Dynamic Application Testing - Part 1

Burp Suite

  • Used to check security over network communication

  • Creates a proxy between the app and the server

  • Uses MITM to intercept, monitor, modify, and retransmit the traffic

  • Vulnerabilities like SQL injection, authentication flaws

Burp Suite Setup on Workstation

  • Download and install Burp Suite on workstation

  • Create proxy

  • Download target application

  • Starting application server

Step 1

Download and install Burp Suite

LogoDownload Burp Suite Community Edition - PortSwiggerBurp_Suite

Step 2

Create a proxy listener in Burp Suite

  • Go to Proxy

  • Proxy Settings

  • Click on Add under Proxy listener option

  • Enter 5555 in the Bind to port field

  • In the Bind to address option select All interfaces or Select Specific address

Step 3

Install an intentionally vulnerable application.

LogoGitHub - dineshshetty/Android-InsecureBankv2: Vulnerable Android application for developers and security enthusiasts to learn about Android insecuritiesGitHub

Install the Requirements

pip3 install -r requirements.txt

Start the Server

python3 app.py

Burp Suite Setup on the Test Device (Emulator)

Setup Device

  • Configure device proxy

    • Direct proxy setup over Wi-Fi

    • Using third-party proxy/VPN applications

  • Install certificates on device (Root)

Proxy setup over Wi-Fi

  • Go Wi-Fi Settings

  • Long press on the connected device

  • Click on Modify network

  • Select Advanced options

  • Set the Proxy from None to Manual

  • Set hostname and port as added on the burp suite proxy settings previously

  • Test the connection by opening a browser in the android device and visit: http://burp

Configure Certificates

  • Click on the CA Certificate button in the http://burp webpage

  • Rename the Certificate extension from .der to .cer

  • Install the Certificate on the device by clicking on it and give it a name and Ok

Application Testing : Brute Force

Push the apk on the emulator

  • adb install InsecureBankv2.apk

Brute Force

  • Open burp suite and android emulator side by side

  • Turn on the intercept in burp suite and open the vulnerable banking application in the android device

  • Enter a login username and password and then press on Login

  • You can see that the request has been caputed by burp suite

  • Right click on the request and send it to the intruder

  • Setup the payloads and positions and start the attack

Application Testing : Password Change

  • Login to the application using the previously gained username and password

  • Click on Change Password

  • Enter a new password and click on Change Password button

  • Right click on the request and send it to Repeater

  • We can change the username to any other valid username.

PreviousStatic Application TestingNextPlatform Interaction Testing

Last updated