The Downside of Improper Certificate Validation

Things have been so hectic for the past few weeks, I thought I’ll never be able to write again. Today is Thursday and I’m playing catch up after three incredibly hectic weeks. While I was glancing through my notebook, I recalled my conversation a few days back with one of our security experts at AFour and his emphasis on the impacts of Improper Certificate Validation. He did give me a wonderful analogy when I probed him further on his concerns on Improper Certificate Validation. He said, ‘what would happen if you left the lock to your house door open’? I must admit that the above analogy provided by our security expert did leave a lasting impression on my mind.

So, what is Certificate Validation?

Certificate Validation is an advanced feature for businesses that need to verify or authenticate the interaction between the client or application with the data stored on a server to prevent malpractice

This issue exists due to failing to verify SSL server certificates and does not properly validate certificates with host-mismatch. A remote attacker can supply a specially crafted SSL certificate, perform a man-in-the-middle attack, and eavesdrop on encrypted communication.

Let us see how to replicate and identify this issue in any of the Android Mobile applications to avoid the potential impact.

In Host-Mismatch, the application communicates with a host that provides a certificate, but the application does not properly ensure that the certificate is actually associated with that host.

The following OpenSSL code obtains a certificate and verifies it.

cert = SSL_get_peer_certificate(ssl);

if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) {

// do secret things

}

So, what exactly happens when a certificate is invalid?

  • It might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The application might connect to a malicious host while believing it to be trusted.
  • It may also lead to loss of brand value and customer trust which eventually may result in monetary loss.

How to Identify?

  1. Self-signed certificate

In BurpSuite, go to the Proxy tab, select the Options tab, then go to the Proxy Listeners section, highlight your listener, and click Edit. Then go to the Certificate tab, check to Use a self-signed certificate, and click Ok. Now, run your application. If you are able to see HTTPS traffic, your application is accepting self-signed certificates.

  1. Accepting certificates with an untrusted CA

In BurpSuite, go to the Proxy tab, select the Options tab, then go to the Proxy Listeners section, highlight your listener, and click Edit. Then go to the Certificate tab, check to Generate a CA-signed certificate with a specific hostname, and type the backend server’s hostname. Now, run your application. If you are able to see HTTPS traffic, your application is accepting certificates with an untrusted CA.

  1. Accepting incorrect hostnames

In BurpSuite, go to the Proxy tab, select the Options tab, then go to the Proxy Listeners section, highlight your listener, and click Edit. Then go to the Certificate tab, check to Generate a CA-signed certificate with a specific hostname. Type an invalid hostname e.g. yahoo.com. Now, run your application. If you are able to see HTTPS traffic, your application is accepting all hostnames.

Some Scenarios:

  1. First, the attacker configures a proxy in the Android mobile device and connects with BurpSuite. By default, BurpSuite uses a trusted CA certificate.
  2. The attacker changes the default certificate with a self-signed certificate or an invalid certificate in BurpSuite.
  3. In a target mobile application, if a certificate validation is not properly configured, then the application does not properly ensure that the certificate comes from a trusted source. A target application might connect to a malicious host while believing it is a trusted one.
  4. A remote attacker can perform a man-in-the-middle attack and eavesdrop an encrypted communication by supplying such a special crafted SSL certificate.

Steps to curb such attacks:

  • Certificates should be carefully managed and checked to assure that data is encrypted with the intended owner’s public key.
  • If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

The above blog is one of the many steps taken by our team at AFour Technologies towards our continuous efforts of educating businesses about various security threats. If this is something you or your business is also concerned about, our security experts would love to have a conversation with you.

Reference: https://cwe.mitre.org/data/definitions/295.html   

Author: Vikas Suhane



Author: Tanvir
An aspiring digital marketer, a passionate singer, a guitarist and a mechanical engineer by degree. It would be so cool if I had lots of fans but the ceiling space is limited. You can find me on LinkedIn.

Leave a Reply