SSL pass through - request for help :)


psiinon

Feb 26, 2014, 8:39:57 AM
to zaproxy...@googlegroups.com
A few people have mentioned that they're having problems with ZAP generated certs for sites that use certificate pinning.
We have an issue open to fix this: http://code.google.com/p/zaproxy/issues/detail?id=688 but I don't think I'm going to be able to look at it in the near future.
Any volunteers to have a go??

Many thanks,

Simon

Kevin W. Wall

Feb 26, 2014, 10:14:14 AM
to zaproxy...@googlegroups.com

Simon,

I'm not sure there is anything that ZAP *can* do to fix this, at least if the certificate pinning is implemented correctly.

You might be able to take an approach like Moxie Marlinspike's sslstrip does and in essence change https:// connections to http:// by rewriting requests & responses on-the-fly, but that has limitations. It would only work if the connection starts out as an http: connection or https is used but certificate pinning is not being used initially. It would also probably fail if HSTS is being used.

You might also be able to disable it *for browsers*  using cert pinning by temporarily tweaking browser settings (e.g., disable some browser plug-in, etc.), but that likely will not work for mobile applications unless there is some way to globally do that (and if there is, I'm not aware of one).

The reason this is going to be a problem is that one of the design intents of pinning is to prevent MITM attacks.

-kevin
Sent from my Droid; please excuse typos.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

psiinon

Feb 26, 2014, 10:18:59 AM
to zaproxy...@googlegroups.com
Hey Kevin,

The 'solution' is to allow the user to configure ZAP to pass the requests through unmolested.
So ZAP becomes a transparent proxy for these requests and not a MITM proxy :)

Cheers,

Simon

kingt...@gmail.com

Feb 26, 2014, 10:34:26 AM
to zaproxy...@googlegroups.com
I don't think there's any way to get past DANE:

DNS-based Authentication of Named Entities (DANE) (https://datatracker.ietf.org/doc/rfc6698/) - uses Secure DNS to associate Certificates with Domain Names For S/MIME, SMTP with TLS, DNSSEC and TLSA records.

" This document improves on that situation by enabling the administrators of domain names to specify the keys used in that domain's TLS servers. This requires matching improvements in TLS client software, but no change in TLS server software. "

Unless we implemented a full PCAP stack and started futzing with DNS requests too...
-----
For PKP:
Public Key Pinning (http://www.ietf.org/id/draft-ietf-websec-key-pinning-09.txt) – an extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.

It might not be as bad, you might be able to do something similar to what we're doing today and the user/tester will just have to accept/ignore the warning.
-----
For other out-of-scope uses like just blindly passing the traffic, why are we worrying about that. If ZAP can't do any inspection of the traffic there isn't much point in using ZAP. There are lots of other plain proxy tools that people could use.

Kevin W. Wall

Feb 26, 2014, 10:35:10 AM
to zaproxy...@googlegroups.com

Exactly. Just saying, *if* the certificate pinning is implemented correctly, you won't be able to bypass it. A transparent proxy *can* do MITM attacks (even though that's generally not their intent), and pinning is designed in part to *prevent* that possibility. You would have a similar issue on sites that require client-side certs, although that one you could get around by making the client-side certificate's *private* key available to ZAP.

-kevin
Sent from my Droid; please excuse typos.

Kevin W. Wall

Feb 26, 2014, 10:37:58 AM
to zaproxy...@googlegroups.com

The only 'solution' is to have the user disable the certificate pinning checks. For mobile apps, this is likely built into the app itself and may not be possible.

-kevin
Sent from my Droid; please excuse typos.

psiinon

Feb 26, 2014, 10:43:57 AM
to zaproxy...@googlegroups.com
Yes, people are asking for the option to specify which URLs ZAP should pass through without decoding and not MITM.
And yes they could do this via something like Foxy proxy, but they have explicitly asked for it as a ZAP option :)
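As an added illustration of the option being asked for here (example code, not ZAP's own), this is the per-CONNECT decision a MITM proxy would make: hosts matching a user-supplied passthrough list get a blind tunnel, so the pinning client sees the origin's real certificate, while everything else is intercepted. The pattern syntax (`host`, `*.suffix`, optional `:port`) and the sample list are assumptions for illustration, not a ZAP configuration format.

```python
# Added example, not ZAP's code: passthrough vs. intercept decision on a
# CONNECT request. Pattern syntax ("host", "*.suffix", optional ":port")
# is an assumed illustration format, not ZAP's real config.
import fnmatch
import re
from typing import Iterable, Optional, Tuple

_CONNECT_RE = re.compile(
    r"^CONNECT[ \t]+(?P<host>\[[0-9a-fA-F:.]+\]|[^\s:\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?[ \t]+HTTP/1\.[01]\r?\n?$"
)

def parse_connect(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for a well-formed CONNECT line, else None.
    Port defaults to 443; bracketed IPv6 literals lose their brackets."""
    m = _CONNECT_RE.match(request_line)
    if m is None:
        return None
    port = int(m.group("port") or 443)
    if not 0 < port < 65536:
        return None
    return m.group("host").strip("[]").lower(), port

def _split_pattern(pattern: str) -> Tuple[str, Optional[int]]:
    """'api.example.test:8443' -> ('api.example.test', 8443); no port -> any."""
    host, sep, port = pattern.lower().rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]"), int(port)
    return pattern.lower().strip("[]"), None

def should_passthrough(host: str, port: int, patterns: Iterable[str]) -> bool:
    """True if host:port matches any pattern. '*.example.com' matches any
    subdomain (fnmatch semantics) but not the apex; no port means every port."""
    for pattern in patterns:
        pat_host, pat_port = _split_pattern(pattern)
        if pat_port is not None and pat_port != port:
            continue
        if fnmatch.fnmatchcase(host, pat_host):
            return True
    return False

def decide(request_line: str, patterns: Iterable[str]) -> str:
    """'tunnel' (relay bytes, origin cert reaches the client), 'intercept'
    (proxy presents its own generated cert) or 'reject' (malformed CONNECT)."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "reject"
    host, port = parsed
    return "tunnel" if should_passthrough(host, port, patterns) else "intercept"

# Constructed sample list: the Dropbox client from this thread, exempted.
PASSTHROUGH = ["*.dropbox.com", "dropbox.com", "api.example.test:8443"]
```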

Kevin W. Wall

Feb 26, 2014, 10:51:05 AM
to zaproxy...@googlegroups.com

On Feb 26, 2014 10:34 AM, <kingt...@gmail.com> wrote:
>
> I don't think these any way to get past DANE:
>
> DNS-based Authentication of Named Entities (DANE) (https://datatracker.ietf.org/doc/rfc6698/) - uses Secure DNS to associate Certificates with Domain Names For S/MIME, SMTP with TLS, DNSSEC and TLSA records.

I agree; to get around DANE, you would also need to start intercepting DNS requests and try to forge those. You also probably would have to tweak the client's DNS resolver to disable requiring DNSSec records.

-kevin

kingt...@gmail.com

Feb 26, 2014, 10:56:51 AM
to zaproxy...@googlegroups.com
Someone at work also just pointed out that there is a push towards Certificate Transparency:
http://www.entrust.com/certificate-transparency/
https://datatracker.ietf.org/doc/rfc6962/

Bypass of which would also require us to do a lot of heavy lifting like DANE.

I think wide acceptance/adoption of any of these is a few years out, so if we're getting requests as Simon has mentioned then maybe it's worth looking into. I mainly chimed in to keep us from wasting too much time on something that might become irrelevant. If we can accomplish what Simon mentioned (and I guess others have asked for) in short order then go for it; if not, then let's do some CBA on the idea(s)....

ne...@halloleo.hailmail.net

Mar 5, 2014, 8:19:56 PM
to zaproxy...@googlegroups.com
That is exactly my use case:

I want to use Dropbox through ZAP. And Dropbox seems to check where the certificate comes from (it does not accept a certificate issued to ZAP).

So, if ZAP just transparently could pass through the HTTPS requests that would be fantastic!

Many thanks, Leo

Kevin W. Wall

Mar 6, 2014, 12:30:49 AM
to zaproxy...@googlegroups.com
On Wed, Mar 5, 2014 at 8:19 PM, <ne...@halloleo.hailmail.net> wrote:
> That is exactly my use cases:
>
> I want to use Dropbox through ZAP. And Dropbox seems to check where the
> certificate comes from (it does not accept a certificate issued to ZAP).
>
> So, if ZAP just transparently could pass through the HTTPS requests that
> would be fantastic!

Are you referring to a Dropbox app, such as an Android or iOS app?
If so, the application is probably using certificate pinning and when it
sees a different certificate, it refuses to connect. (This is one problem
that I mentioned earlier.)

Unless you can disable certificate pinning on your OS (which probably can
be done, but _might_ require superuser access and thus a rooted /
jail-broken device). However, you should still be able to access dropbox.com
via your browser. Some browsers at least will not do certificate pinning (for
instance, Firefox does not do certificate pinning without special add-ons).

And with TLS, one cannot "transparently pass through requests" if one
needs to see them to analyze them as ZAP does because the tunneled
connection is encrypted. Now if the Dropbox app (which is what I'm assuming
you are referring to rather than using a browser to connect to dropbox.com)
can be itself configured to accept local non-SSL proxies, it might be possible
to get something working by having the connection from the Dropbox app
to ZAP be a vanilla HTTP connection and the connection from ZAP to
dropbox.com be an HTTPS connection. But again, that's app specific.
Also, if iOS or Android supports a local proxy setup, it might be possible
to do proxy-chaining, but I'm not sure that ZAP supports that (unless it can
be configured as a transparent proxy via port-forwarding).

Anyway, I'm just rambling. I have no real answers. But a more detailed
description of your set up that you are trying to test would be helpful
to us all.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.

ne...@halloleo.hailmail.net

Mar 6, 2014, 1:26:49 AM
to zaproxy...@googlegroups.com
Hi Kevin,

Thanks for your reply!

> Are you referring to a Dropbox app, such as an Android or iOS app?

I am referring to the Dropbox application on Windows 7. I can configure a proxy in it, so I have pointed it at my local ZAP, but I have no idea how to load trusted certificates into the Dropbox application.

> If so, the application is probably using certificate pinning and when it
> sees a different certificate, it refuses to connect. (This is one problem
> that I mentioned earlier.)

ZAP does not need to analyse the requests for me, just do the NTLM authentication (which it does perfectly) and pass data through from and to the corporate upstream proxy.

Thanks, Leo

ashkan....@gmail.com

May 27, 2015, 10:09:21 AM
to zaproxy...@googlegroups.com
Hi there,

I am also interested in such a feature and I need it for testing Android devices.
Adding a feature for selectively excluding some domains from using internal ZAP SSL certificate is very practical.

Does anybody work on it? Or has this problem been solved?


Cheers,
Ashkan

psiinon

May 28, 2015, 4:48:13 AM
to zaproxy...@googlegroups.com, ashkan....@gmail.com
I'm afraid it's not been fixed yet :(
Anyone fancy looking at it?

Note that OWASP is now on Bountysource: https://www.bountysource.com/teams/owasp-foundation/bounties so maybe that's an option for encouraging someone to implement this??

Cheers,

Simon

Ashkan Taslimi

May 28, 2015, 5:15:15 AM
to zaproxy...@googlegroups.com
I guess it's a good idea to add it to Bountysource. I am interested to work on that depending on how long it would take.

Can you estimate approximately how long it would take to add such a feature? And where is a good point to start?



psiinon

Jun 8, 2015, 7:12:38 AM
to zaproxy...@googlegroups.com, ashkan....@gmail.com
Ugh, sorry for the delay - I've been concentrating on the GitHub migration :/

Unfortunately I don't know how long it will take - I've only made minor changes to the SSL code. If I knew how to do it quickly then I would ;)
The classes I'd start looking at are:

* https://github.com/zaproxy/zaproxy/blob/master/src/org/parosproxy/paros/core/proxy/ProxyThread.java
* https://github.com/zaproxy/zaproxy/blob/master/src/org/parosproxy/paros/network/SSLConnector.java

Anyone else got any suggestions as to how to implement this?


Cheers,


Simon


psiinon

Jun 8, 2015, 11:17:54 AM
to zaproxy...@googlegroups.com, psi...@gmail.com, ashkan....@gmail.com
Someone's provided me with the attached hack, which seems to do the trick :D
It has one hardcoded URL, which you can tweak as required.
Obviously we'd need the URLs to come from the configs before the patch could be committed, maybe with right click menus to allow users to select hosts from the Sites tree?
Anyone fancy doing that?

Cheers,

Simon
Attachment: ssl-passthrough.patch

Nicholas Amon

Jul 9, 2016, 3:30:38 PM
to OWASP ZAP Developer Group, psi...@gmail.com, ashkan....@gmail.com
What about the case where I have the server side certificate and private key and I want to configure ZAP to use that in MiTM to get around the certificate pinning issue? Is that supported? In other words, rather than having ZAP dynamically generate a certificate to present to the browser, I want it to use a configured certificate and private key.

thc...@gmail.com

Jul 12, 2016, 2:47:27 AM
to zaproxy...@googlegroups.com
Hi.

That's not supported; you could raise an issue. [1]

There's a FAQ entry on how to disable cert pinning:
https://github.com/zaproxy/zaproxy/wiki/FAQcertpinning


[1] https://github.com/zaproxy/zaproxy/issues/new

Best regards.

On 09/07/16 20:30, Nicholas Amon wrote:
> What about the case where I have the server side certificate and private
> key and I want to configure ZAP to use that in MiTM to get around the
> certificate pinning issue? Is that supported? In other words, rather
> than having ZAP dynamically generate a certificate to present to the
> browser, I want it to use a configured certificate and private key.
>
> On Monday, June 8, 2015 at 11:17:54 AM UTC-4, psiinon wrote:
>
> Someone's provided me with the attached hack, which seems to do the
> trick :D
> It has one hardcoded URL, which you can tweak as required.
> Obviously we'd need the URLs to come from the configs before the
> patch could be committed, maybe with right click menus to allow
> users to select hosts from the Sites tree?
> Anyone fancy doing that?
>
> Cheers,
>
> Simon
>
>
> On Monday, 8 June 2015 12:12:38 UTC+1, psiinon wrote:
>
> Ugh, sorry for the delay - I've been concentrating on the GitHub
> migration :/
>
> Unfortunately I don't know how long it will take - I've only made
> minor changes to the SSL code. If I knew how to do it quickly
> then I would ;)
> The classes I'd start looking at are:
>
> * https://github.com/zaproxy/zaproxy/blob/master/src/org/parosproxy/paros/core/proxy/ProxyThread.java
> * https://github.com/zaproxy/zaproxy/blob/master/src/org/parosproxy/paros/network/SSLConnector.java

psiinon

Jul 12, 2016, 3:36:31 AM
to OWASP ZAP Developer Group
We do support importing CA certificates as PEM files, which may or may not help you.
Details here, including the Superfish root CA that you can try out ;)

https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsDynsslcert#import

Cheers,

Simon