sec-notes
  • Whoami
  • WEP-Pen
    • Reconnaissance
    • Enumeration
    • OWSAP TOP 10
      • Cryptographic Failures
        • Weak Encoding for Password
        • Improper Following of a Certificate's Chain of Trust
          • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
          • Transport Layer Security (TLS) and SSL **
        • Clear Text Transmission Of Sensitive Data
          • SSLStripping **
      • Broken Access Control
        • Path Traversal
        • Sensitive Cookie with Improper SameSite Attribute
        • Link Following
        • Incorrect Default Permissions
        • Information disclosure
        • CSRF
          • csrf checklist
        • 403 bypass
        • Exposure of WSDL File Containing Sensitive Information
        • bussiness logic checklist
        • 2FA bypass checklist
        • admin panal checklist
        • idor checklist
        • Authentication checklist
        • reset_password_checklist
        • ATO
      • Injection
        • Cross Site Scripting
          • Cross Site Scripting
          • Exploitation
          • Protections
        • SQL Injection
          • SQL Injection Overview
        • NoSQL Injection
        • CRLF Injection
        • XML Injection
      • Insecure Design
      • Security Misconfiguration
        • CORS Miscofigration
        • Mail Server Misconfiguration
      • Vulnerable and Outdated Components
      • Identification and Authentication Failures
      • Software and Data Integrity Failures
      • Security Logging and Monitoring Failures
      • Server-Side Request Forgery (SSRF)
    • Checklists
      • mass assignment
      • aem misconfiguration
      • exif_geo
      • xss
      • Session Management
      • Authorization
      • cookie
      • Django
      • Symfony
      • json
      • bypass rate limit
      • Rce
      • Register Page
    • JWT Hacking
    • GraphQL Vulnerabilities
    • PostMessage Vulnerabilities
      • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - part 1
      • Bypassing SOP with Iframes - part 2
      • Steal postmessage modifying iframe location
  • API-Pen
    • API Discovry
    • Reverse Engineering API Documentation
    • Excessive Data Exposure
    • Vulnerability Scanning
    • API Authentication Attacks
      • Classic Authentication Attacks
      • API Token Attacks
    • API Authorization Attacks
      • Broken Object Level Authorization (BOLA)
      • Broken Function Level Authorization
    • Improper Assets Management
    • Mass Assignment
    • SSRF
    • Injection Attacks in API
    • Evasive Maneuvers
  • NET-Pen
    • Active Directory Pentesting
      • Active Directory Components
      • Initial Attack Vectors
        • LLMNR Poisoning
        • SMB Relay Attacks
        • IPv6 Attacks ( IPv6 DNS Takeover )
        • Printer Hacking
        • Methodology
        • Some Other Attacks
          • Zerologon (CVE-2020-1472)
          • PrintNightmare (CVE-2021-1675)
      • Post-Compromise Attacks
        • Pass Attacks
        • Kerberoasting Attack
        • Token Impersonation Attack
        • LNK File Attack
        • GPP / cPassword Attacks
        • Mimikatz
        • Methodology
      • We've Compromised the Domain
        • Dumping the NTDS.dit
        • Golden Ticket Attacks
        • Methodology
      • Case Study
      • Password Attacks
    • Attack Vectors by Port
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • Kerberos 88
      • POP 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NetBIOS 137-138
      • SMB / Samba 135-139, 445
      • MSRPC 135
      • SNMP 161
      • LDAP 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • http 80
    • Network basics
    • Information Gathering
    • Privilege Escalation
      • Windows Privilege Escalation
      • Linux Privilege Escalation
  • write-ups
    • How i found a Privilege Escalation via Impersonation Features feature
    • How I Bypassed SAML Authentication, Leading to Admin Panel Access.
    • How I was able to discover ATO Via IDOR vulnerability
    • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • Explanation
  • Common Causes
  1. WEP-Pen
  2. OWSAP TOP 10
  3. Cryptographic Failures

Improper Following of a Certificate's Chain of Trust

Secure communication on the internet relies heavily on Public Key Infrastructure (PKI) and SSL/TLS certificates. These certificates establish trust between a client and a server, ensuring that users are connecting to legitimate services rather than malicious ones.

However, when a system fails to properly validate the certificate chain of trust, it opens the door to man-in-the-middle (MITM) attacks, impersonation, phishing, and data interception. This is classified as CWE-296: Improper Following of a Certificate's Chain of Trust.

Explanation

Certificates are used to establish secure communication, ensuring that entities (like websites or services) are who they claim to be. The chain of trust relies on:

  1. The end-entity certificate (used by the website or service).

  2. Intermediate certificate(s) issued by a trusted authority.

  3. A root certificate from a trusted Certificate Authority (CA).

When a system improperly follows this chain, it may accept an untrusted or malicious certificate, leading to security risks.

Common Causes

1. Accepting Self-Signed Certificates Without Verification

Description:

  • Self-signed certificates are not issued by a trusted Certificate Authority (CA), meaning they cannot be verified by a root of trust.

  • Some applications allow users to provide their own certificates but fail to check the issuer, making them vulnerable to MITM attacks.

Attack Scenario:

Wi-Fi Hotspot MITM Attack

  • A hacker sets up a malicious public Wi-Fi network and intercepts traffic using a self-signed certificate.

  • A victim connects to the Wi-Fi and visits a site over HTTPS.

  • If the victim’s browser does not validate certificates properly, it will accept the attacker's self-signed certificate, allowing the attacker to steal sensitive data.

Mitigation: Always validate the certificate issuer and ensure it belongs to a trusted CA. Implement certificate transparency logs to detect unauthorized certificates.

2. Trusting User-Supplied Certificates Without Validating the Entire Chain

Description:

  • Some applications allow users to provide custom certificates, but if the entire certificate chain is not validated, attackers can use fraudulent certificates.

Attack Scenario:

Bypassing Client Authentication

  • A web service uses mutual TLS (mTLS) for authentication.

  • An attacker supplies a fake client certificate, and if the server fails to validate the full chain, it may accept the certificate as valid, granting access.

Mitigation: - Always validate the full chain of trust, ensuring each certificate is issued by a legitimate CA. - Implement strict mutual TLS validation.

3. Improper Certificate Pinning Leading to Bypasses

Description:

  • Certificate pinning ensures that an application only trusts specific certificates, reducing MITM risks.

  • However, improper pinning can lead to security bypasses if attackers exploit weak implementations.

Attack Scenario:

SSL Pinning Bypass in Mobile Apps

  • A mobile banking app uses certificate pinning but only checks the common name (CN) instead of verifying the entire certificate.

  • An attacker installs a proxy tool and pins their own CA certificate.

  • The app accepts the attacker’s certificate, allowing MITM attacks to steal login credentials.

Mitigation: - Pin public keys instead of full certificates to allow certificate renewal. - Use HPKP (HTTP Public Key Pinning) or DNS-based TLSA records for proper pinning.

4. Ignoring Certificate Revocation (CRL/OCSP Bypass)

Description:

  • Attackers can use revoked certificates if an application does not check for Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) responses.

Attack Scenario:

Using a Revoked Certificate for Spoofing

  • A hacker obtains a revoked SSL certificate from a compromised CA.

  • A web application fails to check OCSP, so it still trusts the revoked certificate.

  • The hacker can impersonate a legitimate service and perform MITM attacks.

Mitigation: - Enforce OCSP stapling to ensure revocation checks are performed. - Require applications to verify CRLs (Certificate Revocation Lists).

5. Weak or Incomplete Validation of Certificate Authorities (CAs)

Description:

  • Some applications accept any certificate from a CA, even if the CA itself is untrusted or compromised.

Attack Scenario:

Using a Rogue CA to Issue Fake Certificates

  • An attacker compromises a low-security CA and issues fake certificates for major websites.

  • Browsers that trust all CA-issued certificates automatically accept the fake ones.

  • This enables large-scale phishing attacks or MITM attacks.

Mitigation: - Maintain a strict list of trusted root CAs and remove untrusted CAs. - Use Certificate Transparency Logs to detect unauthorized certificates.

PreviousWeak Encoding for PasswordNextUnderstanding Digital Certificates : Self-Signed and CA-Signed Certificate **

Last updated 1 month ago