How to verify Certificate Pinning?
Some friends of mine they worry about the risk of Man-in-the-middle so they ask me how to verify the potential risk of some Apps.
Take a popular shopping app “X” for example, If “X” does not meet the requirement of “Certificate Pinning”, we could definitely use proxy tool like Burp Suite to intercept any confidential between mobile device and servers.
- Run Burp Suite on my laptop and my laptop becomes a proxy server. (Don’t foreget to change policy of firewall to allow connection to its proxy server listening port.)
- Download Certificate from Burp Suite and install this cert file into my mobile phone.
- Setup the proxy server ip and port in my mobile phone’s wifi settings.(Of course the ip is my laptop’s ip; the port number is the listening port of proxy server on my laptop)
- Make sure Burp suite is ready to intercept packets.
Now we could run this app “X” and start to login. Let’s see what data Burp could intercept. To my surprise “nothing” found in intercept tab.
The “Alert” tab turns orange means something happens. It looks like “X” could meet the requirement of certificate pinning.
Don’t jump to conclusions too soon. Let’s take a look at account registry. Input some data such as ID, username , password, phone number, e-mail and click “Submit”. Guess what? Those confidential data being intercepted by Burp suite.
“X” still need to do certificate pinning to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using proxy.
How to verify Certificate Pinning?的更多相关文章
- 008_ssl Certificate Pinning
证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证书, ...
- 证书锁定Certificate Pinning技术
证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证 ...
- Mobile game analysis
Let's take a look at a very popular mobile game "Garena 传说对决" . It would be very interesti ...
- Mobile game forensics
My friend Carrie'd like to know "Garena 传说对决" violates any mobile risks such as insecure d ...
- About certificate
证书spec, X509, 类似规定了一个目录结构.其中重要内容包括 issuer: who isued this certificate subject: the ID of this certif ...
- 证书锁定SSL/TLS Pinning
前言 APP端抓包中, 设置抓包代理后会发现部分APP(如app store.Facebook)直接无法访问,其他部分app又功能正常,为什么呢?这涉及 ssl-pinning,证书锁定. 证书锁定( ...
- IP, TCP, and HTTP--reference
IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with ...
- Android 1.5-7.0(持续更新)安全机制一览
Android 1.5 ProPolice to prevent stack buffer overruns (-fstack-protector),在缓冲区buffer与返回地址之间加入Canary ...
- OkHttp 官方Wiki【设计思想】
官方Wiki之Calls 原文位置:https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept you ...
随机推荐
- PHP码农在Golang压力下的生存之道-PHP性能优化实践
随着国内Golang的火爆,phper的生存压力越来越大,在一次内部技术讨论中,gopher甚至提出,要什么php,写php的全部开掉,唉,码农何苦为难码农. 本文试图寻找一种有效实践,减少php w ...
- python入门学习笔记(一)
写在开头: A:python的交互式环境 ...
- HDU 5056
题意略. 巧妙的尺取法.我们来枚举每个字符str[i],计算以str[i]为结尾的符合题意的串有多少个.那么我们需要处理出str[i]的左边界j,在[j,i]之间的串均为符合题意的 串,那么str[i ...
- ubuntu17 安装中文输入法
在此说的是intelligent pinyin.我首先尝试的是搜狗输入法,虽然最终安装成功了,但还是直接卸载了.因为它不仅需要fcitx框架,在安装成功后,标题栏上面还会出现两个输入法图标.真正不能让 ...
- centos7 yum与Python3冲突
虽然标题不严谨,但是,我自己尝试了多次,在安装了Python3.6后,yum无法同步Python.所以采用网上抄来抄去的做法,将yum指定使用Python2,凡是需要安装与Python相关的模块,使用 ...
- Python接口测试,Requests模块讲解:GET、POST、Cookies、Session等
文章最下方有对应课程的视频链接哦^_^ 一.安装.GET,公共方法 二.POST 三.Cookies 四.Session 五.认证 六.超时配置.代理.事件钩子 七.错误异常
- 一个逼格很低的appium自动化测试框架
Github地址: https://github.com/wuranxu 使用说明 1. 安装配置Mongo数据库 下载地址 mongo是用来存放元素定位的,截图如下: 通过case_id区分每个ca ...
- 后台模拟请求 HttpHelper 序列化 MD5 时间戳
使用场景 C# 服务器后台调用其他服务器并处理 场景 /// <summary> /// 获取用户信息 /// </summary> /// <param name=&q ...
- hi3531串口波特率计算
波特率配置 通过配置寄存器UART_IBRD 和UART_FBRD 可以设置UART 工作的波特率,波特率 计算公式为: 当前波特率=UART 参考时钟频率(1/2 总线时钟频率)/(16 x 分频系 ...
- FusionCharts封装-单系列图
ColumnChart.java: /** * @Title:ColumnChart.java * @Package:com.fusionchart.model * @Description:柱形图 ...