Need to be able to skip SSL Verification

[mr-tomr]

Option -s , enables SSL verification and is on by default.

Testing within environments where there are self signed certs, is causing the tool to fail.

Debian (Kali) Certificate for this server is in ca-certificates folder and added. Error message is as follows, server name changed, etc.

[16:49:44] INFO Checking whether host example.com:443 is available tester_utils.py:41
ERROR Unable to connect to host example.com:443 due to error: SSLCertVerificationError(1, tester_utils.py:49
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate
chain (_ssl.c:1006)')
ERROR Stopping tests due to unavailibility of host: example.com:443

Also, it appears your error message has the incorrect spelling of unavailability. :)

[nrathaus]

@mr-tomr At the moment there is no code that supports self-signed certificates (i.e. don't verify certificates of SSL)

Can you provide a patch to support it?

[nrathaus]

#115

[dmdhrumilmistry]

fixed in latest release: https://github.com/OWASP/OFFAT/releases

[sev-hack]

Hello @dmdhrumilmistry @nrathaus

Still have the problem in with skipping SSL verification with self-signed certificates.

Tested on OFFAT v0.19.1, the output is the same as @mr-tomr mentioned

Is it possible to skip SSL verification at all?

[nrathaus]

Please provide the cmdline you used

[sev-hack]

Thanks for fast response!

Used this cmd:

offat -f scheme-openapi.yml -H 'Authorization: Bearer XXX' -rl 10 --server "https://internal-example.io/"

[nrathaus]

I found the bug, it is related to two things (see PR) if you want to see what

[sev-hack]

@nrathaus thanks!

Do I understand correctly that there will be no SSL validation by default (in the next OFFAT release)?

[dmdhrumilmistry]

I found the bug, it is related to two things (see PR) if you want to see what

I'll release the latest version right away

[dmdhrumilmistry]

@nrathaus thanks!

Do I understand correctly that there will be no SSL validation by default (in the next OFFAT release)?

Yes! If you need to enforce SSL then you can use -s or --ssl-verify flag

[sev-hack]

@dmdhrumilmistry @nrathaus tested on new version, got next output:

ERROR    Unable to send request due to error: RetryError[<Future at 0x108a62ef0 state=finished       runner.py:150
                    raised ClientConnectorCertificateError>]
           ERROR    {'self': <offat.tester.runner.TestRunner object at 0x106398760>, 'test_task': {'url':       runner.py:151
                    'https://internal-example.io:443/support/routes', 'endpoint':
                    '/support/routes', 'method': 'POST', 'body_params': [{'type': 'string', 'format': 'uuid',
                    'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in': 'body'}, {'type':
                    'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'target_city_id', 'required':
                    True, 'in': 'body'}, {'type': 'string', 'enum': ['qq', 'ww'], 'value': "{{7*'7'}}",
                    'name': 'distributor_code', 'required': True, 'in': 'body'}], 'query_params': [],
                    'path_params': [], 'security': [], 'test_name': 'SSTI Test', 'args': (), 'kwargs': {'json':
                    {'dc_city_id': "{{7*'7'}}", 'target_city_id': "{{7*'7'}}", 'distributor_code':
                    "{{7*'7'}}"}}, 'malicious_payload': "{{7*'7'}}", 'vuln_details': {True: 'One or more
                    parameter is vulnerable to SSTI Attack', False: 'Parameters are not vulnerable to SSTI
                    Attack'}, 'response_filter': 'BODY_REGEX_FILTER', 'response_match_regex': '49',
                    'request_headers': [], 'response_headers': [], 'response_body': 'No Response Body Found',
                    'response_status_code': -1, 'redirection': '', 'error': True}, 'url':
                    'https://internal-example.io:443/support/routes', 'http_method':
                    'POST', 'args': (), 'kwargs': {'json': {'dc_city_id': "{{7*'7'}}", 'target_city_id':
                    "{{7*'7'}}", 'distributor_code': "{{7*'7'}}"}}, 'body_params': [{'type': 'string',
                    'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in':
                    'body'}, {'type': 'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name':
                    'target_city_id', 'required': True, 'in': 'body'}, {'type': 'string', 'enum': ['qq',
                    'ww'], 'value': "{{7*'7'}}", 'name': 'distributor_code', 'required': True, 'in': 'body'}],
                    'query_params': [], 'test_result': {'url':
                    'https://internal-example.io:443/support/routes', 'endpoint':
                    '/support/routes', 'method': 'POST', 'body_params': [{'type': 'string', 'format': 'uuid',
                    'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in': 'body'}, {'type':
                    'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'target_city_id', 'required':
                    True, 'in': 'body'}, {'type': 'string', 'enum': ['qq', 'ww'], 'value': "{{7*'7'}}",
                    'name': 'distributor_code', 'required': True, 'in': 'body'}], 'query_params': [],
                    'path_params': [], 'security': [], 'test_name': 'SSTI Test', 'args': (), 'kwargs': {'json':
                    {'dc_city_id': "{{7*'7'}}", 'target_city_id': "{{7*'7'}}", 'distributor_code':
                    "{{7*'7'}}"}}, 'malicious_payload': "{{7*'7'}}", 'vuln_details': {True: 'One or more
                    parameter is vulnerable to SSTI Attack', False: 'Parameters are not vulnerable to SSTI
                    Attack'}, 'response_filter': 'BODY_REGEX_FILTER', 'response_match_regex': '49',
                    'request_headers': [], 'response_headers': [], 'response_body': 'No Response Body Found',
                    'response_status_code': -1, 'redirection': '', 'error': True}, 'e': RetryError(<Future at
                    0x108a62ef0 state=finished raised ClientConnectorCertificateError>)}

What could be the problem?

[nrathaus]

The problem is client side certificate as the error states

As this seems to be a commercial version - I think it's appropriate that you either provide a patch or sponsor the work of the author of this tool

[dmdhrumilmistry]

The problem is client side certificate as the error states

As this seems to be a commercial version - I think it's appropriate that you either provide a patch or sponsor the work of the author of this tool

Thanks, @nrathaus. @sev-hack contributions are accepted for the project in any possible way.

It turned out that ssl_verify was not being passed to TestRunner due to which it was using the default True value.

Patch: #129

[nrathaus]

Sev hack issue is related to OFFAT support client side certificate

[dmdhrumilmistry]

@dmdhrumilmistry @nrathaus tested on new version, got next output:

ERROR    Unable to send request due to error: RetryError[<Future at 0x108a62ef0 state=finished       runner.py:150
                    raised ClientConnectorCertificateError>]
           ERROR    {'self': <offat.tester.runner.TestRunner object at 0x106398760>, 'test_task': {'url':       runner.py:151
                    'https://internal-example.io:443/support/routes', 'endpoint':
                    '/support/routes', 'method': 'POST', 'body_params': [{'type': 'string', 'format': 'uuid',
                    'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in': 'body'}, {'type':
                    'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'target_city_id', 'required':
                    True, 'in': 'body'}, {'type': 'string', 'enum': ['qq', 'ww'], 'value': "{{7*'7'}}",
                    'name': 'distributor_code', 'required': True, 'in': 'body'}], 'query_params': [],
                    'path_params': [], 'security': [], 'test_name': 'SSTI Test', 'args': (), 'kwargs': {'json':
                    {'dc_city_id': "{{7*'7'}}", 'target_city_id': "{{7*'7'}}", 'distributor_code':
                    "{{7*'7'}}"}}, 'malicious_payload': "{{7*'7'}}", 'vuln_details': {True: 'One or more
                    parameter is vulnerable to SSTI Attack', False: 'Parameters are not vulnerable to SSTI
                    Attack'}, 'response_filter': 'BODY_REGEX_FILTER', 'response_match_regex': '49',
                    'request_headers': [], 'response_headers': [], 'response_body': 'No Response Body Found',
                    'response_status_code': -1, 'redirection': '', 'error': True}, 'url':
                    'https://internal-example.io:443/support/routes', 'http_method':
                    'POST', 'args': (), 'kwargs': {'json': {'dc_city_id': "{{7*'7'}}", 'target_city_id':
                    "{{7*'7'}}", 'distributor_code': "{{7*'7'}}"}}, 'body_params': [{'type': 'string',
                    'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in':
                    'body'}, {'type': 'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name':
                    'target_city_id', 'required': True, 'in': 'body'}, {'type': 'string', 'enum': ['qq',
                    'ww'], 'value': "{{7*'7'}}", 'name': 'distributor_code', 'required': True, 'in': 'body'}],
                    'query_params': [], 'test_result': {'url':
                    'https://internal-example.io:443/support/routes', 'endpoint':
                    '/support/routes', 'method': 'POST', 'body_params': [{'type': 'string', 'format': 'uuid',
                    'value': "{{7*'7'}}", 'name': 'dc_city_id', 'required': True, 'in': 'body'}, {'type':
                    'string', 'format': 'uuid', 'value': "{{7*'7'}}", 'name': 'target_city_id', 'required':
                    True, 'in': 'body'}, {'type': 'string', 'enum': ['qq', 'ww'], 'value': "{{7*'7'}}",
                    'name': 'distributor_code', 'required': True, 'in': 'body'}], 'query_params': [],
                    'path_params': [], 'security': [], 'test_name': 'SSTI Test', 'args': (), 'kwargs': {'json':
                    {'dc_city_id': "{{7*'7'}}", 'target_city_id': "{{7*'7'}}", 'distributor_code':
                    "{{7*'7'}}"}}, 'malicious_payload': "{{7*'7'}}", 'vuln_details': {True: 'One or more
                    parameter is vulnerable to SSTI Attack', False: 'Parameters are not vulnerable to SSTI
                    Attack'}, 'response_filter': 'BODY_REGEX_FILTER', 'response_match_regex': '49',
                    'request_headers': [], 'response_headers': [], 'response_body': 'No Response Body Found',
                    'response_status_code': -1, 'redirection': '', 'error': True}, 'e': RetryError(<Future at
                    0x108a62ef0 state=finished raised ClientConnectorCertificateError>)}

What could be the problem?

This has been patched, you can use the latest version v0.19.3

[sev-hack]

Hi there @dmdhrumilmistry @nrathaus !

Thank you again for fast fix, now it works as expected.