Security Testing
Approaches and Examples using OWASP MSTG
Carlos Holguera
$ whoami
Area of expertise:
– Mobile & Automotive Security Testing
– Security Testing Automation
@grepharder
Index
1 Why?
2 From the Standard to the Guide
3 Vulnerability Analysis
4 Information Gathering
6 Penetration Testing
7 Final Demos
1 Why?
Why? Online videos, articles, trainings??
Trustworthy sources? Right methodology? Latest techniques?
How? MSTG
2 From the Standard to the Guide
OWASP Mobile Application Security Verification Standard
MASVS refs. on each chapter
3 Vulnerability Analysis
Open on GitHub
Manual Code Review
* OWASP iGoat: A Learning Tool for iOS App Pentesting and Security, 2018 (iGoat)
General Information
Sensitive Information
Let me google that for you…
4 Information Gathering / Mapping / Exploitation
Based on all previous information
Exploit the vulnerabilities identified during the previous phase
Use the MSTG
UNDERSTAND the target
Find the true positives
LIST potential vulnerabilities
DRAW sensitive data flow
DESIGN a test plan, use MASVS
However
CAN / Bluetooth / Mobile Apps
(slide figure: frames shown as 03 2X XX XX XX X5 55 and 04 FX XX XX XX XF FF)
6 Demo 1: Mobile Penetration Testing
unpack it
Dex to jar
decompile
google
What do you want? The plain text -> hooking -> The plain text
6 Demo 2: Mobile Penetration Testing
debug
Inspect the code; find stuff: keys, classes
Download the app
unpack it
Dex to jar
decompile
google
What do you want? The crypto keys -> hooking -> The crypto keys
Takeaways
OWASP iGoat - A Learning Tool for iOS App Pentesting and Security: https://github.com/OWASP/igoat