Hello guys,
Today I wanna share one of my interesting PoC I ever found. First of all it is related to iOS application, secondly it needs more manual work rather then using tools and BOOM found.
In the starting of 2017, I started to learn about jailbreaking, and thought to contribute something to the jailbreaking world. Till now I developed some useless tweaks and I learned about how to read an iOS app, how it works and finding intresting things into.
Testing iOS applications is much more intresting than testing android application, because first of all Android is cross-platform, can be develop or read on any platform, but iOS is different you need a Mac OS to perform actions, and if you're like me, who don't have a Macbook, then it's pretty difficult.
There are some simple vulnerabilities like intercepting the ongoing requests and finding vulnerabilities in HTTP requests and responses, but thats too simple and chances are too low to find a vulnerability there. Then there is reverse engineering and finding vulnerabilities, that part is complicated. I already made a video on youtube showing reverse engineering a simple iOS application without Apple's DRM fairplay protection one.
Some days ago I got a invitation from a private website to test there iOS or Android application, as I was new and little bit confident in iOS application I chose to hunt for iOS application. Using the first method i.e. burpsuite I found banner disclosing, but that has low impacct and no complication at all, so I thought to find another vulnerability. Then I decided to reverse engineer that iOS app, using clutch & IDA Pro. And started to see all the headers, and there I found something intresting.
Now in this image, as you can see there is header file called "logPreviousSessionCrashedOnDate", it shows that session is being destroyed by the app itself, not by the server, and if you look at the other part you'll see it is doing some calculations and all, to destroy that session, all that implies that session is stores somewhere in iOS, which would later destroy by the app.
Now I started digging into the filesystem, but there was nothing there, I was confused where the f*** it is storing that session, then I thought that cookies and session could be stored it memory using "NSHTTPCookies", I started finding that session in the buffer of the app, and not only I found sessionID in buffer also cookies in the buffer. Here is the screenshot
Well now how to exploit it, to get both fun & profit.
You could use cycript or just develop a tweak to get those sensitive information.
OK so after some finding I found a class which don't know do what, but it does something with the session IDs as per my understanding it is checking something in cookies or might be something else i.e. -[ANSUploader session]
Here are cycript commands to get those tasty cookies and session IDs.
cy# sessions = choose(session)
cy# sessions[0]
cy# sessions[0] -> isa.messages
Well after you could see the stored cookies and sensitive info, but I am little bit lazy to run all the commands again and again, that's why I simply developed a tweak to show that juicy info on the screen, as you can see in the above image.
Hope you'll also like this PoC as much I like this.
1 comment:
Thanks for sharing this information.
#Mobile_App_Development
#Android app Development
IOS app development
Post a Comment