Dynamic Application Testing - Part 1
Dynamic application testing is used to check the security of the application's network communication. A proxy is placed between the app and its server, and a man-in-the-middle (MITM) position is used to intercept, monitor, modify, and retransmit the traffic. This exposes vulnerabilities such as SQL injection and authentication flaws.
Overview of the setup:
1. Download and install Burp Suite on the workstation
2. Create a proxy listener
3. Download the target application
4. Start the application server
Download and install Burp Suite, then create a proxy listener in Burp Suite:
1. Go to Proxy > Proxy settings
2. Click Add under Proxy listeners
3. Enter 5555 in the Bind to port field
4. Under Bind to address, select All interfaces or a specific address (the device must be able to reach the address you choose)
Install an intentionally vulnerable application (InsecureBankv2 is used here).
Configure the device proxy. The options are:
- Direct proxy setup over Wi-Fi
- Using third-party proxy/VPN applications
- Installing certificates on the device (requires root)
Direct proxy setup over Wi-Fi:
1. Go to Wi-Fi settings
2. Long press on the connected network
3. Click Modify network
4. Select Advanced options
5. Change Proxy from None to Manual
6. Set the hostname and port to the values configured for the Burp Suite proxy listener earlier
7. Test the connection by opening a browser on the Android device and visiting http://burp
8. Click the CA Certificate button on the http://burp page
9. Rename the certificate's extension from .der to .cer
10. Install the certificate on the device by tapping it, giving it a name, and pressing OK
Install the vulnerable application on the device with adb:
adb install InsecureBankv2.apk
Open Burp Suite and the Android emulator side by side:
1. Turn on Intercept in Burp Suite and open the vulnerable banking application on the Android device
2. Enter a login username and password and press Login
3. You can see that the request has been captured by Burp Suite
4. Right click on the request and send it to Intruder
5. Set up the payload positions and payloads and start the attack
Log in to the application using the previously obtained username and password:
1. Click on Change Password
2. Enter a new password and click the Change Password button
3. Right click on the captured request and send it to Repeater
4. The username in the change-password request can be changed to any other valid username.
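As an added example (not InsecureBankv2's own server code), the following Python model of a change-password handler shows why the finding above matters: the vulnerable version selects the account from the username field in the request body, while the hardened version binds the target account to the authenticated session. All user names, passwords and function names are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the bank's user and session tables.
# Passwords are kept in plaintext only to keep the example short.
USERS = {"alice": "Alice-pw-1", "bob": "Bob-pw-1"}
SESSIONS = {}


def login(username, password):
    """Issue a session token if the credentials match; return None otherwise."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def change_password_vulnerable(token, body):
    """Trusts the username field of the request body, so a logged-in user who
    edits that field (e.g. in Burp Repeater) resets another account's password."""
    if token not in SESSIONS:
        return 401, "not logged in"
    target = body.get("username")          # client-controlled value
    if target not in USERS:
        return 404, "no such user"
    USERS[target] = body["newpassword"]
    return 200, "password changed for " + target


def change_password_fixed(token, body):
    """Derives the target account from the session. The body's username is
    only checked for consistency and never used to pick the account."""
    actor = SESSIONS.get(token)
    if actor is None:
        return 401, "not logged in"
    if body.get("username") != actor:
        # A mismatch here is the tampering seen in Repeater; log it server-side.
        return 403, "username does not match session"
    USERS[actor] = body["newpassword"]
    return 200, "password changed for " + actor
```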