In this case study, we tested several applications and libraries against different Man-in-the-Middle (MITM) attacks. One interesting finding concerns the Axis Bank mobile application: we found that its SSL certificate validation is completely broken.
Lab Setup
We created a rogue access point with the wifi-pumpkin tool and connected the client machine (a smartphone) to it. We then bridged this interface with another interface connected to the internet to give the client internet access.
Next we created transparent proxies on ports 80 and 443 using bettercap and poisoned DNS on the rogue AP with DNS spoofing so that all traffic was directed to these proxies.
Bettercap then strips the original SSL certificates and presents self-signed certificates on the SSL traffic.
We then tried logging in to the Axis Bank mobile app.
Findings
If SSL certificate validation were properly implemented, the application should have refused the connection and thrown an SSL error, because bettercap was presenting a self-signed certificate. To our surprise, it ignored the SSL check and established a connection to the server.
Bettercap was able to dissect the SSL connection and dump the messages.
As can be seen in the image above, the application makes a POST request to https://axmob.axisbank.co.in/process/comm.mx for login, and bettercap was able to decrypt the SSL traffic.
Further Analysis
As the User-Agent field shows, the application uses Apache-HttpClient. Older versions of HttpClient (3.x) do not verify hostnames, but in this case the application is also not verifying the certificate chain of trust while establishing the SSL connection.
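Both checks named above, chain-of-trust validation and hostname verification, have to stay enabled in a client built on Apache HttpClient. The following is an added example, not code from this write-up or from the bank's application; it puts the misconfiguration that produces exactly this symptom beside the hardened form, and assumes Apache HttpClient 4.4 or later with the platform's default trust store.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class TlsClientConfig {

    // Misconfiguration that yields the symptom seen in the case study:
    // every certificate chain is trusted and the hostname is never checked,
    // so a self-signed certificate from an interposed proxy is accepted.
    public static CloseableHttpClient insecureClient() throws Exception {
        SSLContext trustAll = SSLContexts.custom()
                // A TrustStrategy that always returns true skips chain validation.
                .loadTrustMaterial(null, (chain, authType) -> true)
                .build();
        SSLConnectionSocketFactory factory =
                new SSLConnectionSocketFactory(trustAll, NoopHostnameVerifier.INSTANCE);
        return HttpClients.custom().setSSLSocketFactory(factory).build();
    }

    // Hardened form: the platform trust store validates the chain, and
    // DefaultHostnameVerifier checks the certificate's SAN/CN against the
    // host actually being contacted.
    public static CloseableHttpClient hardenedClient() {
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
                SSLContexts.createDefault(), new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(factory).build();
    }

    // Check for a test lab: returns true only if the client refuses the
    // handshake with a host that presents an untrusted certificate.
    // The URL is a placeholder for a lab host you control (assumption).
    public static boolean rejectsUntrustedCertificate(CloseableHttpClient client,
                                                      String labUrl) throws Exception {
        try {
            client.execute(new HttpGet(labUrl)).close();
            return false; // connected: validation is missing, as in the finding
        } catch (SSLHandshakeException expected) {
            return true;  // handshake refused: chain or hostname check worked
        }
    }
}
```

Pointing hardenedClient() at a lab host with a self-signed certificate must make rejectsUntrustedCertificate return true; a client for which it returns false has the defect described in the findings.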