Man-in-the-Browser in Google Chrome: Part 2 – Locating SSL_Write and SSL_Read

This second part of the Chromium Man-in-the-Browser series looks at the higher-level wrappers SSL_Write and SSL_Read, which attackers target to tamper with SSL/TLS traffic before it is encrypted and after it is decrypted, respectively. Targeting these wrappers rather than the lower-level methods discussed in part 1 has proved a successful strategy for malware developers, because the SSL VMT layout can change at any time, which defeats automatic lookup: the order of the methods it contains can change, methods can be replaced…

Man-in-the-Browser in Google Chrome: Part 1 – Locating the SSL VMT

The financial services sector has become one of the main targets of cyber-attacks worldwide with the advent of e-banking. One of the most sophisticated and effective methods used to commit fraud is the man-in-the-browser attack, which infects the web browser and can change the content of web pages and tamper with network traffic without the victim noticing, even with security controls such as SSL/TLS in place. To conduct this type of attack, malware authors target the specific internal browser functions responsible for handling network traffic and redirect execution…

Extracting cipher key from WhatsApp on Android >= 7 without root

The software introduced in this post, WhatsDump, is a multi-platform command-line tool that forensically acquires the cipher key needed to decrypt WhatsApp's msgstore.db.crypt* databases. You might be familiar with the well-known WhatsApp-Key-DB-Extractor, which does essentially the same thing but does not support Android Nougat (7) and later. This is because it relies on a procedure called APK downgrade, in which the WhatsApp application is temporarily replaced by an older version so that the cipher key can be extracted; the…

How to bypass Instagram SSL Pinning on Android (v78)

My goal was to look at the HTTP requests Instagram makes, but after setting an HTTP proxy I couldn't see anything. It turns out that Instagram is protected against MITM attacks by certificate pinning (SSL pinning), which compares the certificate presented by the server in the TLS handshake with a trusted one embedded in the APK. This article is based on Instagram APK version 78.0.0.11.104 (x86), which you can download here. I am also using an Android 8.0 emulator with adb running as root. Disclaimer: The…

Defeating CSRF token using XSS and HTTP Parameter Pollution

Cross-Site Request Forgery (CSRF) is an attack in which a malicious website makes an authenticated user's browser send attacker-chosen requests to another site on that user's behalf. CSRF attacks specifically target state-changing requests, since the attacker cannot read the response to the forged request thanks to the same-origin policy. Nowadays most web application frameworks offer built-in protection against CSRF by requiring so-called CSRF tokens: before rendering the page that contains a form, the server generates a unique token which must be submitted along with the data. The…
