Story of a JSON XSS

Suppose there is an injection_point like the following, with content_type: text/html. { "xxx": true, "yyy": [injection_point] } Payload 1 - Failure yyy=test<haha> But the injection_point HTML-encodes <>. { "xxx": true, "yyy": <strong>test&lt;haha&gt;</strong> } Payload 2 - Failure yyy[testarray]…

Reverse engineering the Humble Bundle app to get API access

This post describes how to reconstruct an app's API calls by reading its smali code; put simply, the author writes out a Swagger spec from it. The job could have been done entirely with a proxy, but doing it by reverse engineering is an unusual approach. The author also recommends a smali tutorial: You can read more about Smali syntax at its GitHub page (in particular, I definitely recommend checking out the useful links in the README and the files in the 'examples' directory). Ref Reverse engineering the Humble Bundle app to get API access | Hayden…

Reverse Engineering the Drexel One API

Through MITM it was found that the app first obtains a key via authentication, then runs that key through a series of hashing steps to derive an authentication_key, which is then placed in an HTTP header on every subsequent API call. Reverse engineering the Android app shows that the authentication_key is composed as {my username}:{Utils.generateHash method}:{timestamp}. The hashing algorithm is HmacSHA1. With a Free Online HMAC Generator we can run a quick test. Finally, the author turned the whole flow into a Python script. Ref Reverse Engineering the Drexel One API – Tomer Shemesh – Medium…

Bypass OAuth nonce and steal oculus response code

Introduction Authorization request: https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&client_id=1517832211847102&domain=auth.oculus.com&locale=en_GB&origin=1&redirect_uri=https://auth.oculus.com/login/&response_type=code&sdk=joey&version=v2.8&nonce=AXRr8eBAjDTBkzQ7&state=d916afa3-3dc1-bab7-fc9d-3c8f44bf757 Bypass CSRF: have the victim send the request above; once the request is authorized, …

frida ios dump

frida-ios-dump is a tool similar to Clutch: with it we can decrypt an ipa from a jailbroken phone. The resulting ipa only runs on phones with the same CPU architecture, however; an ipa decrypted on a 32-bit iPhone 5c, for example, can only be installed on a 32-bit 5c or 5. Usage: change the port in dump.py if you are not using iproxy 2222 22. def on_message(message,data): if message.has_key('payload'): payload = message['payload'] if payload.has_key("opened"): opened.set(); if payload.has_key("dump"): orign_path = payload["path"] dumppath = payload[…