Now every financial sector applications i.e. mobile or web, use one more security layer which is encryption mechanism so the attacker who able to intercept the traffic through any MITM tools can not able to understand the request data. When we do pen-testing we follow some methodology, we have to test each and every parameter and request. well as we all know attackers don't follow any rules or regulations, when they want to attack they will find the way to do it. So as keeping the mindset of the attacker, we will understand this kind of encryption mechanism, what developer thinks when they implement this? also what kind of mistakes they do? why they feel putting encryption means the application is secure? what makes them think that no one can break there logic? so they hide sensitive information behind the encryption. So keeping all above maybe some more cases in my mind, I prepared my own "Debugging methodology" for this, which I follow when I face this kind of scenarios https://nsconclave.net-square.com/cold-war-with-javascript.html

3. What is this talk about?
● JavaScript
● Brief About Js Engines
● DevTools (V8)
● Extra Security layer implemented inside banking application
● How to break it, fuzz it and bypass something?
● How to debug JavaScript based mobile application?
● How to debug Add-on or web browser extensions?
Don’t worry, this session will have lot of demos!!!

5. What you can do with JavaScript?

7. ● How Developers see it : Building stuff
● How Attackers see it : Breaking stuff
● Using JS, you can build a complete -
a. web/mobile applications.
b. Real-time networking apps (chats, video streamings).
c. Command line tools.
d. Games.
e. Desktop Application.
f. Windows 95 using electron.

9. Javascript vs ECMAScript?

10. Where does JavaScript code run?
● Browser Engines
● JavaScript engines (V8 for Chrome, spidermonkey for firefox etc.)
● Previously, we were able to run javascript inside browsers only.
● Later on, Node was developed (which is nothing but Javascript engine
outside browser).

11. Debugging
with
Chrome
DevTool

12. Debugging is the process of finding and fixing errors within a script

13. Debugger is your friend.
function hello(name) {
let phrase = `Hello, ${name}!`;
Debugger; //Let’s have a cup of Tea.
alert(phrase);
}

15. What Developer Thinks?

17. Proper Server
Side Validation
Encrypt the
Encrypted Data

18. Breaking and Bypassing

19. What?

20. How?

21. 1. Understand the application and It’s flow.

22. 2. When you found something, is it on client side?

24. 3. Look for all the files.

25. 4. Want to break encryption? Or bypass something?

26. 5. Find the Logic

27. We are fully charged now.

28. DEMO
Lets Debug!

32. 1. Monitor()
2. Debug()
3. Memory analysis
4. Network
5. Snippet
6. Extension based
7. console.save()
8. Save all Javascript file
…….

34. Fuzzing?

36. function fuzz(){
var textArea = document.getElementById('payloads');
var lines = textArea.value.split('n');
for (var j = 0; j < lines.length; j++) {
console.log('Payload: ' + lines[j]);
var mykey = "myKey123"
otpEncrypt = CryptoJS.AES.encrypt( lines[j],
mykey, {format: CryptoJSAesJson} );
$.post("otpvalidate.php",{
otp: otpEncrypt.toString()
},
function(res){
var data2 =
CryptoJS.AES.decrypt(JSON.stringify(res), mykey,
{format:
CryptoJSAesJson}).toString(CryptoJS.enc.Utf8);
var data = JSON.parse(data2);
console.log(data);
}

37. DEMO
Lets Fuzz!

41. Mobile
Applications

42. Mobile Application

43. Cordova and React:

44. Android Application Remote debugging

46. Debugging
Web Browser Extensions

47. chrome://extensions

48. about:debugging

51. Reality……….

52. Obfuscation:

53. Github: bhattsameer Twitter: sameer_bhatt5