In this case study we tested several applications and libraries against different Man In The Middle (MITM) attacks. One interesting finding concerns the Axis Bank mobile application: we found that its SSL certificate validation is completely broken.
We created a rogue access point using the wifi-pumpkin tool and connected the client machine (a smartphone) to it. We then bridged this interface with another interface connected to the internet so that the client still had internet access.
Then we created transparent proxies on ports 80 and 443 using bettercap and poisoned DNS on the rogue AP with dnsspoof so that all traffic was directed to these proxies.
In this setup bettercap strips the original SSL certificates and presents self-signed certificates on the SSL traffic.
Then we tried logging in to the Axis Bank mobile app.
If SSL certificate validation were properly implemented, the application should not have established the connection and should have thrown an SSL error, because bettercap was injecting a self-signed certificate. To our surprise it ignored the SSL check and established the connection with the server.
Bettercap was able to dissect the SSL connection and dump the messages.
As one can see in the image above, the application makes a POST request to https://axmob.axisbank.co.in/process/comm.mx for login, and bettercap was able to decrypt the SSL traffic.
As the User-Agent field shows, the application is using Apache HttpClient. Older versions of HttpClient (3.*) do not verify hostnames. But in this case the application is also not performing chain-of-trust verification while establishing the SSL connection.
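To make the two failure modes concrete, the following is an added example written for this post; it is not code from the original write-up or from the application under test (which is an Android app using Apache HttpClient). It is written in Go because the standard library can stand up an HTTPS server with a self-signed certificate in-process, which stands in for the certificate an intercepting proxy presents. It then runs three client configurations against that server: one with verification disabled (the behaviour observed above, where any certificate is accepted), one with default chain-of-trust and hostname verification (which must reject the certificate), and one pinned to the server's own certificate. The names `RunScenarios`, `tryLogin`, `IsUnknownAuthority` and the `/login` path are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records whether a client accepted the self-signed server certificate.
type Outcome struct {
	Name      string
	Connected bool
	Err       error
}

// newClient wraps a tls.Config in an http.Client, mirroring how a mobile app's
// HTTP library is handed its TLS settings.
func newClient(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// tryLogin performs a login-style POST (constructed path) against the server
// and reports whether the TLS handshake was accepted.
func tryLogin(name string, c *http.Client, url string) Outcome {
	resp, err := c.Post(url+"/login", "application/x-www-form-urlencoded", nil)
	if err != nil {
		return Outcome{Name: name, Connected: false, Err: err}
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return Outcome{Name: name, Connected: true}
}

// RunScenarios starts a local HTTPS server whose certificate is self-signed
// and not in any trust store (standing in for a proxy's certificate), then
// tries three client configurations against it.
func RunScenarios() map[string]Outcome {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "login ok")
	}))
	defer srv.Close()

	// 1. Broken: verification disabled. This is what the app in the case study
	//    effectively does: any certificate, including a self-signed one, is accepted.
	broken := newClient(&tls.Config{InsecureSkipVerify: true})

	// 2. Hardened (default): the chain is built to the system trust store and the
	//    hostname is checked. The self-signed certificate must be rejected.
	strict := newClient(&tls.Config{})

	// 3. Hardened (pinned): only the server's own certificate is trusted, so even a
	//    certificate from an otherwise trusted CA would be refused.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned := newClient(&tls.Config{RootCAs: pool})

	results := map[string]Outcome{}
	for _, s := range []struct {
		name string
		c    *http.Client
	}{{"broken", broken}, {"strict", strict}, {"pinned", pinned}} {
		results[s.name] = tryLogin(s.name, s.c, srv.URL)
	}
	return results
}

// IsUnknownAuthority reports whether err is the chain-of-trust failure a
// correctly validating client produces for a self-signed certificate.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	for name, o := range RunScenarios() {
		fmt.Printf("%-7s connected=%v unknownAuthority=%v err=%v\n",
			name, o.Connected, IsUnknownAuthority(o.Err), o.Err)
	}
}
```

The "strict" client is the behaviour one would expect from a banking app: the handshake fails before any credentials leave the device. The "pinned" client goes one step further, which is what protects against a proxy whose certificate is signed by a CA the device already trusts. A quick way to check an app during testing is exactly what the write-up did: if a self-signed certificate is accepted, the client is in the "broken" state.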
By – Ajay Yadav, Team Lead