Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp



The list rejected my "rich" formatting... resending.

---------- Forwarded message ----------
From: Matthew Zimmerman <mzimmerman@xxxxxxxxx>
Date: Wed, Nov 19, 2008 at 7:35 AM
Subject: Getting around mutual Certificate authentication using
safenet 2032 tokens enforced in a webapp
To: pen-test <pen-test@xxxxxxxxxxxxxxxxx>, webappsec@xxxxxxxxxxxxxxx


So my organization recently switched to requiring client
authentication as well as server authentication on our web
applications. These places are using PKI certificates issued from our
CA. The client certificates are contained on safenet 2032 tokens
(ikey, rainbow token, etc). This is great for security.

It's not great for security testing however. Because of this, a proxy
like Paros / Webscarab / Burp / etc won't work. The webserver returns
4xx errors to us if we don't use the right cert.

So there are two ways around it I think. 1) Get the whole certificate
off of the token in PKCS#12 (including the private key) so we can
import it into these tools. 2) Work directly with the browsers to
allow more manipulation other than URLs/GETs. 3) Pass the HTTP
protocol through another tool that supports SafeNet 2032 tokens?
(Would be very slow setting up each HTTPS connection...)

Something that would work for #2 would be a browser addon like Tamper
Data for Firefox; however, I can't seem to get the 2032 tokens to work
with Firefox correctly (it seems that the 2032 only implements
PKCS#11 and Firefox is looking for a PKCS#12 device, but I am by no
means a PKI guy). Which brings me to addons that are available for
Internet Explorer that allow on-the-fly modification, of which I found
none.

3) The last option is to request software certs (already in PKCS#12
format) for all future tests. Although in this case, it's pretty
hard to convince management to fix their SQL injection issue if you
need someone on the inside to issue you a software cert instead of the
2032...

Any ideas?

Thanks,
Matt Z
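The behaviour Matt describes, the server refusing any client that cannot present a certificate chaining to the organisation's CA, as an added Go example; this is not part of the original post and is not code from SafeNet or any proxy it mentions. It builds a throwaway CA, a server certificate and two client certificates in memory (all constructed for the example), runs a local HTTPS server with tls.RequireAndVerifyClientCert, and probes it with no certificate, a certificate from an unrelated CA, and a certificate from the trusted CA. One point the example makes concrete for the PKCS#11 question: a hardware token exposes signing operations through PKCS#11 and typically marks the private key non-exportable, so "getting the whole certificate off the token in PKCS#12" is exactly what the token is designed to prevent; a testing identity is therefore either a software certificate issued by the same CA (the post's last option, which is what goodID models) or a tool that drives the token through PKCS#11 itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCA builds a throwaway self-signed CA (constructed test PKI, not a real one).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issue signs a leaf certificate under ca. Server leaves get an IP SAN for
// 127.0.0.1 (where httptest listens); client leaves get the clientAuth EKU.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, server bool) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// probe makes one GET as a client that trusts roots and presents id (nil = no
// client certificate). Returns the HTTP status, or 0 and the TLS-level error.
func probe(url string, roots *x509.CertPool, id *tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: roots}
	if id != nil {
		cfg.Certificates = []tls.Certificate{*id}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// Outcome records what each kind of client got back (status 0 = no HTTP reply).
type Outcome struct {
	NoCert, WrongCA, Good int
	NoCertErr, WrongCAErr error
}

// RunDemo stands up a server that requires a client certificate from the
// organisation's CA and probes it with three client identities.
func RunDemo() Outcome {
	orgCA, orgKey := newCA("Org Internal CA")
	otherCA, otherKey := newCA("Unrelated CA")
	trusted := x509.NewCertPool()
	trusted.AddCert(orgCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// With RequireAndVerifyClientCert the verified peer certificate is always present here.
		fmt.Fprintf(w, "hello %s\n", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{issue(orgCA, orgKey, 2, "webapp", true)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-auth switch
		ClientCAs:    trusted,                         // only certs chaining to our CA
	}
	srv.StartTLS()
	defer srv.Close()
	goodID := issue(orgCA, orgKey, 3, "tester", false)       // what a software cert from the org CA contains
	wrongID := issue(otherCA, otherKey, 4, "tester", false)  // well-formed cert, wrong issuer
	var o Outcome
	o.NoCert, o.NoCertErr = probe(srv.URL, trusted, nil)
	o.WrongCA, o.WrongCAErr = probe(srv.URL, trusted, &wrongID)
	o.Good, _ = probe(srv.URL, trusted, &goodID)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Run it with go run; the two rejected clients never get an HTTP status at all because the server aborts the TLS handshake, which is why a proxy that does not hold a certificate from the right CA cannot even reach the application layer. The 4xx Matt sees will come from a front end that terminates TLS and then checks the certificate in the application rather than in the handshake; either way the fix for testing is an identity issued by the same CA, not a way around the check.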
