usefulfor.com/security

x509 certificate generation

Generate the certificate using OpenSSL:-

$ openssl genrsa 1024 > foo.key
$ openssl req -new -x509 -nodes -sha1 -days 7300 -key foo.key > foo.crt
$ openssl pkcs12 -export -out foo.p12 -in foo.crt -inkey foo.key -name "your name"

You will need the .p12 file (contains key and certificate) to configure Burp. And the .crt file to add it to the Java keystore used by the client. Checkout Burp’s help page for instructions on how to get the first done.

Create a Java keystore, import the certificate

Straightforward enough (just remember the password you entered):

keytool.exe -import -file foo.crt -keystore usefulfor.jks -alias burpcert

Run the application and point it to your keystore

java \
  -Djavax.net.ssl.trustStore=usefulfor.jks \
  -Djavax.net.ssl.trustStorePassword=password \
  -Djavax.net.debug=all  \
  com.usefulfor.Demo

Other interesting properties that you may need in order to further tweak the SSL configuration are javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword.

DeepSec 2008 took place in Vienna in November. For a period of two days attendees enjoyed a good set of talks, a good atmosphere and had the chance to talk to different people from different security backgrounds.

I was invited to present my ‘Behind Enemy lines’ research, which mainly focused on different attack techniques that are currently affecting a large number of administrative web interfaces.

The slides of this presentation can be found here: [1]

More information about this research can be found in the following white paper: [3] [4]

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!