[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Re: Lack of TLS certification chain validation in ZAP Proxy
From: Gabriel Corona <gabriel.corona () enst-bretagne ! fr>
Date: 2022-03-24 6:46:31
Message-ID: 78ad4469-23ca-e81d-6a5f-43afc716dfa9 () enst-bretagne ! fr
[Download RAW message or body]
On 23/03/2022 22:02, Gabriel Corona wrote:
> ZAP proxy does not verify the certificate chain of the HTTPS servers it
> connects to. For example, it connects without warning to servers
> presenting a self-signed certificate, an expired certificate, etc.
>
> This opens up a browser configured to use ZAP as an intercepting proxy to:
>
> 1. man-in-the-middle (MITM) attacks;
> 2. DNS rebinding attacks (to HTTPS servers configured as default virtual
> server).
>
This is CVE-2022-27820.
Regards,
Gabriel Corona
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic