jjarmoc/csaw2012_cert_app
CSAW Cert App

An intentionally vulnerable ruby/rack SSL/TLS Client Certificate application. Generates and distributes certs, and maintains a directory of public keys.

Authenticate as 'admin' to obtain the flag.

History

This was used as a challenge in NYU Poly's CSAW CTF 2012. 7 of 15 competing teams were able to solve it.

Solution

There's a writeup and an exploit.

Requirements

  • Some version of Ruby >= 1.9.1 (ruby1.9.x)
  • Developer libraries for same (ruby1.9.x-dev)
  • A working mongodb installation
  • rubygems
  • bundler

Development Environment

The Development environment is configured to use Webrick. Sample CA and Server keypairs are generated on first run.

To install, type:

bundler install

To run:

rackup

Notes:

  • Both the CA certificate and public key must reside (or be symlinked) in the app's /keys directory.
      ◦ If these are unavailable on first launch, both will be created.
      ◦ You may wish to create your own keypairs.
  • Ruby 1.8.7 should work, but bundle fails to install Webrick. Feel free to troubleshoot if you'd prefer.

Production Environment

The Production environment has been tested under nginx with Phusion Passenger.

A sample nginx config will include:

server {
    listen                  443;
    root                    /path/to/certapp/public;
    passenger_enabled       on;

    ssl                     on;
    ssl_certificate         /path/to/keys/cert.pem;
    ssl_certificate_key     /path/to/keys/cert.key;
    ssl_client_certificate  /path/to/keys/ca.crt;
    ssl_verify_client       optional;
    passenger_set_cgi_param SSL_CLIENT_CERT $ssl_client_raw_cert;
    ssl_session_timeout     5m;
    ssl_protocols           SSLv3 TLSv1;
    ssl_ciphers             HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
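The sample above dates from 2012 and still offers SSLv3 and TLSv1. The following is an added, hardened variant of the same server block; it is not taken from the repository. It keeps the page's `ssl_verify_client optional` (the app must be able to enrol clients who have no certificate yet) and the `passenger_set_cgi_param` directive the page already relies on, and additionally passes nginx's own verification verdict (`$ssl_client_verify`) to the app. The `/path/to/...` values are the same placeholders as in the original.

```nginx
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen                  443 ssl;
    root                    /path/to/certapp/public;
    passenger_enabled       on;

    ssl_certificate         /path/to/keys/cert.pem;
    ssl_certificate_key     /path/to/keys/cert.key;
    ssl_client_certificate  /path/to/keys/ca.crt;

    # "optional" keeps unauthenticated cert enrolment working; the app, not
    # nginx, decides which paths require a verified certificate.
    ssl_verify_client       optional;
    ssl_verify_depth        1;

    # Hand the app both the certificate and nginx's verdict on it
    # (SUCCESS, FAILED:<reason> or NONE), so it never has to trust the CN alone.
    passenger_set_cgi_param SSL_CLIENT_CERT   $ssl_client_raw_cert;
    passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;

    ssl_session_timeout     5m;
    # SSLv3 and TLSv1 from the original sample are retired; offer only current versions
    ssl_protocols           TLSv1.2 TLSv1.3;
    ssl_ciphers             HIGH:!aNULL:!MD5:!3DES:!RC4;
    ssl_prefer_server_ciphers on;
}
```

With `ssl_verify_client optional`, nginx rejects a presented certificate that fails to chain to `ca.crt`, but a connection with no certificate at all is still allowed through; the application therefore has to check for the absence of a certificate itself before treating a request as authenticated.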

Notes:

  • The client certificate is passed to the app as the SSL_CLIENT_CERT CGI parameter.
  • Server keypair must be made available to nginx
  • The CA certificate (but not key) must be made available to nginx
  • Both the CA certificate and public key must also reside (or be symlinked) in the certapp's /keys directory.
      ◦ If these are unavailable on first launch, a CA will be created. It must match the CA cert used by nginx for proper operation.
      ◦ You may wish to create your own CA keypair.
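The two notes above (the certificate arrives as the SSL_CLIENT_CERT CGI parameter, and the app's CA must be the same CA nginx verifies against) are what a correct consumer of that parameter has to get right. The following Ruby is an added example, not code from the csaw2012_cert_app repository: a Rack-compatible handler that reads `env['SSL_CLIENT_CERT']`, verifies the certificate against a trust store holding the app's CA, and only then takes the CN as the user name. The CA, the legitimate client certificate and a forged self-signed "admin" certificate are all constructed inside the block so it runs offline with only Ruby's standard `openssl` library; the names `make_cert`, `authenticate`, `APP` and `status_for` are this example's own.

```ruby
require 'openssl'

# Added example (not part of the csaw2012_cert_app repository). Every
# certificate below is constructed here so the file runs offline.

SERIAL = [0] # hypothetical serial counter for the constructed certificates

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Issue a certificate for subject_cn. With no issuer given it is self-signed.
def make_cert(subject_cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = (SERIAL[0] += 1)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign, cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY  = make_key
CA_CERT = make_cert('CSAW Cert App CA', CA_KEY, ca: true)

# The trust store holds exactly the CA that nginx's ssl_client_certificate
# points at. If the CA in the app's keys/ directory differs from nginx's,
# every legitimate client is rejected here even though nginx accepted it.
TRUST_STORE = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }

# Returns the CN of a client certificate that verifies against the store, or
# nil when the parameter is absent, unparsable, or not issued by the CA.
def authenticate(env, store = TRUST_STORE)
  pem = env['SSL_CLIENT_CERT']
  return nil if pem.nil? || pem.strip.empty?
  cert = OpenSSL::X509::Certificate.new(pem)
  return nil unless store.verify(cert) # chain check first, CN second
  cn = cert.subject.to_a.find { |attr| attr[0] == 'CN' }
  cn && cn[1]
rescue OpenSSL::X509::CertificateError
  nil
end

# Rack-compatible endpoint: 401 without a verified cert, 403 for anyone
# who is not 'admin', 200 for the admin's page.
APP = lambda do |env|
  user = authenticate(env)
  if user.nil?
    [401, { 'content-type' => 'text/plain' }, ['client certificate required']]
  elsif user != 'admin'
    [403, { 'content-type' => 'text/plain' }, ["hello #{user}, admins only"]]
  else
    [200, { 'content-type' => 'text/plain' }, ['admin page']]
  end
end

# Constructed test material: one certificate issued by the CA, and one
# self-signed certificate that merely claims CN=admin.
ALICE_PEM        = make_cert('alice', make_key, issuer_cert: CA_CERT, issuer_key: CA_KEY).to_pem
FORGED_ADMIN_PEM = make_cert('admin', make_key).to_pem

# Status code the endpoint returns for a given PEM (nil = no cert presented).
def status_for(pem)
  APP.call(pem ? { 'SSL_CLIENT_CERT' => pem } : {})[0]
end

if __FILE__ == $PROGRAM_NAME
  puts "alice  -> #{authenticate('SSL_CLIENT_CERT' => ALICE_PEM).inspect}"
  puts "forged -> #{authenticate('SSL_CLIENT_CERT' => FORGED_ADMIN_PEM).inspect}"
end
```

The order inside `authenticate` is the point: the CN is read only after `store.verify` has tied the certificate to the CA, so a self-signed certificate with the right CN, or a certificate issued by some other CA, yields nil rather than a user name. In the nginx deployment described above the same store should be built from the `ca.crt` that `ssl_client_certificate` points at, which is why the README insists the two CAs match.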
