
SSL Pinning Solution

Tim Guenther edited this page Jul 24, 2017 · 2 revisions

Set up Burp

  1. Follow the challenge set-up guide.
  2. Open Burp Suite in the OWASP VM (command: burp).
    1. Set Proxy -> Options -> Proxy Listeners -> Edit -> Specific address to 10.13.13.101.
    2. Enable Proxy -> Options -> Proxy Listeners -> Edit -> Request handling -> Support invisible proxying.
    3. Troubleshooting: enable Proxy -> Options -> Miscellaneous -> Allow requests to web interface using fully qualified DNS hostnames.
  3. Import the Burp CA into the Android VM:
    1. Download the Burp CA from http://burp in a web browser (the browser must be configured to use Burp as its proxy, otherwise http://burp does not resolve).
    2. Copy the CA to the Android VM: adb push Downloads/cacert.der /sdcard/Download/burpCA.crt
    3. Open the Android Settings -> Security -> Install from SD card and install the CA from /sdcard/Download/

Modify the application

  1. Get the application (.apk) from the Android VM or download the latest release:
    1. adb pull /data/app/ruhrpott.owasp.com.vuln_app_1-2/base.apk ./
  2. Decompile the Android application with apktool: apktool d base.apk
  3. Move into the new folder: cd base
  4. The application ships with the certificate of its HTTPS server and checks every connection against that certificate. The idea is to replace this certificate with the one Burp generated for us:
    1. Move into the folder that holds the certificate: cd assets. The location is disclosed in SSLPinning.java -> KeyPinStore.java:39.
    2. Export the Burp certificate via Proxy -> Options -> Proxy Listeners -> Import / export CA certificate -> Certificate in DER format and follow the dialog.
    3. Replace the certificate base/assets/owasp.crt with the exported certificate (it must keep the same file name).
    4. The Android application now needs to be rebuilt and signed:
    cd ../../
    apktool b base
    keytool -genkey -v -keystore owasp.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore owasp.keystore base/dist/base.apk alias_name
    
    5. Uninstall the original application and install the rebuilt one (the package name is the directory name from step 1 without the -2 install-slot suffix):
    adb uninstall ruhrpott.owasp.com.vuln_app_1
    adb install base/dist/base.apk
    
    6. The application is now installed and patched.
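Step 4 above works because the app trusts whatever certificate file sits in assets/, so swapping the file is enough once the APK is repackaged and re-signed. The following is an added example, not code from the vulnerable app or this wiki: it contrasts that design with pinning the server's SubjectPublicKeyInfo hash in code, the form used by HPKP and OkHttp's CertificatePinner. asset_cert_check models the page's description of the app and is an assumption, not its real code; the two certificates are constructed, unsigned DER skeletons so the example runs offline, and the small DER walker only handles the fixed field order of an X.509 tbsCertificate.

```python
import base64
import hashlib


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element: tag, definite length, value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER element at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo element (header included) of a DER X.509 certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, start)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                   # optional explicit [0] version
        pos = end
    for _ in range(5):                                # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 of the SPKI in the 'sha256/<base64>' form used by HPKP and OkHttp CertificatePinner."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def asset_cert_check(asset_cert_der: bytes, server_cert_der: bytes) -> bool:
    """Assumed model of the page's app: trust whatever certificate file ships in assets/."""
    return asset_cert_der == server_cert_der


def spki_pin_check(server_cert_der: bytes, pins_in_code: frozenset) -> bool:
    """Hardened variant: the pin lives in code and does not depend on any asset file."""
    return spki_pin(server_cert_der) in pins_in_code


def make_sample_cert(key_bytes: bytes) -> bytes:
    """Constructed, unsigned X.509 skeleton carrying the given public-key bytes (not a real certificate)."""
    rsa_oid = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
    sha256_rsa = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))       # sha256WithRSAEncryption
    null = _tlv(0x05, b"")
    spki = _tlv(0x30, _tlv(0x30, rsa_oid + null) + _tlv(0x03, b"\x00" + key_bytes))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                         # version v3
               + _tlv(0x02, b"\x01")                                   # serialNumber
               + _tlv(0x30, sha256_rsa + null)                         # signature algorithm
               + _tlv(0x30, b"")                                       # issuer (empty Name)
               + _tlv(0x30, _tlv(0x17, b"170724000000Z") + _tlv(0x17, b"270724000000Z"))
               + _tlv(0x30, b"")                                       # subject (empty Name)
               + spki)
    return _tlv(0x30, tbs + _tlv(0x30, sha256_rsa + null) + _tlv(0x03, b"\x00" * 9))


# Constructed sample: the genuine server key and a different key an interception proxy would present.
SERVER_CERT = make_sample_cert(bytes(range(64)))
PROXY_CERT = make_sample_cert(bytes(range(64, 128)))
PINS_IN_CODE = frozenset({spki_pin(SERVER_CERT)})

if __name__ == "__main__":
    print("server pin:", spki_pin(SERVER_CERT))
    # The asset-based check accepts whatever is in assets/, so a swapped file passes.
    print("asset check with swapped asset:", asset_cert_check(PROXY_CERT, PROXY_CERT))
    # The code-based pin rejects the proxy certificate no matter what assets/ contains.
    print("spki pin check on proxy cert:", spki_pin_check(PROXY_CERT, PINS_IN_CODE))
```

Pinning the public-key hash rather than bundling a certificate file removes the single replaceable asset the walkthrough relies on, and it survives certificate renewal as long as the key is kept. It is still a transport-level control: the pin is inside the APK, so a repackaged and re-signed app can carry a different pin, which is why pinning is combined with checks on the app's own signing certificate rather than relied on alone.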

Test the application

  1. In the Android VM navigate to Basic HTTPS Request and submit the request via the button.
  2. Burp and the application should now show you the string:
    1. HAHAHAHAHAH! No one will steal my secret messages! They are soooo "Military Grade" encrypted! And buzzwords can't fail.