Penetration testing checklist based on OWASP Top 10 Mobile
Source: Internet | Published by: 微博用户数据 | Editor: 程序博客网 | Time: 2024/06/06 03:39
0x01 Client Side - Static and Dynamic analysis
| Checklist item | How to test | Tools | OWASP category | Platform | Type |
|---|---|---|---|---|---|
| | | apktool, AndroidManifest.xml | M5 | Android | Issue |
| Cryptographic based storage strength | Identify insecure/deprecated cryptographic algorithms (RC4, MD5, SHA1) in the source code | jd-gui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Poor key management process | Identify hard-coded keys in the application, or keys that may be intercepted via binary attacks | jd-gui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Use of custom encryption protocols | Identify applications that implement their own encryption protocol | jd-gui, YSO, Qark, AndroBugs | M6 | Android | Issue |
| Unrestricted backup file | Check the "android:allowBackup" attribute, which should be set to "false" | apktool, AndroidManifest.xml | M2 | Android | Issue |
| Unencrypted database files | Check encryption on database files | adb, idb, iFunbox | M2 | All | Issue |
| Insecure shared storage | Identify sensitive data on shared storage, SD card storage encryption, shared preferences opened with MODE_WORLD_READABLE | adb, keychaindumper | M2 | All | Issue |
| Insecure application data storage | Identify sensitive data in application files (application log, cache file, cookie) | adb, idb, iFunbox, BinaryCookieReader | M2 | All | Issue |
| Information disclosure through Logcat/Apple System Log (ASL) | Identify sensitive information in the application log | CatLog, idb, Snoop-it | M4 | All | Issue |
| Application backgrounding (screenshot) | Identify the application snapshot/screenshot taken on backgrounding | adb, iFunbox | M4 | All | Issue |
| URL caching (HTTP request and response) in Cache.db | Identify HTTP caching stored in Cache.db | idb, iFunbox | M4 | iOS | Issue |
| Keyboard press caching | Identify the keyboard cache file located in /var/mobile/Library/Keyboard | idb, iFunbox | M4 | iOS | Issue |
| Copy/paste buffer caching | Check that copy/paste is disabled for sensitive parts of the application (EditText/UITextField) | idb, iFunbox | M4 | All | Issue |
| Remember credentials functionality (persistent authentication) | Identify the user's password or sessions stored on the device | idb, iFunbox | M5 | All | Issue |
| Client-side authentication flaws | Perform binary attacks against the mobile app in order to bypass offline authentication | adb, Drozer, Cycript, Snoop-it, Burp Suite | M5 | All | Issue |
| Client-side authorization breaches | Perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable by a user with higher privileges | adb, Drozer, Cycript, Snoop-it, Burp Suite | M5 | All | Issue |
| Insufficient WebView hardening (XSS) | Identify misconfiguration of "android.webkit.WebSettings" (JavaScript/file access/plugins); XSS through UIWebView | jd-gui, Burp Suite | M7 | All | Issue |
| Content providers: SQL injection and local file inclusion | Identify SQLi and LFI in content provider components | Drozer | M7 | Android | Issue |
| Injection (SQLite injection, XML injection) | Identify SQLi and XMLi in the application | adb, iFunbox, Burp Suite | M7 | All | Issue |
| Local file inclusion through NSFileManager or WebViews | Check for LFI in the application (../ , ../../blah\0); WebView file-access attack through setAllowFileAccess | iDevice, Drozer | M7 | All | Issue |
| Abusing Android components through IPC intents ("exported" and "intent-filter") | Identify Android exported components | apktool, AndroidManifest.xml | M8 | Android | Issue |
| Abusing iOS URL schemes | Identify URL schemes through Info.plist, and use Clutch + strings to obtain the URL scheme structures | iFunbox, Clutch, strings | M8 | iOS | Issue |
| Unauthorized code modification | Binary attack through run-time manipulation and code modification | apktool, Frida, Cycript, Snoop-it | M10 | All | Issue |
| Debug the application behaviour through runtime analysis | Identify the "android:debuggable" attribute; attach to the application using GDB/LLDB | adb jdwp, jdb, GDB, LLDB | M10 | All | Issue |
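Several of the static items in this section (the "android:allowBackup" check, the "android:debuggable" check and the exported-component check) are all answered by reading the decoded AndroidManifest.xml. The following Python script is an added example, not from the original page and not part of apktool or any other tool in the list; it assumes the manifest has already been decoded to plain XML (as apktool produces) and runs on a constructed sample manifest plus a hardened version of the same app.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in a decoded AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample of a decoded manifest (not a real application)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true" android:permission="com.example.demo.READ_DATA"/>
  </application>
</manifest>
"""

# The same constructed app with the checklist items fixed
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true"
              android:permission="com.example.demo.LAUNCH"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:<name> attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return (OWASP category, component, message) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # M2: allowBackup defaults to true, so only an explicit "false" is safe
    if (_attr(app, "allowBackup") or "true").lower() != "false":
        findings.append(("M2", "application",
                         "android:allowBackup is not false; app data is extractable with adb backup"))

    # M10: debuggable builds accept a JDWP debugger at runtime
    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("M10", "application",
                         "android:debuggable is true; a debugger can attach to the process"))

    # M8: components reachable from other apps without a permission guard
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _attr(comp, "name") or "<unnamed>"
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # Explicit exported="true", or no value plus an intent-filter
            # (implicitly exported on targets below API 31)
            if exported == "true" or (exported is None and has_filter):
                if _attr(comp, "permission") is None:
                    findings.append(("M8", "%s %s" % (tag, name),
                                     "exported without android:permission; any app can reach it via IPC"))
    return findings


if __name__ == "__main__":
    for category, component, message in audit_manifest(SAMPLE_MANIFEST):
        print(category, component, message)
```

Run it against the `AndroidManifest.xml` that apktool writes into its output directory; on the sample it reports the backup flag, the debuggable flag and the two unguarded exported components, and nothing on the hardened manifest. The provider is skipped because it carries an android:permission, which is the mitigation the M8 item is looking for.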
0x02 Communication Channel
| Checklist item | How to test | Tools | OWASP category | Platform | Type |
|---|---|---|---|---|---|
| | Check setAllowsAnyHTTPSCertificate (iOS) and AllowAllHostnameVerifier (Android) | jd-gui, YSO, Qark, AndroBugs | M3 | All | Issue |
| Exposing device-specific identifiers in attacker-visible elements | Observe the device's network traffic through a proxy to determine whether device information (UDID) is sent in transit | Burp Suite | M4 | All | Issue |
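The source-level items in the client-side and communication-channel sections (weak algorithms, hard-coded keys, MODE_WORLD_READABLE preferences, AllowAllHostnameVerifier / setAllowsAnyHTTPSCertificate, WebView file access) are the kind of patterns that Qark and AndroBugs grep for in decompiled code. The script below is an added example, not from the page and not the rule set of either tool: a minimal regex scanner that tags each hit with the checklist's M-category, run over constructed Java lines. The rule list and the category labels are assumptions chosen to mirror the checklist.

```python
import re

# Each rule: (OWASP category from the checklist, short title, pattern).
# Patterns are assumptions modelled on the checklist items, not a vendor rule set.
RULES = [
    ("M6", "deprecated/weak algorithm",
     re.compile(r'getInstance\(\s*"(RC4|ARCFOUR|MD5|SHA-?1|DES)(?:/|")', re.I)),
    ("M6", "hard-coded key material",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]*"\.getBytes')),
    ("M3", "certificate/hostname validation disabled",
     re.compile(r'AllowAllHostnameVerifier|ALLOW_ALL_HOSTNAME_VERIFIER|setAllowsAnyHTTPSCertificate')),
    ("M2", "world-readable/writable storage",
     re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)')),
    ("M7", "WebView file access / JavaScript enabled",
     re.compile(r'set(AllowFileAccess|JavaScriptEnabled)\(\s*true\s*\)')),
]


def scan_source(lines):
    """Return (line number, category, title) for every rule hit, skipping // comments."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if line.lstrip().startswith("//"):
            continue
        for category, title, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, category, title))
    return findings


# Constructed decompiled-Java fragment with a mix of flagged and clean lines
SAMPLE_JAVA = """package com.example.demo;
import javax.crypto.Cipher;
public class Crypto {
    static final byte[] KEY = "0123456789abcdef".getBytes();
    Cipher c = Cipher.getInstance("RC4");
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
    SharedPreferences p = ctx.getSharedPreferences("s", Context.MODE_WORLD_READABLE);
    client.setHostnameVerifier(new AllowAllHostnameVerifier());
    // webView.getSettings().setAllowFileAccess(true);  // disabled in this build
    webView.getSettings().setJavaScriptEnabled(true);
}
""".splitlines()

if __name__ == "__main__":
    for lineno, category, title in scan_source(SAMPLE_JAVA):
        print("%3d  %-3s  %s" % (lineno, category, title))
```

On the sample it flags the RC4 cipher, the literal SecretKeySpec key, the world-readable preferences, the permissive hostname verifier and the enabled JavaScript, while leaving SHA-256 and the commented-out file-access line alone. Every hit still needs manual confirmation in jd-gui: a weak digest used for a cache key is not the same finding as one used to protect credentials.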
0x03 Server Side - Webservices and API
| Checklist item | How to test | Tools | OWASP category | Platform | Type |
|---|---|---|---|---|---|
| | (Anonymous <-> User, User A <-> User B, Timeout) | Burp Suite | M9 | All | Issue |
| Token creation | Tokens should use a standard algorithm and be sufficiently long, complex and pseudo-random, so as to be resistant to guessing/prediction attacks | Burp Suite | M9 | All | Issue |
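The token-creation item asks for tokens that are long, complex and pseudo-random. The following Python is an added example, not from the page: it generates a token from the OS CSPRNG with `secrets`, and checks a captured batch of tokens for a small keyspace and for the sequential structure that counter-based IDs show. The 128-bit threshold is an assumption that mirrors common session-ID guidance, and the sample tokens are constructed. A keyspace estimate bounds entropy from above but does not measure randomness: a long token from a weak generator passes this check, which is why a statistical sampler such as Burp Sequencer is still run on the real values.

```python
import math
import secrets


def generate_token(nbytes=32):
    """Generate a session token from the OS CSPRNG (256 bits of entropy for nbytes=32)."""
    return secrets.token_urlsafe(nbytes)


def charset_size(token):
    """Size of the smallest standard alphabet that could have produced the token."""
    size = 0
    if any(c.isdigit() for c in token):
        size += 10
    if any(c.islower() for c in token):
        size += 26
    if any(c.isupper() for c in token):
        size += 26
    if any(not c.isalnum() for c in token):
        size += 2  # '-' and '_' in URL-safe base64
    return size


def keyspace_bits(token):
    """Upper bound on token entropy: length * log2(alphabet). Not a measure of randomness."""
    size = charset_size(token)
    return len(token) * math.log2(size) if size else 0.0


def common_prefix_len(a, b):
    """Number of leading characters two tokens share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def assess_tokens(tokens, min_bits=128):
    """Flag tokens with a small keyspace and consecutive tokens that look sequential.
    min_bits=128 is an assumed threshold mirroring common session-ID guidance."""
    problems = []
    for t in tokens:
        bits = keyspace_bits(t)
        if bits < min_bits:
            problems.append("%r: keyspace only ~%d bits (< %d)" % (t, bits, min_bits))
    for a, b in zip(tokens, tokens[1:]):
        if a and common_prefix_len(a, b) >= len(a) // 2:
            problems.append("%r -> %r: consecutive tokens share a long prefix (sequential?)" % (a, b))
    return problems


# Constructed samples: a counter-style token set and a CSPRNG-backed set
WEAK_TOKENS = ["sess0001", "sess0002", "sess0003"]
STRONG_TOKENS = [generate_token() for _ in range(3)]

if __name__ == "__main__":
    print("weak:", assess_tokens(WEAK_TOKENS))
    print("strong:", assess_tokens(STRONG_TOKENS))
```

Feed `assess_tokens` the session values collected through the proxy (log in several times, or capture a few consecutive tokens) and treat any output as a reason to look harder, not as the final finding. The weak sample trips both checks: 8 alphanumeric characters give roughly 41 bits of keyspace, and every pair of neighbours shares the prefix "sess000".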
Everyone is welcome to share better approaches; I am eagerly looking forward to them ^^_^^