Collaborate Disseminate
I’m a pentester and this is my first question here. I’ve managed to circumvent the ssl certificate pinning implementation on a few mobile apps.
Frankly, the applications I test are critical bank applications and I can listen to the traffic… Continue reading Is SSL pinning bypass considered a vulnerability? If yes, what are the tightening/solution suggestions?
I tried sniffing TLS web traffic on my own network and I always run against the following complications:
I need to install an additional root cert on my devices
I need to root my phone to do certificate pinning bypass
For a government th… Continue reading How can authoritarian governments sniff TLS encrypted traffic on mass scale?
I have the following scenario:
When the leaf certificate expires, the intermediate certificate is checked and if the intermediate is not expired, the application will keep running and will not be affected, while the leaf is getting updated… Continue reading Could certificate pinning work if one checks the intermediate certificate when the leaf certificate already expired?
I have a pki infrastructure for internal company use.
In this pki there are multiple registration authorities whose responsibility is to.
receive certificate issuance requests
verify the identity of the user/device/entity requesting the c… Continue reading What is the best practice for relying parties to selectively trust certificates in a corporate pki hierarchy?
I found an x509 certificate hardcoded in an application and after looking into the code I found that is used to validate certificates(SSL pinning). Can I bypass SSL pinning with the certificate that I found?
Continue reading Can I bypass SSL pinning If I found the certificate hardcoded in the application
I’m try bypass ssl pinning for windows app. I have looked everywhere but i cant find any tool for bypass ssl pinning for windows app. I found so many docs for bypass android, ios, macos but there is no windows app doc.
Continue reading Is There Any App or Script For Windows SSL Pinning
Information Protection Officer at my work requested me to produce a version of our Android App (quote) "…without SSL pinning for our.backend.domain.name.com" for vulnerability scanning purpose.
What does this mean? How can I pr… Continue reading Request to produce Android APK without ‘certificate pinning’
I have implemented Certificate Pinning in a prototype of an android app. Here are the steps I followed:
Converted .crt file to .bks file
Added the .bks file to the asset folder in project structure
Loaded the above file during API call us… Continue reading Insufficient SSL certificate pinning in an native Android app
I have followed this and this video. Following is my understanding.
Before sending a request/response, sending-host (could be server or client) generates a pair of asymmetric cryptographic keys, then takes hash (called Digest) of the pack… Continue reading Is my understanding of Digital Certificates, Digital Signatures and their role in security of flowing traffic correct
I´m pentesting my first mobile application. I have a rooted android device and followed the steps here and here to install the certificate to proxy the traffic through Burp on my Laptop.
But no requests show up. When I´m opening the app I … Continue reading Intercepting app with Burp shows no requests