So you’ve been given a web app to pentest. Maybe it’s a banking app or a document workflow system. Either way, you need to make sure it’s secure. Modern web applications have a large attack surface, and testing everything by hand is inefficient. That’s where fuzzers come in handy. A fuzzer generates new inputs from a seed and feeds them to the program under test. Fuzzing can quickly surface areas that are worth closer examination.
If you’ve been reading my blog since the start, you’ll remember Judas, the pluggable open-source phishing proxy. I wrote Judas to prove a point on an engagement once, and unfortunately neglected it afterwards. (Side note: Go’s comprehensive standard library makes it easy to toss together a proof of concept on an engagement). I’ve had a lot more time to write code in lockdown so I decided to show Judas some love.
Judas is a reverse proxy for red team phishing engagements based on Go’s httputil.ReverseProxy. …
We’ve all heard about algorithmic trading in the news. It sounds great! You think of a program making money for you while you sip Mai Tais and smoke the finest ganja on the beach in Jamaica. I’m going to show you how you can do it yourself with TD Ameritrade and a laptop.
Before we start, you need to know that great reward comes with great risk. Don’t do this with money you’re not willing to lose.
The first thing you’ll need is a TD Ameritrade account. You don’t need to be a US citizen to get an account, and…
Smartphones have become an extension of our bodies. We use mobile apps for everything from sending money to shooting movies, but for the most part, apps are black boxes. On Android, apps can request information about installed apps and their components from the PackageManager. You can see what an Android app is made of using APK Explorer.
Every Android version comes with Easter Eggs, hidden apps that are interesting to some enthusiasts. APK Explorer makes finding Easter Eggs easy, by displaying them in the list of apps instead of having to search through random tap combinations in the Android UI.
I’ve been experimenting with WireGuard as a VPN to protect my internet traffic from local snoopers and to communicate between all my devices as if they were on the same network.
WireGuard was designed with mobile devices in mind. It uses battery-friendly cryptography, and the protocol handles endpoints that change IP address seamlessly. It is ideal for exposing local development servers on my laptop to my iPhone, but deploying configuration to a device is a manual and time-consuming process.
The cloak and dagger attack exploits a combination of drawing over other apps and the high level of access to other apps given to accessibility services on Android. It is a simple yet effective technique being exploited in the wild today by cybercriminals.
The cloak and dagger attack takes advantage of two Android permissions:
SYSTEM_ALERT_WINDOW is used to draw over other Android apps. If an app installed from the Play Store requests this permission in its AndroidManifest.xml file, it will automatically be granted by the system. This forms the first building block of the…
Your target has an Android application and you want to walk through their API to check for server-side vulnerabilities. You configure the emulator to use Burp Suite as a proxy and begin using the app.
Suddenly, the app stops working. Nothing shows in Burp and no HTTPS requests work. The developers have implemented SSL pinning and your phony certificate has been detected. Fortunately, SSL pinning can be disabled if you’re willing to get your hands dirty.
First, you need to decompile the app. Apktool works great for this, and it’s available on all…
Postman is an excellent API testing tool for developers, QA testers and penetration testers. Its UI allows you to easily send HTTP requests and see responses, but it’s also a great automation tool.
In the last post, Judas got SOCKS proxy and SSL support to make the proxy sneakier, but all the proxy can do is dump the requests and responses to the console. What if the red teamer wants to send the requests to a logging REST API? Luckily, Go can help with its standard library plugin package.
To make plugins work, we first need to define a contract for plugins to implement. Plugins may need to do some kind of setup, like reading configuration from command line flags, and they will need to process each HTTP request-response transaction.
DISCLAIMER: This post is for educational purposes only. Cybercrime is stupid and will probably have you wasting your talents in prison.
In the last post, I showed how to make a phishing proxy to automate red team phishing engagements. While the proxy works, it does not natively support SSL and can easily be blocked if the target website blocks requests coming from the proxy’s IP address. In this installment, I’ll cover how to make the proxy compatible with SSL and add SOCKS5 proxy support so the server’s IP won’t show up in the target’s logs.
I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.