Once again, an amazing video! This is pure gold! 🥇
@intigriti 1 year ago
Awwww thanks mate 🙏🥰
@tan.nicolas 1 year ago
top notch!
@intigriti 1 year ago
🙏🥰
@srcybersec1736 1 year ago
❤❤❤
@intigriti 1 year ago
💜💜💜
@waterlord6969 1 year ago
This is so amazing!! Thank you very much!!!
@novianindy887 1 year ago
Does this overcome the Certificate Pinning technique that prevents Android app proxying? And is there anything we, Android app developers, can do to prevent this Burp Suite proxying? Please.
@intigriti 1 year ago
No, you would still need to deal with cert pinning for apps that require it (you can use Frida to do this, similar to the root bypass video, but I am meaning to get round to a separate video on this - probably showing HackTheBox's "pinned" challenge walkthrough). Honestly, I don't think there's much you can do to prevent users proxying traffic. You could make the barrier higher by adding root detection and anti-Frida techniques but a motivated hacker will find a way.
@novianindy887 1 year ago
@intigriti nice, yes we need videos on how to bypass the cert pinning, please 🙏👍
@gwnbw 1 year ago
Got my setup working and immediately found a bug in an app where I could set my own coins, list users, user and email, first + lastname. But they were not in a bug bounty, should I email the devs?
@intigriti 1 year ago
There's no harm in emailing devs if you think you've found an issue. However, if they specifically excluded it from bug bounty, there's a strong chance they are aware already (can't/won't fix).
@AbdAlkarimTube 1 year ago
Hello, The system in works fine with the proxy, I can capture the requests through WebView etc. But I can't intercept with any app? What could it be?
@intigriti 1 year ago
Not too sure what you mean 🤔 are you using the same app / config as the video?
@AbdAlkarimTube 1 year ago
@intigriti same config but diff app
@itsm3dud39 1 year ago
Is there any problem using a lower version of Android?
@intigriti 1 year ago
Probably not. In fact, in the rootAVD video I found that I had to use less than API 28 (PIE) for the app to work: github.com/newbit1/rootAVD#notes
@itsm3dud39 1 year ago
@intigriti What if an app doesn't support Pie or a lower version?
@arkidgaming7133 1 year ago
How about an application that won't open with a manual proxy?
@intigriti 1 year ago
Probably a cert pinning issue, you could check: www.netspi.com/blog/technical/mobile-application-penetration-testing/four-ways-bypass-android-ssl-verification-certificate-pinning
@camelotenglishtuition6394 1 year ago
Great video, but I had a random question: do you find that sometimes apps don't work with the proxy and what do you do in that instance? Cheers! Example: Chrome will proxy just fine, HTTP and HTTPS traffic, but YouTube (the app) won't. Do you have apps that sometimes just don't work well with the proxy? If yes, how did you get around it? Thanks :)
@intigriti 1 year ago
Hmmm good question! I haven't checked the YT app but I can understand why they would invest resources to prevent proxying traffic - after all, that's how adblocking apps would be developed. In many cases, it might just be that the app uses cert pinning, which you could try and get around using Frida.
@camelotenglishtuition6394 1 year ago
@intigriti that was my next logical step, thanks so much! Wishing you a great 2024. 👍 also it's mack_the_ripper, thank you so much for helping me out before. Looking forward to getting back on the platform next week. (Recovering from surgery)
@intigriti 1 year ago
Same to you mate! Hope your recovery goes well, take it easy 💜
@camelotenglishtuition6394 1 year ago
@intigriti cheers geez
@djos0 8 months ago
Great demo, would you mind sharing the passwords file you are using for bruteforcing?
@intigriti 7 months ago
Can you remind me what it's called in the video? It probably came from github.com/danielmiessler/SecLists