Associated vulnerability
Title:
Square OkHttp security vulnerability
(CVE-2016-2402)
Description: Square OkHttp is an HTTP and HTTP/2 client library for Android and Java applications from Square, a US company. It supports synchronous blocking calls and asynchronous calls with callbacks, as well as response caching to avoid repeated network requests. Square OkHttp versions before 2.7.4 and 3.x versions before 3.1.2 contain a security vulnerability. An attacker can exploit it to mount a man-in-the-middle attack and bypass certificate pinning.
Description
OkHttp sample app vulnerable to CVE-2016-2402
Introduction
# OkHttp simple-client app vulnerable to CVE-2016-2402
This is a fork of the default [simple-client](https://github.com/square/okhttp/blob/okhttp_31/samples/simple-client) from the okhttp project.
Simple-client is a Java app that just does a GET request to https://api.github.com and fetches the names of okhttp's contributors.
This fork has been edited so that OkHttp 3.0.1 is used for network connections and certificate pinning is also used.
OkHttp 3.0.1 is vulnerable to CVE-2016-2402 (fixed in 2.7.4 and 3.1.2); this app demonstrates the flaw.
For more information please read:
* [https://koz.io/pinning-cve-2016-2402](https://koz.io/pinning-cve-2016-2402)
* [https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/](https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/)
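To make concrete what "certificate pinning is also used" means in an OkHttp 3 client, here is an added example of a pinned client and of how to obtain real pin values for it. It is not the repository's own `OkHttpContributors.java`; the class name, the `main` method and the all-zero pin are placeholders chosen for illustration, and the pinning only protects against a rogue CA-issued certificate once the library itself is at a fixed version (2.7.4 / 3.1.2 or later, as the advisory above states).

```java
import java.io.IOException;
import java.security.cert.Certificate;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Hypothetical class name; not part of the simple-client sample.
public final class PinnedClientExample {
  private static final String HOST = "api.github.com";

  // PLACEHOLDER: 32 zero bytes in base64. Replace with the SHA-256 of the
  // SubjectPublicKeyInfo of the certificate(s) you really want to pin.
  private static final String PIN_PLACEHOLDER =
      "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

  // Builds a client that only accepts a chain for HOST containing a pinned key.
  // NOTE: on okhttp-3.0.1.jar (the version this app ships) this check can be
  // bypassed (CVE-2016-2402); the same code is only effective on 3.1.2+.
  public static OkHttpClient buildPinnedClient() {
    CertificatePinner pinner = new CertificatePinner.Builder()
        .add(HOST, PIN_PLACEHOLDER)
        .build();
    return new OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build();
  }

  // Uses an UNPINNED client once, over a connection you trust, to print the
  // pins OkHttp computes for the chain the server presents. Those strings are
  // what goes into the Builder.add(...) call above.
  public static void printPeerPins() throws IOException {
    OkHttpClient plain = new OkHttpClient();
    Request request = new Request.Builder().url("https://" + HOST + "/").build();
    Response response = plain.newCall(request).execute();
    try {
      for (Certificate c : response.handshake().peerCertificates()) {
        System.out.println(CertificatePinner.pin(c));
      }
    } finally {
      response.body().close();
    }
  }

  public static void main(String[] args) throws IOException {
    printPeerPins();
    // With the placeholder pin this request fails with
    // SSLPeerUnverifiedException, which is the expected (safe) outcome.
    OkHttpClient pinned = buildPinnedClient();
    Request request = new Request.Builder().url("https://" + HOST + "/").build();
    Response response = pinned.newCall(request).execute();
    System.out.println("pinned request status: " + response.code());
    response.body().close();
  }
}
```

Run `printPeerPins()` first from a network you trust, paste the printed `sha256/...` values into `PIN_PLACEHOLDER`, and keep at least one backup pin for rotation; then confirm the jar on the classpath is okhttp 3.1.2 or newer before relying on the check.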
## Building
To build the app, first clone the repository and then run:
`ant build`
## Usage
If you don't have the private key of a CA trusted by your system's JRE, you'll have to add the proxy's CA certificate to a copy of the JRE's trust store.
Let's say CA_CERT.pem is your proxy's CA certificate:
`$ cp /etc/ssl/certs/java/cacerts .`
`$ keytool -import -trustcacerts -alias ikozCA -file CA_CERT.pem -keystore cacerts -storepass changeit`
Then start simple-client with the following parameters to connect through a local proxy:
`$ java -DproxyHost=127.0.0.1 -DproxyPort=8080 -Djavax.net.ssl.trustStore=cacerts -jar certPinningVulnerableOkHttp.jar`
John Kozyrakis
File snapshot
```
[4.0K] /data/pocs/3a18a3aa4b19a525094bd9e563decb39c9a0db20
├── [8.8K] build.xml
├── [297K] certPinningVulnerableOkHttp.jar
├── [4.0K] lib
│   ├── [224K] gson-2.6.2.jar
│   ├── [319K] okhttp-3.0.1.jar
│   └── [ 64K] okio-1.6.0.jar
├── [1.4K] README.md
└── [4.0K] src
    ├── [4.0K] META-INF
    │   └── [  69] MANIFEST.MF
    └── [4.0K] okhttp3
        └── [4.0K] sample
            └── [2.0K] OkHttpContributors.java

5 directories, 8 files
```
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.