Posts

Source Code Review for ASP .NET MVC

Hi guys. It has been a while since I last shared something, so today I would like to share some knowledge regarding source code review. *I'm still a beginner at source code review. Recently I was tasked with doing a source code review for an organization, and the application is built on ASP .NET MVC 5.0. As you may know, this framework is now EOL; its last update was on 28 November 2018. This was my first time encountering this framework. Before that, below is the list of completely free tools commonly used when doing source code review:-
1) Visual Code Grepger (VCG) - https://github.com/nccgroup/VCG
2) Sublime Text - https://www.sublimetext.com/
3) Notepad++ - https://notepad-plus-plus.org/downloads/
Surprisingly, when running tools such as VCG, I did not find any SQL query in the files. I did some research on how the framework handles SQL queries. My colleague also pointed out that in this framework the SQL queries are normally handled inside .dll files. It was a n

Setting up RMS in Ubuntu 18.04

Hi peeps, it's been a while since my last post. Been busy. So, today I would like to share how to set up RMS (Runtime Mobile Security) in Ubuntu 18.04. RMS - https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security "Runtime Mobile Security (RMS), powered by FRIDA, is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime." "You can easily dump all the loaded classes and relative methods, hook everything on the fly, trace methods args and return value, load custom scripts and many other useful stuff." This is a continuation of my post here https://faudhzanrahman.blogspot.com/2019/09/setting-up-mobsf-in-ubuntu-1804.html where I set up MobSF. I'm currently trying to build a box that contains all sorts of testing tools specifically for mobile. I now have both MobSF and RMS set up in this box, which runs Ubuntu 18.04. The reason for setting up RMS in this box is the same: the requirements fit Ubuntu 18.04. T

Introduction on Testing Mobile Application (Android)

Hi guys, today I will share some of the tools I use when testing mobile applications for Android. These are the applications you might need when testing a mobile application. Currently I'm using a physical device (Nexus 5x). The apps used, and how to use them, might differ depending on whether you are using a physical device or an emulator. Below are the apps used:-
Magisk Manager - to root the phone or hide root from an application
Root Checker - to check root status
RootCloak - to hide root status from an application
apk-signer - to sign an apk after the compile/decompile process
SSLUnpinning - to bypass SSL pinning in an application
APK Editor - to edit the apk to bypass SSL pinning or root detection
Xposed Framework - to add modules
sqlite (Titanium Backup) - to read the local database
All-in-one "Frida" - a multipurpose, superb application that covers most of the functions above
Most of the time, we need a rooted device to install all of the above applications. So, yo

Dealing With Encryption In Mobile Application (Android)

Hi guys. It's been a while since I posted something. Today I will share some insight on dealing with encryption in mobile applications. As you all know, these days every mobile application has some sort of encryption in order to "secure" it. In many cases, encryption is only used to paper over the real issue: the developer does not practice secure coding, which ends up leaving a lot of security issues in the application, and instead of fixing the code they simply add encryption on top. In some cases the developer also exposes the secret key or hard-codes it in the application. That secret key can then be used to decrypt the data. Now, let's see some examples. *Do note that this can only be done if you have the key. 1) When dealing with an Android application (apk file), we can use jadx to decompile the apk and search for the key. Below is an example of the key. 2) After getting the key, we ca
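The two review tasks above, grepping an ASP .NET MVC code base for SQL queries that a tool like VCG missed, and searching jadx output for a hard-coded key, are both pattern searches over decompiled or reviewed source. The following scanner is an added example written for this page, not code from the original posts or from VCG or jadx. The rule names and the two sample source fragments are constructed for illustration; the API names they match (SqlCommand, Entity Framework's ExecuteSqlCommand/SqlQuery, javax.crypto's SecretKeySpec, IvParameterSpec and Cipher.getInstance) are real. One practitioner caveat the first post hints at: if the SQL really lives in a referenced .dll, point a .NET decompiler at that assembly and run the same patterns over its output, since VCG only sees the source tree it is given.

```python
import re
from typing import Dict, List, Tuple

# Rule sets keyed by language: (rule name, compiled regex). Rule names are
# invented for this example; the matched API names are real.
RULES: Dict[str, List[Tuple[str, re.Pattern]]] = {
    "csharp": [
        # Raw ADO.NET command built from a string: go and read how the string is built.
        ("ado-sqlcommand", re.compile(r"\bnew\s+SqlCommand\s*\(")),
        # EF6 raw-SQL entry points: safe only with parameters, never with concatenation.
        ("ef-raw-sql", re.compile(r"\.(ExecuteSqlCommand|SqlQuery(<[^>]+>)?)\s*\(")),
        # A SQL keyword inside a string literal that is concatenated or string.Format-ed.
        ("sql-string-concat", re.compile(
            r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+'
            r'|string\.Format\s*\(\s*"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.I)),
    ],
    "java": [
        # Key material passed as a string literal or literal byte array.
        ("hardcoded-key", re.compile(r'new\s+SecretKeySpec\s*\(\s*("|new\s+byte\s*\[\s*\]\s*\{)')),
        # Key material parked in a constant, the usual shape in jadx output.
        ("key-constant", re.compile(r'static\s+final\s+(String|byte\[\])\s+\w*(KEY|SECRET|IV|PASSWORD)\w*\s*=')),
        # Fixed IV: the same plaintext always encrypts to the same ciphertext.
        ("hardcoded-iv", re.compile(r'new\s+IvParameterSpec\s*\(\s*("|new\s+byte\s*\[\s*\]\s*\{)')),
        # ECB mode leaks plaintext structure regardless of how the key is handled.
        ("ecb-mode", re.compile(r'Cipher\.getInstance\s*\(\s*"[^"]*ECB[^"]*"')),
    ],
}


def scan(source: str, language: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for every rule hit."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # single-line comments are the main false-positive source
        for name, pattern in RULES[language]:
            if pattern.search(line):
                hits.append((lineno, name, stripped))
    return hits


# Constructed C# fragment, not from any real application.
SAMPLE_CSHARP = '''\
public ActionResult Login(string user, string pwd)
{
    // Constructed sample: the classic concatenation bug a grep-style tool should catch.
    var sql = "SELECT * FROM Users WHERE Name = '" + user + "' AND Pwd = '" + pwd + "'";
    var cmd = new SqlCommand(sql, conn);
    var rows = db.Database.SqlQuery<User>(sql).ToList();
    var ok = db.Users.Where(u => u.Name == user).Any();   // LINQ: parameterised, no hit
    return View();
}
'''

# Constructed Java fragment in the shape jadx produces; key and IV are invented.
SAMPLE_JAVA = '''\
public class CryptoUtil {
    // Constructed sample; nothing here comes from a real apk.
    private static final String KEY = "0123456789abcdef";
    public static byte[] decrypt(byte[] data) throws Exception {
        SecretKeySpec k = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        IvParameterSpec iv = new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0});
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, k);
        return c.doFinal(data);
    }
}
'''

if __name__ == "__main__":
    for lang, src in (("csharp", SAMPLE_CSHARP), ("java", SAMPLE_JAVA)):
        for lineno, rule, text in scan(src, lang):
            print(f"{lang}:{lineno}: [{rule}] {text}")
```

The LINQ line in the C# sample is deliberately not flagged: `Where(u => u.Name == user)` is translated to a parameterised query, so the only sinks worth reading are the raw-SQL ones. On the Java side, note that the key is found by its constant name rather than at the SecretKeySpec call, which is why a one-pattern grep for SecretKeySpec( alone tends to miss it.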

Setting up MobSF in Ubuntu 18.04

Hi guys, it's been a while since I last updated the blog. Been busy. So, today I will give a guide on how to set up MobSF in Ubuntu 18.04. There are a lot of guides out there on how to set up MobSF; I'm here to give a step-by-step guide as per my own experience. The main reason for using Ubuntu 18.04 is that it ships with Python 3.6 and pip3 version 9.0.1, which are the requirements for setting up MobSF. That pretty much simplifies the process. *Note that this is a guide to setting up MobSF for static analysis. For dynamic analysis, refer to the MobSF page on GitHub. MobSF, also known as Mobile Security Framework, is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing. You can read more about MobSF here: https://github.com/MobSF/Mobile-Security-Framework-MobSF For Ubuntu 18.04 can be downloaded

My 1st ever CVE ID

Hi guys, I am really excited about my first ever CVE ID. So today I will share a breakdown of the process of getting a CVE ID. Maybe other blogs or websites share this process, but I wanted to share my own journey. I'm relatively new in this field, so pardon the little knowledge I have. I'm doing this for my own experience and knowledge, and for the love of anything related to security. Below are the steps I took. 1) Find a vulnerability in your target. Check whether your target's vendor is on the list of participating CNAs. If it is not under any CNA, you can request the ID from the MITRE Corporation. You can check the list of participating CNAs here: https://cve.mitre.org/cve/request_id.html 2) After that, you can request it via the web form here: https://cveform.mitre.org/ The process is quite simple. You fill in the form with the required information and within 24 hours they respond to your email. 3) You wi

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

Hi all, today I will share a POC of a vulnerability found during a pentest. As per the title, I recently found a SQL injection vulnerability in a thick client. To read more about thick clients, click here: https://techterms.com/definition/thickclient Thick clients, also called heavy clients, are full-featured computers that are connected to a network. While a thick client is fully functional without a network connection, it is only a "client" when it is connected to a server. The server may provide the thick client with programs and files that are not stored on the local machine's hard drive. Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Details & Description: SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating user input. A SQL injection occurs when an application accepts user input that is directly placed into a SQL
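To make the login-form injection described above concrete, here is an added example, not code from pTransformer ADC or from the original post: a login check that splices the User ID straight into the statement, next to the parameterised version that fixes it, run against a constructed in-memory SQLite table. The account, the payloads and the column names are invented; nothing here is taken from the real product, whose back-end database and query text the post does not show. The quote probe is the first manual check a tester makes on a login form before trying a bypass.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account (not real data).
    Passwords are stored in clear only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_id TEXT, password TEXT)")
    conn.execute("INSERT INTO users (user_id, password) VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    # The User ID is placed directly into the statement: the pattern the advisory describes.
    sql = f"SELECT id FROM users WHERE user_id = '{user_id}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    # Placeholders hand the values to the driver; a quote in the input stays data.
    sql = "SELECT id FROM users WHERE user_id = ? AND password = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None


def quote_probe(conn: sqlite3.Connection) -> bool:
    """True when a lone quote in the User ID breaks the statement, the
    classic first sign that input reaches the SQL text unescaped."""
    try:
        login_vulnerable(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    conn = make_db()
    # Two constructed bypass payloads for the User ID field; the password is wrong in both.
    # The '--' comments out the rest of the statement, including the password check.
    payloads = ["admin' --", "' OR 1=1 --"]
    return {
        "quote_probe": quote_probe(conn),
        "vulnerable": [login_vulnerable(conn, p, "wrong") for p in payloads],
        "fixed": [login_fixed(conn, p, "wrong") for p in payloads],
        "legit_fixed": login_fixed(conn, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The SQLite comment syntax (`--`) used in the payloads is shared by most SQL dialects, so the same two strings are what you would type into the real login form when checking a thick client; the fix, parameterised statements on every query that touches user input, is equally dialect-independent.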