关联漏洞
标题:
Square OkHttp 安全漏洞
(CVE-2016-2402)
描述:Square OkHttp是美国Square公司的一套用于Android系统和Java应用程序的HTTP和HTTP /2客户端软件。该软件支持同步阻塞调用和回调的异步调用、响应缓存避免网络重复请求等。 Square OkHttp 2.7.4之前的版本和3.1.2之前的3.x版本中存在安全漏洞。攻击者可利用该漏洞实施中间人攻击,绕过证书锁定。
描述
Simple script for testing CVE-2016-2402 and similar flaws
介绍
# cert pinning flaw POC
Simple POC script for testing CVE-2016-2402 and similar flaws. Read [my blog post](https://koz.io/pinning-cve-2016-2402) for details.
This utility will set up a HTTPS server that servers a malicious certificate chain to the client for a specific domain.
If traffic from an app with a vulnerable certificate pinning implementation is redirected to this server,
the pinning control will be bypassed and you should be able to see a GET or a POST request in the server console.
By default, this uses a hardcoded CA certificate and key (CA_CERT.pem and CA_KEY.pem files).
You can change these, use the following command to generate a new pair.
`openssl req -x509 -days 1825 -nodes -newkey rsa:2048 -outform pem -keyout CA_KEY.key -out CA_CERT.pem`
You will want to insert CA_CERT.pem to the platform being tested.
John Kozyrakis
文件快照
[4.0K] /data/pocs/c44ec065efe138cce89026c2dc30ffe2e30396dd
├── [1.2K] CA_CERT.pem
├── [1.7K] CA_KEY.pem
├── [5.7K] cert-pinning-flaw-poc.py
├── [1.1K] LICENSE
└── [ 856] README.md
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。