Vulnerability in SSL checkers

With OpenSSL library, it is easy to create a self-signed SSL Certificate with the information you want. You can thus create and install a fake SSL certificate like this one :

This certificate contains XSS injections in several fields. So the question is : what happens if you test this SSL Certificate with online checkers ? This was tried a few days ago on several of these services, among the most famous :

1. SSL Cheker:

2. SSL Tools :

3. SSL Tools Go Daddy :

4. Go Get SSL:

5. SSL 2 Buy :

6. UK Fast :

7. Trust Ico :

8. Click SSL :

9. Comodo SSL Store :

These tools, which trust data present in certificates issued by SSL authorities, were vulnerable to XSS attacks with a self-signed certificate. They were quickly patched or set into maintenance.

HTTPCS SSL Checker

HTTPCS also offers an online SSL checker (https://www.httpcs.com/en/test-ssl-certificate) but this one is not vulnerable to this type of attack. In the end, this example is a perfect illustration of the adage well known by web developers : « Do not trust user data ». For more details about XSS flaws, please have a look at our briefing note : https://www.httpcs.com/en/cross-site-scripting-xss-vulnerability  

Source

https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/#jp-carousel-370