Plugin for testing SSL certificate MITM attacks


#1

MITMProxy is an excellent tool for performing MITM. In my day to day work I often need to test if SSL/TLS pinning is implemented correctly and the certificate fields are verified correctly, in mobile applications. The checks include:

  • Are self-signed accepted
  • Hostname is verified correctly
  • Certificate start and end dates are checked.

Improper check of SSL/TLS certificate is quite common, as established in this work: https://saschafahl.de/papers/androidssl2012.pdf.

I want to explore, does current MITMProxy code support writing a plugin for above described case, in which variants of a certificate are sent to the client. Currently I change the code manually and then perform these tests. I feel having a simple plugin will be helpful in general.

If such capability already exists, I am not able to find it in my initial limited research with the tool. Any pointers or suggestions will be helpful for me.


#2

Hi Vikas,

Such a functionality currently doesn’t exist, but I think it’d be a great addition to mitmproxy. You could probably get away with writing an addon that monkeypatches the certificate generation routine and then exposes a command that can be used to switch to various strategies. I’d be more than happy to have that in the core!


#3

Hi Max,

Sure, I will try to hack some code together and send a PR. I assume slack channel will be a good place to ask questions if I face some problem related to the codebase?


#4

Yes! Developer chat is on Slack, please join us! :slight_smile: