Renegotiation allowing to insert data into HTTPS sessions

By
Prathap
Published on
19 Jun 2022
Vulnerability
SSL

A Secure Socket Layer/Transport Layer Security process allows the exchange of the details of a handshake after a connection is made with the server. A number of Internet connections require SSL renegotiation. Renegotiation is required for making an SSL connection when no client-server authentication is initially required. Renegotiation adds authentication details to the current connection, rather than dropping and creating a new SSL connection.

There are many servers that do not properly associate renegotiation handshakes with an existing connection. This bug will allow an attacker to insert malicious data into HTTPS sessions and possibly other types of sessions protected by TLS or SSL.

Impact

This vulnerability can be exploited by Man-in-the-middle attackers. A man-in-the-middle attack is a client vulnerability with disastrous power in cryptography and computer security world. It is an attack in which the attacker secretly monitors and alters the communication between two parties.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Upgrade the OpenSSL to the latest version.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Prathap
Prathap
Co-founder, Director
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment