Proxying Android Traffic through Burp Suite (incl credential fuzzing & IDORs)

15,506 views

Intigriti


📱🐛 Learn the basics of Mobile Hacking (Android). In this video, we'll set up a proxy on a virtual Android device (AVD), emulated via Android Studio. The process will allow us to intercept Android application traffic with Burp Suite. First, we'll need to configure the Burp proxy and install the certificate on the phone. Once everything is working as expected, we'll try to fuzz login credentials and exploit IDORs on the InsecureBankv2 APK, an intentionally vulnerable app designed for learning how to exploit common vulnerabilities in mobile applications 😎 #BugBounty #EthicalHacking #Mobile #Android #Tutorial
Check the full video playlist here: Mobile Hacking
Overview:
0:00 Intro
1:02 Deploy InsecureBankv2 (backend server)
2:58 Android Studio recap (and config fixes)
4:56 Configure Burp Suite proxy
6:51 Export Burp certificate (.cer)
7:34 Install cert on Android device
9:56 Review "adb shell" approach (ChatGPT)
10:34 Intercept requests with Burp
11:15 Fuzzing usernames (Intruder)
13:06 Fuzzing passwords (Intruder)
14:15 Explore app functionality
15:30 Experiment with IDORs
18:43 Issues with SSL cert pinning
19:40 Conclusion
Looking to try Android hacking and score some bug bounties? Check out the active programs on Intigriti 💜
🧑💻 Sign up and start hacking right now - go.intigriti.com/register
👾 Join our Discord - go.intigriti.com/discord
🎙️ This show is hosted by _cryptocat (@_CryptoCat) & intigriti
👕 Do you want some Intigriti Swag? Check out swag.intigriti.com
📚 Video-specific Resources 🤓
portswigger.net/burp/document...
github.com/dineshshetty/Andro...
github.com/xtiankisutsa/aweso...

Comments: 31
@camelotenglishtuition6394 a year ago
Fantastic work as always ladies and gentlemen ..
@intigriti a year ago
🙏🥰
@PinkDraconian a year ago
Once again, an amazing video! This is pure gold! 🥇
@intigriti a year ago
Awwww thanks mate 🙏🥰
@tan.nicolas 9 months ago
top notch!
@intigriti 8 months ago
🙏🥰
@snowden-IT a year ago
This is so amazing!! Thank you very much!!!
@srcybersec1736 a year ago
❤❤❤
@intigriti a year ago
💜💜💜
@camelotenglishtuition6394 6 months ago
Great video, but I had a random question: do you find that sometimes apps don't work with the proxy and what do you do in that instance? Cheers! example: chrome will proxy just fine, http and https traffic but youtube (the app) won't. Do you have apps that sometimes just don't work well with the proxy? If yes, how did you get around it? Thanks :)
@intigriti 6 months ago
Hmmm good question! I haven't checked the YT app but I can understand why they would invest resources to prevent proxying traffic - after all, that's how adblocking apps would be developed. In many cases, it might just be that the app uses cert pinning, which you could try and get around using frida.
@camelotenglishtuition6394 6 months ago
@intigriti that was my next logical step, thanks so much! Wishing you a great 2024. 👍 also it's mack_the_ripper, thank you so much for helping me out before. Looking forward to getting back on the platform next week. (Recovering from surgery)
@intigriti 6 months ago
Same to you mate! Hope your recovery goes well, take it easy 💜
@camelotenglishtuition6394 6 months ago
@intigriti cheers geez
@gwnbw 11 months ago
Got my setup working and immediately found a bug in an app where I could set my own coins, list users, user and email, first + lastname. But they were not in a bug bounty, should I email the devs?
@intigriti 11 months ago
There's no harm in emailing devs if you think you've found an issue. However, if they specifically excluded it from bug bounty, there's a strong chance they are aware already (can't/won't fix).
@novianindy887 10 months ago
Does this overcome the Certificate Pinning technique that prevents Android app proxying? And is there anything we, Android app developers, can do to prevent this Burp Suite proxying? Please.
@intigriti 10 months ago
No, you would still need to deal with cert pinning for apps that require it (you can use frida to do this, similar to the root bypass video but I am meaning to get round to a separate video on this - probably showing HackTheBox's "pinned" challenge walkthrough). Honestly, I don't think there's much you can do to prevent users proxying traffic.. You could make the barrier higher by adding root detection and anti-frida techniques but a motivated hacker will find a way.
@novianindy887 10 months ago
@intigriti nice, yes we need videos on how to bypass the cert pinning, please 🙏👍
@AbdAlkarimTube 9 months ago
Hello, The system in works fine with the proxy I can capture the requests through webView etc.. But I can't intercept with any app? What could it be?
@intigriti 8 months ago
Not too sure what you mean 🤔 are you using the same app / config as the video?
@AbdAlkarimTube 8 months ago
@intigriti same config but diff app
@djos0 a month ago
Great demo, would you mind sharing the passwords file you are using for bruteforcing
@intigriti a month ago
Can you remind me what it's called in the video? It probably came from github.com/danielmiessler/SecLists
@arkidgaming7133 6 months ago
how about application that won't open with manual proxy?
@intigriti 6 months ago
Probably a cert pinning issue, you could check: www.netspi.com/blog/technical/mobile-application-penetration-testing/four-ways-bypass-android-ssl-verification-certificate-pinning
@itsm3dud39 10 months ago
is there any problem using lower version android?
@intigriti 10 months ago
Probably not.. In fact, in the rootAVD video I found that I had to use less than API 28 (PIE) for the app to work: github.com/newbit1/rootAVD#notes
@itsm3dud39 10 months ago
what if an app doesn't support pie or lower version? @intigriti
@panchakosha a year ago
This is so amazing!! Thank you very much!!!
@waterlord6969 a year ago
This is so amazing!! Thank you very much!!!