From b12f25e8863b530f33d160e640e8ea23edf85db8 Mon Sep 17 00:00:00 2001 From: Jeroen Beckers Date: Mon, 12 Aug 2024 14:29:46 +0200 Subject: [PATCH] Fixes #2824 (#2873) Co-authored-by: Jeroen Beckers --- techniques/android/MASTG-TECH-0012.md | 3 ++- tools/generic/MASTG-TOOL-0032.md | 10 +++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/techniques/android/MASTG-TECH-0012.md b/techniques/android/MASTG-TECH-0012.md index 32e51d4464..ddfb507c29 100644 --- a/techniques/android/MASTG-TECH-0012.md +++ b/techniques/android/MASTG-TECH-0012.md @@ -13,7 +13,6 @@ This section describes various ways to bypass SSL Pinning and gives guidance abo There are several ways to bypass certificate pinning for a black box test, depending on the frameworks available on the device: -- Cydia Substrate: Install the [Android-SSL-TrustKiller](https://github.com/iSECPartners/Android-SSL-TrustKiller "Android-SSL-TrustKiller") package. - Frida: Use the [frida-multiple-unpinning](https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/ "Project: frida-multiple-unpinning") script. - Objection: Use the `android sslpinning disable` command. - Xposed: Install the [TrustMeAlready](https://github.com/ViRb3/TrustMeAlready "TrustMeAlready") or [SSLUnpinning](https://github.com/ac-pm/SSLUnpinning_Xposed "SSLUnpinning") module. 
@@ -30,6 +29,8 @@ Here's an example of the output: See also [Objection's help on Disabling SSL Pinning for Android](https://github.com/sensepost/objection/blob/master/objection/console/helpfiles/android.sslpinning.disable.txt) for further information and inspect the [pinning.ts](https://github.com/sensepost/objection/blob/master/agent/src/android/pinning.ts "pinning.ts") file to understand how the bypass works. +Note that the frida-multiple-unpinning script from @MASTG-TOOL-0032 covers more scenarios than the Objection script. + ## Bypass Custom Certificate Pinning Statically Somewhere in the application, both the endpoint and the certificate (or its hash) must be defined. After decompiling the application, you can search for: diff --git a/tools/generic/MASTG-TOOL-0032.md b/tools/generic/MASTG-TOOL-0032.md index 83dd7737d0..c5ca6d54b8 100644 --- a/tools/generic/MASTG-TOOL-0032.md +++ b/tools/generic/MASTG-TOOL-0032.md 
@@ -4,12 +4,16 @@ platform: generic source: https://codeshare.frida.re/ --- -[Frida CodeShare](https://codeshare.frida.re/ "Frida CodeShare") is a repository containing a collection of ready-to-run Frida scripts which can enormously help when performing concrete tasks both on Android as on iOS as well as also serve as inspiration to build your own scripts. Two representative examples are: +[Frida CodeShare](https://codeshare.frida.re/ "Frida CodeShare") is a repository containing a collection of ready-to-run Frida scripts which can enormously help when performing concrete tasks both on Android as on iOS as well as also serve as inspiration to build your own scripts. Some examples of useful scripts: -- Universal Android SSL Pinning Bypass with Frida - +- Frida Multiple Unpinning - +- Disable Flutter TLS verification - - ObjC method observer - +- JNI Trace - +- Dump dynamically loaded DEX - +- Enable iOS WebInspector - -Using them is as simple as including the `--codeshare ` flag and a handler when using the Frida CLI. For example, to use "ObjC method observer", enter the following: +Using them is as simple as including the `--codeshare
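Review bot: the `-13,7 +13,6` hunk in `techniques/android/MASTG-TECH-0012.md` drops the Cydia Substrate / Android-SSL-TrustKiller bullet without a replacement or a stated reason; the commit message says only "Fixes #2824 (#2873)". Suggest a one-line rationale in the commit message (or in the page text) so a later reader of `git blame` does not take the removal for an accident. The remaining Frida, Objection and Xposed bullets still match the lead sentence "depending on the frameworks available on the device".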
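Review bot: in the `-30,6 +29,8` hunk, "covers more scenarios than the Objection script" is an unqualified comparison, and the Objection bullet above refers to the `android sslpinning disable` command rather than a script. Suggest naming the extra scenarios (or pointing at the script's own description) and phrasing it as "than Objection's `android sslpinning disable` command". The bullet list in the previous hunk links the CodeShare URL directly while this line uses the `@MASTG-TOOL-0032` cross-reference; using the cross-reference in the bullet as well would keep the page consistent.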
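Review bot: the rewritten intro line in `tools/generic/MASTG-TOOL-0032.md` keeps the awkward phrasing "both on Android as on iOS as well as also serve as inspiration"; since the line is touched anyway, suggest "on both Android and iOS, and also serve as inspiration for your own scripts". The new bullets (`Frida Multiple Unpinning`, `Disable Flutter TLS verification`, `JNI Trace`, `Dump dynamically loaded DEX`, `Enable iOS WebInspector`) each end in a dangling ` - ` with nothing visible after it here; confirm every entry carries its CodeShare link, and that "Frida Multiple Unpinning" points at the same frida-multiple-unpinning script referenced from MASTG-TECH-0012, so the names are not left unresolvable. The retained sentence still uses "ObjC method observer" as the `--codeshare` example, which is fine since that bullet survives the rewrite.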