"Abashed the devil stood and felt how awful goodness is and saw Virtue in her shape how lovely: and pined his loss" -John Milton

In a recent penetration test of a large bank, I was able to transfer money to any account and change any customer's ATM debit card PIN with no authentication through the bank's API servers the mobile application communicates with.

While I was able to successfully reverse engineer the Android app using MobSF, I wasn't so successful in finding the numerous POST and GET requests the mobile app uses when communicating with the bank. An HTTP POST is a type of HTTP request that instructs the receiving web server to accept and store the contents found in the body of the request, often a file upload or user input to the fields of a web form.

Thus began my adventures in finding a more creative way to identify the correct API calls manually, by intercepting the traffic between my mobile phone and the bank's API server. Once I had all of the numerous strings snagged in mitmproxy, I was able to load the POST requests, complete with the expected HTTP header fields, into Postman - an API client capable of sending requests to an API server and letting the user inspect the response for further analysis or debugging.
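The step described above, moving captured requests from mitmproxy into Postman, is a hand-copy job that is easy to get wrong for a large app. The script below is an added example, not code from the original post or from the mitmproxy or Postman projects: it converts captured requests (method, URL, headers, body) into a Postman v2.1 collection, replaces credential-bearing header values with Postman variables so the exported file does not double as a credential store, and lists the state-changing requests the client sent with no credential header at all, which are the first candidates to review when checking whether the server actually enforces authentication. The bank hostname, paths, header values and bodies in `SAMPLE_CAPTURE` are constructed; the `PostmanExporter` class assumes mitmproxy's addon hooks `request` and `done` and is only defined when mitmproxy is installed.

```python
"""Export captured HTTP requests as a Postman v2.1 collection and flag
state-changing requests that carried no credential header.

Added example (not from the original post). The converter is plain Python
and runs offline on the constructed sample below. The optional class at the
bottom wraps it as a mitmproxy addon; it assumes mitmproxy's `request` and
`done` hooks and is only defined when mitmproxy is importable. Hostnames,
paths, header values and bodies are constructed samples, not real captures.
"""
import json
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

POSTMAN_SCHEMA = "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"

# Headers that carry credentials or session state. Their values are replaced
# with Postman variables on export so the collection file does not become a
# credential store; set the variables in a Postman environment instead.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key", "x-auth-token"}


def to_postman_item(method: str, url: str, headers: Dict[str, str],
                    body: Optional[str]) -> dict:
    """Build one Postman collection item from a single captured request."""
    header_list = []
    for name, value in headers.items():
        if name.lower() in CREDENTIAL_HEADERS:
            value = "{{" + name.lower().replace("-", "_") + "}}"
        header_list.append({"key": name, "value": value})
    request = {"method": method, "header": header_list, "url": {"raw": url}}
    if body is not None:
        request["body"] = {"mode": "raw", "raw": body}
    return {"name": f"{method} {urlparse(url).path}", "request": request}


def build_collection(name: str, captures: Iterable[dict]) -> dict:
    """Wrap captured requests (dicts with method/url/headers/body) in a
    Postman v2.1 collection envelope that Postman can import directly."""
    items = [to_postman_item(c["method"], c["url"], c["headers"], c.get("body"))
             for c in captures]
    return {"info": {"name": name, "schema": POSTMAN_SCHEMA}, "item": items}


def has_credential_header(headers: Dict[str, str]) -> bool:
    return any(name.lower() in CREDENTIAL_HEADERS for name in headers)


def requests_without_credentials(captures: Iterable[dict],
                                 methods: Iterable[str] = ("POST",),
                                 public_paths: Iterable[str] = ("/login",)) -> List[str]:
    """Return URLs of state-changing requests the client sent with no
    credential header. Paths in public_paths (login, enrolment) are expected
    to be unauthenticated and are skipped; every URL returned here is one
    whose server-side authorization check should be verified."""
    flagged = []
    for c in captures:
        path = urlparse(c["url"]).path
        if c["method"] not in methods or any(path.endswith(p) for p in public_paths):
            continue
        if not has_credential_header(c["headers"]):
            flagged.append(c["url"])
    return flagged


def export_collection(captures: Iterable[dict], name: str, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(build_collection(name, captures), fh, indent=2)


# Constructed sample capture (hypothetical bank API, not a real target).
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://api.example-bank.test/v1/transfer",
     "headers": {"Content-Type": "application/json",
                 "User-Agent": "BankApp/4.2 (Android)"},
     "body": '{"from": "111111", "to": "222222", "amount": "10.00"}'},
    {"method": "POST", "url": "https://api.example-bank.test/v1/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"user": "demo", "pass": "demo"}'},
    {"method": "GET", "url": "https://api.example-bank.test/v1/balance",
     "headers": {"Authorization": "Bearer sample-token"}, "body": None},
]

try:
    from mitmproxy import http

    class PostmanExporter:
        """mitmproxy addon: run `mitmdump -s this_file.py`, drive the app
        through the proxy, then stop mitmdump to flush the collection."""

        def __init__(self, path: str = "captured.postman_collection.json"):
            self.path, self.captures = path, []

        def request(self, flow: http.HTTPFlow) -> None:
            r = flow.request
            self.captures.append({"method": r.method, "url": r.pretty_url,
                                  "headers": dict(r.headers.items()),
                                  "body": r.get_text(strict=False) or None})

        def done(self) -> None:
            export_collection(self.captures, "mitmproxy capture", self.path)
            for url in requests_without_credentials(self.captures):
                print("no credential header on:", url)

    addons = [PostmanExporter()]
except ImportError:  # mitmproxy not installed: the offline converter still works
    pass


if __name__ == "__main__":
    print(json.dumps(build_collection("sample", SAMPLE_CAPTURE), indent=2))
    print("review for missing auth:", requests_without_credentials(SAMPLE_CAPTURE))
```

Importing the resulting JSON file into Postman gives one request per captured call with the headers already in place; the `{{authorization}}` style variables are filled from a Postman environment rather than from the file. Absence of a credential header in the client's request is only the starting point: the finding is confirmed by whether the server still accepts the request, which is what the review of the flagged URLs is for.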