I need it for security testing. My purpose is to check how the application would behave if the adversary presents a certificate with a wrong Common Name (CN) and/or SubjectAltName, but signed by a correct CA.
I believe that the application under test uses HostnameVerifier incorrectly and need to prove it.
4 Answers, 1 is accepted
Click Rules > Customize Rules. Scroll to OnBeforeRequest.
Inside that function, add the following:
    // The CONNECT request opens the HTTPS tunnel; this is where Fiddler decides
    // which name to put on the certificate it generates for the client.
    if (oSession.HTTPMethodIs("CONNECT") &&
        oSession.HostnameIs("siteIcareabout.com"))
    {
        // Present a certificate for a different hostname, still signed by
        // the Fiddler root the client trusts.
        oSession["X-OverrideCertCN"] = "badhostname.net";
    }
Save the file and restart the browser if it had previously established any connections to https://siteIcareabout.com.
Regards,
Eric Lawrence
Telerik
Do you want to have your say when we set our development plans?
Do you want to know when a feature you care about is added or when a bug fixed?
Explore the
Telerik Feedback Portal
and vote to affect the priority of the items
Andrew answered on 14 Dec 2015, 10:46 AM
Thank you, Eric! Works like a charm.
Now I want to check how the application would behave if the SSL certificate has expired. Is there any way to do that? I browsed the documentation but did not find a way to do that.
Thank you again!
Hello, Andrew--
Expired certificates are slightly trickier. Which certificate generator are you using (Tools > Fiddler Options > HTTPS, look at the blue link on the right)?
Probably the simplest thing to do would be to use the app so that Fiddler creates the certificate, then, without closing the app, change the local system clock to three years in the future.
Alternatively, if you're using the CertEnroll generator, you can type
    prefs set fiddler.certmaker.ValidDays -364
in the QuickExec box so that the certificates generated expire nearly a year before the current date.
If you do that, don't forget to remove the preference and use the "Remove Interception Certificates" Action in the HTTPS tab to remove the "bad" certificates after you're done testing (or everything else will break too!)
Regards,
Eric Lawrence
Telerik
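Both conditions discussed in this thread, a certificate for the wrong name that is nonetheless issued by a trusted CA, and a certificate checked after it has expired, can be reproduced offline with nothing but openssl, which is a useful way to confirm what a correct client-side check must reject before pointing the application at Fiddler. The script below is an added example and is not code from the thread or from Fiddler. It assumes a POSIX shell with openssl (1.1.1 or later) and mktemp on the path; it reuses the placeholder names siteIcareabout.com and badhostname.net from the answers, while the throwaway CA name, the file names and the 400-day clock jump are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: build a leaf certificate for
# "badhostname.net" signed by a throwaway CA, then check it the way a correct
# client would, (1) against the name it carries, (2) against the name the
# client actually wanted (siteIcareabout.com), and (3) at a time past its
# expiry. Placeholder hostnames come from the thread; everything else here
# (CA name, file names, 400-day skew) is this example's own assumption.
set -e

WORK="${WORK:-$(mktemp -d)}"    # scratch directory for keys and certs

# Create a throwaway CA and a leaf certificate whose CN and SAN both say
# "badhostname.net", signed by that CA. This is the "wrong name, trusted
# issuer" certificate that X-OverrideCertCN makes Fiddler present.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=badhostname.net" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    # Modern clients match the SAN, not the CN, so put the name there too.
    printf 'subjectAltName=DNS:badhostname.net\n' > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Validate leaf.crt the way a correct client should: chain to the trusted CA,
# match the expected hostname, and check the validity period.
#   $1 = hostname the client believes it is connecting to
#   $2 = optional Unix timestamp at which to evaluate validity (default: now)
# Exit status 0 means the certificate would be accepted, non-zero rejected.
verify_as_client() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
            -attime "$2" "$WORK/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
            "$WORK/leaf.crt" >/dev/null 2>&1
    fi
}

# A timestamp 400 days from now: past the leaf's 365-day lifetime, which is
# the command-line equivalent of moving the system clock forward.
future_time() {
    echo $(( $(date +%s) + 400 * 86400 ))
}

make_certs

# Baseline: the name on the certificate, checked now, is accepted.
verify_as_client badhostname.net && echo "OK: badhostname.net accepted"
# Scenario from the question: trusted CA, but the name does not match.
verify_as_client siteIcareabout.com || echo "REJECTED: hostname mismatch"
# Scenario from the follow-up: right name, but evaluated after expiry.
verify_as_client badhostname.net "$(future_time)" || echo "REJECTED: expired"
```

A correct client rejects the last two cases; an application whose hostname check accepts any name, or which ignores the validity period, will accept them, and that difference is exactly what the Fiddler override and the ValidDays trick let you observe against the real application. Remember that the same caveat from the answer applies to any such throwaway CA: remove it from every trust store you imported it into when testing is over.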
Andrew answered on 15 Dec 2015, 02:17 PM
Thank you again!