CAUTION!

CAUTION! DANGER ZONE ahead. Beware of misinformation on the open internet. Contents of the site are mere opinions and are not always facts!

Wednesday, September 6, 2017

Can I spoof a web application by spoofing its SSL certificate?

If the web server hands its SSL certificate to anyone who visits the site, can I spoof the web server by presenting a copy of that certificate?

Short answer: yes and no. The spoof does not get far.

I can copy the legitimate site's certificate and present it to the client, because the certificate is public. If I can also get the client's traffic routed to me, the client's certificate check passes and it believes it is talking to the legitimate site. What I cannot do is get the client to actually communicate with me.

The client will start the handshake, but the spoof server cannot finish it. With RSA key exchange, the client encrypts the pre-master secret to the public key in the certificate, and only the legitimate site's private key can decrypt it, so the spoof server cannot derive the session keys, cannot read the client's encrypted Finished message, and cannot produce a Finished of its own that the client accepts. With (EC)DHE key exchange, the spoof server has to sign its key share with that same private key, and the client rejects the forged signature before sending anything. Either way the handshake fails and no application data (cookies, credentials, request bodies) is ever sent to the spoof.

Background notes:

- SSL/TLS negotiation uses asymmetric cryptography to agree on a symmetric key. With RSA key exchange, the client generates a pre-master secret, encrypts it with the server's public key (taken from the certificate the server presents), and only the holder of the matching private key can decrypt it; both sides then derive the master secret and the session keys from it. With (EC)DHE key exchange, the server instead signs its ephemeral key share with that private key, and the client verifies the signature with the public key from the certificate. Once both sides hold the same session keys, all further traffic is encrypted symmetrically.

- A certificate is valid only if it has not been modified or tampered with: the issuing CA signs it with the CA's private key, and that signature can be verified only with the CA's corresponding public key. Note that a verbatim copy of a certificate verifies just fine; the signature protects the certificate's integrity, it does not prove that whoever presents it holds the server's private key.

- Certificates are issued to legitimate sites by a trusted CA (certificate authority). A certificate that does not chain up to a CA the client trusts must not be trusted.

- The client (or the user) must verify the server's certificate - the chain, the hostname, the validity period and, ideally, the revocation status - to be sure it is talking to the server it intends to. A client that skips this check will send sensitive data to any spoofed site, and that spoof does not even need a copied certificate: it can present a self-signed one for which it does hold the private key and complete the handshake normally.
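To make the two handshake arguments above concrete, here is an added Python example; it is not code from the original post. It models both key exchange modes with a textbook-RSA toy key pair: the primes, the stand-in PRF and the stand-in Finished MAC are assumptions for illustration only, and a real TLS stack uses proper padding, the TLS PRF or HKDF, and a full transcript hash. The spoof server holds the same public key as the legitimate one (the copied certificate) but no private exponent.

```python
"""Toy model of a TLS handshake against a server that presents a copied
certificate but lacks the private key. Textbook RSA with small fixed primes
and no padding, for illustration only; never use this as a cryptosystem."""
import hashlib
import hmac
import secrets

# Constructed toy key pair for the legitimate site (not from any real certificate).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)    # what the certificate publishes; anyone can copy it


class Server:
    """A TLS server. private_key is None for the spoof that only copied the certificate."""

    def __init__(self, name, public_key, private_key=None):
        self.name = name
        self.public_key = public_key
        self.private_key = private_key

    def decrypt_premaster(self, ciphertext):
        """RSA key exchange: recover the client's pre-master secret. Needs the private key."""
        n, _ = self.public_key
        if self.private_key is None:
            return 0           # spoof: cannot decrypt; any guess is wrong (the client never picks 0)
        return pow(ciphertext, self.private_key, n)

    def sign(self, digest):
        """(EC)DHE key exchange: sign the ephemeral key share. Needs the private key."""
        n, _ = self.public_key
        if self.private_key is None:
            return 0           # spoof: cannot sign; a forged value will not verify
        return pow(digest, self.private_key, n)


def derive_session_key(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: equal keys only if both sides hold the same pre-master secret."""
    data = premaster.to_bytes(16, "big") + client_random + server_random
    return hashlib.sha256(data).digest()


def finished_mac(session_key, transcript):
    """Stand-in for the Finished message: a MAC over the handshake under the session key."""
    return hmac.new(session_key, transcript, hashlib.sha256).digest()


def rsa_key_exchange(server):
    """TLS 1.2 RSA key exchange, condensed. True if the client accepts the server's Finished."""
    n, e = server.public_key                       # taken from the certificate the server presented
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    premaster = secrets.randbelow(n - 2) + 1       # client's secret, 1 <= premaster < n - 1
    client_key_exchange = pow(premaster, e, n)     # encrypted to the certificate's public key
    transcript = client_key_exchange.to_bytes(8, "big") + client_random + server_random

    client_key = derive_session_key(premaster, client_random, server_random)
    server_key = derive_session_key(server.decrypt_premaster(client_key_exchange),
                                    client_random, server_random)
    # The client's own Finished goes out encrypted under client_key; a server without
    # the matching private key can neither read it nor produce a Finished the client
    # accepts, so the handshake fails before any application data is sent.
    return hmac.compare_digest(finished_mac(server_key, transcript),
                               finished_mac(client_key, transcript))


def signed_key_exchange(server):
    """(EC)DHE key exchange, condensed: the client checks the server's signature over its
    key share with the public key from the certificate before sending anything secret."""
    n, e = server.public_key
    server_share = secrets.token_bytes(32)         # stand-in for the ephemeral DH public share
    digest = int.from_bytes(hashlib.sha256(server_share).digest(), "big") % n
    signature = server.sign(digest)                # ServerKeyExchange signature
    return pow(signature, e, n) == digest          # verified with the certificate's public key


LEGIT = Server("legit", PUBLIC_KEY, D)
SPOOF = Server("spoof", PUBLIC_KEY)                # same certificate, no private key

if __name__ == "__main__":
    for srv in (LEGIT, SPOOF):
        print(f"{srv.name}: RSA handshake {'ok' if rsa_key_exchange(srv) else 'FAILED'}, "
              f"(EC)DHE handshake {'ok' if signed_key_exchange(srv) else 'FAILED'}")
```

Run it and the legitimate server completes both handshakes while the spoof fails both: in the RSA case its derived key never matches the client's, and in the (EC)DHE case its signature does not verify, so the client would abort before the first request is sent.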

Saturday, August 26, 2017

Cordova android REST client test with localhost

Say you have a REST service running on your local machine, which you test with an HTTP client from the same machine.

Now, you have your cordova android client that consumes your REST service.

How do you make requests to the web service running on your local machine (it is not hosted anywhere yet)?

We will set up your local network so that the Android client (in fact, any client on the internet) can reach the web server on your local machine.

We will configure the home router to forward traffic arriving on a specific port (on the router) to a specific port on your local machine (the port the web service listens on), so that any request sent to the router port lands on the local machine. This is PORT FORWARDING.

1. Find your router's setup page. It is usually 192.168.0.1 or 192.168.1.1 (you need the login and password, often still the defaults such as admin / admin; if they are, change them while you are in there, since you are about to expose this router to the internet).

NOTE: The router setup screens could be different for your router. However, the steps should be the same.

2. Assign a static IP for your local machine on your router:

  • Choose a static IP address for the local machine from the DHCP range (DHCP -> DHCP settings shows the start and end IP addresses).
  • Go to DHCP -> address reservation -> Add new -> enter that IP and the MAC address of your local machine, so the machine always gets the same address and the forwarding rule keeps pointing at it.
3. Route the traffic from router port to local machine port (service port):

  • Go to Forwarding -> virtual servers -> add new -> enter the protocol (TCP), the router port, the web service port and the local machine's IP address (the static IP reserved above).
  • Some routers only allow the router port and the service port to be the same number.

4. Restart the router for the settings to take effect.

5. Find the WAN IP to send requests to: go to Status -> WAN IP and send requests to WAN_IP:ROUTER_PORT. Test from outside your own network (for example from the phone on mobile data), because many home routers do not loop a request from the LAN back in through their own WAN address.

Beware! You have now opened your local server to the internet, so take the necessary security measures to keep it safe: keep the service patched, do not run it as an administrative user, and remove the forwarding rule when you are done testing.

Compare the WAN IP on the router's Status page with the address the internet sees for you (any "what is my IP" service shows it). If they are the same, there is no carrier-grade NAT in front of you and anyone on the internet can reach your server, provided they find the port - and port scanners will. If the WAN IP differs, or falls in a private range or in the shared address space 100.64.0.0/10 that ISPs use for carrier-grade NAT, the forwarded port is not reachable from the internet at all.
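A small added Python check (not part of the original post) that encodes the comparison above: it classifies the WAN address the router reports and compares it with the address the internet sees. The two addresses are passed in as arguments, so nothing is fetched from the network, and the sample values in the example are constructed documentation addresses, not real hosts; the port placeholder ROUTER_PORT is the one used in the post.

```python
"""Decide whether a port-forwarding rule is actually reachable from the Internet,
given the WAN address from the router's Status page and the address the Internet
sees for you (as reported by any "what is my IP" service)."""
import ipaddress

# Address ranges on which a forwarded port can never be reached from the public Internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space used by carrier-grade NAT


def wan_ip_scope(wan_ip):
    """Classify the router's WAN address as 'private', 'cgnat' or 'public'."""
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in net for net in PRIVATE):
        return "private"   # the router sits behind another NAT device (e.g. an ISP modem/router)
    if ip in CGNAT:
        return "cgnat"     # ISP-level NAT: the forwarded port is not reachable at this address
    return "public"


def forwarding_reachable(wan_ip, public_ip, router_port="ROUTER_PORT"):
    """Return (reachable, reason). The rule works from the Internet only when the router
    itself holds the public address: WAN IP == public IP and not in a shared/private range."""
    scope = wan_ip_scope(wan_ip)
    if scope != "public":
        return False, f"WAN address {wan_ip} is in a {scope} range; an upstream NAT is in the way"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(public_ip):
        return False, f"WAN address {wan_ip} differs from public address {public_ip}; carrier-grade NAT likely"
    return True, f"{wan_ip}:{router_port} is reachable by anyone on the Internet; lock the service down"


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not addresses of any real network.
    for wan, public in (("203.0.113.7", "203.0.113.7"),
                        ("100.72.3.4", "203.0.113.7"),
                        ("192.168.1.2", "203.0.113.7")):
        ok, why = forwarding_reachable(wan, public)
        print(f"{'REACHABLE    ' if ok else 'NOT reachable'}: {why}")
```

If the check says "not reachable", no amount of fiddling with the forwarding rule will help; you either need the upstream device to forward as well, or a different approach such as a tunnel to a host that does have a public address.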

This setup is not specific to the Android client. It is the general way to expose a web service on your local machine beyond the local network.

There are also two security-related settings in Cordova that must allow the client to make requests to the web service.

1. The CSP (Content Security Policy) does not override the same-origin policy; it restricts which origins the page may load content from and connect to. In a Cordova app the policy comes from the <meta> tag in the HTML head rather than an HTTP header, since the app is loaded from the device. Requests from XMLHttpRequest or fetch are governed by connect-src, which falls back to default-src in the policy below, so add your web server's origin there. The angle-bracketed part is a placeholder: a CSP source is written as scheme://host:port (for example http://WAN_IP:ROUTER_PORT), and a path is optional.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' <protocol://WAN_IP:ROUTER_PORT/path> data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

2. The Cordova config (config.xml) by default allows all origins with <access origin="*" />. Tighten it so that requests are only allowed to the origins you know about. On cordova-android 4.0 and later, these <access> and <allow-intent> entries are enforced by cordova-plugin-whitelist, which must be installed for network requests to be allowed at all.
Cordova version: 6.2.0

<access origin="*://<WAN_IP:ROUTER_PORT>" subdomains="true"/>
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />