How to verify Certificate Pinning?
Some friends of mine they worry about the risk of Man-in-the-middle so they ask me how to verify the potential risk of some Apps.
Take a popular shopping app “X” for example, If “X” does not meet the requirement of “Certificate Pinning”, we could definitely use proxy tool like Burp Suite to intercept any confidential between mobile device and servers.
- Run Burp Suite on my laptop and my laptop becomes a proxy server. (Don’t foreget to change policy of firewall to allow connection to its proxy server listening port.)
- Download Certificate from Burp Suite and install this cert file into my mobile phone.
- Setup the proxy server ip and port in my mobile phone’s wifi settings.(Of course the ip is my laptop’s ip; the port number is the listening port of proxy server on my laptop)
- Make sure Burp suite is ready to intercept packets.
Now we could run this app “X” and start to login. Let’s see what data Burp could intercept. To my surprise “nothing” found in intercept tab.
The “Alert” tab turns orange means something happens. It looks like “X” could meet the requirement of certificate pinning.
Don’t jump to conclusions too soon. Let’s take a look at account registry. Input some data such as ID, username , password, phone number, e-mail and click “Submit”. Guess what? Those confidential data being intercepted by Burp suite.
“X” still need to do certificate pinning to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using proxy.
How to verify Certificate Pinning?的更多相关文章
- 008_ssl Certificate Pinning
证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证书, ...
- 证书锁定Certificate Pinning技术
证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证 ...
- Mobile game analysis
Let's take a look at a very popular mobile game "Garena 传说对决" . It would be very interesti ...
- Mobile game forensics
My friend Carrie'd like to know "Garena 传说对决" violates any mobile risks such as insecure d ...
- About certificate
证书spec, X509, 类似规定了一个目录结构.其中重要内容包括 issuer: who isued this certificate subject: the ID of this certif ...
- 证书锁定SSL/TLS Pinning
前言 APP端抓包中, 设置抓包代理后会发现部分APP(如app store.Facebook)直接无法访问,其他部分app又功能正常,为什么呢?这涉及 ssl-pinning,证书锁定. 证书锁定( ...
- IP, TCP, and HTTP--reference
IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with ...
- Android 1.5-7.0(持续更新)安全机制一览
Android 1.5 ProPolice to prevent stack buffer overruns (-fstack-protector),在缓冲区buffer与返回地址之间加入Canary ...
- OkHttp 官方Wiki【设计思想】
官方Wiki之Calls 原文位置:https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept you ...
随机推荐
- BZOJ 3640: JC的小苹果 [概率DP 高斯消元 矩阵求逆]
3640: JC的小苹果 题意:求1到n点权和\(\le k\)的概率 sengxian orz的题解好详细啊 容易想到\(f[i][j]\)表示走到i点权为j的概率 按点权分层,可以DP 但是对于\ ...
- BZOJ 4514: [Sdoi2016]数字配对 [费用流 数论]
4514: [Sdoi2016]数字配对 题意: 有 n 种数字,第 i 种数字是 ai.有 bi 个,权值是 ci. 若两个数字 ai.aj 满足,ai 是 aj 的倍数,且 ai/aj 是一个质数 ...
- CentOS 6.5 Web服务器搭建
安装MySQL 首先,进入终端,输入 [root@localhost ~]# yum install mysql mysql-server 即可安装Mysql 按照成功以后,让MySQL随系统启动 [ ...
- NIO下_使用示例
一.分散与聚集 1.分散读取(Scattering Reads):将通道中的数据分散到多个缓冲区中 2.聚集写入(Gathering Writes):将多个缓冲区中的数据聚集到通道中 public v ...
- C++ Primer Plus阅读笔记
cin进行文本输入 使用cin获取字符的基本方式 char ch; cin >> ch; cin读取char值时将忽略空格和换行符.此外,发送给cin的输入被缓冲.这意味着只有在用户按下回 ...
- 记录一次CentOS环境升级Python2.6到Python2.7并安装最新版pip
背景介绍 一次实验中需要安装python-etcd包.安装这个包时要求的python和pip版本比目前系统的版本高. 系统是centos6.6 64位 1 2 3 4 5 6 7 [root@m ...
- PHPUnit-附录 B. 标注
[http://www.phpunit.cn/manual/5.7/zh_cn/appendixes.annotations.html] 所谓标注,是指某些编程语言中允许加在源代码中的一种特殊格式的语 ...
- C/C++语言的特点
一.支持数据封装和数据隐藏 在C++中,类是支持数据封装的工具,对象则是数据封装的实现.C++通过建立用户定义类支持数据封装和数据隐藏. 在面向对象的程序设计中,将数据和对该数据进行合法操作的函数封装 ...
- 使用nodejs搭建api的mock服务
1. 介绍 公司的业务开发都是静态页面,开发前期总是避免不了获取api的问题.在vue中有一些mockjs的方案,方案都是注入性质的,和最终部署总是有差别,而且业务大部分还在zepto下,很难找到合适 ...
- spring 完成multipart数据上传
spring中多媒体文件的上传,通过配置 MultipartResolver 实现. MultipartResolver 的实现类有两个:一.StandardServletMultipartResol ...