In this article, we will see how a developer can perform basic checks to programmatically detect if the app is running on an emulator and stop executing the app if an emulator is detected. We will then see how an attacker can easily bypass these checks by using some […]
In this article, we will discuss broken cryptography in Android applications. Broken cryptography attacks come into the picture when an app developer wants to take advantage of encryption in his application. This article covers the possible ways where vulnerabilities associated with broken cryptography may be introduced in Android apps. […]
In this part of the Website Hacking series we are going to take a look at how to minimize damages from XSS attacks considering our web application can at some point become vulnerable to this type of attacks (HttpOnly cookies are going to be discussed). We are going to […]
Sony Pictures corporate network compromised by a major cyber attack
At the end of November, computer systems at the corporate network of Sony Pictures were breached and taken offline by a malware-based attack. TheNextWeb portal was one of first outlets to publish the news. Sony Pictures Entertainment manages distribution of […]
We have seen various vulnerabilities in Android apps in the previous articles. Before moving ahead with other vulnerabilities in Android applications in this series of articles, I would like to introduce an awesome tool named Drozer.
Drozer is a framework for Android security assessments developed by MWR Labs. It is […]
In Part IV of the Website Hacking series, we are going to look at:
Storing your email address and telephone number in <a href=mailto:*> and <a href=”tel:*> and the inherent drawbacks of these methods
Shortcomings of disguising email in markup to avoid spam and other malicious requests (disguise such as mail […]
To view Part I of the article series, please open: http://resources.infosecinstitute.com/website-hacking-101/
To view Part II of the article series, please open: http://resources.infosecinstitute.com/website-hacking-101-part-ii/
In this part of the Website Hacking 101 series, we are going to discuss controlling access to directories (if access is not controlled by key directories like include/includes, the […]
Traffic light systems security issues
We often see movie scenes in which hackers are able to hack systems for the control of traffic lights, with catastrophic consequences, unfortunately we must be conscious that threat actors are really able these complex infrestructures causing serious problems.
Trafﬁc lights were originally designed as standalone […]
To view Part I of this article, please visit http://resources.infosecinstitute.com/website-hacking-101/.
In this Part, we are going to briefly introduce Path Traversal, usage of Delimiters, and Information Disclosure attack.
We are going to present simple solutions to simplified problems involving the attacks.
Exercise 8: Path Traversal
Figure : A simple webpage in which you […]
Websites are used daily by a large part of the world’s population to carry sensitive data from a person to an entity with online-based presence. In websites containing materials that are shown after authentication only, forms transfer data containing user credentials to server-side scripts. Users store their credit card […]
In one of the previous articles, we have seen how developers implement Shared Preferences in Android applications. We have also seen how one can compromise the sensitive data stored in Shared Preferences if proper security controls are not enforced. In this article, we shall discuss how we can secure […]
This article explains how to start performing black box assessments on Android applications using Introspy. Introspy is one of the important tools in an Android pentester’s arsenal.
As per their official Github page, we can use the “Blackbox tool to help understand what an Android application is doing at runtime […]
In this tutorial, we’ll take a look at how we can hack clients in local network by using WPAD (Web Proxy Auto-Discovery). The WPAD protocol allows automatic discovery of web proxy configuration and is primarily used in networks where clients are only allowed to communicate to the outside world […]
Given the massive spread of the Internet and Internet-related activities in recent times, there is an equal spread in silent activities behind the web too. These silent activities might relate to port scanning, vulnerability scanning, finding publicly available technical and non-technical information about target organizations, and so on. At […]
In the previous article, we discussed shared preferences and its security under local data storage. In this article, we will discuss other storage methods being used by Android developers.
Fill out the form below to download the files associated with this article:
SQLite databases are lightweight file-based databases. They usually […]
In the previous article, we discussed the common techniques of how application developers check for a rooted device and then how an attacker can bypass some of the techniques used by the developers. In this article, we will discuss different methods being used by Android developers to store data […]
Nmap Cheat Sheet: From Discovery to Exploits, Part 2: Advance Port Scanning with Nmap And Custom Idle Scan
This is our second installment of Nmap cheat sheet. Basically, we will discuss some advanced techniques for Nmap scanning and we will conduct a Man In The Middle Attack (MITM). Let’s start our game now.
TCP SYN Scan
SYN scan is the default and most popular scan option, for good reasons. […]
The SQL Truncation vulnerability is a very interesting flaw in the database. The successful exploitation of this issue leads to user account compromise, as it means an attacker can access any users account with his own password. Sounds interesting!
First we will see why this issue occurs in the database. […]
This article walks the readers through debugging Java programs using a command line tool called JDB. Though this article doesn’t touch Android concepts, this is a prerequisite to understand the next article coming in the series, which is “Exploiting Debuggable Android Applications”.
What is JDB?
JDB is a Java debugger, a […]