** | Display the memory as byte. |
-| **print object (po)** | This will print the object referenced by the param
po $raw
{
dnsChanger = {
"affiliate" = "";
"blacklist_dns" = ();
Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use x/b
|
+| **print object (po)** | This will print the object referenced by the param
po $raw
{
dnsChanger = {
"affiliate" = "";
"blacklist_dns" = ();
Note that most of Apple’s Objective-C APIs or methods return objects, and thus should be displayed via the “print object” (po) command. If po doesn't produce a meaningful output use x/b
|
| **memory write** | memory write 0x100600000 -s 4 0x41414141 #Write AAAA in that address |
{% hint style="info" %}
-When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method **as a null-terminated (“C”) string. To print the name via lldb do:
+When calling the **`objc_sendMsg`** function, the **rsi** register holds the **name of the method** as a null-terminated (“C”) string. To print the name via lldb do:
`(lldb) x/s $rsi: 0x1000f1576: "startMiningWithPort:password:coreCount:slowMemory:currency:"`
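Review bot: the hint at the end of this hunk keeps the misspelled runtime function `objc_sendMsg` on the `+` line; the Objective-C message dispatch entry point is `objc_msgSend`, and that should be corrected while the bold markers are being fixed. The register statement is also x86-64 specific: `rsi` holds the selector only on Intel, where it is the second argument; on arm64 the selector is in `x1`, so `x/s $x1` is the equivalent there, and the text should say which architecture it means. Separately, the `print object (po)` row spans several physical lines inside a `|`-delimited table cell, which will not render as a table; collapse the `po $raw` example onto one line with `<br>` or move it below the table as a fenced block, and keep the "if `po` gives nothing useful, fall back to `x/b`" advice with it.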
@@ -217,16 +217,16 @@ When calling the **`objc_sendMsg`** function, the **rsi** register holds the **n
* It's also possible to find **if a process is being debugged** with a simple code such us:
* `if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //process being debugged }`
* It can also invoke the **`ptrace`** system call with the **`PT_DENY_ATTACH`** flag. This **prevents** a deb**u**gger from attaching and tracing.
- * You can check if the **`sysctl` **or**`ptrace`** function is being **imported** (but the malware could import it dynamically)
+ * You can check if the **`sysctl` ** or**`ptrace`** function is being **imported** (but the malware could import it dynamically)
* As noted in this writeup, “[Defeating Anti-Debug Techniques: macOS ptrace variants](https://alexomara.com/blog/defeating-anti-debug-techniques-macos-ptrace-variants/)” :\
- “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT_DENY_ATTACH**_”
+ “_The message Process # exited with **status = 45 (0x0000002d)** is usually a tell-tale sign that the debug target is using **PT\_DENY\_ATTACH**_”
## Fuzzing
### [ReportCrash](https://ss64.com/osx/reportcrash.html#:\~:text=ReportCrash%20analyzes%20crashing%20processes%20and%20saves%20a%20crash%20report%20to%20disk.\&text=ReportCrash%20also%20records%20the%20identity,when%20a%20crash%20is%20detected.)
ReportCrash **analyzes crashing processes and saves a crash report to disk**. A crash report contains information that can **help a developer diagnose** the cause of a crash.\
-For applications and other processes** running in the per-user launchd context**, ReportCrash runs as a LaunchAgent and saves crash reports in the user's `~/Library/Logs/DiagnosticReports/`\
+For applications and other processes **running in the per-user launchd context**, ReportCrash runs as a LaunchAgent and saves crash reports in the user's `~/Library/Logs/DiagnosticReports/`\
For daemons, other processes **running in the system launchd context** and other privileged processes, ReportCrash runs as a LaunchDaemon and saves crash reports in the system's `/Library/Logs/DiagnosticReports`
If you are worried about crash reports **being sent to Apple** you can disable them. If not, crash reports can be useful to **figure out how a server crashed**.
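Review bot: the `+` line for the sysctl/ptrace bullet still produces broken emphasis: `**`sysctl` ** or**`ptrace`**` leaves a space before the closing `**` and no space after `or`, so it should read `**`sysctl`** or **`ptrace`**`. The untouched context in the same hunk has the same class of damage and deserves the same pass: `deb**u**gger` has stray bold markers inside the word, and `such us` should be `such as`. The ReportCrash spacing fix is fine; one practitioner caveat worth adding there is that `PT_DENY_ATTACH` only stops a debugger attaching after the flag is set, so attaching before `main` (or breaking on `ptrace` and changing the request) is the usual way around it, which is what the linked writeup describes.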
@@ -251,7 +251,7 @@ While fuzzing in a MacOS it's important to not allow the Mac to sleep:
#### SSH Disconnect
-If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd_config file with:
+If you are fuzzing via a SSH connection it's important to make sure the session isn't going to day. So change the sshd\_config file with:
* TCPKeepAlive Yes
* ClientAliveInterval 0
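Review bot: `day` on the changed line should be `die` (the session isn't going to die); the `+` line only escapes the underscore and carries the typo through. The two settings also need a caveat: `TCPKeepAlive yes` and `ClientAliveInterval 0` are sshd's defaults, so adding them to a stock `sshd_config` changes nothing, and `ClientAliveInterval 0` merely stops sshd probing the client. To keep a long fuzzing session alive across NAT or firewall idle timeouts, a non-zero interval (for example `ClientAliveInterval 60` together with `ClientAliveCountMax 3`), or `ServerAliveInterval` on the client side, is the setting that actually does the job.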
@@ -264,7 +264,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
### Internal Handlers
-[**Checkout this section**](./#file-extensions-apps)** **to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
+[**Checkout this section**](./#file-extensions-apps) **** to find out how you can find which app is responsible of **handling the specified scheme or protocol**.
### Enumerating Network Processes
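Review bot: the `+` line replaces `** **` with an empty bold pair `****`, which is markup residue rather than a fix and renders as literal asterisks in some renderers; drop it so the sentence reads `[**Checkout this section**](./#file-extensions-apps) to find out …`. While here, `responsible of` should be `responsible for`.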
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
index 602e12b8d..dfcbc62c2 100644
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md
@@ -4,7 +4,7 @@
### What is MDM (Mobile Device Management)?
-[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile_device_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
+[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile\_device\_management) (MDM) is a technology commonly used to **administer end-user computing devices** such as mobile phones, laptops, desktops and tablets. In the case of Apple platforms like iOS, macOS and tvOS, it refers to a specific set of features, APIs and techniques used by administrators to manage these devices. Management of devices via MDM requires a compatible commercial or open-source MDM server that implements support for the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf).
* A way to achieve **centralized device management**
* Requires an **MDM server** which implements support for the MDM protocol
@@ -12,7 +12,7 @@
### Basics What is DEP (Device Enrolment Program)?
-The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
+The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP\_Guide.pdf) (DEP) is a service offered by Apple that **simplifies** Mobile Device Management (MDM) **enrollment** by offering **zero-touch configuration** of iOS, macOS, and tvOS devices. Unlike more traditional deployment methods, which require the end-user or administrator to take action to configure a device, or manually enroll with an MDM server, DEP aims to bootstrap this process, **allowing the user to unbox a new Apple device and have it configured for use in the organization almost immediately**.
Administrators can leverage DEP to automatically enroll devices in their organization’s MDM server. Once a device is enrolled, **in many cases it is treated as a “trusted”** device owned by the organization, and could receive any number of certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).
@@ -21,7 +21,7 @@ Administrators can leverage DEP to automatically enroll devices in their organiz
* Can also be useful for **reprovisioning** workflows (**wiped** with fresh install of the OS)
{% hint style="danger" %}
-Unfortunately, if an organization has not taken additional steps to** protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for** attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
+Unfortunately, if an organization has not taken additional steps to **protect their MDM enrollment**, a simplified end-user enrollment process through DEP can also mean a simplified process for **attackers to enroll a device of their choosing in the organization’s MDM** server, assuming the "identity" of a corporate device.
{% endhint %}
### Basics What is SCEP (Simple Certificate Enrolment Protocol)?
@@ -106,7 +106,7 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi
5. Make the request
1. POST to [https://iprofiles.apple.com/macProfile](https://iprofiles.apple.com/macProfile) sending the data `{ "action": "RequestProfileConfiguration", "sn": "" }`
2. The JSON payload is encrypted using Absinthe (**`NACSign`**)
- 3. All requests over HTTPs, built-in root certificates are used
+ 3. All requests over HTTPs, built-in root certificates are used
![](<../../../.gitbook/assets/image (566) (1).png>)
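Review bot: the changed step 3 is a whitespace-only edit and leaves `HTTPs`, which should be `HTTPS`. Step 2 just above it says the JSON payload is "encrypted" using Absinthe (`NACSign`); by its name `NACSign` performs signing, and the page itself later describes Absinthe as the scheme used to authenticate requests to the DEP service, so `signed` (or `authenticated`) would make the two statements agree and is the security-relevant property for the MITM discussion that follows.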
@@ -121,7 +121,7 @@ The response is a JSON dictionary with some important data like:
* Request sent to **url provided in DEP profile**.
* **Anchor certificates** are used to **evaluate trust** if provided.
- * Reminder: the **anchor_certs** property of the DEP profile
+ * Reminder: the **anchor\_certs** property of the DEP profile
* **Request is a simple .plist** with device identification
* Examples: **UDID, OS version**.
* CMS-signed, DER-encoded
diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
index 67dcf0507..288cf3a68 100644
--- a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md
@@ -2,10 +2,10 @@
## Intro
-As** **[**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
+As **** [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\
Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected.
-**The following research is taken from **[**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe)****
+**The following research is taken from** [**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe)****
## Reversing the process
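Review bot: the `+` line keeps an empty `****` bold pair before the link and a bolded comma `**,**` after it; both are residue and the sentence should read `As [**previously commented**](./#what-is-mdm-mobile-device-management), in order to …`. The same `****` tail survives at the end of the "The following research is taken from" line. Spelling is also mixed inside this hunk (`enrol`, `enrolment`, then `enrolled`); pick one form, and since the page quotes Apple's documentation, `enroll`/`enrollment` is the consistent choice.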
@@ -47,7 +47,7 @@ rsi = @selector(sendConfigurationInfoToRemote);
rsi = @selector(sendFailureNoticeToRemote);
```
-Since the **Absinthe** scheme is what appears to be used to authenticate requests to the DEP service, **reverse engineering **this scheme would allow us to make our own authenticated requests to the DEP API. This proved to be **time consuming**, though, mostly because of the number of steps involved in authenticating requests. Rather than fully reversing how this scheme works, we opted to explore other methods of inserting arbitrary serial numbers as part of the _Activation Record_ request.
+Since the **Absinthe** scheme is what appears to be used to authenticate requests to the DEP service, **reverse engineering** this scheme would allow us to make our own authenticated requests to the DEP API. This proved to be **time consuming**, though, mostly because of the number of steps involved in authenticating requests. Rather than fully reversing how this scheme works, we opted to explore other methods of inserting arbitrary serial numbers as part of the _Activation Record_ request.
### MITMing DEP Requests
@@ -60,7 +60,7 @@ sn": "
}
```
-Since the API at _iprofiles.apple.com_ uses [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) (TLS), we needed to enable SSL Proxying in Charles for that host to see the plain text contents of the SSL requests.
+Since the API at _iprofiles.apple.com_ uses [Transport Layer Security](https://en.wikipedia.org/wiki/Transport\_Layer\_Security) (TLS), we needed to enable SSL Proxying in Charles for that host to see the plain text contents of the SSL requests.
However, the `-[MCTeslaConfigurationFetcher connection:willSendRequestForAuthenticationChallenge:]` method checks the validity of the server certificate, and will abort if server trust cannot be verified.
@@ -82,7 +82,7 @@ ManagedClient.app/Contents/Resources/English.lproj/Errors.strings
```
-The _Errors.strings_ file can be [printed in a human-readable format](https://duo.com/labs/research/mdm-me-maybe#error_strings_output) with the built-in `plutil` command.
+The _Errors.strings_ file can be [printed in a human-readable format](https://duo.com/labs/research/mdm-me-maybe#error\_strings\_output) with the built-in `plutil` command.
```
$ plutil -p /System/Library/CoreServices/ManagedClient.app/Contents/Resources/English.lproj/Errors.strings
@@ -118,7 +118,7 @@ One of the benefits of this method over modifying the binaries and re-signing th
**System Integrity Protection**
-In order to instrument system binaries, (such as `cloudconfigurationd`) on macOS, [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) must be disabled. SIP is a security technology that protects system-level files, folders, and processes from tampering, and is enabled by default on OS X 10.11 “El Capitan” and later. [SIP can be disabled](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) by booting into Recovery Mode and running the following command in the Terminal application, then rebooting:
+In order to instrument system binaries, (such as `cloudconfigurationd`) on macOS, [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) must be disabled. SIP is a security technology that protects system-level files, folders, and processes from tampering, and is enabled by default on OS X 10.11 “El Capitan” and later. [SIP can be disabled](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System\_Integrity\_Protection\_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) by booting into Recovery Mode and running the following command in the Terminal application, then rebooting:
```
csrutil enable --without debug
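Review bot: the prose says SIP "must be disabled", but the command it shows, `csrutil enable --without debug`, does not disable SIP; it re-enables SIP with only the debugging restriction lifted, which is exactly what is needed to attach to or instrument `cloudconfigurationd` and is the less invasive choice. Reword the sentence to say the SIP debugging restriction must be lifted so that text and command agree, and note that `csrutil` reports this as an unsupported configuration and that the change only takes effect after the reboot the paragraph mentions.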
@@ -415,7 +415,7 @@ Although some of this information might be publicly available for certain organi
#### Rogue DEP Enrollment
-The [Apple MDM protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf) supports - but does not require - user authentication prior to MDM enrollment via [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). **Without authentication, all that's required to enroll a device in an MDM server via DEP is a valid, DEP-registered serial number**. Thus, an attacker that obtains such a serial number, (either through [OSINT](https://en.wikipedia.org/wiki/Open-source_intelligence), social engineering, or by brute-force), will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server. Essentially, if an attacker is able to win the race by initiating the DEP enrollment before the real device, they're able to assume the identity of that device.
+The [Apple MDM protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf) supports - but does not require - user authentication prior to MDM enrollment via [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic\_access\_authentication). **Without authentication, all that's required to enroll a device in an MDM server via DEP is a valid, DEP-registered serial number**. Thus, an attacker that obtains such a serial number, (either through [OSINT](https://en.wikipedia.org/wiki/Open-source\_intelligence), social engineering, or by brute-force), will be able to enroll a device of their own as if it were owned by the organization, as long as it's not currently enrolled in the MDM server. Essentially, if an attacker is able to win the race by initiating the DEP enrollment before the real device, they're able to assume the identity of that device.
Organizations can - and do - leverage MDM to deploy sensitive information such as device and user certificates, VPN configuration data, enrollment agents, Configuration Profiles, and various other internal data and organizational secrets. Additionally, some organizations elect not to require user authentication as part of MDM enrollment. This has various benefits, such as a better user experience, and not having to [expose the internal authentication server to the MDM server to handle MDM enrollments that take place outside of the corporate network](https://docs.simplemdm.com/article/93-ldap-authentication-with-apple-dep).
diff --git a/macos/macos-security-and-privilege-escalation/macos-protocols.md b/macos/macos-security-and-privilege-escalation/macos-protocols.md
index 384995d62..1be12bdbf 100644
--- a/macos/macos-security-and-privilege-escalation/macos-protocols.md
+++ b/macos/macos-security-and-privilege-escalation/macos-protocols.md
@@ -2,7 +2,7 @@
## Bonjour
-**Bonjour** is an Apple-designed technology that enables computers and **devices located on the same network to learn about services offered **by other computers and devices. It is designed such that any Bonjour-aware device can be plugged into a TCP/IP network and it will **pick an IP address** and make other computers on that network** aware of the services it offers**. Bonjour is sometimes referred to as Rendezvous, **Zero Configuration**, or Zeroconf.\
+**Bonjour** is an Apple-designed technology that enables computers and **devices located on the same network to learn about services offered** by other computers and devices. It is designed such that any Bonjour-aware device can be plugged into a TCP/IP network and it will **pick an IP address** and make other computers on that network **aware of the services it offers**. Bonjour is sometimes referred to as Rendezvous, **Zero Configuration**, or Zeroconf.\
Zero Configuration Networking, such as Bonjour provides:
* Must be able to **obtain an IP Address** (even without a DHCP server)
@@ -12,7 +12,7 @@ Zero Configuration Networking, such as Bonjour provides:
The device will get an **IP address in the range 169.254/16** and will check if any other device is using that IP address. If not, it will keep the IP address. Macs keeps an entry in their routing table for this subnet: `netstat -rn | grep 169`
For DNS the **Multicast DNS (mDNS) protocol is used**. [**mDNS** **services** listen in port **5353/UDP**](../../pentesting/5353-udp-multicast-dns-mdns.md), use **regular DNS queries** and use the **multicast address 224.0.0.251** instead of sending the request just to an IP address. Any machine listening these request will respond, usually to a multicast address, so all the devices can update their tables.\
-Each device will **select its own name** when accessing the network, the device will choose a name **ended in .local** (might be based on the hostname or a completely random one).
+Each device will **select its own name** when accessing the network, the device will choose a name **ended in .local** (might be based on the hostname or a completely random one).
For **discovering services DNS Service Discovery (DNS-SD)** is used.
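Review bot: the `-`/`+` pair here is a whitespace-only change; since the line is being touched anyway, `ended in .local` reads better as `ending in .local`, and the surrounding context has grammar slips worth fixing in the same commit: `Macs keeps` should be `Macs keep`, `listen in port` should be `listen on port`, and `Any machine listening these request` should be `Any machine listening to these requests`.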
@@ -77,5 +77,5 @@ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.p
## References
-* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt_other?\_encoding=UTF8\&me=\&qid=)****
+* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)****
* ****[**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)****
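Review bot: both reference bullets end in `****`, and the taomm.org entry also begins with it; these empty bold pairs are markup residue that renders as literal asterisks in some renderers and should be removed rather than carried through by the URL-escaping change.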
diff --git a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
index 3a48b1cd5..8e3dd3f05 100644
--- a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
+++ b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md
@@ -5,7 +5,7 @@
* JAMF Pro: `jamf checkJSSConnection`
* Kandji
-If you manage to** compromise admin credentials** to access the management platform, you can **potentially compromise all the computers** by distributing your malware in the machines.
+If you manage to **compromise admin credentials** to access the management platform, you can **potentially compromise all the computers** by distributing your malware in the machines.
For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work:
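Review bot: minor wording on the changed line, since it is being edited anyway: `distributing your malware in the machines` should be `distributing your malware to the machines`, and `MacOS` is written `macOS` elsewhere on the page.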
@@ -35,7 +35,7 @@ In some occasions you will find that the **MacOS computer is connected to an AD*
[pentesting-kerberos-88](../../pentesting/pentesting-kerberos-88/)
{% endcontent-ref %}
-Some **local MacOS tool **that may also help you is `dscl`:
+Some **local MacOS tool** that may also help you is `dscl`:
```bash
dscl "/Active Directory/[Domain]/All Domains" ls /
diff --git a/misc/basic-python/bypass-python-sandboxes/README.md b/misc/basic-python/bypass-python-sandboxes/README.md
index f8cf69901..4f54c1471 100644
--- a/misc/basic-python/bypass-python-sandboxes/README.md
+++ b/misc/basic-python/bypass-python-sandboxes/README.md
@@ -45,7 +45,7 @@ Remember that the _**open**_ and _**read**_ functions can be useful to **read fi
**Python2 input()** function allows to execute python code before the program crashes.
{% endhint %}
-Python try to **load libraries from the current directory first **(the following command will print where is python loading modules from): `python3 -c 'import sys; print(sys.path)'`
+Python try to **load libraries from the current directory first** (the following command will print where is python loading modules from): `python3 -c 'import sys; print(sys.path)'`
![](<../../../.gitbook/assets/image (552).png>)
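Review bot: the changed sentence overstates the rule. Python does not search the current working directory first; `sys.path[0]` is the directory of the script being executed, and it is `''` (meaning the cwd) only when the interpreter is started with `-c`, `-m` or interactively. The probe `python3 -c 'import sys; print(sys.path)'` prints `''` first precisely because of `-c`, so it does not demonstrate the script case; say "the script's directory (or the cwd for `-c`/`-m`/interactive use)" and drop the module next to the target accordingly. Worth adding that Python 3.11 introduced `-P` and `PYTHONSAFEPATH` to suppress this prepend, which is the mitigation a sandbox author would reach for.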
@@ -54,7 +54,7 @@ Python try to **load libraries from the current directory first **(the following
### Default packages
You can find a **list of pre-installed** packages here: [https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html](https://docs.qubole.com/en/latest/user-guide/package-management/pkgmgmt-preinstalled-packages.html)\
-Note that from a pickle you can make the python env** import arbitrary libraries** installed in the system.\
+Note that from a pickle you can make the python env **import arbitrary libraries** installed in the system.\
For example the following pickle, when loaded, is going to import the pip library to use it:
```python
@@ -131,7 +131,7 @@ __builtins__.__dict__['__import__']("os").system("ls")
### No Builtins
When you don't have `__builtins__` you are not going to be able to import anything nor even read or write files as **all the global functions** (like `open`, `import`, `print`...) **aren't loaded**.\
-However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous **functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
+However, **by default python import a lot of modules in memory**. This modules may seem benign, but some of them are **also importing dangerous** functionalities inside of them that can be accessed to gain even **arbitrary code execution**.
In the following examples you can observe how to **abuse** some of this "**benign**" modules loaded to **access** **dangerous** **functionalities** inside of them.
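Review bot: the `+` line only re-spaces the bold markers and leaves the grammar of the sentence broken: `by default python import a lot of modules` should be `imports`, `This modules may seem benign` should be `These modules`, and `are also importing dangerous functionalities inside of them` reads better as `also import dangerous functionality`. The context line after it has the same issue (`some of this "benign" modules` should be `these`).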
@@ -175,7 +175,7 @@ get_flag.__globals__['__builtins__']
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "builtins" in x.__init__.__globals__ ][0]["builtins"]
```
-[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds **of **places **were you can find the **builtins**.
+[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **builtins**.
#### Python2 and Python3
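Review bot: `were you can find the builtins` on the changed line should be `where you can find the builtins`; the `+` line fixes the bold spacing but keeps the typo.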
@@ -223,11 +223,11 @@ class_obj.__init__.__globals__
[, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ]
```
-[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds **of **places **were you can find the **globals**.
+[**Below there is a bigger function**](./#recursive-search-of-builtins-globals) to find tens/**hundreds** of **places** were you can find the **globals**.
## Discover Arbitrary Execution
-Here I want to explain how to easily discover** more dangerous functionalities loaded **and propose more reliable exploits.
+Here I want to explain how to easily discover **more dangerous functionalities loaded** and propose more reliable exploits.
#### Accessing subclasses with bypasses
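Review bot: `were you can find the globals` on the changed line should be `where`, the same typo as in the earlier "bigger function" sentence. The example output just above it in the fenced block is a list of bare commas and carries no information; either show the real entries or drop that output line, since as it stands a reader cannot tell what the expression is supposed to return.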
@@ -267,13 +267,13 @@ For example, knowing that with the library **`sys`** it's possible to **import a
['_ModuleLock', '_DummyModuleLock', '_ModuleLockManager', 'ModuleSpec', 'FileLoader', '_NamespacePath', '_NamespaceLoader', 'FileFinder', 'zipimporter', '_ZipImportResourceReader', 'IncrementalEncoder', 'IncrementalDecoder', 'StreamReaderWriter', 'StreamRecoder', '_wrap_close', 'Quitter', '_Printer', 'WarningMessage', 'catch_warnings', '_GeneratorContextManagerBase', '_BaseExitStack', 'Untokenizer', 'FrameSummary', 'TracebackException', 'CompletedProcess', 'Popen', 'finalize', 'NullImporter', '_HackedGetData', '_localized_month', '_localized_day', 'Calendar', 'different_locale', 'SSLObject', 'Request', 'OpenerDirector', 'HTTPPasswordMgr', 'AbstractBasicAuthHandler', 'AbstractDigestAuthHandler', 'URLopener', '_PaddedFile', 'CompressedValue', 'LogRecord', 'PercentStyle', 'Formatter', 'BufferingFormatter', 'Filter', 'Filterer', 'PlaceHolder', 'Manager', 'LoggerAdapter', '_LazyDescr', '_SixMetaPathImporter', 'MimeTypes', 'ConnectionPool', '_LazyDescr', '_SixMetaPathImporter', 'Bytecode', 'BlockFinder', 'Parameter', 'BoundArguments', 'Signature', '_DeprecatedValue', '_ModuleWithDeprecations', 'Scrypt', 'WrappedSocket', 'PyOpenSSLContext', 'ZipInfo', 'LZMACompressor', 'LZMADecompressor', '_SharedFile', '_Tellable', 'ZipFile', 'Path', '_Flavour', '_Selector', 'JSONDecoder', 'Response', 'monkeypatch', 'InstallProgress', 'TextProgress', 'BaseDependency', 'Origin', 'Version', 'Package', '_Framer', '_Unframer', '_Pickler', '_Unpickler', 'NullTranslations']
```
-There are a lot, and** we just need one** to execute commands:
+There are a lot, and **we just need one** to execute commands:
```python
[ x.__init__.__globals__ for x in ''.__class__.__base__.__subclasses__() if "wrapper" not in str(x.__init__) and "sys" in x.__init__.__globals__ ][0]["sys"].modules["os"].system("ls")
```
-We can do the same thing with** other libraries** that we know can be used to** execute commands**:
+We can do the same thing with **other libraries** that we know can be used to **execute commands**:
```python
#os
@@ -331,7 +331,7 @@ pdb:
"""
```
-Moreover, if you think **other libraries** may be able to** invoke functions to execute commands**, we can also **filter by functions names** inside the possible libraries:
+Moreover, if you think **other libraries** may be able to **invoke functions to execute commands**, we can also **filter by functions names** inside the possible libraries:
```python
bad_libraries_names = ["os", "commands", "subprocess", "pty", "importlib", "imp", "sys", "builtins", "pip", "pdb"]
@@ -496,7 +496,7 @@ You can check the output of this script in this page:
## Python Format String
-If you **send **a **string **to python that is going to be **formatted**, you can use `{}` to access **python internal information. **You can use the previous examples to access globals or builtins for example.
+If you **send** a **string** to python that is going to be **formatted**, you can use `{}` to access **python internal information.** You can use the previous examples to access globals or builtins for example.
{% hint style="info" %}
However, there is a **limitation**, you can only use the symbols `.[]`, so you **won't be able to execute arbitrary code**, just to read information. \
@@ -523,7 +523,7 @@ st = "{people_obj.__init__.__globals__[CONFIG][KEY]}"
get_name_for_avatar(st, people_obj = people)
```
-Note how you can **access attributes **in a normal way with a **dot **like `people_obj.__init__` and **dict element **with **parenthesis **without quotes `__globals__[CONFIG]`
+Note how you can **access attributes** in a normal way with a **dot** like `people_obj.__init__` and **dict element** with **parenthesis** without quotes `__globals__[CONFIG]`
Also note that you can use `.__dict__` to enumerate elements of an object `get_name_for_avatar("{people_obj.__init__.__globals__[os].__dict__}", people_obj = people)`
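Review bot: `parenthesis` on the changed line is wrong: `__globals__[CONFIG]` uses square brackets, and in `str.format` field syntax the key between the brackets is taken literally (no quotes and no expressions), which is exactly why `[CONFIG]` works without quotes. Say `square brackets` so the explanation matches the code.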
@@ -730,7 +730,7 @@ dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x0
## Compiling Python
Now, lets imagine that somehow you can **dump the information about a function that you cannot execute** but you **need** to **execute** it.\
-Like in the following example, you **can access the code object **of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_)
+Like in the following example, you **can access the code object** of that function, but just reading the disassemble you **don't know how to calculate the flag** (_imagine a more complex `calc_flag` function_)
```python
def get_flag(some_input):
@@ -770,7 +770,7 @@ function_type(code_obj, mydict, None, None, None)("secretcode")
### Recreating a leaked function
{% hint style="warning" %}
-In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a** real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**.
+In the following example we are going to take all the data needed to recreate the function from the function code object directly. In a **real example**, all the **values** to execute the function **`code_type`** is what **you will need to leak**.
{% endhint %}
```python
@@ -830,7 +830,7 @@ f(42)
## Decompiling Compiled Python
-Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com)** **one can **decompile** given compiled python code
+Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code
## References
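Review bot: the `+` line turns `** **` into an empty bold pair `****` after the link, which is residue rather than a fix; drop it so the sentence reads `Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code`.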
diff --git a/misc/basic-python/magic-methods.md b/misc/basic-python/magic-methods.md
index efd43787f..23d479b43 100644
--- a/misc/basic-python/magic-methods.md
+++ b/misc/basic-python/magic-methods.md
@@ -2,11 +2,11 @@
## Class Methods
-You can access the **methods **of a **class **using **\__dict\_\_.**
+You can access the **methods** of a **class** using **\_\_dict\_\_.**
![](<../../.gitbook/assets/image (42).png>)
-You can access the functions
+You can access the functions
![](<../../.gitbook/assets/image (45).png>)
@@ -14,23 +14,23 @@ You can access the functions
### **Attributes**
-You can access the **attributes of an object** using** \__dict\_\_**. Example:
+You can access the **attributes of an object** using **\_\_dict\_\_**. Example:
![](<../../.gitbook/assets/image (41).png>)
### Class
-You can access the **class **of an object using **\__class\_\_**
+You can access the **class** of an object using **\_\_class\_\_**
![](<../../.gitbook/assets/image (43).png>)
-You can access the **methods **of the **class **of an **object chainning **magic functions:
+You can access the **methods** of the **class** of an **object chainning** magic functions:
![](<../../.gitbook/assets/image (44).png>)
## Server Side Template Injection
-Interesting functions to exploit this vulnerability
+Interesting functions to exploit this vulnerability
```
__init__.__globals__
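Review bot: the `+` line in this hunk keeps the typo `**object chainning** magic functions`; it should be `chaining`. Suggest `You can access the **methods** of the **class** of an **object chaining** magic functions:`.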
@@ -39,7 +39,7 @@ __class__.__init__.__globals__
Inside the response search for the application (probably at the end?)
-Then **access the environment content** of the application where you will hopefully find **some passwords **of interesting information:
+Then **access the environment content** of the application where you will hopefully find **some passwords** of interesting information:
```
__init__.__globals__[].config
@@ -54,5 +54,5 @@ __class__.__init__.__globals__[].__dict__.config
* [https://rushter.com/blog/python-class-internals/](https://rushter.com/blog/python-class-internals/)
* [https://docs.python.org/3/reference/datamodel.html](https://docs.python.org/3/reference/datamodel.html)
-* [https://balsn.tw/ctf_writeup/20190603-facebookctf/#events](https://balsn.tw/ctf_writeup/20190603-facebookctf/#events)
+* [https://balsn.tw/ctf\_writeup/20190603-facebookctf/#events](https://balsn.tw/ctf\_writeup/20190603-facebookctf/#events)
* [https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0](https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0) (events)
diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-apps-pentesting/android-app-pentesting/README.md
index 2630cc535..79aaf77b5 100644
--- a/mobile-apps-pentesting/android-app-pentesting/README.md
+++ b/mobile-apps-pentesting/android-app-pentesting/README.md
@@ -143,11 +143,11 @@ A good way to test this is to try to capture the traffic using some proxy like B
### Broken Cryptography
-#### Poor Key Management Processes
+#### Poor Key Management Processes
Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information.
-#### Use of Insecure and/or Deprecated Algorithms
+#### Use of Insecure and/or Deprecated Algorithms
Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt.
@@ -169,7 +169,7 @@ Read the following page to learn how to easily access javascript code of React a
### Xamarin Applications
-**Xamarin** apps are written in **C#**, in order to access the C# code **decompressed, **you need to get the files from the **apk**:
+**Xamarin** apps are written in **C#**, in order to access the C# code **decompressed,** you need to get the files from the **apk**:
```bash
7z r app.apk #Or any other zip decompression cmd
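Review bot: the context line `7z r app.apk #Or any other zip decompression cmd` is not a working 7-Zip invocation: 7-Zip has no `r` command (its commands are `a`, `b`, `d`, `e`, `h`, `i`, `l`, `rn`, `t`, `u`, `x`), so readers copying it will get a usage error. Since this hunk already edits the sentence introducing it, suggest changing the command to `7z x app.apk #Or any other zip decompression cmd`, which extracts with full paths.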
@@ -181,13 +181,13 @@ Then, decompress all the DLsL using [**xamarin-decompress**](https://github.com/
python3 xamarin-decompress.py -o /path/to/decompressed/apk
```
- and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to** read C# code** from the DLLs.
+ and finally you can use [**these recommended tools**](../../reversing/reversing-tools-basic-methods/#net-decompiler) to **read C# code** from the DLLs.
### Automated Static Code Analysis
The tool [**mariana-trench**](https://github.com/facebook/mariana-trench) is capable of finding **vulnerabilities** by **scanning** the **code** of the application. This tool contains a series of **known sources** (that indicates to the tool the **places** where the **input** is **controlled by the user**), **sinks** (which indicates to the tool **dangerous** **places** where malicious user input could cause damages) and **rules**. These rules indicates the **combination** of **sources-sinks** that indicates a vulnerability.
-With this knowledge,** mariana-trench will review the code and find possible vulnerabilities on it**.
+With this knowledge, **mariana-trench will review the code and find possible vulnerabilities on it**.
### Other interesting functions
@@ -223,7 +223,7 @@ You can use some **emulator** like:
* [**Android Studio**](https://developer.android.com/studio) **(**You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator).
* If you want to try to **install** an **image** and then you want to **delete it** you can do that on Windows:`C:\Users\\AppData\Local\Android\sdk\system-images\` or Mac: `/Users/myeongsic/Library/Android/sdk/system-image`
* This is the **main emulator I recommend to use and you can**[ **learn to set it up in this page**](avd-android-virtual-device.md).
-* [**Genymotion**](https://www.genymotion.com/fun-zone/) **(\_Free version: **Personal Edition**, you need to **create** an **account.\_)
+* [**Genymotion**](https://www.genymotion.com/fun-zone/) **(\_Free version:** Personal Edition**, you need to** create **an** account.\_)
* [Nox](https://es.bignox.com) (Free, but it doesn't support Frida or Drozer).
{% hint style="info" %}
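Review bot: the Genymotion `+` line is still malformed: `**(\_Free version:** Personal Edition**, you need to** create **an** account.\_)` now bolds `(Free version:`, `, you need to` and `an` while leaving the terms the author meant to highlight unbolded, and the escaped `\_` never opens italics. Suggest `* [**Genymotion**](https://www.genymotion.com/fun-zone/) (_Free version: **Personal Edition**, you need to **create** an **account**._)`.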
@@ -263,12 +263,12 @@ Anyway, it's still recommended to **not log sensitive information**.
Android provides **clipboard-based** framework to provide copy-paste function in android applications. But this creates serious issue when some **other application** can **access** the **clipboard** which contain some sensitive data. **Copy/Paste** function should be **disabled** for **sensitive part** of the application. For example, disable copying credit card details.
-#### Crash Logs
+#### Crash Logs
If an application **crashes** during runtime and it **saves logs** somewhere then those logs can be of help to an attacker especially in cases when android application cannot be reverse engineered. Then, avoid creating logs when applications crashes and if logs are sent over the network then ensure that they are sent over an SSL channel.\
As pentester, **try to take a look to these logs**.
-#### Analytics Data Sent To 3rd Parties
+#### Analytics Data Sent To 3rd Parties
Most of the application uses other services in their application like Google Adsense but sometimes they **leak some sensitive data** or the data which is not required to sent to that service. This may happen because of the developer not implementing feature properly. You can **look by intercepting the traffic** of the application and see whether any sensitive data is sent to 3rd parties or not.
diff --git a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
index 5e6e1a0ba..2965e61f2 100644
--- a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
+++ b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
@@ -10,7 +10,7 @@ C:\Users\\AppData\Local\Android\sdk\platform-tools\adb.exe
/Users//Library/Android/sdk/platform-tools/adb
```
-**Information obtained from: **[**http://adbshell.com/**](http://adbshell.com)****
+**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com)****
## Connection
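Review bot: the `+` line keeps a dangling empty emphasis pair after the link, `[**http://adbshell.com/**](http://adbshell.com)****`; `****` with no content renders as literal asterisks. Suggest `**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com)`.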
@@ -18,7 +18,7 @@ C:\Users\\AppData\Local\Android\sdk\platform-tools\adb.exe
adb devices
```
-This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock **your **mobile **and **accept **the connection.
+This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock** your **mobile** and **accept** the connection.
This indicates to the device that it has to start and adb server in port 5555:
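Review bot: the quoted device state in the `+` line, `"_**unathorised**_"`, does not match what `adb devices` actually prints, which is `unauthorized`; since readers will be matching on that word in the command output, quote it verbatim. The following context line also has a typo: `start and adb server in port 5555` should be `start an adb server on port 5555`.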
@@ -59,7 +59,7 @@ root
### Port Tunneling
-In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can** forward the port 5555** and connect via adb:
+In case the **adb** **port** is only **accessible** from **localhost** in the android device but **you have access via SSH**, you can **forward the port 5555** and connect via adb:
```bash
ssh -i ssh_key username@10.10.10.10 -L 5555:127.0.0.1:5555 -p 2222
@@ -280,7 +280,7 @@ flashing/restoring Android update.zip packages.
### Logcat
-To** filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat:
+To **filter the messages of only one application**, get the PID of the application and use grep (linux/macos) or findstr (windows) to filter the output of logcat:
```
adb logcat | grep 4526
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md b/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
index b7003fab0..17b5dc478 100644
--- a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
+++ b/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md
@@ -18,13 +18,13 @@
### Sandboxing
-The **Android Application Sandbox **allows to run **each application** as a **separate process under a separate user ID**. Each process has its own virtual machine, so an app’s code runs in isolation from other apps.\
+The **Android Application Sandbox** allows to run **each application** as a **separate process under a separate user ID**. Each process has its own virtual machine, so an app’s code runs in isolation from other apps.\
From Android 5.0(L) **SELinux** is enforced. Basically, SELinux denied all process interactions and then created policies to **allow only the expected interactions between them**.
### Permissions
-When you installs an **app and it ask for permissions**, the app is asking for the permissions configured in the **`uses-permission`** elements in the **AndroidManifest.xml **file. The **uses-permission** element indicates the name of the requested permission inside the **name** **attribute. **It also has the **maxSdkVersion** attribute which stops asking for permissions on versions higher than the one specified.\
-Note that android applications don't need to ask for all the permissions at the beginning, they can also **ask for permissions dynamically **but all the permissions must be **declared** in the **manifest.**
+When you installs an **app and it ask for permissions**, the app is asking for the permissions configured in the **`uses-permission`** elements in the **AndroidManifest.xml** file. The **uses-permission** element indicates the name of the requested permission inside the **name** **attribute.** It also has the **maxSdkVersion** attribute which stops asking for permissions on versions higher than the one specified.\
+Note that android applications don't need to ask for all the permissions at the beginning, they can also **ask for permissions dynamically** but all the permissions must be **declared** in the **manifest.**
When an app exposes functionality it can limit the **access to only apps that have a specified permission**.\
A permission element has three attributes:
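Review bot: the first `+` line in this hunk still opens with `When you installs an **app and it ask for permissions**`; suggest `When you install an **app and it asks for permissions**`. Also the closing period was pulled inside the bold (`**name** **attribute.**`), which merges the adjacent bold spans; `**name** attribute.` reads cleaner.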
@@ -39,7 +39,7 @@ A permission element has three attributes:
## Pre-Installed Applications
-These apps are generally found in the **`/system/app`** or **`/system/priv-app`** directories and some of them are **optimised **(you may not even find the `classes.dex` file). Theses applications are worth checking because some times they are **running with too many permissions** (as root).
+These apps are generally found in the **`/system/app`** or **`/system/priv-app`** directories and some of them are **optimised** (you may not even find the `classes.dex` file). Theses applications are worth checking because some times they are **running with too many permissions** (as root).
* The ones shipped with the **AOSP** (Android OpenSource Project) **ROM**
* Added by the device **manufacturer**
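Review bot: the `+` line keeps two typos alongside the bold fix: `Theses applications are worth checking because some times` should be `These applications are worth checking because sometimes`.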
@@ -50,7 +50,7 @@ These apps are generally found in the **`/system/app`** or **`/system/priv-app`*
In order to obtain root access into a physical android device you generally need to **exploit** 1 or 2 **vulnerabilities** which use to be **specific** for the **device** and **version**.\
Once the exploit has worked, usually the Linux `su` binary is copied into a location specified in the user's PATH env variable like `/system/xbin`.
-Once the su binary is configured, another Android app is used to interface with the `su` binary and **process requests for root access **like **Superuser** and **SuperSU **(available in Google Play store).
+Once the su binary is configured, another Android app is used to interface with the `su` binary and **process requests for root access** like **Superuser** and **SuperSU** (available in Google Play store).
{% hint style="danger" %}
Note that the rooting process is very dangerous and can damage severely the device
@@ -61,17 +61,17 @@ Note that the rooting process is very dangerous and can damage severely the devi
It's possible to **replace the OS installing a custom firmware**. Doing this it's possible to extend the usefulness of an old device, bypass software restrictions or gain access to the latest Android code.\
**OmniROM** and **LineageOS** are two of the most popular firmwares to use.
-Note that **not always is necessary to root the device** to install a custom firmware. **Some manufacturers allow **the unlocking of their bootloaders in a well-documented and safe manner.
+Note that **not always is necessary to root the device** to install a custom firmware. **Some manufacturers allow** the unlocking of their bootloaders in a well-documented and safe manner.
### Implications
Once a device is rooted, any app could request access as root. If a malicious application gets it, it can will have access to almost everything and it will be able to damage the phone.
-## Android Application Fundamentals
+## Android Application Fundamentals
This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html](https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html)
-### Fundamentals Review
+### Fundamentals Review
* Android applications are in the _APK file format_. **APK is basically a ZIP file**. (You can rename the file extension to .zip and use unzip to open and see its contents.)
* APK Contents (Not exhaustive)
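Review bot: the `+` line `Note that **not always is necessary to root the device** to install a custom firmware.` still has the inverted word order; suggest `Note that **it is not always necessary to root the device** to install a custom firmware.` The surrounding context line `it can will have access to almost everything` also needs `can` or `will` dropped.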
@@ -127,9 +127,9 @@ Improper implementation could result in data leakage, restricted functions being
An Intent Filter specify the **types of Intent that an activity, service, or Broadcast Receiver can respond to**. It specifies what an activity or service can do and what types of broadcasts a Receiver can handle. It allows the corresponding component to receive Intents of the declared type. Intent Filters are typically **defined via the AndroidManifest.xml file**. For **Broadcast Receiver** it is also possible to define them in **coding**. An Intent Filter is defined by its category, action and data filters. It can also contain additional metadata.
-In Android, an activity/service/content provider/broadcast receiver is **public **when **`exported`** is set to **`true`** but a component is **also public** if the **manifest specifies an Intent filter** for it. However,\
+In Android, an activity/service/content provider/broadcast receiver is **public** when **`exported`** is set to **`true`** but a component is **also public** if the **manifest specifies an Intent filter** for it. However,\
developers can **explicitly make components private** (regardless of any intent filters)\
-by setting the** `exported` attribute to `false`** for each component in the manifest file.\
+by setting the ** `exported` attribute to `false`** for each component in the manifest file.\
Developers can also set the **`permission`** attribute to **require a certain permission to access** the component, thereby restricting access to the component.
### Implicit Intents
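Review bot: the second `+` line moves the stray space inside the delimiter instead of removing it: `by setting the ** `exported` attribute to `false`**` will not render as bold, because an opening `**` followed by whitespace is not left-flanking in CommonMark, so this hunk reintroduces the exact defect the commit is fixing elsewhere. Suggest `by setting the **`exported` attribute to `false`** for each component in the manifest file.\`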
@@ -175,7 +175,7 @@ context.startService(intent);
### Pending Intents
-These allow other applications to **take actions on behalf of your application**, using your app's identity and permissions. Constructing a Pending Intent it should be **specified an intent and the action to perform**. If the **declared intent isn't Explicit** (doesn't declare which intent can call it) a** malicious application could perform the declared action** on behalf of the victim app. Moreover,** if an action ins't specified**, the malicious app will be able to do **any action on behalf the victim**.
+These allow other applications to **take actions on behalf of your application**, using your app's identity and permissions. Constructing a Pending Intent it should be **specified an intent and the action to perform**. If the **declared intent isn't Explicit** (doesn't declare which intent can call it) a **malicious application could perform the declared action** on behalf of the victim app. Moreover, **if an action ins't specified**, the malicious app will be able to do **any action on behalf the victim**.
### Broadcast Intents
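Review bot: the `+` line keeps `**if an action ins't specified**` (should be `isn't`) and `any action on behalf the victim` (should be `on behalf of the victim`). Suggest `Moreover, **if an action isn't specified**, the malicious app will be able to do **any action on behalf of the victim**.`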
@@ -185,7 +185,7 @@ Alternatively it's also possible to **specify a permission when sending the broa
There are **two types** of Broadcasts: **Normal** (asynchronous) and **Ordered** (synchronous). The **order** is base on the **configured priority within the receiver** element. **Each app can process, relay or drop the Broadcast.**
-It's possible to **send** a **broadcast** using the function **`sendBroadcast(intent, receiverPermission)` **from the `Context` class.\
+It's possible to **send** a **broadcast** using the function **`sendBroadcast(intent, receiverPermission)` ** from the `Context` class.\
You could also use the function **`sendBroadcast`** from the **`LocalBroadCastManager`** ensures the **message never leaves the app**. Using this you won't even need to export a receiver component.
### Sticky Broadcasts
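Review bot: the `+` line still has whitespace adjacent to the closing delimiter, `**`sendBroadcast(intent, receiverPermission)` **`, so the closing `**` is not right-flanking and the span will render with literal asterisks. Suggest `using the function **`sendBroadcast(intent, receiverPermission)`** from the `Context` class.\`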
@@ -198,7 +198,7 @@ If you find functions containing the word "sticky" like **`sendStickyBroadcast`*
## Deep links / URL schemes
-**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema **inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:
+**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema** inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called:
![](<../../.gitbook/assets/image (214).png>)
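Review bot: the `+` line keeps `An application can declare an **URL schema** inside and activity`; `and` should be `an`, and the Android term is `URL scheme` (`android:scheme` in the intent filter), not `schema`. Suggest `An application can declare a **URL scheme** inside an activity so every time the Android device tries to **access an address using that scheme** the application's activity will be called:`.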
@@ -252,7 +252,7 @@ These include: **Activities, Services, Broadcast Receivers and Providers.**
An **Android activity** is one screen of the **Android** app's user interface. In that way an **Android activity** is very similar to windows in a desktop application. An **Android** app may contain one or more activities, meaning one or more screens.
-The **launcher activity** is what most people think of as the **entry point **to an Android application. The launcher activity is the activity that is started when a user clicks on the icon for an application. You can determine the launcher activity by looking at the application’s manifest. The launcher activity will have the following MAIN and LAUNCHER intents listed.
+The **launcher activity** is what most people think of as the **entry point** to an Android application. The launcher activity is the activity that is started when a user clicks on the icon for an application. You can determine the launcher activity by looking at the application’s manifest. The launcher activity will have the following MAIN and LAUNCHER intents listed.
Keep in mind that not every application will have a launcher activity, especially apps without a UI. Examples of applications without a UI (and thus a launcher activity) are pre-installed applications that perform services in the background, such as voicemail.
@@ -325,7 +325,7 @@ Note that **Ordered Broadcasts can drop the Intent received or even modify it**
Content Providers are the way **apps share structured data**, such as relational databases. Therefore, it's very important to use **permissions** and set the appropriate protection level to protect them.\
Content Providers can use the **`readPermission`** and **`writePermission`** attributes to specify which permissions an app must have. **These permissions take precedence over the permission attribute**.\
-Moreover, they can also **allow temporary exceptions **by setting the **`grantUriPermission`** to true and then configuring the appropriate parameters in the **`grant-uri-permission`** element within the provider element inside the manifest file.
+Moreover, they can also **allow temporary exceptions** by setting the **`grantUriPermission`** to true and then configuring the appropriate parameters in the **`grant-uri-permission`** element within the provider element inside the manifest file.
The **`grant-uri-permission`** has three attributes: path, pathPrefix and pathPattern:
@@ -349,7 +349,7 @@ It's **important to validate and sanitise the received input** to avoid potentia
#### FileProvider
-This is a type of Content Provider that will** share files **from a folder. You can declare a file provider like this:
+This is a type of Content Provider that will **share files** from a folder. You can declare a file provider like this:
```markup
@@ -370,8 +370,8 @@ Note that the configuration `android:resource="@xml/filepaths"` is indicating th
```
-Sharing something like **`path="."`** could be **dangerous **even if the provider isn't exported if there is other vulnerability in some part of the code that tried to access this provider.\
-You could **access **an **image **inside that folder with `content://com.example.myapp.fileprovider/myimages/default_image.jpg`
+Sharing something like **`path="."`** could be **dangerous** even if the provider isn't exported if there is other vulnerability in some part of the code that tried to access this provider.\
+You could **access** an **image** inside that folder with `content://com.example.myapp.fileprovider/myimages/default_image.jpg`
The `` element can have multiple children, each specifying a different directory to share. In addition to the **``** element, you can use the **``** element to share directories in **external storage**, and the **``** element to share directories in your **internal cache directory**.\
[For more information about specific file providers attributes go here.](https://developer.android.com/reference/androidx/core/content/FileProvider)
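Review bot: the first `+` line has a leftover grammar slip after the bold fix: `if there is other vulnerability in some part of the code that tried to access this provider` should be `if there is another vulnerability in some part of the code that tries to access this provider`.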
@@ -401,9 +401,9 @@ If **`true`** is passed to **`setAllowContentAccess`**, **WebViews will be able
By default, local files can be accessed by WebViews via file:// URLs, but there are several ways to prevent this behaviour:
-* Passing **`false`** to **`setAllowFileAccess`**, prevents the access to the filesystem with the exception of assets via `file:///android_asset`_ and _`file:///android_res`. These paths should be used only for non-sensitive data (like images) so this should be safe.
+* Passing **`false`** to **`setAllowFileAccess`**, prevents the access to the filesystem with the exception of assets via `file:///android_asset` _and_ `file:///android_res`. These paths should be used only for non-sensitive data (like images) so this should be safe.
* The method **`setAllowFileAccess`** indicates if a path from a `file://` URL should be able to access the content from other file scheme URLs.
-* The method **`setAllowUniversalAccessFromFileURLs`** indicates if a path from a `file:// `URL should be able to access content from any origin.
+* The method **`setAllowUniversalAccessFromFileURLs`** indicates if a path from a `file://` URL should be able to access content from any origin.
## Other App components
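Review bot: the unchanged second bullet in this hunk, `The method **`setAllowFileAccess`** indicates if a path from a `file://` URL should be able to access the content from other file scheme URLs.`, describes `WebSettings.setAllowFileAccessFromFileURLs`, not `setAllowFileAccess` (which the first bullet already covers). As written the list names the same setter twice and omits the one whose `false` value is the actual mitigation for cross-file-URL reads. Since the hunk already edits the adjacent bullets, suggest correcting the name here too so the three WebSettings methods are distinct.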
@@ -421,6 +421,6 @@ By default, local files can be accessed by WebViews via file:// URLs, but there
## Mobile Device Management
-MDM or Mobile Device Management are software suits that are used to **ensure a control and security requirements **over mobile devices. These suites use the features referred as Device Administration API and require an Android app to be installed.
+MDM or Mobile Device Management are software suits that are used to **ensure a control and security requirements** over mobile devices. These suites use the features referred as Device Administration API and require an Android app to be installed.
Generally the MDM solutions perform functions like enforcing password policies, forcing the encryption of storage and enable remote wiping of device data.
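Review bot: the `+` line still reads `MDM or Mobile Device Management are software suits` and `the features referred as Device Administration API`; suggest `software suites` and `the features referred to as the Device Administration API`.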
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
index e13226162..71320a745 100644
--- a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
+++ b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
@@ -1,6 +1,6 @@
# Burp Suite Configuration for Android
-**This tutorial was taken from: **[**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)****
+**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)****
## Add a proxy in Burp Suite to listen.
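Review bot: the `+` line keeps an empty emphasis pair after the link, `...a2b87e667533)****`, which renders as literal asterisks; drop the trailing `****` so the line ends at the closing parenthesis of the link.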
@@ -24,7 +24,7 @@ Testing connection over http and https using devices browser.
1. http:// (working) tested — [http://ehsahil.com](http://ehsahil.com)
-![](https://miro.medium.com/max/700/1\*LJ2uhK2JqKYY_wYkH3jwbw.png)
+![](https://miro.medium.com/max/700/1\*LJ2uhK2JqKYY\_wYkH3jwbw.png)
2\. https:// certificate error — https://google.com
@@ -42,7 +42,7 @@ Click on **CA certificate download the certificate.**
The downloaded certificate is in cacert.der extension and Android 5.\* does not recognise it as certificate file.
-You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into **file:///sd_card/downloads.**
+You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into **file:///sd\_card/downloads.**
**Installing the downloaded certificate.**
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md b/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md
index 92fb78768..957478047 100644
--- a/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md
+++ b/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md
@@ -36,7 +36,7 @@ Android usually manages several tasks
### Task affinity and Launch Modes
**Task affinity** is an attribute that is defined in each `` tag in the `AndroidManifest.xml` file. It describes which Task an Activity prefers to join.\
-By default, every activity has the same affinity as the **package **name.
+By default, every activity has the same affinity as the **package** name.
We'll be using this when creating our PoC app.
@@ -65,7 +65,7 @@ When the launchMode is set to `singleTask`, the Android system evaluates three p
The victim needs to have the **malicious** **app** **installed** in his device. Then, he needs to **open** **it** **before** opening the **vulnerable** **application**. Then, when the **vulnerable** application is **opened**, the **malicious** **application** will be **opened** **instead**. If this malicious application presents the **same** **login** as the vulnerable application the **user won't have any means to know that he is putting his credentials in a malicious application**.
-**You can find an attack implemented here: **[**https://github.com/az0mb13/Task_Hijacking_Strandhogg**](https://github.com/az0mb13/Task_Hijacking_Strandhogg)****
+**You can find an attack implemented here:** [**https://github.com/az0mb13/Task\_Hijacking\_Strandhogg**](https://github.com/az0mb13/Task\_Hijacking\_Strandhogg)****
## Preventing task hijacking
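Review bot: the `+` line keeps a trailing empty `****` after the GitHub link, which renders as literal asterisks; suggest ending the line at `...Task\_Hijacking\_Strandhogg)`.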
diff --git a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
index 4d4ed55d6..284ef6b5b 100644
--- a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
+++ b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
@@ -13,9 +13,9 @@ Just **download** the **latest** version and execute it from the _**bin**_ folde
jadx-gui
```
-Using the GUI you can perform **text search**, go to the **functions definitions** (_CTRL + left click_ on the function) and cross refs (_right click _-->_ Find Usage_)
+Using the GUI you can perform **text search**, go to the **functions definitions** (_CTRL + left click_ on the function) and cross refs (_right click_ --> _Find Usage_)
-If you **only want** the **java code **but without using a GUI a very easy way is to use the jadx cli tool:
+If you **only want** the **java code** but without using a GUI a very easy way is to use the jadx cli tool:
```
jadx app.apk
@@ -40,12 +40,12 @@ GDA is also a powerful and fast reverse analysis platform. Which does not only s
### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
-Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**](https://github.com/Konloch/bytecode-viewer/releases)**.** It allows you to decompile the APK using** several decompilers at the same time**. Then, you can see for example, 2 different Java decompilers and one Smali decompiler. It allows you also to **modify **the code:
+Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**](https://github.com/Konloch/bytecode-viewer/releases)**.** It allows you to decompile the APK using **several decompilers at the same time**. Then, you can see for example, 2 different Java decompilers and one Smali decompiler. It allows you also to **modify** the code:
![](<../../.gitbook/assets/image (82).png>)
If you modify the code, then you can **export it**.\
-One bad thing of bytecode-viewer is that it **doesn't have references** or** cross-references.**
+One bad thing of bytecode-viewer is that it **doesn't have references** or **cross-references.**
### ****[**Enjarify**](https://github.com/Storyyeller/enjarify)****
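Review bot: the trailing context line of this hunk, `### ****[**Enjarify**](https://github.com/Storyyeller/enjarify)****`, wraps the heading link in two empty `****` pairs that render as literal asterisks; since the hunk is already fixing emphasis on the neighbouring lines, suggest `### [**Enjarify**](https://github.com/Storyyeller/enjarify)`.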
@@ -54,7 +54,7 @@ Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode.
### [CFR](https://github.com/leibnitz27/cfr)
-CFR will decompile modern Java features - [including much of Java ](https://www.benf.org/other/cfr/java9observations.html)[9](https://github.com/leibnitz27/cfr/blob/master/java9stringconcat.html), [12](https://www.benf.org/other/cfr/switch_expressions.html) & [14](https://www.benf.org/other/cfr/java14instanceof_pattern), but is written entirely in Java 6, so will work anywhere! ([FAQ](https://www.benf.org/other/cfr/faq.html)) - It'll even make a decent go of turning class files from other JVM languages back into java!
+CFR will decompile modern Java features - [including much of Java ](https://www.benf.org/other/cfr/java9observations.html)[9](https://github.com/leibnitz27/cfr/blob/master/java9stringconcat.html), [12](https://www.benf.org/other/cfr/switch\_expressions.html) & [14](https://www.benf.org/other/cfr/java14instanceof\_pattern), but is written entirely in Java 6, so will work anywhere! ([FAQ](https://www.benf.org/other/cfr/faq.html)) - It'll even make a decent go of turning class files from other JVM languages back into java!
That JAR file can be used as follows:
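Review bot: the `+CFR will decompile` line backslash-escapes underscores inside link destinations (`switch\_expressions.html`, `java14instanceof\_pattern`); underscores have no meaning in a URL, so the escape is unnecessary, and some non-CommonMark renderers keep the backslash and break the link. Leave the destinations unescaped. The link text `[including much of Java ]` also has a trailing space inside the brackets that should move outside.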
diff --git a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md b/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
index d93a533b0..8b6dfa30b 100644
--- a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
+++ b/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md
@@ -4,7 +4,7 @@ Thank you very much to [**@offsecjay**](https://twitter.com/offsecjay) for his h
## What is
-Android Studio allows to** run virtual machines of Android that you can use to test APKs**. In order to use them you will need:
+Android Studio allows to **run virtual machines of Android that you can use to test APKs**. In order to use them you will need:
* The **Android SDK tools** - [Download here](https://developer.android.com/studio/releases/sdk-tools).
* Or **Android Studio** (with Android SDK tools) - [Download here](https://developer.android.com/studio).
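Review bot: on the `+Android Studio allows to` line, "allows to run" is missing its object; write "allows you to run virtual machines of Android".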
@@ -23,25 +23,25 @@ brew install openjdk@8
### Prepare Virtual Machine
-If you installed Android Studio, you can just open the main project view and access: _**Tools **_--> _**AVD Manager.**_
+If you installed Android Studio, you can just open the main project view and access: _**Tools**_ --> _**AVD Manager.**_
![](<../../.gitbook/assets/image (330).png>)
-Then, click on _**Create Virtual Device**_, _**select **the phone you want to use_ and click on _**Next.**_\
+Then, click on _**Create Virtual Device**_, _**select** the phone you want to use_ and click on _**Next.**_\
_****_In the current view you are going to be able to **select and download the Android image** that the phone is going to run:
![](<../../.gitbook/assets/image (331).png>)
-So, select it and click on _**Download **_**(**now wait until the image is downloaded).\
-Once the image is downloaded, just select _**Next **_and _**Finish**_.
+So, select it and click on _**Download**_** (**now wait until the image is downloaded).\
+Once the image is downloaded, just select _**Next**_ and _**Finish**_.
![](<../../.gitbook/assets/image (332).png>)
-The virtual machine will be created. Now** every time that you access AVD manager it will be present**.
+The virtual machine will be created. Now **every time that you access AVD manager it will be present**.
### Run Virtual Machine
-In order to **run **it just press the _**Start button**_.
+In order to **run** it just press the _**Start button**_.
![](<../../.gitbook/assets/image (334).png>)
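Review bot: the rewritten `+So, select it and click on _**Download**_** (**now wait` line now bolds the opening parenthesis and a space, which renders as a stray bold " (" and leaves the closing `)` unbolded; suggest `_**Download**_ (now wait until the image is downloaded).`. The context line `_****_In the current view` still starts with an empty `_****_` emphasis marker that belongs in this cleanup as well.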
@@ -111,7 +111,7 @@ Once you have decide the name of the device you want to use, you need to **decid
C:\Users\\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list
```
-And **download **the one (or all) you want to use with:
+And **download** the one (or all) you want to use with:
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat "platforms;android-28" "system-images;android-28;google_apis;x86_64"
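Review bot: both unchanged command lines in this hunk use the path `C:\Users\\AppData\Local\Android\Sdk\...`, where the doubled backslash shows that a username placeholder has been lost, so the commands cannot be run as written; the same path recurs in the following hunks. Restore a visible placeholder such as `C:\Users\<username>\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat`, or use `%LOCALAPPDATA%\Android\Sdk\tools\bin\sdkmanager.bat`, which resolves to the same directory.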
@@ -141,8 +141,8 @@ At this moment you have decided the device you want to use and you have download
C:\Users\\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat -v create avd -k "system-images;android-28;google_apis;x86_64" -n "AVD9" -d "Nexus 5X"
```
-In the last command **I created a VM named **"_AVD9_" using the **device **"_Nexus 5X_" and the **Android image** "_system-images;android-28;google_apis;x86\_64_".\
-Now you can** list the virtual machines** you have created with:
+In the last command **I created a VM named** "_AVD9_" using the **device** "_Nexus 5X_" and the **Android image** "_system-images;android-28;google\_apis;x86\_64_".\
+Now you can **list the virtual machines** you have created with:
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\bin\avdmanager.bat list avd
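Review bot: the `+In the last command **I created a VM named**` line escapes the underscores in the image name (`google\_apis;x86\_64`) while the command above it uses the literal `system-images;android-28;google_apis;x86_64`; since readers copy the image name from the prose, confirm the rendered page shows no backslashes, or put the name in a code span (`` `system-images;android-28;google_apis;x86_64` ``) where no escaping is needed.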
@@ -161,7 +161,7 @@ The following Android Virtual Devices could not be loaded:
### Run Virtual Machine
-We have already seen how you can list the created virtual machines, but** you can also list them using**:
+We have already seen how you can list the created virtual machines, but **you can also list them using**:
```bash
C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -list-avds
@@ -184,7 +184,7 @@ C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -ht
### Command line options
-However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can** **[**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
+However there are **a lot of different command line useful options** that you can use to initiate a virtual machine. Below you can find some interesting options but can **** [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)
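Review bot: the `+However there are` line replaces the old `** **` with an empty bold `****` before the link instead of removing it; the sentence should read `... some interesting options but can [**find a complete list here**](https://developer.android.com/studio/run/emulator-commandline)`. "a lot of different command line useful options" would also read better as "a lot of useful command line options".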
#### Boot
@@ -208,11 +208,11 @@ However there are **a lot of different command line useful options** that you ca
## Install Burp certificate on a Virtual Machine
-First of all you need to download the Der certificate from Burp. You can do this in _**Proxy **_--> _**Options **_--> _**Import / Export CA certificate**_
+First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_
![](<../../.gitbook/assets/image (367) (1).png>)
-**Export the certificate in Der format** and lets **transform **it to a form that **Android **is going to be able to **understand. **Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run **this machine **with** the **`-writable-system`** option.\
+**Export the certificate in Der format** and lets **transform** it to a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
For example you can run it like:
```bash
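Review bot: on the `+**Export the certificate in Der format**` line, "lets" should be "let's", and the encoding name should be written `DER` here and on the `+First of all you need to download the Der certificate` line; "the burp certificate" should be "the Burp certificate". Suggested: `**Export the certificate in DER format** and let's **transform** it to a form that **Android** is going to be able to **understand.**`.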
diff --git a/mobile-apps-pentesting/android-app-pentesting/content-protocol.md b/mobile-apps-pentesting/android-app-pentesting/content-protocol.md
index 66badd44b..c8f3e47cc 100644
--- a/mobile-apps-pentesting/android-app-pentesting/content-protocol.md
+++ b/mobile-apps-pentesting/android-app-pentesting/content-protocol.md
@@ -52,9 +52,9 @@ Row: 88 _id=89, _data=/storage/emulated/0/Android/data/com.whatsapp/cache/SSLSes
...
```
-### The Chrome CVE-2020-6516 Same-Origin-Policy bypass
+### The Chrome CVE-2020-6516 Same-Origin-Policy bypass
-The _Same Origin Policy_ (SOP) \[[12](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)] in browsers dictates that Javascript content of URL A will only be able to access content at URL B if the following URL attributes remain the same for A and B:
+The _Same Origin Policy_ (SOP) \[[12](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin\_policy)] in browsers dictates that Javascript content of URL A will only be able to access content at URL B if the following URL attributes remain the same for A and B:
* The protocol e.g. `https` vs. `http`
* The domain e.g. `www.example1.com` vs. `www.example2.com`
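Review bot: the `-`/`+` pair for the `### The Chrome CVE-2020-6516 Same-Origin-Policy bypass` heading is identical as displayed, so the change must be whitespace-only (a trailing or non-breaking space); confirm it is intentional rather than editor noise. On the `+The _Same Origin Policy_` line, the underscore in the MDN link destination is backslash-escaped (`Same-origin\_policy`); underscores need no escaping inside a URL, and some non-CommonMark renderers keep the backslash and break the link, so leave the destination unescaped.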
@@ -97,4 +97,4 @@ A proof-of-concept is pretty straightforward. An HTML document that uses `XMLHtt