Over on the NCC Group website I published a solution to an open demonstration of the well-known JSON Web Token (JWT) algorithm confusion vulnerability (the one where you swap the token algorithm from ‘RS’ to ‘HS’ and sign your payload with the public key). I use OpenSSL to gain full visibility of what’s happening and, by walking through the method, if you ever need to test this vulnerability yourself, it will hopefully help to avoid false negatives.
This article dissects the recent Logjam paper from a pentesting viewpoint to reveal a number of different factors that affect the impact of the vulnerability. One of those factors includes the use of common primes and I’ve included a small change to OpenSSL that you can use to look out for this. Continue reading
I recently did an internal presentation on POODLE – what the flaw is and how to test for it – and a version of the slides can be found here. Obviously much has been written about the vulnerability, its mitigations and what the future holds. What follows expands on the testing aspect of the presentation, with a few pointers on manual checks if you feel you need to verify or clarify – and possibly even add to – what the tools are telling you. Continue reading
It’s often important to know which SSL/TLS cipher suite is preferred by a server to alter the risk rating of a particular issue. For POODLE, if the server prefers RC4 ciphers over SSLv3 connections then it’s very unlikely that a connection will be vulnerable to POODLE. Similarly, if a server prefers block ciphers then reporting RC4 support should be appropriately adjusted. Occasionally tools conflict over which cipher suite is preferred so I thought I’d write up how to resolve this manaully in the spirit of the SSL/TLS manual cheatsheet. Continue reading
The other day my attention was drawn to a switch in OpenSSL called
-legacy_rengotation. I pulled up the built-in help for
s_client and, sure enough, there it was. So I trawled back through the release notes and it looked to have been there since version 0.9.8m. I couldn’t believe that I hadn’t spotted this before: it looked like the perfect way to test for insecure renegotiation without the faff of having to recompile OpenSSL or use an older version. But after a bit of testing this proved to be a red herring… Continue reading