bologna sabato 14 ottobre federico dotta
play

Bologna - Sabato 14 Ottobre Federico Dotta Se Securi rity Adviso - PowerPoint PPT Presentation

Sep 29, 2023 •40 likes •670 views

Bologna - Sabato 14 Ottobre Federico Dotta Se Securi rity Adviso isor r @ Media iaservic ice.n .net S. S.r.l .l. (fe federi rico.dotta@media iaservice.net) OSCP, CREST PEN, CSSLP 7+ years in Penetration Testing

  1. Bologna - Sabato 14 Ottobre

  2. Federico Dotta Se Securi rity Adviso isor r @ Media iaservic ice.n .net S. S.r.l .l. (fe federi rico.dotta@media iaservice.net) OSCP, CREST PEN, CSSLP • 7+ years in Penetration Testing • • Focused on application security Developer of sec tools: • https://github.com/federicodotta Trainer •

  4. • Custom compiled client • Fixed client (web browser) • Logic usually divided • Logic usually is mainly on between client and the backend components backend • Client-side application • Client-side application code usually is coded with code can be interpreted or interpreted languages compiled • Provisioned directly from • Provisioned from a trusted the application server third party

  5. It’s alm lmost im impossible to test a complex mobile application adequately without skills in: • Reversing (Java for Android but also ARM64 for iOS applications) • Instrumentation and debugging • Development of custom plugins for your favorite HTTP Proxy (Burp Suite, OWASP ZAP)

  6. 4 3 2 5 1 6

  7. 4 3 2 5 1 6

  8. 4 3 2 5 1. Set an HTTP proxy in the device. 1 2. Intercept data traffic 6 3. Test the backend!

  9. • Suite of tools that helps penetration testers during the assessment • Contains a lot of useful tools: HTTP Proxy, Intruder (fuzzer), a great automatic Scanner and a Repeater Tool • Furthermore, it offers an external server very useful to test external service interactions (Collaborator) and a very good session manager • It exports API to extend its functionalities, and consequently a huge number of plugins have been released by various developers that aid pentesters in almost every situation. • It It is is de-fa facto sta tandard fo for r web appli lication security te testing.

  10. 4 3 2 5 1 6

  11. 4 3 2 5 1. Install Burp Suite CA certificate in the device 1 2. Set Burp Suite as proxy in the device 6 3. Intercept data traffic 4. Test the backend!

  13. 4 3 2 5 1 6

  14. 4 3 2 5 Now complications start! We can try generic tools/scripts for pinning bypass, but often 1 we need to reverse the application and bypass the 6 check. For this task our favorite tool is Frida!

  15. • If If you are re lu lucky, several generic tools and scripts try to bypass SSL pinning implemented in common ways. • Android Example: Universal Android SSL Pinning Bypass with Frida (https://codeshare.frida.re/@pcipolloni/universal-android- ssl-pinning-bypass-with-frida/) • iOS Examples: Burp Suite Mobile Assistant (https://portswigger.net/burp/help/mobile_testing_using_ mobile_assistant.html) and SSL Kill Switch 2 (https://github.com/nabla-c0d3/ssl-kill-switch2)

  16. • But if you are not so lucky… it’s time to reverse the application! ▪ For Android applications: decompile dex and get Java code ▪ For iOS applications and Android native libraries: disassemble code with IDA Pro (https://www.hex-rays.com/products/ida/), Radare2 (https://github.com/radare/radare2) or Hopper (https://www.hopperapp.com/) • Once you locate the SSL Pinning code, you can patch the binary or you can dynamically modify code at runtime

  17. • Frida is a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. (cit. www.frida.re) • It is an amazing tool and it works both on iOS and on Android, allowing to inspect and modify running mobile code • The hooks are specified with JavaScript language and can be used for in instr trumenta tation and re repla lacement of Java and Objective-C functions

  19. 4 3 2 5 1 6

  20. 4 3 2 5 1. Install Burp Suite certificate in the device 2. Set Burp Suite as proxy in 1 the device 3. Bypass SSL Pinning 6 4. Ouch! All POST bodies are encrypted! :’(

  21. POST /login HTTP/1.1 Host: www.test.com … parameters=djshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfjsf jdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjndjskjcndjshfj dsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfjsfjdanjfndsjncjxknj skdnfjnjvxcnjkansdjksncxjndjskjcndjshfjdsvcxuchvjsdbfvjb jfndakfdshfcjxnnvdfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkans djksncxjndjskjcndjshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnv dfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjndjskjcn% 3d%3d

  22. SampleClass + (id)generatePostBody :(id) SampleClass + (id)getClearTextMessage :(id)

  23. SampleClass + (id)generatePostBody :(id) SampleClass + (id)getClearTextMessage :(id)

  24. SampleClass + (id)generatePostBody :(id) SampleClass + (id)getClearTextMessage :(id) … * generatePostBody input: {“username”:”test”,”password”:” testPassword ”} * generatePostBody output: djshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfjsfj danjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjndjsk jcndjshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfj sfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjnd jskjcndjshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnv dfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncx jndjskjcndjshfjdsvcxuchvjsdbfvjbjfndakfdshfcjx nnvdfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjks ncxjndjskjcn== …

  25. POST /login HTTP/1.1 Host: www.test.com … parameters=djshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfjsfjdanjfndsjn cjxknjskdnfjnjvxcnjkansdjksncxjndjskjcndjshfjdsvcxuchvjsdbfvjbjfnda kfdshfcjxnnvdfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjndjskjcn djshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfjsfjdanjfndsjncjxknjskdnf jnjvxcnjkansdjksncxjndjskjcndjshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnn vdfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjndjskjcn%3d%3d Reverse base64EncodedText = Base64(AES(clear-te text))

  26. POST /login HTTP/1.1 Host: www.test.com … parameters=djshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfjsfjdanjfndsjn cjxknjskdnfjnjvxcnjkansdjksncxjndjskjcndjshfjdsvcxuchvjsdbfvjbjfnda kfdshfcjxnnvdfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjndjskjcn djshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnnvdfjsfjdanjfndsjncjxknjskdnf jnjvxcnjkansdjksncxjndjskjcndjshfjdsvcxuchvjsdbfvjbjfndakfdshfcjxnn vdfjsfjdanjfndsjncjxknjskdnfjnjvxcnjkansdjksncxjndjskjcn%3d%3d Reverse base64EncodedText = Base64(AES(clear-te text)) KEY?

  27. … CCOperation: 0 (encrypt) CCAlgorithm: 0 (kCCAlgorithmAES128) CCOptions: 1 (kCCOptionPKCS7Padding ) Key: testPassword (in ASCII to make it more readable) Key length: 16 … And were is the key stored? Often it’s hard -coded in the binary !

  28. • Great! Now we have only to code a Burp Suite plugin to decrypt requests and responses and to re-encrypt them if modified • It seems simple, but it is not always so… We have to find a library that offers the same algorithm with the same parameters (padding, key size, etc.). Java Bouncy Castl tle is the way! • Many hours of coding work!

  29. • We want to write a Burp Suite plugin user-fr friendly enough to test this particular application. • We want to add a custom edita itable subtab containing the decrypted request/response • We want be able to modify the decrypted requests • It’s not an option: it’s the only way to test the backend!

  31. 4 3 2 5 1 6

  32. POST MESSAGE AES Clear-text JSON message RSA Random key SERVER PUBLIC key

  33. POST MESSAGE AES Clear-text JSON message RSA Random key SERVER PRIVATE key

  34. We don’t have We can’t decrypt the private key We can’t the body from necessary to decrypt the our custom- decrypt the random key written Burp Suite random key plugin. Stop.

  35. We don’t have We can’t decrypt the private key We can’t the body from necessary to decrypt the our custom- decrypt the random key written Burp Suite We have to random key plugin. Stop. fin ind another way .

  36. We can trap CCCrypt function with Frida (as seen before) and print the asymmetric keys before they are encrypted. Not t convenie ient. We need to pass to the plugin a new key fo for r every ry re request (if we try 20 SQL injection vectors we have to manually insert 20 keys in the plugin)

  37. We can replace the public key used for the encryption of the key (physically if it is stored on the device or with Frida) with a public key generated by us (as a classic MitM itM with ith SSL). This way, Burp can decrypt the random key, and re-encrypt it with the public key of the server. More convenie ient, but it requires more coding work, because the Burp Suite plugin has to deal also with public key encryption and not only with symmetric encryption.

  38. • Ok, and if we trap the function that generates the random values with Frida and replace the return value with a fixed string? For example 0x1111111111111111 ? • In this way we can write a plugin that encrypts/decrypts the JSON of every request with the chosen fixed key without considering the part of the asymmetric encryption at all! • And the pro roblem is is solv lved!

  39. • We spent t a lo lot of f tim time in in re reversin ing! • We spent t a lo lot of f tim time in in codin ing! • What if the application employs a custom encryption method? We need to reverse and re-implement in Java, Python or Ruby the custom encryption method. Very ry tim time consuming! • What if we can’t find a library that offers the same encryption/signature algorithm with the same parameters of the mobile application?

  41. 4 3 2 5 1 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CORS (In)Security HackInBo Winter Edition - Bologna, 27 Ottobre 2018 2 _ ABOUT Davide Danelon

CORS (In)Security HackInBo Winter Edition - Bologna, 27 Ottobre 2018 2 _ ABOUT Davide Danelon

CORS (In)Security HackInBo Winter Edition - Bologna, 27 Ottobre 2018 2 _ ABOUT Davide Danelon Founder & CEO @ BeDefended MSc. in Computer Engineering CCSK, GWAPT, Comptia Security+, CCNA OWASP Testing Guide

1.03k views • 43 slides
Page 1 Information Security In an Agile Environment Bologna 29 Ottobre 2016 Page 2 Welcome

Page 1 Information Security In an Agile Environment Bologna 29 Ottobre 2016 Page 2 Welcome

Page 1 Information Security In an Agile Environment Bologna 29 Ottobre 2016 Page 2 Welcome Giacomo Collini Director of Information Security @ King.com Page 3 Chi Sono 2002-2006 2006-2012 2014- Page 4 Chi Sono

805 views • 45 slides
Benvenuti al Mera-TeV! 4-5- -6 Ottobre 2011 6 Ottobre 2011 Sala POE di OAB a Merate Sala

Benvenuti al Mera-TeV! 4-5- -6 Ottobre 2011 6 Ottobre 2011 Sala POE di OAB a Merate Sala

Benvenuti al Mera-TeV! 4-5- -6 Ottobre 2011 6 Ottobre 2011 Sala POE di OAB a Merate Sala POE di OAB a Merate Lorenzo Sironi Lorenzo Sironi FATE DOMANDE! FATE DOMANDE! Le domande sono gradite, anche prima della fine dei

1.42k views • 113 slides
Decision Procedures for Algebraic Data Types with Abstractions Philippe Suter, Mirco Dotta and

Decision Procedures for Algebraic Data Types with Abstractions Philippe Suter, Mirco Dotta and

Decision Procedures for Algebraic Data Types with Abstractions Philippe Suter, Mirco Dotta and Viktor Kuncak Verification of functional programs proof counterexample (input, trace) sealed abstract class Tree case class Node(left: Tree, value:

694 views • 55 slides
Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello

Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello

Detecting Transcultural Identity in European Popular Crime Narratives Slides: Federico Pagello (University of Bologna) Mediating Italy in a Global 1 Project overview 1. What is DETECt ? 2. Who is DETECt ? 3. Why DETECt ? 4. DETECt

521 views • 18 slides
Loss minimization and parameter estimation with heavy tails Sivan Sabato # Daniel Hsu ? ?

Loss minimization and parameter estimation with heavy tails Sivan Sabato # Daniel Hsu ? ?

Loss minimization and parameter estimation with heavy tails Sivan Sabato # Daniel Hsu ? ? Department of Computer Science, Columbia University # Microsoft Research New England On the job marketdont miss this amazing hiring opportunity!

568 views • 40 slides
Software with the Quality that Has No Name Federico Mena Quintero federico@gnome.org Desktop

Software with the Quality that Has No Name Federico Mena Quintero federico@gnome.org Desktop

Software with the Quality that Has No Name Federico Mena Quintero federico@gnome.org Desktop Summit, Berlin, Aug/2011 Our house in the middle of our street FIXME: before/after pictures 1994 1999 Christopher Alexander 1977 Intimacy

1.19k views • 63 slides
Mechanisms of the Bologna Process WG of the BFUG The Ministerial Conferences Since the Bologna

Mechanisms of the Bologna Process WG of the BFUG The Ministerial Conferences Since the Bologna

Mechanisms of the Bologna Process WG of the BFUG The Ministerial Conferences Since the Bologna declaration (1999), Ministries are convinced that : the establishment of the European area of higher education requires constant support,

504 views • 24 slides
Playing with multi-critical systems: RG and CFT approaches in the -expansion in d>2 Gian

Playing with multi-critical systems: RG and CFT approaches in the -expansion in d>2 Gian

Playing with multi-critical systems: RG and CFT approaches in the -expansion in d>2 Gian Paolo Vacca INFN - Bologna Cagliari , 11 Ottobre 2017 1 Based on A. Codello, M. Safari, G.P.V., O. Zanusso JHEP 1704 (2017) 127

552 views • 42 slides
Defining sustainable and qualitative growth Sebastiano Sabato Observatoir ire social europen

Defining sustainable and qualitative growth Sebastiano Sabato Observatoir ire social europen

Ter Munk working group: Qualitative growth a focus on social partners ACW, Zaal de B Bond, , Leuven 12 and 13 November 2013 Defining sustainable and qualitative growth Sebastiano Sabato Observatoir ire social europen (OSE) CONTENTS *

379 views • 18 slides
Large scale agreements via Microdebates Simone Gabbriellini and Paolo Torroni Department of

Large scale agreements via Microdebates Simone Gabbriellini and Paolo Torroni Department of

Large scale agreements via Microdebates Simone Gabbriellini and Paolo Torroni Department of Informatics: Science & Engineering (DEIS) University of Bologna marted 16 ottobre 12 Debating online Web 2.0 platforms have rapidly become a

598 views • 24 slides
10-11-12 Ottobre 2016 Palazzo Bonin Longare Vicenza Terapia an)coagulante orale:

10-11-12 Ottobre 2016 Palazzo Bonin Longare Vicenza Terapia an)coagulante orale:

10-11-12 Ottobre 2016 Palazzo Bonin Longare Vicenza Terapia an)coagulante orale: tra1amento delle complicanze emorragiche Vi#orio Pengo Clinica Cardiologica Universit di Padova POTENTIAL

526 views • 16 slides
Gossipping in Bologna Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA

Gossipping in Bologna Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA

Gossipping in Bologna Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Background 2003: Mrk Jelasity brings the gossipping gospel to Bologna from Amsterdam 2003-2006: We get good milage from gossipping in the

596 views • 47 slides
Machine Translation: An Overview Marcello Federico FBK, Trento - Italy 2014 M. Federico MT

Machine Translation: An Overview Marcello Federico FBK, Trento - Italy 2014 M. Federico MT

Machine Translation: An Overview Marcello Federico FBK, Trento - Italy 2014 M. Federico MT 2014 Outline 1 Introduction Motivation Approaches Brief history Evaluation State-of-the-art Examples References: P.

635 views • 41 slides
Machine Translation: An Overview Marcello Federico FBK, Trento - Italy 2013 M. Federico MT

Machine Translation: An Overview Marcello Federico FBK, Trento - Italy 2013 M. Federico MT

Machine Translation: An Overview Marcello Federico FBK, Trento - Italy 2013 M. Federico MT 2013 Outline 1 Introduction Motivation Approaches Brief history Evaluation State-of-the-art Examples References: P.

692 views • 41 slides
VISUALISATION AND ESERA Conference, University of Bologna, Bologna, Italy, SPATIAL THINKING IN

VISUALISATION AND ESERA Conference, University of Bologna, Bologna, Italy, SPATIAL THINKING IN

VISUALISATION AND ESERA Conference, University of Bologna, Bologna, Italy, SPATIAL THINKING IN June 26-30, 2019 PRIMARY STUDENTS UNDERSTANDINGS OF ASTRONOMY Presenters : Russell Tytler 1 , Peta White 1 , and Joanne Mulligan 2 1. Deakin

425 views • 31 slides
The Mythos Project: The Mythos Project: a distance learning experience a distance learning

The Mythos Project: The Mythos Project: a distance learning experience a distance learning

The Mythos Project: The Mythos Project: a distance learning experience a distance learning experience in the field of lyric music in the field of lyric music P. Castoldi, A. Morelli, P. Vascelli TERENA Networking Conference (TNC 2003) cnit

463 views • 13 slides
Reduction and Approximation of Multidimensional Persistent Homology Massimo Ferri 1 , 2 1 Dip. di

Reduction and Approximation of Multidimensional Persistent Homology Massimo Ferri 1 , 2 1 Dip. di

Reduction and Approximation of Multidimensional Persistent Homology Massimo Ferri 1 , 2 1 Dip. di Matematica, Univ. di Bologna, Italia 2 ARCES - Vision Mathematics Group, Univ. di Bologna, Italia ferri@dm.unibo.it GETCO 2010 Geometric and

1.39k views • 85 slides
Description Logics Description Logics and Databases Enrico Franconi Department of Computer

Description Logics Description Logics and Databases Enrico Franconi Department of Computer

1 + Description Logics Description Logics and Databases Enrico Franconi Department of Computer Science University of Manchester http://www.cs.man.ac.uk/~franconi + + 2 + Description Logics and Databases Queries Conceptual

503 views • 39 slides
Arc Routing, Vehicle Routing, and Turn Penalties Thibaut Vidal Departamento de Inform atica,

Arc Routing, Vehicle Routing, and Turn Penalties Thibaut Vidal Departamento de Inform atica,

Arc Routing, Vehicle Routing, and Turn Penalties Thibaut Vidal Departamento de Inform atica, Pontif cia Universidade Cat olica do Rio de Janeiro Rua Marqu es de S ao Vicente, 225 - G avea, Rio de Janeiro - RJ, 22451-900,

889 views • 68 slides
2 . Neutrinos from the Sun and from stellar gravitational collapse M. Spurio Universit e INFN

2 . Neutrinos from the Sun and from stellar gravitational collapse M. Spurio Universit e INFN

2 . Neutrinos from the Sun and from stellar gravitational collapse M. Spurio Universit e INFN Bologna XXVIII SEMINARIO NAZIONALE di FISICA NUCLEARE E SUBNUCLEARE "Francesco Romano" OTRANTO (Serra degli Alimini 1) 3-10 giugno 2016

909 views • 56 slides
Output Processing PrintStream System.out Files Output Files PrintStream Class

Output Processing PrintStream System.out Files Output Files PrintStream Class

Output Processing PrintStream System.out Files Output Files PrintStream Class System.out is a PrintStream! We generally use it to output to the console: System.out.println( Hello W orld!) ; System.out.print (E nter name:

231 views • 21 slides
An exact algorithm for separable non-convex MINLPs Claudia DAmbrosio Jon Lee achter

An exact algorithm for separable non-convex MINLPs Claudia DAmbrosio Jon Lee achter

An exact algorithm for separable non-convex MINLPs Claudia DAmbrosio Jon Lee achter Andreas W University of Bologna IBM T.J. Watson Research Center, NY. Part of this research was carried out while the first author was intern

1.13k views • 69 slides
Multi-Agent Oriented Programming Introduction The JaCaMo Platform O. Boissier 1 R.H.

Multi-Agent Oriented Programming Introduction The JaCaMo Platform O. Boissier 1 R.H.

Multi-Agent Oriented Programming Introduction The JaCaMo Platform O. Boissier 1 R.H. Bordini 2 J.F. Hbner 3 A. Ricci 4 1. Ecole Nationale Suprieure des Mines (ENSMSE), Saint Etienne, France 2 Pontificia Universidade Catolica do Rio

1.01k views • 76 slides

More recommend