Your first mobile assessment
By SensePost Blog, 2013-05-20 at 10:00:29
Monday morning, raring for a week of pwnage, and you see you've just been handed a new assessment. Awesome.

The problem: it's a mobile assessment and you've never done one before. What do you do, approach your team leader and ask for another assessment? He's going to tell you to learn how to do a mobile assessment, and to do it quickly; there are plenty more to come.

Now you set out on your journey into mobile assessments and you get lucky: the application that needs to be assessed is an Android app. A few Google searches later and you are feeling pretty confident about this. Android assessments are meant to be easy; there are even a few tools out there that do it all. You download the latest and greatest version, run it, and the app gets a clean bill of health. After all, the tool says so: there is no attack surface, no exposed intents, and the permissions all check out. You compile your report, hand it off to the client, and a week later the client gets owned through the application...

Apparently the backend servers were accepting application input without performing any authentication checks. Furthermore, all user input was trusted and no server-side validation was being performed.

What went wrong? How did you miss these basic mistakes? After all, you followed all the steps, you ran the best tools and you ticked all the boxes. Unfortunately this approach is wrong: mobile assessments are not always simply about running a tool. A lot of the time they require the same steps used to test web applications, just applied in a different manner. This is where SensePost's Hacking by Numbers Mobile comes to the fore; the course aims to introduce you to mobile assessment from the ground up. The course offers hands-on training, introducing techniques for assessing applications on Android, iOS, RIM and Windows 8.
Some of the areas covered include:

- Communication protocols
- Programming languages for mobile development
- Building your own mobile penetration testing lab
- Mobile application analysis
- Static analysis
- Authentication and authorization
- Data validation
- Session management
- Transport layer security and information disclosure

Unlike other mobile training or tutorials that focus on a specific platform or a specific tool on that platform, Hacking by Numbers aims to give you the knowledge to perform assessments on any platform with a well-established methodology. Building on everything taught in the Hacking by Numbers series, the mobile course aims to move assessments into the mobile sphere, continuing the strong tradition of pwnage. The labs are a direct result of the assessments we've done for clients. Our trainers do this on a weekly basis, so you get the knowledge learned from assessing numerous apps over the last few years. On your next mobile assessment you'll be able to do both static and dynamic analysis of mobile applications. You will know where to find those credit card numbers stored on the phone and how to intercept traffic between the application and the backend servers.

The course: Hacking by Numbers Mobile