M4: GenieMD Broken SSL (15 pts)

What You Need for This Project

Summary

The GenieMD Android app sends login credentials over HTTPS but does not verify the server's SSL certificate, so anyone who can place themselves between the device and the server (a hostile Wi-Fi hotspot, or Burp acting as a proxy) can decrypt and read them.

This is such a serious security flaw that the FTC punished Fandango and Credit Karma for doing the same thing in 2014.

Adjusting Android Networking to Bypass the Proxy

Burp is useful for inspecting the app's traffic, but Google Play will not work through the intercepting proxy, so bypass it while you install the app.

From the Android home screen, click the circle at the bottom center.

Open Settings.

In Settings, click "Network & internet".

Click Wi-Fi.

Click AndroidWiFi.

Click Advanced.

In the "Network details" screen, at the top right, click the Pencil icon.

In the "Proxy" field, click the down-arrow.

Click None.

Then click Save.

Installing the GenieMD Android App

Open Google Play and search for geniemd.

Install the "Harvard Health Info" app, as shown below.

Adjusting Android Networking to Use the Burp Proxy

On your Android device, in Settings, click "Network & internet".

Click Wi-Fi.

Click AndroidWiFi.

Click Advanced.

In the "Network details" screen, at the top right, click the Pencil icon, outlined in green in the image below.

In the "AndroidWifi" box, in the "Advanced options" row, click the down-arrow.

In the "Proxy" field, click the down-arrow.

Click Manual, which is outlined in green in the image below.

Enter the IP address and port number of the Burp proxy listener, as shown below.

On your Android device, click SAVE.

At the bottom center of the device, click the round Home button.

Observing the HTTPS Traffic

From the Android home screen, click the Circle. Drag to the left to see new apps. Launch Harvard....

Click "Sign in" and enter test credentials, as shown below.

Click "SIGN IN".

In Burp, on the Proxy tab, click the "HTTP history" sub-tab.

Find the POST method going to /GenieMD.Com/resources/Email/SignIn.

The username and password appear in Burp, as shown below:

If you have been doing these projects in order, this is not yet evidence of a security problem: the PortSwigger CA certificate is installed on your Android device, so the device has been told to trust every certificate Burp issues. At this point any app, even a well-written one, would let Burp decrypt its traffic.

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, right-click any entry and click "Clear history". Click Yes.

Removing the PortSwigger Certificate

On your Android device, in Settings, click "Security & location", Advanced, "Encryption & credentials", "Clear credentials".

Click OK.

Enter your PIN.

Testing HTTPS Connections

On your Android device, open Chrome. Go to google.com.

You should see an error message, as shown below.

Every HTTPS connection from the device now fails. Burp still terminates the TLS connection and presents a certificate signed by its own CA, and the device no longer trusts that CA, so Chrome correctly refuses to connect. This is exactly the behavior a properly written app should show.

Logging In Again

On your Android device, open Harvard... again.

Click "Sign in" and enter test credentials, including your name, as shown below.

Capturing Credentials in Burp

In Burp, on the Proxy tab, click the "HTTP history" sub-tab.

Find the POST method going to /GenieMD.Com/resources/Email/SignIn.

The username and password still appear in Burp, as shown below:

This is a serious problem: the app accepted a certificate signed by a CA the device does not trust, so the man-in-the-middle attack succeeds and the credentials are exposed in plaintext to the proxy. GenieMD exposes its users to this attack because the app does not validate SSL certificates. Find the text covered by a green box in the image above. Enter it into the form below to record your success.
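The difference observed in this project (the app accepts Burp's certificate, while Chrome with the PortSwigger CA removed rejects it) is typically caused by an app installing its own "trust everything" TrustManager and HostnameVerifier instead of leaving the platform's certificate validation in place. The Java class below is an added illustration of that pattern next to the corrected version; it is not GenieMD's code, which this page does not show. The host example.invalid, the form field names, and the test credentials are placeholders, and the SignIn path is the one seen in Burp above.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SignInClient {

    // Placeholder host; the path is the one captured in Burp in this project.
    static final String SIGN_IN_URL = "https://example.invalid/GenieMD.Com/resources/Email/SignIn";

    /**
     * VULNERABLE: a TrustManager whose checkServerTrusted never throws, plus a
     * HostnameVerifier that accepts every host. Any party that terminates TLS
     * (Burp with its own CA, a hostile hotspot) is accepted, so the POST body
     * with the credentials is readable by the interceptor. This is the class of
     * mistake the FTC cited in the Fandango and Credit Karma cases.
     */
    static HttpsURLConnection openVulnerable(URL url) throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { } // accepts anything
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; } // accepts any host
        });
        return conn;
    }

    /**
     * FIXED: leave the platform defaults alone. HttpsURLConnection then validates
     * the chain against the device's trust store and checks the hostname. With the
     * PortSwigger CA removed from the device, a Burp-terminated connection fails
     * with SSLHandshakeException and the credentials never leave the device.
     */
    static HttpsURLConnection openValidated(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Sends the sign-in form. Field names "email" and "password" are assumed, not taken from the app.
    static int postCredentials(HttpsURLConnection conn, String email, String password) throws IOException {
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String form = "email=" + URLEncoder.encode(email, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
        byte[] body = form.getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL(SIGN_IN_URL);
        try {
            int code = postCredentials(openValidated(url), "test@example.com", "password");
            System.out.println("Validated connection: HTTP " + code);
        } catch (SSLHandshakeException e) {
            // Expected behind Burp once its CA is no longer trusted: this is the safe outcome.
            System.out.println("Validated connection refused the certificate: " + e.getMessage());
        }
    }
}
```

When reviewing an app for this flaw, search the code for `X509TrustManager` implementations with empty `checkServerTrusted` bodies and for `HostnameVerifier` implementations that return true unconditionally; either one is enough to reproduce what this project demonstrates. The fix is to delete that code and rely on the platform defaults, optionally adding certificate pinning on top.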


M4: Recording Your Success (15 pts)

Use the form below to record your success.
Name:
Text:

Posted 12-21-16 by Sam Bowne
Updated 1-13-19
Modified to a CTF 2-28-19