How to verify Certificate Pinning?
Some friends of mine worry about the risk of man-in-the-middle (MITM) attacks, so they asked me how to check whether a given app is exposed to it.
Take a popular shopping app "X" for example. If "X" does not implement certificate pinning, we can use a proxy tool like Burp Suite to intercept any confidential data exchanged between the mobile device and the servers.
- Run Burp Suite on my laptop, so the laptop becomes the proxy server. (Don't forget to change the firewall policy to allow connections to the proxy's listening port.)
- Download the CA certificate from Burp Suite and install this cert file on my mobile phone.
- Set the proxy server IP and port in my mobile phone's Wi-Fi settings. (Of course the IP is my laptop's IP; the port number is the listening port of the proxy server on my laptop.)
- Make sure Burp Suite is ready to intercept requests.
Now we can run app "X" and start to log in. Let's see what data Burp can intercept. To my surprise, nothing was found in the Intercept tab.
The "Alert" tab turning orange means the proxy logged an error for that connection. It looks like "X" does implement certificate pinning.
Don't jump to conclusions too soon. Let's take a look at account registration. Enter some data such as ID, username, password, phone number and e-mail, and click "Submit". Guess what? That confidential data is intercepted by Burp Suite.
So "X" still needs to apply certificate pinning to all of its connections, not just the login flow, to avoid the risk of MITM. Now my friends know how to verify certificate pinning using a proxy.
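For readers who want to see what "doing certificate pinning" means on the app side, here is an added example (my own code, not from the original post or from any real app) of the check a pinning client performs: it computes the `sha256/<base64>` pin over the DER-encoded SubjectPublicKeyInfo of the server certificate, the same pin format OkHttp's `CertificatePinner` and the old HPKP header use, and accepts the connection only if that pin is in the app's configured set. A proxy such as Burp presents a leaf certificate signed by its own CA, whose public key can never match a pin for the real server key, so the handshake is rejected even though the device trusts the proxy CA. The certificate used for the offline demo is a constructed, unsigned stand-in with the correct field layout; the function and constant names are my own.

```python
"""Added example: compute and check SPKI pins ("sha256/<base64>", the form
used by OkHttp's CertificatePinner and the old HPKP header) from a
DER-encoded X.509 certificate, standard library only.  A minimal ASN.1
walker reaches the subjectPublicKeyInfo field; the certificate used for
the offline demo is a constructed, unsigned stand-in, not a real one."""
import base64
import hashlib


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos] and return (tag, value, next_pos).
    Multi-byte lengths are handled; tags are assumed to fit in one byte,
    which holds for every tag in the X.509 Certificate structure."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Split a SEQUENCE body into (tag, value, raw_tlv) tuples."""
    out, pos = [], 0
    while pos < len(seq_body):
        start = pos
        tag, value, pos = _read_tlv(seq_body, pos)
        out.append((tag, value, seq_body[start:pos]))
    return out


def extract_spki(cert_der):
    """Return the raw DER of subjectPublicKeyInfo from a Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = _children(body)[0]
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                # skip EXPLICIT [0] version if present
        fields = fields[1:]
    return fields[5][2]                     # after serial, sig, issuer, validity, subject


def spki_pin(cert_der):
    """Pin string: SHA-256 over the SPKI DER, base64-encoded."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der, pinset):
    """Accept the certificate only if its SPKI pin is in the configured set.
    Pinning the SPKI (not the whole cert) survives routine re-issuance
    that keeps the same key; a proxy CA's leaf certificate never matches."""
    return spki_pin(cert_der) in set(pinset)


# --- constructed demo certificate (test data, not a real certificate) ---

def _tlv(tag, body):
    """DER-encode one TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


RSA_OID = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))           # rsaEncryption
SHA256_RSA_OID = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))    # sha256WithRSAEncryption
DEMO_SPKI = _tlv(0x30, _tlv(0x30, RSA_OID + _tlv(0x05, b""))
                 + _tlv(0x03, b"\x00" + bytes(range(32))))          # dummy key bits
PROXY_SPKI = _tlv(0x30, _tlv(0x30, RSA_OID + _tlv(0x05, b""))
                  + _tlv(0x03, b"\x00" + bytes(32)))                # a different dummy key


def build_demo_cert(spki=DEMO_SPKI):
    """Unsigned stand-in with the real field layout and dummy contents."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, SHA256_RSA_OID)
    name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    server_cert = build_demo_cert()
    pins = [spki_pin(server_cert)]            # what the app would ship with
    print("configured pin:", pins[0])
    print("real server accepted:", pin_matches(server_cert, pins))
    print("proxy leaf accepted:", pin_matches(build_demo_cert(PROXY_SPKI), pins))
```

Running the block prints the pin for the demo key, `True` for the certificate carrying that key and `False` for the stand-in "proxy" certificate carrying a different key. On a real app the pin set would hold the SPKI hashes of the production key plus at least one backup key, and the check would run for every connection, which is exactly what the registration flow above was missing.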