Dear All,

Please find attached the updated RD Service Security Test RIG (Android) with its supporting document. Later there could be some minor enhancements; we will update you accordingly.

Regards,
Srinivas
UIDAI Team
On Tuesday, 18 April 2017 21:18:47 UTC+5:30, Sanjith Sundaram wrote:

> Dear All,
> Please find attached the RD Service Security Test RIG (Windows/Linux) and its supporting document. Use this thread (only) for any queries or issues related to the RIG execution.
> Android RIG will be released shortly.
> Regards,
> Sanjith Sundaram
--
You received this message because you are subscribed to the Google Groups "Aadhaar Registered Devices Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to aadhaar_rd+...@googlegroups.com.
To post to this group, send email to aadha...@googlegroups.com.
Visit this group at https://groups.google.com/group/aadhaar_rd.
To view this discussion on the web visit https://groups.google.com/d/msgid/aadhaar_rd/57cf977f-46d5-4a3a-be66-c3102221b093%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
<RDServiceTestApp.apk>
<RIG_doc_Android.docx>
Dear UIDAI Team,
The current version of the Security Rigs performs only XML attacks; however, the document "guidance_to_applicant for publish_revised V2" also mentions the following security test cases for the Provisional Certificate:
1. Insert an internet proxy and try inserting keys in the response. Once completed, validate whether a capture succeeds. The capture call should end with failure.
2. Insert an internet proxy and replace the response from the server with a response used for another device. Attempt a capture call; the result should be a failure.
3. Remove the signature and try upgradation with unsigned files.
4. Make a change to any of the files to break the signature and try upgradation with the unsigned files.
Please let us know how these tests will be performed. Is there any plan to add more features to the Security Rig?
Regards,
Vineet Pant
To view this discussion on the web visit https://groups.google.com/d/msgid/aadhaar_rd/c48f4392-545c-4acf-94f2-8296656d7db6%40googlegroups.com.
" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."
Hi Team,
We found the following validation of the HTTP headers (of the RDService response) in the file "rd_service_connector.py", method "validate_discovery_headers":

    if('ACCESS-CONTROL-ALLOW-ORIGIN' in headers and headers['ACCESS-CONTROL-ALLOW-ORIGIN'].upper() != "*"):
        print TEST_CASE_RESULT_TEMPLATE % ("Access Header Validation for RD Service Discovery", TEST_CASE_RESULT_PASS)
    else:
        print TEST_CASE_RESULT_TEMPLATE % ("Access Header Validation for RD Service Discovery", TEST_CASE_RESULT_FAILURE)

The header key "ACCESS-CONTROL-ALLOW-ORIGIN" is not mentioned in the Registered Device spec; what is the expected value for it?
Other header validations do not match the Registered Device spec:
1/ "LOCATION": the RIG test expects an additional '\' character at the end of "http://127.0.0.1:<service-port>"
2/ "CONNECTION": the RIG test expects the value "CLOSE", but in the spec the value is "CLOSED", though "CLOSE" is more popular and is a better choice.
Best,
Pham
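A small discovery-header validator, added here as an example and not code from the RIG or from UIDAI, that makes the expectations discussed in this thread explicit: header names are compared case-insensitively, LOCATION is restricted to the loopback address on the service port (a trailing '/' or '\' is tolerated, since the RIG expects an extra trailing character the spec does not show), CONNECTION accepts both the spec's "CLOSED" and the RIG's "CLOSE" (an assumption pending clarification), and ACCESS-CONTROL-ALLOW-ORIGIN is flagged when missing or set to "*", mirroring the RIG snippet quoted above. The sample header sets and the port number are constructed, not captured from a real RD Service, and returning a list of findings instead of printing PASS/FAIL is a design choice of this example.

```python
# Added example: RD Service discovery-response header validator.
# Not the RIG's own code. Returns a list of findings; an empty list means pass.

# CONNECTION values accepted: the spec says "CLOSED", the RIG expects "CLOSE".
# Accepting both is an assumption of this example, pending clarification.
ACCEPTED_CONNECTION = {"CLOSE", "CLOSED"}


def normalize_headers(headers):
    """HTTP header names are case-insensitive, so compare on upper-cased,
    whitespace-trimmed names; values are trimmed but keep their case."""
    return {name.strip().upper(): value.strip() for name, value in headers.items()}


def validate_discovery_headers(headers, service_port):
    """Check the discovery response headers against the expectations
    discussed in the thread and return a list of human-readable findings."""
    h = normalize_headers(headers)
    findings = []

    # ACCESS-CONTROL-ALLOW-ORIGIN: the RIG snippet treats a missing header or
    # a wildcard "*" as a failure, so the same two conditions are flagged here.
    acao = h.get("ACCESS-CONTROL-ALLOW-ORIGIN")
    if acao is None:
        findings.append("ACCESS-CONTROL-ALLOW-ORIGIN header missing")
    elif acao == "*":
        findings.append("ACCESS-CONTROL-ALLOW-ORIGIN is the wildcard '*'")

    # LOCATION: must be the loopback address on the advertised service port.
    # A trailing '/' or '\' is stripped before comparing, because the RIG
    # expects an extra trailing character that the spec does not show.
    expected_location = "http://127.0.0.1:%d" % service_port
    location = h.get("LOCATION")
    if location is None:
        findings.append("LOCATION header missing")
    elif location.rstrip("/\\") != expected_location:
        findings.append("LOCATION is %r, expected %r" % (location, expected_location))

    # CONNECTION: compared case-insensitively against the accepted set.
    connection = h.get("CONNECTION")
    if connection is None:
        findings.append("CONNECTION header missing")
    elif connection.upper() not in ACCEPTED_CONNECTION:
        findings.append("CONNECTION is %r, expected one of %s"
                        % (connection, sorted(ACCEPTED_CONNECTION)))

    return findings


# Constructed sample header sets (not captured from a real RD Service); the
# port number is likewise an arbitrary sample value.
SAMPLE_PORT = 11100
GOOD_HEADERS = {
    "Access-Control-Allow-Origin": "http://localhost",
    "Location": "http://127.0.0.1:11100",
    "Connection": "CLOSED",
}
RIG_STYLE_HEADERS = {
    "Access-Control-Allow-Origin": "http://localhost",
    "Location": "http://127.0.0.1:11100\\",   # trailing backslash, as the RIG expects
    "Connection": "close",
}
BAD_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Location": "http://10.0.0.5:11100",      # not the loopback address
    "Connection": "keep-alive",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS),
                        ("rig-style", RIG_STYLE_HEADERS),
                        ("bad", BAD_HEADERS)):
        findings = validate_discovery_headers(hdrs, SAMPLE_PORT)
        print(label, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

Both the spec-style and the RIG-style header sets pass, while the constructed bad set produces one finding per header; a caller testing a real RD Service would feed it the headers from the discovery response and the port the service advertises.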