_posts/2021-08-05-oauth2-attacks-client.md
+16-16
@@ -5,7 +5,7 @@ date: 9999-08-03 10:00:00
5
5
categories: [Topic, OAuth2]
6
6
toc: true
7
7
author: paoloserra
8
-
img_path: /images/
8
+
media_subpath: /images/
9
9
image:
10
10
src: wallpapers/jujutsukaisen.jpeg
11
11
---
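Review bot: the `img_path` to `media_subpath` rename is applied identically in all five posts of this commit and the value `/images/` is untouched, so the only thing to confirm is that the deployed theme version recognizes the new key. Secondary point in the same front matter: this post declares its cover as `image: src: wallpapers/jujutsukaisen.jpeg`, while every other post in the commit uses `image: path: wallpaper.jpeg`; since the front matter is being edited anyway, aligning on one key would make all posts resolve the cover image the same way.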
@@ -33,27 +33,27 @@ The typical scenario for this attack requires that the target website allows use
33
33
*1° Scenario*
34
34
: Register a new account with the victim's email on the target website. From this time, you own the credentials but still not the account takeover, because an email verification will be probably required. When the victim registers himself by using OAuth (with Facebook or Google, for example), this authorization will bypass the verification required and you will have another way to log in with the victim's account.
35
35
36
-
| Functional Requirements |
37
-
|:------------------------------------|
38
-
| Multiple Authentication Methods |
36
+
| Functional Requirements |
37
+
|:------------------------------|
38
+
| Multiple Authentication Methods |
39
39
40
40
41
41
*2° Scenario*
42
42
: First of all, this scenario depends on how the website manages the linking process. It might use IDs parameters, xxx or yyy. What I can suggest, it's seeing the workflow and trying to find out if the process is flawed. For example, if IDs are used to tie the third-party profile to the account, try changing them with the victim's id, thus the victim will have his account tied to the attacker's account.
43
43
44
-
| Functional Requirements |
45
-
|:------------------------------------|
46
-
| Link a third-party Account in the profile page |
44
+
| Functional Requirements |
45
+
|:--------------------------------------------- |
46
+
| Link a third-party Account in the profile page |
47
47
48
48
49
49
50
50
*3° Scenario*
51
51
: Register a new account on the OAuth Provider with the victim’s email (even if email verification is required), then log in to the target website via OAuth with the account just created (with the victim’s email) and see what the target website does. Obviously, the victim must have already a registered account on the website and signed up via email. If you’re lucky, it logs you in the victim's account.
52
52
53
-
| Functional Requirements |
54
-
|:------------------------------------|
55
-
| The victim signed up by email |
56
-
| The victim doesn't have an account on the Authorization Server |
| Need to have an external app that uses the same OAuth Provider |
187
187
188
188
From Facebook Documentation:
189
189
> To understand how this happens, imagine a native iOS app that wants to make API calls, but instead of doing it directly, communicates with a server owned by the same app and passes that server a token generated using the iOS SDK. The server would then use the token to make API calls. The endpoint that the server uses to receive the token could be compromised and others could pass access tokens for completely different apps to it. This would be obviously insecure
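Review bot: the third scenario's table at the end of this hunk shows only removed lines (`| Functional Requirements |`, `| The victim signed up by email |`, `| The victim doesn't have an account on the Authorization Server |`) with no `+` counterpart visible, unlike the first two tables where the reformatted rows follow directly; confirm the rewritten three-row table was added back and that `| Need to have an external app that uses the same OAuth Provider |` still belongs to it. Minor: the new separator for the second table, `|:--------------------------------------------- |`, carries a stray space before the closing pipe that the other separators do not; kramdown tolerates it, but it undercuts the cleanup this hunk is doing.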
_posts/2022-06-02-black-box-mindset.md
+2-2
@@ -5,7 +5,7 @@ date: 9999-06-02 10:00:00
5
5
categories: [Topic, Mindset]
6
6
toc: true
7
7
author: paoloserra
8
-
img_path: /images/black-box-mindset
8
+
media_subpath: /images/black-box-mindset
9
9
image:
10
10
path: wallpaper.jpg
11
11
---
@@ -23,4 +23,4 @@ Prova ad immaginarti all'interno di una grande bolla dove ci sei solo tu e l'app
23
23
24
24
Durante un test black box, non si è a conoscenza di nulla, quindi i primi step da seguire sono basati tutti su un unica filosofia: intuire come l'applicazione si sposta (funziona). Se l'obiettivo finale è quello di scovare più vulnerabilità possibili, non si può pensare di andare a cercarle, perchè ti perderesti facilmente, ciò è dovuto a causa di tanti fattori. Una vero predatore conoscere la sua preda, e se abbastanza furbo, sa che non è lui che deve andare a cercarla, ma deve fare in modo che è la preda stessa che si avvicina a lui. Ormai è una cosa dimostrata, ma per raggiungere delle risposte bisogna porsi delle domande, per questo il mindset dovrebbe essere un "fisso rispondere" a what-how: cosa è questo e come funziona. Una volta che sei pienamente coscente di cosa qualcosa è e come essa funziona, allora le intuzioni vengono da loro, così come le vulnerabilità. Un consiglio è prendere note, per assicurarsi di capire a pieno cosa si ha davanti e farcelo entrare in testa.
25
25
26
-
Spendere parecchio tempo a conoscere l'applicazione è davvero l'unico modo per
26
+
Spendere parecchio tempo a conoscere l'applicazione è davvero l'unico modo per
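Review bot: the removed and added line 26 (`Spendere parecchio tempo a conoscere l'applicazione è davvero l'unico modo per`) are identical as rendered, so this is a whitespace-only change (trailing space or line ending); either say so in the commit or drop it so the diff stays limited to the `media_subpath` rename. While here, the unchanged line 24 has several typos worth fixing in the same pass: `un unica` (un'unica), `Una vero predatore conoscere` (Un vero predatore conosce), `coscente` (cosciente), `intuzioni` (intuizioni).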
_posts/2022-08-01-mariana_trench.md
+11-11
@@ -5,7 +5,7 @@ date: 2022-09-07 10:00:00
5
5
categories: [Mobile Security, Mariana Trench]
6
6
toc: true
7
7
author: paoloserra
8
-
img_path: /images/mariana-trench/part_1
8
+
media_subpath: /images/mariana-trench/part_1
9
9
image:
10
10
path: wallpaper.jpeg
11
11
---
@@ -224,15 +224,15 @@ At this point, we can decide which flow we are more interested in:
224
224
225
225
Let's start with the first one. At the moment, Facebook already offers some default sources and sinks with the corresponding ***kind*** (listed in the table below), but none of them concerns a model that deals with input from deep links. For this reason, we are going to create one that fits with the source and sink we are looking for.
226
226
227
-
| Kind (Sources) | Kind (Sinks) |
228
-
|:--- |:----|
229
-
|ActivityUserInput | LaunchingComponent|
230
-
|FragmentUserInput |CodeExecution|
231
-
|ReceiverUserInput |FileResolver|
232
-
|IntentCreation |InputStream|
233
-
|SensitiveCookieData |SQLQuery|
234
-
|ProviderUserInput |SQLMutation|
235
-
|ServiceUserInput |WebView|
227
+
| Kind (Sources) | Kind (Sinks) |
228
+
|:------------------ | :----------------- |
229
+
|ActivityUserInput | LaunchingComponent|
230
+
|FragmentUserInput | CodeExecution|
231
+
|ReceiverUserInput | FileResolver |
232
+
|IntentCreation | InputStream|
233
+
|SensitiveCookieData | SQLQuery |
234
+
|ProviderUserInput | SQLMutation |
235
+
|ServiceUserInput | WebView |
236
236
237
237
238
238
We have to create our source and sink. The following is a basic structure of the JSON file for writing a model:
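Review bot: since the point of this hunk is to tidy the kind table, the new rows should be padded uniformly; as written, `|ActivityUserInput | LaunchingComponent|` and `|IntentCreation | InputStream|` have no space before the closing pipe while `|ReceiverUserInput | FileResolver |` and `|SensitiveCookieData | SQLQuery |` do, and every first cell still begins with `|Name` without a leading space. Suggested shape for each row: `| ActivityUserInput | LaunchingComponent |`. The relocated colon in the new separator (`| :----------------- |`) still means left-aligned, so rendering is unchanged either way. One content point: the two columns are independent lists of source kinds and sink kinds, not source-to-sink pairs; a sentence saying so next to "listed in the table below" would stop readers pairing `SensitiveCookieData` with `SQLQuery` by row.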
@@ -367,4 +367,4 @@ I showed you a pretty simple example that should have taught you the fundamental
_posts/2022-09-30-mariana_trench_part_2.md
+13-13
@@ -5,7 +5,7 @@ date: 2023-02-12 10:00:00
5
5
categories: [Mobile Security, Mariana Trench]
6
6
toc: true
7
7
author: paoloserra
8
-
img_path: /images/mariana-trench/part_2/
8
+
media_subpath: /images/mariana-trench/part_2/
9
9
image:
10
10
path: wallpaper.jpeg
11
11
width: 100%
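Review bot: `media_subpath: /images/mariana-trench/part_2/` is the only one of the five renamed paths in this commit that ends with a trailing slash (`part_1` and `part_3` do not); pick one convention so that the join with relative file names such as `wallpaper.jpeg` is predictable across the series rather than depending on how the theme concatenates the two.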
@@ -76,12 +76,12 @@ Once all the models are generated, Mariana does its job and produces a result th
76
76
#### Minimize the false positives
77
77
Basically, we designed two models based on the ***name*** constraint, which treats the method as a source only if the item contains the specified value. It doesn't care about the class, the arguments' types, or the return value. Each method starting with the ```getQueryParameter``` or the ```putString``` string is treated as a source.
Let's try to be more efficient. When you define a constraint, you have more options:
87
87
-*signature* : specify a regex to fully match the full signature of the target method.
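Review bot: the hunk header (`@@ -76,12 +76,12 @@`) reports twelve lines on each side, but only the unchanged context lines 76, 77 and 87 are visible here, so the actual edit cannot be reviewed from this view; expand the hunk. On visible line 87, `-*signature* : specify a regex to fully match the full signature of the target method` shows no space after the leading hyphen; if that is how the source reads, kramdown will render it as a paragraph starting with a literal `-` rather than a bullet, so it should be `- *signature*: ...`. Also, `fully match the full signature` is redundant; `fully match the signature` reads better.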
@@ -185,12 +185,12 @@ The JSON definition of our model has been increased a bit. Let me give you some
185
185
186
186
After tuning, we can say we achieved our goal of minimizing false positives. We are now sure that we have defined a model that handles the methods held by the proper classes.
In the next episode, we will focus on the SAPP UI to better understand what we can achieve along with it that cannot be with Mariana itself. Additionally, we will backtrack on [Step 2](/posts/mariana_trench/#step-2) and [Step 3](/posts/mariana_trench/#step-3) to generate the necessary rules to complete the first challenge of the Ovaa application with minimal effort and without having to go deeper into the source code to spot the issue.
_posts/2023-06-02-mariana_trench_part_3.md
+2-2
@@ -5,7 +5,7 @@ date: 9999-01-01 10:00:00
5
5
categories: [Mobile Security, Mariana Trench]
6
6
toc: true
7
7
author: paoloserra
8
-
img_path: /images/mariana-trench/part_3
8
+
media_subpath: /images/mariana-trench/part_3
9
9
image:
10
10
path: wallpaper.jpeg
11
11
---
@@ -23,4 +23,4 @@ It's time to level up and explore some other features beyond sources and sinks.
23
23
24
24
- analizzeremo la UI
25
25
- minimizzare i falsi positivi usando i filter sulla UI (si può fare concatenando le regole? Forse l'unico modo è con le feature) features in action
26
-
- scriveremo la regola per trovare "a flow where data stored in the shared preferences are processed in an HTTP request" e cercheremo di creare una regola unica per identificare l'insieme dei due flow analizzati: input che proviene dal deeplink salvato nelle shared preferences, poi recuperato e mandato in una richiesta http.
26
+
- scriveremo la regola per trovare "a flow where data stored in the shared preferences are processed in an HTTP request" e cercheremo di creare una regola unica per identificare l'insieme dei due flow analizzati: input che proviene dal deeplink salvato nelle shared preferences, poi recuperato e mandato in una richiesta http.
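Review bot: the removed and re-added line 26 (`- scriveremo la regola per trovare ...`) are identical as rendered, so this is a whitespace-only change, the same as in the black-box-mindset post; mention it in the commit or drop it. The surrounding lines 24 to 26 are planning notes in Italian (`analizzeremo la UI`, `minimizzare i falsi positivi ...`, with an open question left in parentheses) inside an English post whose `date: 9999-01-01` keeps it unpublished; they need to be resolved or translated before the date is set, and touching the line now without addressing that is wasted churn.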
@@ -23,13 +23,13 @@ Episode of [Fighting with Frameworks](/posts/mobile-security-fighting-with-frame
23
23
24
24
Apache Cordova (aka PhoneGap) is an open-source mobile development framework. It allows you to use standard web technologies - HTML5, CSS3, and JavaScript for cross-platform development. Applications execute within wrappers targeted to each platform and rely on standards-compliant API bindings to access each device's capabilities such as sensors, data, network status, etc. Cordova doesn't offer any UI
|**UI Engineering**|Code Sharing for the cost of native experience |
33
33
34
34
### Detecting app
35
35
@@ -49,18 +49,18 @@ Android
49
49
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } use ***Bettercap*** to set up an ARP Poisoning attack
50
50
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } use ***NoPE Proxy*** (Burp extension) to carry on a DNS Spoofing attack
51
51
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } set up an Access Point and connect the iOS device to it
52
-
-{: .shadow width="35" height="35" } use ProxyDroid App
53
-
-{: .shadow width="35" height="35" } in case of “client isolation” activated in the Wireless network and the iOS device and your laptop are not able to communicate: use SSH remote port forwarding
52
+
-{: .shadow width="35" height="35" } use **ProxyDroid** app
53
+
-{: .shadow width="35" height="35" } in case of **client isolation** enabled in the network and the iOS device and your laptop are not able to communicate: use SSH remote port forwarding
54
54
-{: .shadow width="35" height="35" } use the `/etc/hosts`{: .filepath} file to make the target domain point to the IP address of your interception proxy.
55
55
56
56
57
57
iOS
58
58
: - {: .shadow width="35" height="35" } {: .shadow width="35" height="35" } use the local proxy settings (WiFi settings)
59
-
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } set up a VPN Server and implement the IPTables rules to forward all incoming traffic on 80 and 443 ports to the proxy host and port. Lastly, download OpenVPN Client on the device
59
+
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } set up a VPN Server and implement the IPTables rules to forward all incoming traffic on 80 and 443 ports to the proxy host and port. Lastly, download OpenVPN Client on the device.
60
60
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } use ***Bettercap*** to set up an ARP Poisoning attack
61
61
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } use ***NoPE Proxy*** (Burp extension) to carry on a DNS Spoofing attack
62
62
-{: .shadow width="35" height="35" } {: .shadow width="35" height="35" } set up an Access Point and connect the iOS device to it
63
-
-{: .shadow width="35" height="35" } in case of “client isolation” activated in the Wireless network and the iOS device and your laptop are not able to communicate: use SSH remote port forwarding
63
+
-{: .shadow width="35" height="35" } in case of **client isolation** enabled in the network and the iOS device and your laptop are not able to communicate: use SSH remote port forwarding
64
64
-{: .shadow width="35" height="35" } use the `/etc/hosts`{: .filepath} file to make the target domain point to the IP address of your interception proxy.
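Review bot: the Android list is still wrong on a line this hunk rewrites: the new line 53, `... in case of **client isolation** enabled in the network and the iOS device and your laptop are not able to communicate`, sits under the `Android` heading (lines 49 to 55, before `iOS` at line 57) and should refer to the Android device; the same copy-paste slip is in the unchanged Android line 51, `set up an Access Point and connect the iOS device to it`. Since the Android and iOS lists otherwise repeat the Bettercap, NoPE Proxy, access point, SSH remote port forwarding and `/etc/hosts` items verbatim, a shared list with only the platform-specific entries kept separate (ProxyDroid for Android; Wi-Fi proxy settings and the VPN route for iOS) would avoid fixing the same wording twice, as this hunk already had to do for the client isolation line.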