How to make Fiddler generate certificate with wrong CN

5 posts, 0 answers
  1. Andrew
    Andrew avatar
    3 posts
    Member since:
    Dec 2015

    Posted 11 Dec 2015 Link to this post

    I need it for security testing. My purpose is to check, how the application would behave, if the adversary presents a certificate with a wrong Common Name (CN) and/or SubjectAltName, but signed by a correct CA.

    I believe that the application in test uses HostnameVerifier incorrectly and need to prove it.

  2. Eric Lawrence
    Admin
    Eric Lawrence avatar
    833 posts

    Posted 11 Dec 2015 Link to this post

    Click Rules > Customize Rules. Scroll to OnBeforeRequest.

    Inside that function, add the following:

       if (oSession.HTTPMethodIs("CONNECT") && 
           oSession.HostnameIs("siteIcareabout.com"))
       {
             oSession["X-OverrideCertCN"] = "badhostname.net";
       }


    Save the file and restart the browser if it had previously established any connections to https://siteIcareabout.com.

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. Andrew
    Andrew avatar
    3 posts
    Member since:
    Dec 2015

    Posted 14 Dec 2015 in reply to Eric Lawrence Link to this post

    Thank you, Eric! Works like a charm. 

    Now I want to check,  how the application would behave, if the SSL certificate has expired. Is there any way to do that? I browsed the documentation, but did not find a way to do that.

     

    Thank you again!

  4. Eric Lawrence
    Admin
    Eric Lawrence avatar
    833 posts

    Posted 14 Dec 2015 Link to this post

    Hello, Andrew--

    Expired certificates are slightly trickier. Which certificate generator are you using (Tools > Fiddler Options > HTTPS, look at the blue link on the right)?

    Probably the simplest thing to do would be to use the app so that Fiddler creates the certificate, then, without closing the app, change the local system clock to three years in the future.

    Alternatively, if you're using the CertEnroll generator, you can type

       prefs set fiddler.certmaker.ValidDays -364

    in the QuickExec box so that the certificates generated expire nearly a year before the current date.

    If you do that, don't forget to remove the preference and use the "Remove Interception Certificates" Action in the HTTPS tab to remove the "bad" certificates after you're done testing (or everything else will break too!)

    Regards,
    Eric Lawrence
    Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  5. Andrew
    Andrew avatar
    3 posts
    Member since:
    Dec 2015

    Posted 15 Dec 2015 Link to this post

    Thank you again!
Back to Top