Proxying Android Traffic through Burp Suite (incl credential fuzzing & IDORs)

Published: 11 May 2023
Channel: Intigriti
18,005
336

📱🐛 Learn the basics of Mobile Hacking (Android). In this video, we'll set up a proxy on an Android Virtual Device (AVD), emulated via Android Studio. The process will allow us to intercept Android application traffic with Burp Suite. First, we'll need to configure the Burp proxy and install the certificate on the phone. Once everything is working as expected, we'll try to fuzz login credentials and exploit IDORs on the InsecureBankv2 APK, an intentionally vulnerable app designed for learning how to exploit common vulnerabilities in mobile applications 😎 #BugBounty #EthicalHacking #Mobile #Android #Tutorial

Check the full video playlist here: Mobile Hacking

Overview:
0:00 Intro
1:02 Deploy InsecureBankv2 (backend server)
2:58 Android Studio recap (and config fixes)
4:56 Configure Burp Suite proxy
6:51 Export Burp certificate (.cer)
7:34 Install cert on Android device
9:56 Review "adb shell" approach (ChatGPT)
10:34 Intercept requests with Burp
11:15 Fuzzing usernames (Intruder)
13:06 Fuzzing passwords (Intruder)
14:15 Explore app functionality
15:30 Experiment with IDORs
18:43 Issues with SSL cert pinning
19:40 Conclusion

Looking to try Android hacking and score some bug bounties? Check out the active programs on Intigriti 💜

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by _cryptocat (@_CryptoCat) & intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com

📚 Video-specific Resources 🤓
https://portswigger.net/burp/document...
https://github.com/dineshshetty/Andro...
https://github.com/xtiankisutsa/aweso...