Realist

Tuesday 10 April 2018, 16:16  #1
Highway to shell Invalid SSL cert

I don't want to give away too much, but I want to know if this is purposely part of the challenge or a misconfig.

The SSL cert on part of the site is not valid, and prevents local proxies and many other tools from interacting with the site.

Burp and ZAP both throw this error:

Empty issuer DN not allowed in X509Certificates

RFC3280 dictates "The issuer field MUST contain a non-empty distinguished name (DN)." The SSL cert is invalid and prevents manual testing of part of the challenge.

Can ghozt or someone chime in if this is by design or not? Not being able to replay requests presents a big headache from a testing perspective.
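
A quick way to confirm the condition behind the error quoted in the post above, as an added example that is not part of the thread: a standard-library Python walk of the certificate's DER that counts the RDNs in the issuer Name, where zero means an empty issuer DN. The helper names and both sample structures are constructed for illustration; the samples are unsigned and stop after the issuer field.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def expect(buf, pos, want):
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return start, end

def issuer_rdn_count(cert_der):
    """Walk Certificate -> TBSCertificate -> issuer and count its RDN SETs."""
    pos, _ = expect(cert_der, 0, 0x30)      # Certificate
    pos, _ = expect(cert_der, pos, 0x30)    # TBSCertificate
    if cert_der[pos] == 0xA0:               # optional explicit [0] version
        pos = read_tlv(cert_der, pos)[2]
    _, pos = expect(cert_der, pos, 0x02)    # serialNumber
    _, pos = expect(cert_der, pos, 0x30)    # signature AlgorithmIdentifier
    pos, end = expect(cert_der, pos, 0x30)  # issuer Name (SEQUENCE OF RDN)
    count = 0
    while pos < end:
        _, pos = expect(cert_der, pos, 0x31)  # each RDN is a SET
        count += 1
    return count

def tlv(tag, content):                      # builder for the constructed samples (short lengths only)
    return bytes([tag, len(content)]) + content

def sample_cert(issuer):
    """Constructed, unsigned test structure that stops after the issuer field."""
    sig_alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
    tbs = tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + sig_alg + issuer
    return tlv(0x30, tlv(0x30, tbs))

EMPTY_ISSUER = sample_cert(tlv(0x30, b""))  # issuer encoded as 30 00
CN = tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"example")))
NAMED_ISSUER = sample_cert(tlv(0x30, CN))   # issuer CN=example

if __name__ == "__main__":
    for name, der in (("empty issuer", EMPTY_ISSUER), ("CN=example", NAMED_ISSUER)):
        print(name, "->", issuer_rdn_count(der) or "empty issuer DN")
```

For a PEM file, convert it to DER first with `ssl.PEM_cert_to_DER_cert`.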

Tuesday 10 April 2018, 16:21  #2
ghozt
  • 5 posts

The fact that DN is empty has no relation with the challenge itself.
I don’t know Burp but maybe there is an option to disable certificate verification.

Tuesday 10 April 2018, 16:34  #3
und3ath
  • 7 posts

java -Djsse.enableSNIExtension=false -jar burpsuite.jar
maybe

Tuesday 10 April 2018, 16:54  #4

Thanks for the response @ghozt. It’s not just Burp and ZAP. Dirbuster too. So far the only thing I can get to work for fuzzing is dirb and curl (with -k option). If I have to manually fuzz this thing or script something from the ground up, I’m not sure how much time I will devote to this. Being able to use standard manual testing tools like a local proxy would be a huge help. I hope you guys consider renewing the cert to be valid and conform to the x509 standard.

Tuesday 10 April 2018, 17:02  #5

@und3ath

Tried that as well. Still fails to negotiate SSL. In Burp and ZAP all you can really do is allow for SSL pass through, which doesn’t let you intercept requests, so it’s wholly useless.

Friday 13 April 2018, 11:26  #6
mayfly
  • 6 posts

@Dr Russell Jimmies: The certificate problem should be fixed now.
Have fun :)

Friday 13 April 2018, 18:34  #7

@mayfly Thanks, I appreciate that.