How to verify Certificate Pinning?
Some friends of mine they worry about the risk of Man-in-the-middle so they ask me how to verify the potential risk of some Apps.
Take a popular shopping app “X” for example, If “X” does not meet the requirement of “Certificate Pinning”, we could definitely use proxy tool like Burp Suite to intercept any confidential between mobile device and servers.
- Run Burp Suite on my laptop and my laptop becomes a proxy server. (Don’t foreget to change policy of firewall to allow connection to its proxy server listening port.)
- Download Certificate from Burp Suite and install this cert file into my mobile phone.
- Setup the proxy server ip and port in my mobile phone’s wifi settings.(Of course the ip is my laptop’s ip; the port number is the listening port of proxy server on my laptop)
- Make sure Burp suite is ready to intercept packets.
Now we could run this app “X” and start to login. Let’s see what data Burp could intercept. To my surprise “nothing” found in intercept tab.
The “Alert” tab turns orange means something happens. It looks like “X” could meet the requirement of certificate pinning.
Don’t jump to conclusions too soon. Let’s take a look at account registry. Input some data such as ID, username , password, phone number, e-mail and click “Submit”. Guess what? Those confidential data being intercepted by Burp suite.
“X” still need to do certificate pinning to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using proxy.
How to verify Certificate Pinning?的更多相关文章
- 008_ssl Certificate Pinning
证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证书, ...
- 证书锁定Certificate Pinning技术
证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证 ...
- Mobile game analysis
Let's take a look at a very popular mobile game "Garena 传说对决" . It would be very interesti ...
- Mobile game forensics
My friend Carrie'd like to know "Garena 传说对决" violates any mobile risks such as insecure d ...
- About certificate
证书spec, X509, 类似规定了一个目录结构.其中重要内容包括 issuer: who isued this certificate subject: the ID of this certif ...
- 证书锁定SSL/TLS Pinning
前言 APP端抓包中, 设置抓包代理后会发现部分APP(如app store.Facebook)直接无法访问,其他部分app又功能正常,为什么呢?这涉及 ssl-pinning,证书锁定. 证书锁定( ...
- IP, TCP, and HTTP--reference
IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with ...
- Android 1.5-7.0(持续更新)安全机制一览
Android 1.5 ProPolice to prevent stack buffer overruns (-fstack-protector),在缓冲区buffer与返回地址之间加入Canary ...
- OkHttp 官方Wiki【设计思想】
官方Wiki之Calls 原文位置:https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept you ...
随机推荐
- Linux修改IP永久生效
修改IP永久生效按以下方法: 1)修改配置文件vi /etc/sysconfig/network-scripts/ifcfg-eth0(eth0,第一块网卡,如果是第二块则为eth1) 按如下修改ip ...
- iconfont 怎么在项目中使用图标库
iconfont是很多设计以及前后端人员编写页面时经常用到的网站,阿里不仅为我们提供了免费的图标库,并且有一套完整的图标库体系.很多初学者只知道从图标库中下载图标放入项目中,但在实际项目应用中,过多的 ...
- eclipse的maven项目中找不到Maven Dependencies
菜菜的我又来了,笨鸟不一定要先飞,但一定要坚持 今天记录一个初级错误 比如我们在eclipse创建maven项目来运行我们的web项目 搭建完工程后发现javax-servlet包全部报错 到这里我还 ...
- elasticsearch例子(crud + 分页)
概述 基于elasticsearch2.3.3写的入门demo,含有创建index,删除index,录入数据,查询.以及分页,并且使用流行的ik分词器.测试方式:使用 JNUIT TEST 来运行. ...
- php+redis 学习 一 连接
<?php header('content-type:text/html;chaeset=utf-8'); $redis = new Redis(); $redis->connect('1 ...
- XAMPP的配置与使用
XAMPP的配置与使用 一.起因 一开始,我在本地手动DIY安装了WAMPP环境,其中经历了很长时间的折腾,原因是独立安装Apache和MySQL,以及PHP的时候,屡次遇到版本兼容问题,我主要的时间 ...
- mdb导入SqlServer
弄了一份医案数据库,打开一看...命名全中文,好吧,导入SQLServer走起 SQL: SELECT * INTO newtable FROM OPENDATASOURCE ('Microsoft. ...
- C# Swagger 生成接口文档
一直听说Swagger是做Web API文档的好工具,这次手里暂时没什么事,类体验下它的强大之处.下面是使用Swashbuckle.net 给asp.net web API添加文档的简要步骤. 参考地 ...
- ASP.NET Core的身份认证框架IdentityServer4--(3)令牌服务配置访问控制跟UI添加
使用密码保护API OAuth 2.0 资源所有者密码授权允许一个客户端发送用户名和密码到IdentityServer并获得一个表示该用户的可以用于访问api的Token. 该规范建议仅对" ...
- 业余草分享100套精选1000G架构师资料课程(超1T的IT学习资料免费送)
业余草分享100套精选1000G架构师资料课程(超1T的IT学习资料免费送). 超过1024G的IT学习资料免费领取,你值得拥有! 领取资源方式,关注“业余草”公众号,回复对应的关键字 01.回复”我 ...