Request encryption, get script injection

A large number of websites remain vulnerable to cross-site scripting after researchers discovered a weakness in web hosting providers’ implementation of the ACME protocol.

Developed by Let’s Encrypt, the Automatic Certificate Management Environment (ACME) protocol specifies how to automate interactions between certificate authorities and their users’ web servers.

While the protocol was designed with security in mind, Detectify security researchers Frans Rosén and Linus Särud found flaws in two large web hosting providers’ implementation of the http-01 verification method.

“This verification method works by having Let’s Encrypt request a file located in /.well-known/acme-challenge/KEY1 and expects a response in the format of KEY1.KEY2,” the researchers explained in a blog post yesterday.

“As KEY1 is in both the response and the request, some hosting providers that used an ACME enabled certificate issuer… created a solution where the first key, KEY1, would be reflected from the URL and combined with a fixed KEY2 inside the response.”
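The pattern the researchers describe, contrasted with a defensive implementation, as an added example that is not from the article or from Detectify's post. The reflecting handler copies KEY1 straight from the URL into the response; the stored handler serves only tokens the ACME client actually registered, from stored state, and under a non-renderable content type. The token, thumbprint and probe marker are constructed placeholders.

```python
import re
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url text; the length floor reflects the >=128 bits of entropy a CA uses.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")
NOT_FOUND: Response = (404, {"Content-Type": "text/plain"}, "not found")


def reflecting_handler(path: str, fixed_key2: str) -> Response:
    """The weak pattern from the article: KEY1 is copied from the URL into the body."""
    if not path.startswith(CHALLENGE_PREFIX):
        return NOT_FOUND
    key1 = path[len(CHALLENGE_PREFIX):]
    # Nothing about key1 is checked, and the body is served under a browser-renderable type.
    return 200, {"Content-Type": "text/html"}, f"{key1}.{fixed_key2}"


def stored_handler(path: str, challenges: Dict[str, str]) -> Response:
    """Hardened: only tokens the ACME client registered are served, and only from stored state."""
    if not path.startswith(CHALLENGE_PREFIX):
        return NOT_FOUND
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return NOT_FOUND
    key_authorization = challenges.get(token)
    if key_authorization is None:
        return NOT_FOUND  # unknown token: nothing from the request reaches the body
    headers = {
        "Content-Type": "text/plain; charset=us-ascii",  # never a renderable type
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, key_authorization


def reflects_request_input(handler: Callable[[str], Response]) -> bool:
    """Self-check for operators: does a well-formed but unregistered token come back in the body?"""
    marker = "probe-marker-never-issued"
    status, _, body = handler(CHALLENGE_PREFIX + marker)
    return status == 200 and marker in body


# Constructed sample state: the token and thumbprint are placeholders, not real ACME values.
SAMPLE_TOKEN = "AbCdEf0123456789-_AbCdEf"
SAMPLE_THUMBPRINT = "THUMBPRINT_PLACEHOLDER"
SAMPLE_CHALLENGES = {SAMPLE_TOKEN: f"{SAMPLE_TOKEN}.{SAMPLE_THUMBPRINT}"}
```

Running `reflects_request_input` against each handler returns `True` for the reflecting one and `False` for the stored one, which is the property a hosting provider would want to check on its own challenge endpoint.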

After discovering that the hosting firms had implemented the protocol in such a manner, the researchers focused their attention on circumventing various XSS mitigations, such as plain-text content types and web browsers’ built-in URL encoding and XSS auditor features.

“We found bypasses for all three cases and the issues were reported to two major web hosting companies, as it caused all their customers to be vulnerable,” they said.

Although the hosting firms in question have now fixed the vulnerabilities, Rosén and Särud said they have spotted flawed implementations on other sites, indicating that more service providers are vulnerable.

Ultimately, while Let’s Encrypt has proved to be extremely useful when it comes to automating TLS certificate issuance, ACME implementations must be carried out with care, as it’s clear that this additional functionality is not without its hazards.