/GETs.
>> 3) Pass the http protocol through another tool that supports safenet 2032 tokens? (Would be very slow setting up each https connection...)
>
> 1) is not possible, which is the point of the token.
> 2) sounds like a possibility.
> 3) not really that slow, WebScarab does this, and there is not much additional overhead, over and above the regular SSL decrypt/recrypt.

3) Yes, I had meant another tool like Putty or stunnel. Setting up the SSL tunnel and then push the browser through that. WebScarab works MUCH better :)

>> Something that would work for #2 would be a browser addon like Tamper Data for Firefox; however, I can't seem to get the 2032 tokens to work with Firefox correctly (seems to be that the 2032 only implements PKCS#11 and Firefox is looking for a PKCS#12 device, but I am by no means a PKI guy).
>
> FF *does* support PKCS#11, see Options->Advanced->Security Devices.

I had been looking at Firefox to use the token and just couldn't quite get it to work. I got FF to prompt for the password off the token, but the application would still give access denied (never did figure out why it wouldn't work). Our application development & PKI teams are still looking at it, but not too hard as we don't officially support it...

>> Which brings me to addons that are available for Internet Explorer that allow on-the-fly modification; which I found none.
>> 3) The last option is to request software certs (already in PKCS#12 format) for all future tests. Although with this case, it's pretty hard to convince management to fix their SQL injection issue if you need someone on the inside to issue you a software cert instead of the 2032...
>
> One final possibility is to tamper with the enrollment process, and convince your browser to create the cert in the default Windows Keystore, rather than on the token. I have done this in the past using WebScarab to dynamically modify the client-side javascript which was specifying which keystore to use.

Good thought, although in this case the enrollment requires in-person proofing.

>> Any ideas?
>
> Enough for you? :-)

Yes, thank you!

>> Thanks,
>> Matt Z
>
> Rogan
Matt Z
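For readers who want to see what WebScarab's "Add Keystore -> PKCS#11" step does under the hood, here is an added example (not code from the thread, from WebScarab, or from SafeNet) that loads a vendor PKCS#11 library into the JDK's SunPKCS11 provider, logs in to the token with its PIN, and opens a mutually authenticated HTTPS connection whose client key never leaves the device. The DLL path, PIN, URL and the token name "iKey2032" are assumptions passed on the command line; the Provider.configure() call requires Java 9 or later (older JDKs used the sun.security.pkcs11.SunPKCS11 constructor instead).

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/*
 * Usage (Java 9 or later; paths, PIN and URL are assumptions, not values from the thread):
 *   java -Djava.security.debug=sunpkcs11 Pkcs11ClientAuth C:/Windows/System32/dkck201.dll 1234 https://app.example.com/
 * The debug property is the one the thread used with WebScarab: it prints slot,
 * token and mechanism negotiation, which is where a failing DLL load shows up.
 * Forward slashes in the library path avoid escaping issues in the config string.
 */
public class Pkcs11ClientAuth {

    /** Wrap the vendor's PKCS#11 library in a SunPKCS11 provider. */
    static Provider loadProvider(String libraryPath) {
        // A config string starting with "--" is parsed inline instead of read from a file.
        String config = "--name = iKey2032\nlibrary = " + libraryPath + "\n";
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p); // JSSE must find the provider to sign with the on-token key
        return p;
    }

    /** Log in to the token: the PIN is the keystore "password"; no private key material is read. */
    static KeyStore openToken(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /** Build an SSLContext that presents the token's certificate during the TLS handshake. */
    static SSLContext clientContext(KeyStore ks, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pin); // the PKCS#11 keystore ignores per-key passwords; the token login already happened
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = JDK default trust store
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pin = args[1].toCharArray();
        Provider p = loadProvider(args[0]);
        KeyStore ks = openToken(p, pin);

        // Sanity check before touching the network: is there a usable private key on the token?
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + (ks.isKeyEntry(alias) ? "  (private key on token)" : "  (certificate only)"));
        }

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(clientContext(ks, pin).getSocketFactory());
        // A 4xx here with a completed handshake means the server rejected the presented cert,
        // which is the symptom the original post described for an intercepting proxy.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The alias listing is the quickest way to tell a token that exposes only the public certificate from one that also exposes a signing-capable private key object; if no alias reports a key entry, the PKCS#11 login succeeded but client authentication cannot work, regardless of the proxy used.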
Current thread:
- Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp Matthew Zimmerman (Nov 19)
- Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp Rogan Dawes (Nov 19)
- Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp Matthew Zimmerman (Nov 19)
- Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp JB (Nov 19)
- Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp Rogan Dawes (Nov 19)