Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp


Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp

by Matthew Zimmerman

The list rejected my "rich" formatting... resending.

---------- Forwarded message ----------
From: Matthew Zimmerman <mzimmerman@...>
Date: Wed, Nov 19, 2008 at 7:35 AM
Subject: Getting around mutual Certificate authentication using
safenet 2032 tokens enforced in a webapp
To: pen-test <pen-test@...>, webappsec@...


So my organization recently switched to requiring client
authentication as well as server authentication on our web
applications.  These places are using PKI certificates issued from our
CA.  The client certificates are contained on safenet 2032 tokens
(ikey, rainbow token, etc).  This is great for security.

It's not great for security testing however.  Because of this, a proxy
like Paros / Webscarab / Burp / etc won't work.  The webserver returns
4xx errors to us if we don't use the right cert.

So there are two ways around it I think.  1) Get the whole certificate
off of the token in PKCS#12 (including the private key) so we can
import it into these tools.  2) Work directly with the browsers to
allow more manipulation other than URLs/GETs.  3) Pass the http
protocol through another tool that supports safenet 2032 tokens?
(Would be very slow setting up each https connection...)

Something that would work for #2 would be a browser addon like Tamper
Data for Firefox; however, I can't seem to get the 2032 tokens to work
with firefox correctly (seems to be that the 2032 only implements
pkcs#11 and firefox is looking for a pkcs#12 device, but I am by no
means a PKI guy).  Which brings me to addons that are available for
internet explorer that allow on-the-fly modification; which I found
none.

3) The last option is to request software certs (already in PKCS#12
format) for all future tests.  Although with this case, it's pretty
hard to convince management to fix their SQL injection issue if you
need someone on the inside to issue you a software cert instead of the
2032...

Any ideas?

Thanks,
Matt Z

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp

by Rogan Dawes

Matthew Zimmerman wrote:

>
> So my organization recently switched to requiring client
> authentication as well as server authentication on our web
> applications.  These places are using PKI certificates issued from our
> CA.  The client certificates are contained on safenet 2032 tokens
> (ikey, rainbow token, etc).  This is great for security.
>
> It's not great for security testing however.  Because of this, a proxy
> like Paros / Webscarab / Burp / etc won't work.  The webserver returns
> 4xx errors to us if we don't use the right cert.

WebScarab supports client certs on a PKCS#11-compliant device. See
Tools->Certificates->Add Keystore->PKCS#11

Provide the DLL that came with your token, and the PIN/password of the
token, and you should be good to go. Please write to the WebScarab list
(owasp-webscarab AT lists.owasp.org) if you are still having difficulties.

> So there's two ways around it I think.  1) Get the whole certificate
> off of the token in PKCS#12 (including the private key) so we can
> import it into these tools.  2) Work directly with the browsers to
> allow more manipulation other than URLs/GETs.  3) Pass the http
> protocol through another tool that supports safenet 2032 tokens?
> (Would be very slow setting up each https connection...)

1) is not possible, which is the point of the token.
2) sounds like a possibility.
3) not really that slow, WebScarab does this, and there is not much
additional overhead, over and above the regular SSL decrypt/recrypt.

> Something that would work for #2 would be a browser addon like Tamper
> Data for Firefox; however, I can't seem to get the 2032 tokens to work
> with firefox correctly (seems to be that the 2032 only implements
> pkcs#11 and firefox is looking for a pkcs#12 device, but I am by no
> means a PKI guy).  

FF *does* support PKCS#11, see Options->Advanced->Security Devices.

> Which brings me to addons that are available for
> internet explorer that allow on-the-fly modification; which I found
> none.
>
> 3) The last option is to request software certs (already in PKCS#12
> format) for all future tests.  Although with this case, it's pretty
> hard to convince to management to fix their SQL injection issue if you
> need someone on the inside to issue you a software cert instead of the
> 2032...

One final possibility is to tamper with the enrollment process, and
convince your browser to create the cert in the default Windows
Keystore, rather than on the token. I have done this in the past using
WebScarab to dynamically modify the client-side javascript which was
specifying which keystore to use.

> Any ideas?

Enough for you? :-)

> Thanks,
> Matt Z

Rogan




Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp

by JB-2

If you are willing to do some coding (and understand java), you can modify
the source code of Paros (www.parosproxy.com) to allow you to use a token.
That's what I did for another company and we were able to use the iKeys for
testing.

JB

> The list rejected my "rich" formatting... resending.
>
> ---------- Forwarded message ----------
> From: Matthew Zimmerman <mzimmerman@...>
> Date: Wed, Nov 19, 2008 at 7:35 AM
> Subject: Getting around mutual Certificate authentication using
> safenet 2032 tokens enforced in a webapp
> To: pen-test <pen-test@...>, webappsec@...
>
>
> So my organization recently switched to requiring client
> authentication as well as server authentication on our web
> applications.  These places are using PKI certificates issued from our
> CA.  The client certificates are contained on safenet 2032 tokens
> (ikey, rainbow token, etc).  This is great for security.
>
> It's not great for security testing however.  Because of this, a proxy
> like Paros / Webscarab / Burp / etc won't work.  The webserver returns
> 4xx errors to us if we don't use the right cert.
>
> So there's two ways around it I think.  1) Get the whole certificate
> off of the token in PKCS#12 (including the private key) so we can
> import it into these tools.  2) Work directly with the browsers to
> allow more manipulation other than URLs/GETs.  3) Pass the http
> protocol through another tool that supports safenet 2032 tokens?
> (Would be very slow setting up each https connection...)
>
> Something that would work for #2 would be a browser addon like Tamper
> Data for Firefox; however, I can't seem to get the 2032 tokens to work
> with firefox correctly (seems to be that the 2032 only implements
> pkcs#11 and firefox is looking for a pkcs#12 device, but I am by no
> means a PKI guy).  Which brings me to addons that are available for
> internet explorer that allow on-the-fly modification; which I found
> none.
>
> 3) The last option is to request software certs (already in PKCS#12
> format) for all future tests.  Although with this case, it's pretty
> hard to convince to management to fix their SQL injection issue if you
> need someone on the inside to issue you a software cert instead of the
> 2032...
>
> Any ideas?
>
> Thanks,
> Matt Z
>





Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp

by Matthew Zimmerman

Rogan, you were right on the money.  Thanks.

On Wed, Nov 19, 2008 at 12:06 PM, Rogan Dawes <lists@...> wrote:

> Matthew Zimmerman wrote:
>>
>> So my organization recently switched to requiring client
>> authentication as well as server authentication on our web
>> applications.  These places are using PKI certificates issued from our
>> CA.  The client certificates are contained on safenet 2032 tokens
>> (ikey, rainbow token, etc).  This is great for security.
>>
>> It's not great for security testing however.  Because of this, a proxy
>> like Paros / Webscarab / Burp / etc won't work.  The webserver returns
>> 4xx errors to us if we don't use the right cert.
>
> WebScarab supports client certs on a PKCS#11-compliant device. See
> Tools->Certificates->Add Keystore->PKCS#11
>
> Provide the DLL that came with your token, and the PIN/password of the
> token, and you should be good to go. Please write to the WebScarab list
> (owasp-webscarab AT lists.owasp.org) if you are still having difficulties.
I was able to get WebScarab to work with the safenet / rainbow ikey
2032 using the dkck201.dll.  On one machine, WebScarab had almost no
issues once I figured out how to use it.  On some other machines, I
needed to run WebScarab with the -Djava.security.debug=sunpkcs11,pkcs
parameter.  Not sure exactly why, but it works now! :)

>
>> So there's two ways around it I think.  1) Get the whole certificate
>> off of the token in PKCS#12 (including the private key) so we can
>> import it into these tools.  2) Work directly with the browsers to
>> allow more manipulation other than URLs/GETs.  3) Pass the http
>> protocol through another tool that supports safenet 2032 tokens?
>> (Would be very slow setting up each https connection...)
>
> 1) is not possible, which is the point of the token.
> 2) sounds like a possibility.
> 3) not really that slow, WebScarab does this, and there is not much
> additional overhead, over and above the regular SSL decrypt/recrypt.
>
3) Yes, I had meant another tool like Putty or stunnel: setting up
the SSL tunnel and then pushing the browser through that.  WebScarab
works MUCH better :)
>> Something that would work for #2 would be a browser addon like Tamper
>> Data for Firefox; however, I can't seem to get the 2032 tokens to work
>> with firefox correctly (seems to be that the 2032 only implements
>> pkcs#11 and firefox is looking for a pkcs#12 device, but I am by no
>> means a PKI guy).
>
> FF *does* support PKCS#11, see Options->Advanced->Security Devices.
I had been looking at Firefox to use the token and just couldn't quite
get it to work.  I got FF to prompt for the password off the token,
but the application would still give access denied (never did figure
out why it wouldn't work).  Our application development & PKI teams
are still looking at it, but not too hard as we don't officially
support it...

>
>> Which brings me to addons that are available for
>> internet explorer that allow on-the-fly modification; which I found
>> none.
>>
>> 3) The last option is to request software certs (already in PKCS#12
>> format) for all future tests.  Although with this case, it's pretty
>> hard to convince to management to fix their SQL injection issue if you
>> need someone on the inside to issue you a software cert instead of the
>> 2032...
>
> One final possibility is to tamper with the enrollment process, and convince
> your browser to create the cert in the default Windows Keystore, rather than
> on the token. I have done this in the past using WebScarab to dynamically
> modify the client-side javascript which was specifying which keystore to
> use.
Good thought, although in this case the enrollment requires in-person proofing.
>
>> Any ideas?
>
> Enough for you? :-)
>
Yes, thank you!
>> Thanks,
>> Matt Z
>
> Rogan
>
>
Matt Z



Re: Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp

by Matthew Zimmerman

On Tue, Oct 20, 2009 at 3:45 AM, Chris <"chrisliaw at gmail dot
com"@mta1.scan-associates.net> wrote:
>>
>> So there's two ways around it I think.  1) Get the whole certificate
>> off of the token in PKCS#12 (including the private key) so we can
>> import it into these tools.
>
> Usually not possible for a token. The security of a token lies in the fact that
> no private key is accessible outside of the token. There is no way to
> get those things off the token as PKCS #12.
Agreed.  As I understand it, that's the difference between PKCS #11
and PKCS #12 :)  That's the point :)  But just because a security
control wasn't broken before, doesn't mean it won't be broken now ;)
(Just to clarify, I had no success here...)
>>
>> 2) Work directly with the browsers to
>> allow more manipulation other than URLs/GETs.
>
> This is more viable option.
Found not really.  The integrated browser plugins weren't flexible
enough for me.

>>
>> 3) Pass the http
>> protocol through another tool that supports safenet 2032 tokens?
>> (Would be very slow setting up each https connection...)
>>
>
> Usually the token provider will implement PKCS #11, which is the smart token
> interfacing standard and an international standard. I believe you can
> integrate it with Firefox with little effort. Most vendors, however, also
> distribute an MS CAPI interface, which can immediately be used with IE.
>
> Although option (2) is more viable, the integration of the token into the browser
> is more of an SSL-handshake-level integration, which means the browser will look
> for the token to take part in the SSL workflow. You can look at creating a dummy
> SSL engine which loads PKCS #11 and the token and performs the SSL
> handshake with it. This approach is closer to your option (3) already.
This worked quite well with WebScarab.  It even talks http(s), so it
had all the parsing and everything intact.  The interface on how to
use it was a little clunky and confusing, but it worked beautifully
once it was setup.  Just remember to run java in debug mode (see my
earlier follow-up post for instructions on how it worked for me)  (I
realize it makes no sense, but it worked...)

>>
>> 3) The last option is to request software certs (already in PKCS#12
>> format) for all future tests.  Although with this case, it's pretty
>> hard to convince to management to fix their SQL injection issue if you
>> need someone on the inside to issue you a software cert instead of the
>> 2032...
>>
>
> Can you explain why it is hard to convince management to fix their SQL
> injection issue in the soft certs case? I am looking at this as quite viable.
>>
Yep.  Where I work we follow NIST guidance.  SP 800-30 says that risk
is comprised of the likelihood something is going to happen and the
impact of the event happening.  In terms of likelihood, no one in the
wild is going to have a software cert.  As previously discussed, we
hand out PKCS #11 tokens.  Given that, there's no way to get the
certificate off.  When I wrote this statement, I hadn't yet figured
out a way to tamper with the parameters the browser was passing when
using the PKCS #11 token.  So the fact that a tool would have to be
written to support that, made the likelihood of the event happening go
way down.  When likelihood goes down, the resulting risk goes down.

Matt

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
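What Rogan's WebScarab answer and Chris's "dummy SSL engine which loads PKCS #11" suggestion both come down to is a Java KeyStore of type PKCS11 fed to a KeyManager, so that the TLS client handshake is signed on the token while the private key never leaves it. The following is an added illustration of that mechanism, not WebScarab's or Paros's own code. It assumes Java 9 or later (for the Provider.configure inline-config API), that the vendor library is the dkck201.dll named earlier in the thread (the path is a placeholder), that the token PIN arrives in a hypothetical TOKEN_PIN environment variable, and that app.example.internal is a placeholder for the mutually authenticated web application.

```java
// Added example (not WebScarab's or Paros's code): open a SafeNet-style PKCS#11
// token as a Java KeyStore and build an SSLContext that authenticates with it.
// Assumptions: Java 9+, vendor library dkck201.dll (path is a placeholder),
// PIN in the hypothetical TOKEN_PIN environment variable, placeholder host name.
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class Pkcs11ClientAuth {

    /** Registers a SunPKCS11 provider instance bound to the token's native library. */
    static Provider loadPkcs11Provider(String libraryPath) {
        // Provider.configure() treats an argument starting with "--" as inline config.
        String config = "--name=SafeNetToken\nlibrary=" + libraryPath + "\n";
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider not available in this JVM");
        }
        Provider configured = base.configure(config);
        Security.addProvider(configured);
        return configured;
    }

    /** Opens the token as a PKCS11 KeyStore; the PIN is passed as the store "password". */
    static KeyStore openTokenKeyStore(Provider provider, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin);
        return ks;
    }

    /** Builds a client SSLContext whose KeyManager signs the handshake on the token. */
    static SSLContext buildClientContext(KeyStore ks, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, pin);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null TrustManagers = JVM default trust store for the server certificate
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder library path; pass the real one as the first argument.
        String lib = args.length > 0 ? args[0] : "C:\\Windows\\System32\\dkck201.dll";
        String pinEnv = System.getenv("TOKEN_PIN"); // hypothetical variable name
        if (pinEnv == null) {
            throw new IllegalStateException("set TOKEN_PIN to the token PIN");
        }
        char[] pin = pinEnv.toCharArray();

        Provider provider = loadPkcs11Provider(lib);
        KeyStore ks = openTokenKeyStore(provider, pin);

        // List what the token exposes; a proxy needs to know which identity it presents.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            System.out.println("alias=" + alias + " keyEntry=" + ks.isKeyEntry(alias));
        }

        SSLContext ctx = buildClientContext(ks, pin);
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket sock = (SSLSocket) factory.createSocket("app.example.internal", 443)) {
            sock.startHandshake(); // the ClientVerify signature is computed inside the token
            System.out.println("negotiated " + sock.getSession().getProtocol()
                    + " as " + sock.getSession().getLocalPrincipal());
        }
    }
}
```

Three practical points follow from the thread. The JVM and the PKCS#11 library must be the same bitness, since SunPKCS11 loads the DLL into the Java process; a mismatch fails at provider configuration before any PIN is asked for. When the handshake fails for no obvious reason, running with the `-Djava.security.debug=sunpkcs11` flag Matthew used prints the provider's slot, mechanism and login activity. And if the application's server certificate chains to an internal CA, that CA must be in the trust store the context uses (for example via `-Djavax.net.ssl.trustStore`), otherwise the client side rejects the handshake before the server ever evaluates the client certificate. The design choice worth noting for defenders is the one Chris states: the key is used through a callback into the token rather than exported, which is why option 1 (extracting a PKCS#12) is not possible while option 3 (a tool that speaks PKCS#11) works with only the normal TLS overhead.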