Showing posts from May, 2010

NULL Prefix attack against SSL certificates

I was show casing the SSLStrip tool in my office. Everybody was asking how it works. Security Researcher Moxie had released two tools SSLSniff and SSLStrip during Black Hat 2009. These tools were capable of doing MITM on SSL connection. They exploited a weakness in signing the certificates. SSL heavily rely on X509 certificate structure to prove authenticity.
For the SSL it is the 'common name field' of the X509 certificate that is used to identify authentic servers. For example, Paypal will used '' in the common name field.
The signing process heavily relies on the above convention. The Certificate Authorities will sign '', they don't care whether you are requesting for '' or ''- as long as you prove that you are
The Trick:
X509 certificates are commonly formatted using ASN.1 notation. ASN.1 supports many string types but all of them are represented as some…

Holistic Approach to Code Review

These days I am doing code review. Good, I am learning one more new thing apart from Network scanning and Server security assessment. Code review is a very complex process. You have to be familiar with at least one language, rest of languages you will automatically learn as time passes.
Automated code review is a process where you run the scanning tools like Fortify on the code base followed by manual auditing of them. The scanner flags the whole code base with vulnerabilities based on its perception. Now its job of the auditor to differentiate between real issues and false positives. Here the real pain starts. You don't have command over each and very language. So taking help of the language specific resources is required. Now the situation is I have got familiar with almost all major language ( .NET, Java, PHP) specific vulnerabilities. Doing Black box assessment you never come to know , where the real problem lies. But Code review gives you the complete picture of the vulnerabi…