Mobile App Hacking In A Nutshell

Aug 25, 20182 likes244 views

The session will provide the risk of insecure mobile application development in various types with demonstration; Client-side, Communication channel and Server side. The presentation includes case study of insecure development practice which lead attacker to abuse the vulnerable application (e.g. Coin/Gem cheating on gaming app, Bypassing security control on client-side and server-side).

Mobile App Hacking In A Nutshell presentation at Mobile Conf 25 Aug 2018, BKK, Thailand
Content is available under Creative Commons Attribution-ShareAlike unless otherwise noted.
Mobile app hacking
in a nutshell
Prathan Phongthiproek
2600 Thailand

1
The
MistakenSecurity Through
Obscurity

Manipulating request/response
over secure channel
SSL/TLS

Mobile Application Hacking Diary Ep.1
https://www.exploit-db.com/papers/26620/
Internet

Quick Wins !!
o Secure coding and configuration practices (e.g. OWASP) on server-side:
• REST Security Cheatsheet
• Authentication Cheatsheet
• Session Management Cheatsheet
• Cryptographic Storage Cheatsheet
• Password Storage Cheatsheet
• Transaction Authorization Cheatsheet
• Access Control Cheatsheet
o SSL Pinning Implementation(End-to-end encryption is preferred)
o Code Obfuscation

OWASP MASVS
https://github.com/OWASP/owasp-masvs

The document discusses the Mobile Application Security Verification Standard (MASVS) project from OWASP. It provides an overview of the MASVS levels and describes the eight verification requirements areas: 1) Architecture, Design and Threat Modeling; 2) Data Storage and Privacy; 3) Cryptography; 4) Authentication and Session Management; 5) Network Communication; 6) Platform Interaction; 7) Code Quality and Build Setting; and 8) Resilience. Each verification requirement area includes example requirements and references related information. The goal of MASVS is to provide a standard way to verify the security of mobile apps and help developers build more secure apps.

OWASP Mobile Top 10 Deep-DivePrathan Phongthiproek

Mobile Defense-in-Dev (Depth)Prathan Phongthiproek

This document outlines various mobile application security vulnerabilities and methods for assessing mobile application security. It discusses insecure network protocols, cryptographic weaknesses, privacy issues related to data storage, authentication and session management vulnerabilities, environmental interaction risks, and challenges of securing mobile applications against reverse engineering. It provides examples of specific vulnerabilities discovered in mobile applications and frameworks. The document promotes applying a defense-in-depth approach to mobile application security based on the OWASP Mobile Application Security Verification Standard (MASVS).

Cyber Kill Chain: Web Application ExploitationPrathan Phongthiproek

The document discusses various techniques for exploiting web applications, beginning with older techniques like exploiting default admin paths, uploading web shells, and SQL injection, and progressing to more modern attacks against content management systems and frameworks. It provides examples of each technique and emphasizes exploiting vulnerabilities like file inclusion and stored procedures to achieve remote code execution. The instructor profile indicates extensive security experience and certifications. The organization Secure D Center is introduced as focusing on cybersecurity services across Southeast Asia.

OWASP Thailand-Beyond the Penetration TestingPrathan Phongthiproek

This document discusses penetration testing methodologies and best practices. It emphasizes that penetration testing involves more than just tools - it requires following a proper methodology, managing risks, and providing targeted recommendations to clients. It provides examples of penetration testing case studies and highlights the importance of going beyond automated scans to conduct manual testing of authentication, authorization, business logic, and client-side vulnerabilities. The document stresses that penetration testers should think creatively and "outside the box" to identify security issues rather than just trusting scan results.

OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek

The document summarizes the key findings of a report analyzing 126 popular mobile health and finance apps. It found that while consumers and executives believe their apps are secure, 90% of apps tested had at least two of the top 10 mobile security risks as defined by OWASP. Specifically, 98% lacked binary protections and 83% had insufficient transport layer protection. The document then outlines the 10 most critical mobile security risks according to OWASP, including improper platform usage, insecure data storage, insecure communication, and extraneous functionality.

Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek

The document discusses vulnerabilities in point-of-sale (POS) systems, including data in memory, data at rest, data in transit, and application code/configuration vulnerabilities. It describes different POS deployment models and their pros and cons in terms of security. A case study examines physical and network security issues found during a pentest of a retail store's POS system, including sensitive data exposure over the network. Recommended protections include minimizing data exposure, encryption of data in memory, in transit, and at rest, and avoiding storage of sensitive data.

Don't Trust, And Verify - Mobile Application AttacksPrathan Phongthiproek

Prathan Phongthiproek, a manager at KPMG Thailand, gave a presentation on mobile application attacks at the Cyber Defense Initiative Conference (CDIC) 2016. The presentation covered various attack vectors for both Android and iOS applications, including user input attacks, abusing application components, insecure data storage, manipulating binary and storage files, bypassing root/jailbreak detection, and intercepting network traffic. For each attack vector, the presentation estimated the potential damage level and threat level. The goal was to help organizations better understand mobile application security risks and implement proper countermeasures.

OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner

Owasp mobile top 10Pawel Rzepa

OWASP Mobile Top 10NowSecure

OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions

Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker

You think your mobile app is secure, but is it really? In this session from Xamarin Evolve 2016 in Orlando, Alec will give you the Top 10 mobile threats to be aware of and take an in-depth look at how to mitigate some of these threats using Xamarin and the OWASP Mobile Security Project. A video of the talk is available here: https://youtu.be/rCT9kiA7SE0?list=PLM75ZaNQS_Fb7I6E9MDnMgwW1GGZIijf_

CDIC 2013-Mobile Application Pentest WorkshopPrathan Phongthiproek

The document summarizes a presentation on advanced mobile penetration testing. It discusses attacking three surfaces: the client software on mobile devices, the communications channel, and server-side infrastructure. It provides examples of exploiting iOS and Android applications, such as decompiling code, intercepting traffic with proxies, and accessing embedded data and databases. The presentation emphasizes fast, hands-on techniques and tools for assessing mobile application security.

85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure

Originally presented on January 23, 2018 A comprehensive analysis of iOS and Android apps found that a staggering 85% of those apps fail one or more of the OWASP Mobile Top 10 criteria. Given that the average mobile device has over 89 mobile apps on it, what are the odds your employees have one or more of the apps and what’s the real risk to your business? Mobile apps power productivity in the modern business; don’t let a few bad apps bring it down.

Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava

Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava

Mobile Threats and Owasp Top 10 RisksSantosh Satam

Owasp Mobile Top 10 – 2014n|u - The Open Security Community

The document discusses the OWASP Mobile Top 10 security risks for 2014. It begins by introducing the OWASP Mobile Security Project and its goal of maintaining a list of the most critical risks for mobile applications. The document then lists the top 10 risks for both 2012 and 2014, providing more details on each of the 2014 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. It also recommends some vulnerable mobile apps that can be used for hands-on practice.

Owasp Mobile Top 10 - M7 & M85h1vang

M7 discusses client side injection vulnerabilities like SQL injection, XSS, and local file injection. M8 discusses security decisions made via untrusted inputs like cookies, URLs, and intents. These can allow privilege escalation, data exfiltration, and consuming paid resources. Prevention includes input validation, prepared statements, and disabling unnecessary capabilities. Abusing URL schemes on iOS and intents on Android can launch apps or actions without permission by spoofing requests. Checking permissions and user authorization at input boundaries helps prevent these attacks.

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure

API Abuse - The Anatomy of An AttackNordic APIs

This document discusses API abuse and how to prevent it. It defines API abuse as misusing API functions for malicious activities like server raids or sending excessive requests. There are two main types: remote client impersonation and API flaw exploitation. It provides examples of API abuse at companies like Uber and Voi. To prevent API abuse, the document recommends authenticating that requests come from legitimate apps, checking the app and runtime environment, and using a cloud service to verify authentication rather than checking in the app. App authentication can serve as an additional security factor to prevent API abuse.

The Ultimate Security Checklist Before Launching Your Android AppAppknox

Are you an Android developer or an enterprise ready to launch your Android App? Then wait! Did you check for the security risks that your mobile app can is exposed to? According to a Forbes 2014 report, Android malware rose from 238 threats in 2012 to 2.5 times in 2013. With the lack of strict security measures, cyber attacks have only increased with each passing year. To avoid being a victim of any malware, enterprises and developers should ensure a complete security check before they launch their Android apps. In this deck, We have shared 21 most essential security measures that any Android app developer or security professional should follow.

[OPD 2019] Inter-application vulnerabilitiesOWASP

This document discusses hunting for vulnerabilities across interconnected applications. It describes two cases where the author found multiple vulnerabilities by exploring dependencies between applications. In the first case, they discovered vulnerabilities by interacting with a desktop application and related web applications from the same company, finding 5 vulnerabilities including XSS issues and information disclosures. In the second case, they used a single sign-on system across multiple applications to introduce persistent XSS vulnerabilities. The document advocates considering how applications integrate and interact to uncover "inter-application vulnerabilities" that may not be found through isolated testing.

API Security: the full story42Crunch

apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays

apidays LIVE Singapore 2021 - Digitisation, Connected Services and Embedded Finance April 21 & 22, 2021 Securing the Open Source supply chain Liran Tal, Director of Developer Advocacy at Snyk ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Mobile Application Pentest [Fast-Track]Prathan Phongthiproek

The document discusses security issues related to mobile applications. It describes how mobile apps now offer many more services than basic phone calls and texts. This expanded functionality introduces new attack surfaces, including the client software on the device, the communication channel between the app and server, and server-side infrastructure. Some common vulnerabilities discussed are insecure data storage on the device, weaknesses in data encryption, SQL injection, and insecure transmission of sensitive data like credentials over the network. The document also provides examples of techniques for analyzing app security like reverse engineering the app code and using a proxy like Burp Suite to intercept network traffic.

Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure

This is Episode 1 of a trilogy on mobile penetration testing - forensic analysis of data at rest on the device. Episode 2 - Return of the Network/Back-end http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-ii-attack-of-the-code Episode 3 - Attack of the Code http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-iii-attack-of-the-code

Mobile App Security: Best Practices for Protecting User DataJohnParker598570

In the current creator-dependent world, application security on mobile devices has never been more significant. The developers of mobile applications should ensure enhanced security since cyber threats are rapidly changing. At TechoSquare, we not only design feature-rich, user-friendly mobile apps but also implement best practices in mobile app security to protect user information and build trust. In this blog, we'll discuss essential security practices that need to be integrated during the mobile app development process to ensure effective user data protection.

Web API SecurityStefaan

More Related Content

What's hot (20)

OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner

Owasp mobile top 10Pawel Rzepa

OWASP Mobile Top 10NowSecure

OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions

Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker

CDIC 2013-Mobile Application Pentest WorkshopPrathan Phongthiproek

85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure

Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava

Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava

Mobile Threats and Owasp Top 10 RisksSantosh Satam

Owasp Mobile Top 10 – 2014n|u - The Open Security Community

Owasp Mobile Top 10 - M7 & M85h1vang

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure

API Abuse - The Anatomy of An AttackNordic APIs

The Ultimate Security Checklist Before Launching Your Android AppAppknox

[OPD 2019] Inter-application vulnerabilitiesOWASP

API Security: the full story42Crunch

apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays

Mobile Application Pentest [Fast-Track]Prathan Phongthiproek

Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure

OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner

Owasp mobile top 10Pawel Rzepa

OWASP Mobile Top 10NowSecure

OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions

Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker

CDIC 2013-Mobile Application Pentest WorkshopPrathan Phongthiproek

85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure

Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava

Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava

Mobile Threats and Owasp Top 10 RisksSantosh Satam

Owasp Mobile Top 10 – 2014n|u - The Open Security Community

Owasp Mobile Top 10 - M7 & M85h1vang

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure

API Abuse - The Anatomy of An AttackNordic APIs

The Ultimate Security Checklist Before Launching Your Android AppAppknox

[OPD 2019] Inter-application vulnerabilitiesOWASP

API Security: the full story42Crunch

apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays

Mobile Application Pentest [Fast-Track]Prathan Phongthiproek

Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure

Similar to Mobile App Hacking In A Nutshell (20)

Mobile App Security: Best Practices for Protecting User DataJohnParker598570

Web API SecurityStefaan

Mobile - Your API Security Blindspot by David Stewart, Approovapidays

Protecting APIs from Mobile Threats- Beyond OauthApigee | Google Cloud

This document discusses securing APIs and mobile applications from threats. It covers API security topics like OAuth, mutual TLS, rate limiting and intrusion detection. For mobile security, it addresses threats involving developer screens, hardcoded keys, bypassing purchases and demoing Bluebox mobile security solutions. The key takeaways are to follow best practices for API and mobile security, use edge policies to protect backends, and augment mobile data security with solutions like Bluebox.

Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...Hitachi, Ltd. OSS Solution Center.

Web Servislerinin Hacklenmesi, Ömer ÇıtakNetsparker Türkiye

This document provides an overview of web service hacking presented by Ömer Çıtak at BILMÖK in 2017. It begins with introductions and then defines key vocabulary related to APIs, REST, authentication methods, and status codes. It also lists the OWASP Mobile Top 10 security risks and provides brief explanations of "Insecure Data Storage", "Insecure Communication", and other categories. Screenshots are included from a demo on RESTful routes. The presentation emphasizes the importance of security when developing web services and APIs.

Mule iON - OSS ESB to iPaaSAli Sadat

OWASPAPISecurityJie Liau

Jie Liau gave a presentation on API security. The presentation covered how APIs have become a primary attack vector, the OWASP API Security Top 10 risks, real world API attacks on companies like Coinbase, T-Mobile, and Instagram, and tools for testing API security like Postman and Burpsuite. It also provided details on API security issues like broken authentication, authorization, inventory management, and server side request forgery. The goal was to educate attendees on the growing API attack surface and best practices for securing APIs.

The Four Horsemen of Mobile SecuritySkycure

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays

This document discusses the importance of API security and how AI can be used to augment API security. It notes that cyber threats are evolving quickly and becoming more sophisticated. API usage has increased access points for potential hackers. The document then outlines how the Accenture APIQ platform uses AI and machine learning for automated API assessment and security. It analyzes API configurations and behavior patterns to provide insights, detect anomalies, monitor APIs, and provide real-time remediation to protect digital assets.

Protecting Your APIs Against Attack & Hijack CA API Management

Secure Enterprise APIs for Mobile, Cloud & Open Web APIs present enterprises with many business opportunities but they also create new attack vectors that hackers can potentially exploit. APIs share many of the same threats that plague the Web but APIs are fundamentally different from Web sites and have an entirely unique risk profile that must be addressed. By adopting a secure API architecture from the beginning, it is possible to address both old and new threats. In this webinar, Scott Morrison – CTO at Layer 7 Technologies – will explain in detail how an enterprise can pursue its API publishing strategy without compromising the security of its on-premise systems and data. You Will Learn How APIs increase the attack surface What key types of risk are introduced by APIs How enterprises can mitigate each of these risks Why it is crucial to separate API implementation and security into distinct tiers Presented By Scott Morrison, CTO, Layer 7 Technologies

Protecting Microservices APIs with 42Crunch API Firewall42Crunch

In loosely coupled architectures, we must put in place application level security, should it be for client traffic (North-South) or intra-microservices traffic (East-West). In this webinar, we show you how the 42Crunch API firewall can be used to put API threat protection in place automatically, as early as design time. We’ll use a mix of slides and demos to present: (1) The various elements of security to consider in order to cover the full API security scope (infrastructure vs application level security) (2) Which threat protections must be put in place in a microservices architecture, and where (3) How to leverage OpenAPI (aka Swagger) to configure threat protection from design time (4) How to automate threat protection deployment

SAE 2014 - Cyber Security: Mission Critical for the Internet of CarsAndreas Mai

Mobile Application Security Threats through the Eyes of the Attackerbugcrowd

API SECURITYTubagus Rizky Dharmawan

This document discusses API security and provides examples of common API attacks and defenses. It covers API fingerprinting and discovery, debugging APIs using proxies, different authentication methods like basic auth, JWTs, and OAuth, and risks of attacking deprecated or development APIs. Specific attacks explained include parameter tampering, bypassing JWT signature validation, OAuth login flows being vulnerable to CSRF, and chaining multiple issues to perform account takeovers. The document emphasizes the importance of API security and provides mitigation strategies like input validation, secret management, rate limiting, and updating old APIs.

API Security in a Microservices World42Crunch

A microservice architecture brings new challenges to API Security and careful design needs to be applied at operations and development level to ensure corporate data is properly protected from unwanted access. In this session we explain what API security encompasses, why API security needs to be considered as early as possible in the lifecycle of the microservices, how known standards such as OAuth and OpenID Connect can be leveraged to authenticate and authorize access to microservices and give practical examples and recommendations for the design and deployment of microservice architectures.

IstioMichael Frembs

The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash

Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems. (Source: RSA USA 2016-San Francisco)

Building Secure Apps in the CloudAtlassian

As companies move towards offering SaaS products in the cloud, it becomes increasingly important to ensure these products are secured by default. This is because customers are no longer in control of their data, but data now resides on a third-party cloud provider. Security is everyone's responsibility. It is now imperative that these cloud products be built with security in mind from the beginning. In this session, Anshuman Bhartiya will discuss ways to build secure applications in the cloud.

Mobile App Security: Best Practices for Protecting User DataJohnParker598570

Web API SecurityStefaan

Mobile - Your API Security Blindspot by David Stewart, Approovapidays

Protecting APIs from Mobile Threats- Beyond OauthApigee | Google Cloud

Exploring Best Practices for Implementing Authn and Authz in a Cloud-Native E...Hitachi, Ltd. OSS Solution Center.

Web Servislerinin Hacklenmesi, Ömer ÇıtakNetsparker Türkiye

Mule iON - OSS ESB to iPaaSAli Sadat

OWASPAPISecurityJie Liau

The Four Horsemen of Mobile SecuritySkycure

apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays

Protecting Your APIs Against Attack & Hijack CA API Management

Protecting Microservices APIs with 42Crunch API Firewall42Crunch

SAE 2014 - Cyber Security: Mission Critical for the Internet of CarsAndreas Mai

Mobile Application Security Threats through the Eyes of the Attackerbugcrowd

API SECURITYTubagus Rizky Dharmawan

API Security in a Microservices World42Crunch

IstioMichael Frembs

The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash

Building Secure Apps in the CloudAtlassian

More from Prathan Phongthiproek (20)

The CARzyPire - Another Red Team OperationPrathan Phongthiproek

This document discusses a project called CARzyPire that involves using a Raspberry Pi Zero W, Crazyradio PA, and PowerShell Empire installed on a remote-controlled car to conduct penetration testing. It provides instructions on setting up the necessary hardware and software, including customizing a PowerShell Empire payload to bypass Windows Defender and creating a Duckyscript to deliver the payload. The payload would then be delivered to targets using the remote-controlled car and Crazyradio PA's ability to hijack wireless keyboards and mice. Control of any successful implants would be maintained using PowerShell Empire's web interface.

The Hookshot: Runtime ExploitationPrathan Phongthiproek

Understanding ransomwarePrathan Phongthiproek

The document discusses the WannaCry ransomware attack of May 2017. It begins with an overview of ransomware, including what it is, how it spreads, and examples like CryptoLocker and WannaCry. It then details the global WannaCry attack, how it exploited the EternalBlue vulnerability to encrypt files and demand ransom payments in Bitcoin. Key lessons are around patching systems promptly, having backups, and following best practices to prevent ransomware infection and limit damage. The timeline shows the lead up to WannaCry, from the Shadow Brokers leak of NSA tools to Microsoft releasing an emergency patch once the attacks began.

Owasp Top 10 Mobile RisksPrathan Phongthiproek

Hack and Slash: Secure CodingPrathan Phongthiproek

The document discusses common web application vulnerabilities like SQL injection, cross-site scripting (XSS), file inclusion, and remote code execution. It provides examples of each vulnerability type and how they can be exploited. Methods for detecting and preventing these vulnerabilities are also covered, including input validation, output encoding, limiting dangerous functions, and using tools like RIPS scanner to detect vulnerabilities.

Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek

This document introduces Web Application Firewall (WAF) and discusses techniques for bypassing WAF protections, including SQL injection, cross-site scripting, file inclusion, HTTP parameter contamination, and HTTP pollution attacks. It provides examples of bypassing specific WAF vendors and open source WAFs like ModSecurity and PHPIDS. While WAFs can block some attacks, the document argues they cannot eliminate all vulnerabilities and proper secure coding is still needed. It concludes that WAFs may succeed or fail depending on configurations and imaginative attacks.

Layer8 exploitation: Lock'n Load TargetPrathan Phongthiproek

The document discusses security and privacy challenges in the digital age, focusing on client-side or "layer 8" hacking techniques that target human vulnerabilities. It describes how hackers gather information on targets from social media, documents, and email to craft spear phishing attacks. The document also outlines automated exploitation techniques using known vulnerabilities in browsers, plugins and applications, demonstrating how hackers can easily compromise systems without any user interaction. It emphasizes the importance of user awareness training, security policies, and sanitizing public documents and files to reduce the risks of these client-side attacks.

Advanced Malware AnalysisPrathan Phongthiproek

The document discusses security challenges posed by modern malware and web-based attacks. It provides examples of next-generation malware that bypass antivirus detection using techniques like embedding malicious code in Office documents or PDF files. It also discusses how web-based malware has evolved from defacements and DDoS tools to more advanced drive-by download attacks using exploit kits. The document aims to demonstrate malware analysis techniques and how to detect web server backdoors through tools and manual source code reviews. It concludes with a challenge to practice security skills safely.

Tisa mobile forensicPrathan Phongthiproek

This document provides an overview of mobile phone forensic analysis, focusing on analysis of the iPhone. It discusses jailbreaking iPhones to allow forensic acquisition and analysis of file systems. It also discusses analyzing iTunes backup files from iPhones, which can contain data like call history, SMS messages, photos and more. Tools are presented for extracting and analyzing data from both jailbroken iPhones and iTunes backup files. The document emphasizes the importance of forensic soundness when acquiring data from mobile devices.

Tisa-Social Network and Mobile SecurityPrathan Phongthiproek

This document summarizes advanced social network and mobile attacks. It discusses threats like malware spam, drive-by downloads, malicious applications, and session hijacking on social networks. It also outlines threats to mobile devices, including vulnerabilities in mobile web browsers, content provider leaks on Android, and zero-day attacks using Google Latitude. Examples are provided of spyware targeting BlackBerry and iPhone users.

Tisa social and mobile securityPrathan Phongthiproek

Operation outbreakPrathan Phongthiproek

The document summarizes a hacking attack on a company called mBank. The attack involved scanning the website for vulnerabilities, finding credentials in PHP files that allowed accessing the MySQL database, and uploading a PHP shell to gain remote access. Key steps included SQL injection to find files on the server, extracting credentials from the configuration file to access the database as the root user, and using the database to upload a web shell.

The Operation CloudBurst AttackPrathan Phongthiproek

The document discusses techniques for hacking into Microsoft SQL and Oracle databases. It begins by outlining scanning and enumeration methods for MSSQL databases using Metasploit modules like mssql_login to identify accessible databases. It then discusses gaining access to databases by exploiting blank passwords or known vulnerabilities. The document continues explaining how to escalate privileges within databases and then moves on to discuss the "Operation CloudBurst" attack and references.

The Art of Grey-Box AttackPrathan Phongthiproek

The document discusses techniques for conducting a "grey-box" attack on Windows and Linux systems. It covers scanning and enumeration of open ports and services using Nmap to identify vulnerabilities. It then discusses methods for gaining initial access, including exploiting the null session vulnerability in Windows 2000 to enumerate user accounts. It also discusses privilege escalation techniques to gain full control of compromised systems. The document provides examples using Nmap and Metasploit to automate vulnerability scanning and exploitation.

Full MSSQL Injection PWNagePrathan Phongthiproek

This document provides an overview of SQL injection attacks and techniques for exploiting Microsoft SQL Server databases. It discusses the basics of SQL injection vulnerabilities and how they can be used to bypass authentication, evade audit logs, and search for vulnerable websites. The document then covers normal SQL injection attacks on MSSQL, including using HAVING/GROUP BY, CONVERT functions, and UNION queries. It also discusses blind SQL injection techniques, more advanced attacks using extended stored procedures, and SQL injection worm attacks. Countermeasures are suggested, and the document provides references and greetings.

Wi-Foo Ninjitsu ExploitationPrathan Phongthiproek

LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek

This document summarizes techniques for exploiting local file inclusion (LFI) vulnerabilities to achieve remote command execution (RCE). It begins by explaining LFI and how it can be used to read local files. It then describes how LFI can be used to inject code into log files or environment variables to execute commands remotely. The document provides an introduction to using Perl sockets and libraries for creating HTTP requests, and gives an example Perl exploit script that uses log file injection to execute code via LFI. It concludes with recommendations for preventing LFI vulnerabilities.

Rock'n Roll in Database SPrathan Phongthiproek

This document profiles Prathan Phongthiproek, a security consultant and instructor. It discusses various database exploitation techniques, including: - Exploiting MySQL vulnerabilities like outfile and load_file functions to write a shell script from a SQL injection in a web application. - Escalating privileges in Oracle using vulnerabilities like DBMS_JVM_EXP_PERMS to grant Java permissions and execute operating system commands for remote code execution. - Attacking default or guessable MSSQL 'sa' credentials and enabling xp_cmdshell to run operating system commands on the target machine.

The Dynamite of Next Generation (Y) AttackPrathan Phongthiproek

Tactical AssassinsPrathan Phongthiproek

The document discusses various client-side attack techniques, including exploiting Microsoft Office macros and malicious PDF files to execute code on targets' machines. It also covers USB-based attacks, SQL injection worms, and wireless evil twin attacks. The speaker advocates using "black hat" tactics like these during penetration tests to think outside the box and effectively compromise systems. An example operation called "CloudBurst" is described that starts with client-side attacks and pivots to a local kernel exploit and internal pass-the-hash attacks to fully compromise the target network.

The CARzyPire - Another Red Team OperationPrathan Phongthiproek

The Hookshot: Runtime ExploitationPrathan Phongthiproek

Understanding ransomwarePrathan Phongthiproek

Owasp Top 10 Mobile RisksPrathan Phongthiproek

Hack and Slash: Secure CodingPrathan Phongthiproek

Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek

Layer8 exploitation: Lock'n Load TargetPrathan Phongthiproek

Advanced Malware AnalysisPrathan Phongthiproek

Tisa mobile forensicPrathan Phongthiproek

Tisa-Social Network and Mobile SecurityPrathan Phongthiproek

Tisa social and mobile securityPrathan Phongthiproek

Operation outbreakPrathan Phongthiproek

The Operation CloudBurst AttackPrathan Phongthiproek

The Art of Grey-Box AttackPrathan Phongthiproek

Full MSSQL Injection PWNagePrathan Phongthiproek

Wi-Foo Ninjitsu ExploitationPrathan Phongthiproek

LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek

Rock'n Roll in Database SPrathan Phongthiproek

The Dynamite of Next Generation (Y) AttackPrathan Phongthiproek

Tactical AssassinsPrathan Phongthiproek

Mobile App Hacking In A Nutshell

1. Mobile App Hacking In A Nutshell presentation at Mobile Conf 25 Aug 2018, BKK, Thailand Content is available under Creative Commons Attribution-ShareAlike unless otherwise noted. Mobile app hacking in a nutshell Prathan Phongthiproek 2600 Thailand

2. Chapter one The Attitude

3. 1 The MistakenHacker Point of View

4. 1 The MistakenSecurity Through Obscurity

5. Chapter two init 1

6. What is Mobile app ?

7. Attack Surface on Web Application

8. Attack Surface on Mobile Application

9. Why does it matter ?

12. Runtime Manipulation

13. Root/Jailbreak Detection

14. Runtime Manipulation Binary Patching

15. Patch Them All - Android

16. Patch Them All - iOS

17. Is secure channel enough ? SSL/TLS

18. The SSL Pinning Rises

19. SuperSU SSL Pinning

20. Manipulating request/response over secure channel SSL/TLS

21. Attacking on API

22. Mobile Application Hacking Diary Ep.1 https://www.exploit-db.com/papers/26620/ Internet

23. Chapter three Shields Up

24. Quick Wins !! o Secure coding and configuration practices (e.g. OWASP) on server-side: • REST Security Cheatsheet • Authentication Cheatsheet • Session Management Cheatsheet • Cryptographic Storage Cheatsheet • Password Storage Cheatsheet • Transaction Authorization Cheatsheet • Access Control Cheatsheet o SSL Pinning Implementation(End-to-end encryption is preferred) o Code Obfuscation

25. OWASP MASVS https://github.com/OWASP/owasp-masvs

26. Thank you init 0