Heartbleed Tests and Projects


Here are the projects I wrote to demonstrate both the client and server attacks:

Attacking a Server with Heartbleed: Detecting the Heartbleed OpenSSL Vulnerability and Patching It

Attacking Clients with a Malicious Heartbleed SSL Server

Public server to test clients for vulnerability

Attacking the CloudFlare Challenge Server

Testing VMware Fusion

Tests of Clients

These tests use the malicious HTTPS server pacemaker.py to attack clients that browse to it.

There are two big surprises here:

Android 4.1.1 Web Browser: VULNERABLE

I used an Android virtual machine running in VirtualBox on Mac OS X.

Here is the RAM I captured from this device:


curl on Kali Linux: VULNERABLE

IceWeasel on Kali Linux: NOT VULNERABLE

curl on Mac OS X 10.9.2: NOT VULNERABLE

Chrome on Mac OS X 10.9.2: NOT VULNERABLE

Safari on Mac OS X 10.9.2: NOT VULNERABLE

Firefox on Mac OS X 10.9.2: NOT VULNERABLE

Posted: 4-9-14 4:18 pm by Sam Bowne
Android added 4-10-14 4:37 pm and 5:24 pm
CloudFlare Challenge added 4-11-14 1:44 pm
VMware Fusion test added 4-11-14 5:32 pm