SlideShare uma empresa Scribd logo

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

Ajin Abraham
Ajin Abraham

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Celular
1 de 38
Baixar para ler offline
Ajin Abraham Automated Mobile Application Security Testing with Mobile Security Framework
About Me !   Security Consultant @ Yodlee !   Security Engineering @ IMMUNIO !   Next Gen Runtime Application Self Protection (RASP) !   Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework. !   Teach Security via https://opsecx.com !   Blog about Security: http://opensecurity.in
The Takeaways !   A FREE and Open Source Security Tool for Mobile App Security Assessment. !   Mobile App Pentesters/Mobile Malware Analysts - How to make your job easier with MobSF. !   Developers – Build secure mobile Apps identifying vulnerabilities at all stages of development. (SDLC Integration) !   Web Pentesters – REST API Fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.
Agenda !   What is MobSF? !   MobSF Architecture !   Static Analyzer !   Dynamic Analyzer !   Web API Fuzzer !   Static Analysis !   Static Analysis & some Statistics !   Top Indian Bank Mobile Apps !   Top Indian Wallet Mobile Apps !   Observations !   Dynamic Analysis !   Dynamic SSL Testing !   Exported Activity Tester !   Challenges in Dynamic Analysis !   Dynamic Analysis on Custom VM/ Rooted Android Device. !   Web API Fuzzer !   Vulnerabilities API Fuzzer detects. !   Explains the API Fuzzer Logic. !   Conclusion
What is MobSF? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end to end security testing of mobile Apps. Android iOS
Hosted in your environment. Your application and data is never send to the cloud.
MobSF Architecture
Static Analyzer Mobile Security Framework INPUT OUTPUT REPORT
Demo Static Analysis & Report Generation (Diva)
Static Analysis & Some Statistics !   Static Analysis on Top Financial Apps - Criteria !   SSL bypass in Native Code !   SSL bypass in WebView !   Remote Web View Debugging !   Hardcoded Secrets
Top Indian Bank Apps Analyzed
Face palm
Top Indian Wallet Apps Analyzed
Observations !   State of Mobile App Security, Not evolved as Web Security. !   Most common issue is SSL Bypass in (Both Native Code and WebView) !   SSL Error bypassed in WebViews are really really bad.
Real-world Exploitation
Dynamic Analyzer Mobile Security Framework INPUT Android VM Or Android Device REPORT OUTPUT
Dynamic Analyzer - Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data Agent Collected Information Start HTTP(S) Web Proxy
DEMO (LOCX)
Dynamic SSL Testing !   Dynamically verify if SSL connections are securely implemented. !   Disable JustTrustMe and Remove MobSF Root CA. !   If you can still access the decrypted HTTPS Web Traffic then that means the app is bypassing SSL errors.
Exported Activity Tester !   Android Exported Activities. DEMO
Challenges in Dynamic Analysis !   Some Android Apps are built with security in mind. !  Anti VM Detection !  Anti Root Detection !  Anti MITM with Certificate Pinning. !  Some Apps / Malwares have sophisticated methods to detect Virtual Machines.
How to deal with these Challenges !   API overriding with Xposed Framework !  Anti VM Detection Bypass –> Android Blue Pill !  Anti Root Detection Bypass -> RootCloak !  Anti MITM Certificate Pinning Bypass -> JustTrustMe !   APK smali Patching. !   For sophisticated apps and malware, Use a real device for dynamic analysis.
Dynamic Analysis on Device ! MobSFy Script – Convert your VM/ Device to support MobSF Dynamic Analysis !   Documentation here: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki/2.-Configure-MobSF-Dynamic-Analysis- Environment-in-your-Android-Device-or-VM !   DEMO : Weak Crypto !   Java - String hashCode() Method !   s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
Web API Fuzzer •  Login API •  Pin API •  Register API •  Logout API Select •  Select Scope URLs of Scan •  Select Scope Vulnerabilities Web API Fuzzing Logic REPORT OUTPUT Web Request DB
Fuzzing REST APIs !   Why most web scanners suck at API Testing? !   We have knowledge about the application and generic API routes (Login, Logout, Register). !   So we use more of Whitebox approach than Blackbox approach. !   Detects vulnerabilities like IDOR, SSRF and XXE.
What We Detect !   XXE !   SSRF !   IDOR !   Directory Traversal or Path Traversal !   Logical and Session Related !   API Rate Limiting
How we Detect
SSRF & XXE API Server Web API Fuzzer MobSF Cloud Server Cloud Server: APITester/cloud/cloud_server.py
Insecure Direct Object Reference (IDOR) !   Without Credentials. !   With multiple user credentials (needs two login attempts) Web API Fuzzer API Server Request with Auth Header/ Cookie Request without Auth Header/ Cookie API Server Web API Fuzzer Request with User1’s Auth Header/Cookie Repeat the Request with a User2’s Auth Header/Cookie
Session Related Checks Web API Fuzzer API Server Calls Logout API Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie
Rate Limiter Web API Fuzzer API Server Brute force Login API and Register API
Other Checks !   Security Headers and Info Gathering !   Directory/ Path Traversal
DEMO
What's Coming Soon? !   Windows App Security Analyzer. !   iOS App Dynamic Analysis. !   API Fuzzer to support detection of SQLi and RCE. !   Export Proxy logs to BurpSuite/IronWASP/ZAP
Stakeholders !   Looks like people are interested! !   Bugs opened and Closed
Useful Links !   Source: https://github.com/ajinabraham/Mobile-Security-Framework !   Issues: https://github.com/ajinabraham/Mobile-Security-Framework/ issues !   Documentation: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki !   Video Course: https://opsecx.com/index.php/product/automated-mobile- application-security-assessment-with-mobsf/
QA @ajinabraham ajin25@gmail.com Thanks & Credits •  Sachinraj Shetty •  Kamaiah Nadavala •  Bharadwaj Machiraju •  Yashin Mehboobe •  Anto Joseph •  Tim Brown •  Thomas Abraham •  Graphics/Image Owners

Recomendados

Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
BGA Cyber Security
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
apidays
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 

Recomendados

Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
BGA Cyber Security
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
apidays
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
Deepu S Nath
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
Security testing
Security testingSecurity testing
Security testing
Tabăra de Testare
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
Fadi Abdulwahab
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
Abdelhamid Limami
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
jasonhaddix
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android App
Abhilash Venkata
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
Aditya Gupta
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
kunwaratul hax0r
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
Florian Roth
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Security testing
Security testingSecurity testing
Security testing
Rihab Chebbah
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
Thinqloud
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
Priyanka Aash
 
mobsf.pdf
mobsf.pdfmobsf.pdf
mobsf.pdf
Taseen Ali
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
CA API Management
 

Mais conteúdo relacionado

Mais procurados

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
Sherif Koussa
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 

Mais procurados (20)

Security testing
Security testingSecurity testing
Security testing
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite Starter
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Application Security
Application SecurityApplication Security
Application Security
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
Pentesting Using Burp Suite
Pentesting Using Burp SuitePentesting Using Burp Suite
Pentesting Using Burp Suite
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android App
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Security testing
Security testingSecurity testing
Security testing
 
Security Testing using ZAP in SFDC
Security Testing using ZAP in SFDCSecurity Testing using ZAP in SFDC
Security Testing using ZAP in SFDC
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Estimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an HourEstimating Development Security Maturity in About an Hour
Estimating Development Security Maturity in About an Hour
 

Semelhante a Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
CA API Management
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
gbud7
 

Semelhante a Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF) (20)

mobsf.pdf
mobsf.pdfmobsf.pdf
mobsf.pdf
 
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Better API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachBetter API Security With A SecDevOps Approach
Better API Security With A SecDevOps Approach
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
 
Triangle Node Meetup : APIs in Minutes with Node.js
Triangle Node Meetup : APIs in Minutes with Node.jsTriangle Node Meetup : APIs in Minutes with Node.js
Triangle Node Meetup : APIs in Minutes with Node.js
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
 
Acunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability Scanner
 
Hybrid vs Native vs Web Apps
Hybrid vs Native vs Web AppsHybrid vs Native vs Web Apps
Hybrid vs Native vs Web Apps
 
Cyber security
Cyber securityCyber security
Cyber security
 

Mais de Ajin Abraham

Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
Ajin Abraham
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
Ajin Abraham
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Ajin Abraham
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - Whitepaper
Ajin Abraham
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
Ajin Abraham
 
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
Ajin Abraham
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
Ajin Abraham
 
Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012 Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012
Ajin Abraham
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 

Mais de Ajin Abraham (20)

Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - Whitepaper
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Abusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox AddonsAbusing Exploiting and Pwning with Firefox Addons
Abusing Exploiting and Pwning with Firefox Addons
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
Abusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps and Data API: Google is My Command and Control CenterAbusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps and Data API: Google is My Command and Control Center
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
 
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
 
Exploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginnersExploit Research and Development Megaprimer: Buffer overflow for beginners
Exploit Research and Development Megaprimer: Buffer overflow for beginners
 
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
OWASP Xenotix XSS Exploit Framework v3 : Nullcon Goa 2013
 
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
 
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
Abusing, Exploiting and Pwning with Firefox Add-ons: OWASP Appsec 2013 Presen...
 
Abusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-onsAbusing, Exploiting and Pwning with Firefox Add-ons
Abusing, Exploiting and Pwning with Firefox Add-ons
 
Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012 Xenotix XSS Exploit Framework: Clubhack 2012
Xenotix XSS Exploit Framework: Clubhack 2012
 
Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+Wi-Fi Security with Wi-Fi P+
Wi-Fi Security with Wi-Fi P+
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Phishing With Data URI
Phishing With Data URIPhishing With Data URI
Phishing With Data URI
 

Último

Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Cara Menggugurkan Kandungan 087776558899
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
Delhi Call girls
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
nishacall1
 
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
nishacall1
 

Último (6)

Leading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfLeading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdf
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
 

Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile Security Framework (MobSF)

  • 1. Ajin Abraham Automated Mobile Application Security Testing with Mobile Security Framework
  • 2. About Me !   Security Consultant @ Yodlee !   Security Engineering @ IMMUNIO !   Next Gen Runtime Application Self Protection (RASP) !   Author of OWASP Xenotix XSS Exploit Framework, Mobile Security Framework. !   Teach Security via https://opsecx.com !   Blog about Security: http://opensecurity.in
  • 3.
  • 4. The Takeaways !   A FREE and Open Source Security Tool for Mobile App Security Assessment. !   Mobile App Pentesters/Mobile Malware Analysts - How to make your job easier with MobSF. !   Developers – Build secure mobile Apps identifying vulnerabilities at all stages of development. (SDLC Integration) !   Web Pentesters – REST API Fuzzer capable of detecting vulnerabilities like SSRF, XXE, IDOR etc.
  • 5. Agenda !   What is MobSF? !   MobSF Architecture !   Static Analyzer !   Dynamic Analyzer !   Web API Fuzzer !   Static Analysis !   Static Analysis & some Statistics !   Top Indian Bank Mobile Apps !   Top Indian Wallet Mobile Apps !   Observations !   Dynamic Analysis !   Dynamic SSL Testing !   Exported Activity Tester !   Challenges in Dynamic Analysis !   Dynamic Analysis on Custom VM/ Rooted Android Device. !   Web API Fuzzer !   Vulnerabilities API Fuzzer detects. !   Explains the API Fuzzer Logic. !   Conclusion
  • 6. What is MobSF? Mobile Security Framework is an open source mobile application (Android/iOS) automated pentesting framework capable of performing end to end security testing of mobile Apps. Android iOS
  • 7. Hosted in your environment. Your application and data is never send to the cloud.
  • 9. Static Analyzer Mobile Security Framework INPUT OUTPUT REPORT
  • 10. Demo Static Analysis & Report Generation (Diva)
  • 11. Static Analysis & Some Statistics !   Static Analysis on Top Financial Apps - Criteria !   SSL bypass in Native Code !   SSL bypass in WebView !   Remote Web View Debugging !   Hardcoded Secrets
  • 12. Top Indian Bank Apps Analyzed
  • 14. Top Indian Wallet Apps Analyzed
  • 15. Observations !   State of Mobile App Security, Not evolved as Web Security. !   Most common issue is SSL Bypass in (Both Native Code and WebView) !   SSL Error bypassed in WebViews are really really bad.
  • 17. Dynamic Analyzer Mobile Security Framework INPUT Android VM Or Android Device REPORT OUTPUT
  • 18. Dynamic Analyzer - Architecture Dynamic Analyzer AGENTS Install and Run APK HTTP(S) Proxy Invoke Agents in VM Results HTTP(S) Traffic Android VM/Device Application Data Agent Collected Information Start HTTP(S) Web Proxy
  • 20. Dynamic SSL Testing !   Dynamically verify if SSL connections are securely implemented. !   Disable JustTrustMe and Remove MobSF Root CA. !   If you can still access the decrypted HTTPS Web Traffic then that means the app is bypassing SSL errors.
  • 21. Exported Activity Tester !   Android Exported Activities. DEMO
  • 22. Challenges in Dynamic Analysis !   Some Android Apps are built with security in mind. !  Anti VM Detection !  Anti Root Detection !  Anti MITM with Certificate Pinning. !  Some Apps / Malwares have sophisticated methods to detect Virtual Machines.
  • 23. How to deal with these Challenges !   API overriding with Xposed Framework !  Anti VM Detection Bypass –> Android Blue Pill !  Anti Root Detection Bypass -> RootCloak !  Anti MITM Certificate Pinning Bypass -> JustTrustMe !   APK smali Patching. !   For sophisticated apps and malware, Use a real device for dynamic analysis.
  • 24. Dynamic Analysis on Device ! MobSFy Script – Convert your VM/ Device to support MobSF Dynamic Analysis !   Documentation here: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki/2.-Configure-MobSF-Dynamic-Analysis- Environment-in-your-Android-Device-or-VM !   DEMO : Weak Crypto !   Java - String hashCode() Method !   s[0]*31^(n-1) + s[1]*31^(n-2) + ... + s[n-1]
  • 25. Web API Fuzzer •  Login API •  Pin API •  Register API •  Logout API Select •  Select Scope URLs of Scan •  Select Scope Vulnerabilities Web API Fuzzing Logic REPORT OUTPUT Web Request DB
  • 26. Fuzzing REST APIs !   Why most web scanners suck at API Testing? !   We have knowledge about the application and generic API routes (Login, Logout, Register). !   So we use more of Whitebox approach than Blackbox approach. !   Detects vulnerabilities like IDOR, SSRF and XXE.
  • 27. What We Detect !   XXE !   SSRF !   IDOR !   Directory Traversal or Path Traversal !   Logical and Session Related !   API Rate Limiting
  • 29. SSRF & XXE API Server Web API Fuzzer MobSF Cloud Server Cloud Server: APITester/cloud/cloud_server.py
  • 30. Insecure Direct Object Reference (IDOR) !   Without Credentials. !   With multiple user credentials (needs two login attempts) Web API Fuzzer API Server Request with Auth Header/ Cookie Request without Auth Header/ Cookie API Server Web API Fuzzer Request with User1’s Auth Header/Cookie Repeat the Request with a User2’s Auth Header/Cookie
  • 31. Session Related Checks Web API Fuzzer API Server Calls Logout API Access Resource with expired Auth Header/Cookie Access Resource with Auth Header/Cookie
  • 32. Rate Limiter Web API Fuzzer API Server Brute force Login API and Register API
  • 33. Other Checks !   Security Headers and Info Gathering !   Directory/ Path Traversal
  • 34. DEMO
  • 35. What's Coming Soon? !   Windows App Security Analyzer. !   iOS App Dynamic Analysis. !   API Fuzzer to support detection of SQLi and RCE. !   Export Proxy logs to BurpSuite/IronWASP/ZAP
  • 36. Stakeholders !   Looks like people are interested! !   Bugs opened and Closed
  • 37. Useful Links !   Source: https://github.com/ajinabraham/Mobile-Security-Framework !   Issues: https://github.com/ajinabraham/Mobile-Security-Framework/ issues !   Documentation: https://github.com/ajinabraham/Mobile-Security-Framework- MobSF/wiki !   Video Course: https://opsecx.com/index.php/product/automated-mobile- application-security-assessment-with-mobsf/
  • 38. QA @ajinabraham ajin25@gmail.com Thanks & Credits •  Sachinraj Shetty •  Kamaiah Nadavala •  Bharadwaj Machiraju •  Yashin Mehboobe •  Anto Joseph •  Tim Brown •  Thomas Abraham •  Graphics/Image Owners