Simple script for testing CVE-2016-2402 and similar flaws

ikoz/cert-pinning-flaw-poc

cert pinning flaw POC

Simple POC script for testing CVE-2016-2402 and similar flaws. Read my blog post for details.

This utility sets up an HTTPS server that serves a malicious certificate chain to the client for a specific domain.

If traffic from an app with a vulnerable certificate pinning implementation is redirected to this server, the pinning control will be bypassed and you should be able to see a GET or a POST request in the server console.

By default, this uses a hardcoded CA certificate and key (CA_CERT.pem and CA_KEY.pem files).

You can change these; use the following command to generate a new pair:

openssl req -x509 -days 1825 -nodes -newkey rsa:2048 -outform pem -keyout CA_KEY.key -out CA_CERT.pem

You will want to install CA_CERT.pem on the platform being tested.

John Kozyrakis
