Sample App bypass not working #13

Open
alebeta90 opened this issue Sep 16, 2021 · 4 comments
Comments

@alebeta90

Hi all,

I have been testing the Sample App provided in the repo, but so far I have not managed to perform the bypass.

I am testing on LineageOS 18, which is Android 11, with Magisk root.
Using Burp as a proxy, I added the CA cert using ADB push to /etc/security/cacerts. I hashed the cert (.0), it appears in the installed CA certificates on my phone, and I tested with the local browser.

The app seems to be starting properly and I can do a request with no problem.
But something that does not allow me to tell whether the bypass is working properly or not is that the segfault.me domain might not be working properly.

I tried to reproduce the call by visiting

https://www.segfault.me/?k=637673854930158135

(I took this from https://github.com/GoSecure/frida-xamarin-unpin/blob/master/src/SampleApp/SampleApp/ViewModels/AboutViewModel.cs#L36)

and it always returns Not Found. Is this behaviour intended, or should it return an HTTP 200 OK status?

So, following the blog post https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/

I should receive a Code: OK if the request is made properly, which is not happening at the moment.

So my first question is: is segfault.me from the sample app working properly?

If it is working as intended, what could be happening in my test so that it does not work?

Thanks in advance
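
As an added check, not code from the frida-xamarin-unpin project or from this thread, the stdlib-only Python below reimplements OpenSSL's -subject_hash_old, the hash Android uses for the <hash>.0 file names under /etc/security/cacerts, so the name of a pushed CA file can be verified offline before troubleshooting the proxy further. The DER walker and the function names are assumptions of this example.

```python
import base64
import hashlib

def _read_tlv(buf: bytes, pos: int):
    """Decode the DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_subject_der(cert_der: bytes) -> bytes:
    """Return the full DER TLV of the Subject Name inside an X.509 certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER certificate"
    tag, tbs, _ = _read_tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "missing tbsCertificate"
    pos = 0
    tag, _, after = _read_tlv(tbs, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = after
    for _ in range(4):                            # serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)             # subject ::= Name (a SEQUENCE)
    assert tag == 0x30, "subject is not a Name"
    return tbs[pos:end]                           # same bytes i2d_X509_NAME() would emit

def subject_hash_old(name_der: bytes) -> str:
    """OpenSSL -subject_hash_old: MD5 of the Name DER, first 4 bytes read little-endian."""
    digest = hashlib.md5(name_der).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

def expected_cacert_filename(cert_der: bytes) -> str:
    """File name Android expects for this CA under /etc/security/cacerts."""
    return subject_hash_old(extract_subject_der(cert_der)) + ".0"

def check_installed_name(installed_name: str, cert_der: bytes) -> bool:
    """True if the file pushed to /etc/security/cacerts carries the right hash name."""
    return installed_name == expected_cacert_filename(cert_der)
```

The value matches what openssl x509 -noout -subject_hash_old prints for the same certificate; a file under a different name is simply not consulted by the Android trust store.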

@obilodeau
Collaborator

segfault.me seems to always return 404 at the moment. It's the private site of a former colleague; I just warned him about it.

Having a "Return code: Not Found" is OK because of that.

To confirm everything is working:

  • Keep cert pinning active (this simply enforces regular cert validation in the example app)
  • Perform man-in-the-middle w/o the unpin attack
  • Click "Test HTTP Request"
  • See a cert failure in the logs
  • Activate the unpin attack
  • Click "Test HTTP Request"
  • See a "Return Code: Not Found"

@alebeta90
Author

Hi Oliver,

Thanks for your very assertive steps. I managed to reproduce and got the cert failure and then the Not Found response.

Something that is not clear is why the request is not visible in Burp. I am catching a lot of requests performed by the Android device, but not the request to segfault.me. Or does the sample app have an option not to send the traffic through the proxy?

Thanks for clarifying the doubts.
All the best

@obilodeau
Collaborator

I think your proxy is misconfigured. You should see the request to segfault.me go through your proxy. You must proxy HTTP and HTTPS as well.
