Injection flaws, such as SQL, OS, XXE, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
==A5-Security Misconfiguration
Good security requires having a secure configuration defined and deployed for
the application, frameworks, application server, web server, database server, platform,
etc. Secure settings should be defined, implemented, and maintained, as defaults are
often insecure. Additionally, software should be kept up to date.
applications often involve rich client applications and APIs, such as JavaScript in
the browser and mobile apps, that connect to an API of some kind (SOAP/XML,
REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous
vulnerabilities.
- No cache
- No store
- No storage
Clickjacking
Token length
Session Time-out
Cookie configuration:
path - In addition to the domain, the URL path that the cookie is valid for can be specified. If the domain and path match, then the cookie will be sent in the request. Just as with the domain attribute, if the path attribute is set too loosely, then it could leave the application vulnerable to attacks by other applications on the same server. For example, if the path attribute was set to the web server root /, then the application cookies will be sent to every application within the same domain.
Directory Traversal
LFI - RFI
Web Service:
1) It is a SOAP based service and returns data as XML.
5) It requires the SOAP protocol to receive and send data over the network, so it is not a lightweight architecture.
Web API:
1) A Web API is an HTTP based service and returns JSON or XML data by default.
2) It supports the HTTP protocol.
Plist files
however, the applications may use Plist files to store clear text
usernames, passwords and session related information. So
/Library/Preference
Keychain
/private/var/Keychains/keychain-2.db
SQLite storage
Unencrypted sensitive information stored in a SQLite file can be stolen easily by gaining physical access to the device or from the device backup. I
Cache
Cookies.binarycookies
Most iOS applications do not want to prompt the user for login every time. So, they create persistent cookies and store them in the cookies.binarycookies file in the application's home directory. During the penetration test, investigate the cookies.binarycookies file for sensitive information and to find session management issues. Cookies.binarycookies is a binary file and the content is not in a readable format. Therefore, I wrote a Python script, BinaryCookieReader.py, that can read the cookie file and display the content on the screen.
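As an added example (not the author's BinaryCookieReader.py and not code from the original page), the parser below reads the binarycookies layout as I understand it: a big-endian file header ("cook", page count, page sizes), little-endian pages, and per-cookie records whose string offsets are relative to the record start and whose timestamps count seconds from 2001-01-01. The build_binarycookies writer, the sessionid/csrftoken fixture and the keyword heuristic in session_issues are constructed assumptions for demonstrating the session-management review the text asks for.

```python
import struct
MAC_EPOCH = 978307200  # 2001-01-01 00:00:00 UTC; binarycookies timestamps count from here
FLAGS = {0: "", 1: "Secure", 4: "HttpOnly", 5: "Secure; HttpOnly"}

def parse_binarycookies(data):
    """Parse the bytes of a Cookies.binarycookies file into a list of cookie dicts."""
    assert data[:4] == b"cook", "not a binarycookies file"
    num_pages = struct.unpack(">i", data[4:8])[0]                      # file header is big-endian
    page_sizes = struct.unpack(">%di" % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in page_sizes:
        page, pos = data[pos:pos + size], pos + size
        n = struct.unpack("<i", page[4:8])[0]                          # page body is little-endian
        for off in struct.unpack("<%di" % n, page[8:8 + 4 * n]):
            rec = page[off:off + struct.unpack("<i", page[off:off + 4])[0]]
            # record: size, ?, flags, ?, url/name/path/value offsets, 8 zero bytes, expiry, created
            flags, u, nm, p, v = struct.unpack("<i4xiiii", rec[8:32])
            expiry, created = struct.unpack("<dd", rec[40:56])
            cstr = lambda o: rec[o:rec.index(b"\x00", o)].decode()  # NUL-terminated, offset from record start
            cookies.append({"url": cstr(u), "name": cstr(nm), "path": cstr(p), "value": cstr(v),
                            "flags": FLAGS.get(flags, str(flags)),
                            "expiry": expiry + MAC_EPOCH, "created": created + MAC_EPOCH})
    return cookies

def session_issues(cookies, now):
    """Flag session-looking cookies (assumed name heuristic) that are persistent or lack Secure/HttpOnly."""
    issues = []
    for c in (c for c in cookies if any(k in c["name"].lower() for k in ("sess", "token", "auth"))):
        issues += [(c["name"], "missing " + a) for a in ("Secure", "HttpOnly") if a not in c["flags"]]
        if c["expiry"] - now > 30 * 86400:
            issues.append((c["name"], "persistent beyond 30 days"))
    return issues

def build_binarycookies(cookies):
    """Constructed fixture writer: (url, name, path, value, flags, expiry, created) tuples -> file bytes."""
    recs = []
    for url, name, path, value, flags, expiry, created in cookies:
        strings, offs = b"", []
        for s in (url, name, path, value):
            offs.append(56 + len(strings))
            strings += s.encode() + b"\x00"
        recs.append(struct.pack("<iiii4i8xdd", 56 + len(strings), 0, flags, 0, *offs,
                                expiry - MAC_EPOCH, created - MAC_EPOCH) + strings)
    offs = [12 + 4 * len(recs) + sum(len(r) for r in recs[:i]) for i in range(len(recs))]
    page = b"\x00\x00\x01\x00" + struct.pack("<i%di" % len(recs), len(recs), *offs) + b"\0\0\0\0" + b"".join(recs)
    return b"cook" + struct.pack(">ii", 1, len(page)) + page + b"\x07\x17\x20\x05\x00\x00\x00\x4b"

NOW = 1700000000  # constructed "now" (2023-11-14 UTC) used by the expiry check
SAMPLE = build_binarycookies([("example.com", "sessionid", "/", "abc123", 0, NOW + 365 * 86400, NOW),
                              ("example.com", "csrftoken", "/", "xyz", 5, NOW + 3600, NOW)])
```

Running `session_issues(parse_binarycookies(SAMPLE), NOW)` reports the flag-less, year-long sessionid cookie and nothing for the short-lived csrftoken cookie; point parse_binarycookies at a real file copied from the device to review it the same way.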
Keyboard Cache
In an effort to learn how users type, iOS devices utilize a feature called Auto Correction to populate a local keyboard cache on the device. The keyboard cache is designed to autocomplete predictive common words. The problem with this feature is that it records everything a user types in text fields. The cache keeps a list of approximately 600 words. The keyboard cache is located at the Library/Keyboard/en_GB-dynamic-text.dat file. To view the keyboard cache, copy the en_GB-dynamic-text.dat file to a computer over SSH and open the file using a hex editor. Below is the screenshot of a keyboard cache hex view.
Library/Keyboard/en_GB-dynamic-text.dat
Snapshot Storage
Pressing the iPhone home button shrinks the iOS application and moves it to the background with a nice effect. To create that shrinking effect, iOS takes a screenshot of the application and stores it in the Library/Caches/Snapshots folder in the respective application's home directory. This might result in storing the user's sensitive information on the device without the user's knowledge. Snapshots stored on the iPhone will automatically clear after the device is rebooted.
Library/Caches/Snapshots (screenshot: app moved to the background on home button press)
Error Logs
iPhone configuration utility to view logs
https://github.com/iSECPartners/ios-ssl-kill-switch
dpkg -i <package>.deb
https://github.com/nabla-c0d3/ssl-kill-switch2
ssl-killer