Extracting cipher key from WhatsApp on Android >= 7 without root

The software I will introduce in this post, called WhatsDump, is a multi-platform command-line tool that forensically acquires the cipher key needed to decrypt WhatsApp's msgstore.db.crypt* databases. You might be familiar with the well-known WhatsApp-Key-DB-Extractor, which does essentially the same thing but does not support devices running Android Nougat (7) and above. This is because it relies on a procedure called APK downgrade, in which the WhatsApp application is temporarily replaced by an older version so that the private key can be extracted; the…


How to bypass Instagram SSL Pinning on Android (v78)

My goal was to take a look at the HTTP requests that Instagram was making, but after setting up an HTTP proxy I couldn't see anything. It turns out that Instagram is protected against MITM attacks using a technique called certificate validation (SSL pinning), which compares the certificate presented by the server in the TLS handshake with a trusted one embedded in the APK. This article is based on Instagram APK version 78.0.0.11.104 (x86), which you can download here. I am also using an Android 8.0 emulator with adb running as root. Disclaimer The…


Defeating CSRF token using XSS and HTTP Parameter Pollution

Cross-Site Request Forgery is a type of attack in which commands chosen by the attacker are executed on a website on behalf of an authenticated user. CSRF attacks specifically target state-changing requests, since the Same-Origin Policy prevents the attacker from reading the response to the forged request. Nowadays most web application frameworks offer built-in protection against CSRF attacks by enforcing the use of so-called CSRF tokens: before rendering the page that contains the form, the server generates a unique token which must be included when data is submitted back to the server. The…
