
JS debugging - Sameer Bhatt

Now every financial-sector application, mobile or web, uses one more security layer, an encryption mechanism, so that an attacker who is able to intercept the traffic with any MITM tool cannot understand the request data. When we do pen-testing we follow a methodology: we have to test each and every parameter and request. As we all know, attackers don't follow any rules or regulations; when they want to attack, they will find a way to do it. So, keeping the mindset of the attacker, we will understand this kind of encryption mechanism. What do developers think when they implement it? What kinds of mistakes do they make? Why do they feel that adding encryption means the application is secure? What makes them think that no one can break their logic, so that they hide sensitive information behind the encryption? Keeping all of the above, and maybe some more cases, in mind, I prepared my own "Debugging methodology", which I follow when I face this kind of scenario.

https://nsconclave.net-square.com/cold-war-with-javascript.html


  1. 1. What is this talk about? ● JavaScript ● Brief About JS Engines ● DevTools (V8) ● Extra Security layer implemented inside banking application ● How to break it, fuzz it and bypass something? ● How to debug JavaScript based mobile application? ● How to debug Add-on or web browser extensions? Don’t worry, this session will have a lot of demos!!!
  2. 2. What you can do with JavaScript?
  3. 3. ● How Developers see it : Building stuff ● How Attackers see it : Breaking stuff ● Using JS, you can build a complete - a. web/mobile applications. b. Real-time networking apps (chats, video streamings). c. Command line tools. d. Games. e. Desktop Application. f. Windows 95 using electron.
  4. 4. JavaScript vs ECMAScript?
  5. 5. Where does JavaScript code run? ● Browser Engines ● JavaScript engines (V8 for Chrome, SpiderMonkey for Firefox etc.) ● Previously, we were able to run JavaScript inside browsers only. ● Later on, Node was developed (which is nothing but a JavaScript engine outside the browser).
  6. 6. Debugging with Chrome DevTool
  7. 7. Debugging is the process of finding and fixing errors within a script
  8. 8. Debugger is your friend.

         function hello(name) {
           let phrase = `Hello, ${name}!`;
           debugger; // Execution pauses here while DevTools is open. Let’s have a cup of tea.
           alert(phrase);
         }

  9. 9. What Developer Thinks?
  10. 10. Proper Server Side Validation Encrypt the Encrypted Data
  11. 11. Breaking and Bypassing
  12. 12. What?
  13. 13. How?
  14. 14. 1. Understand the application and its flow.
  15. 15. 2. When you found something, is it on client side?
  16. 16. 3. Look for all the files.
  17. 17. 4. Want to break encryption? Or bypass something?
  18. 18. 5. Find the Logic
  19. 19. We are fully charged now.
  20. 20. DEMO Let's Debug!
  21. 21. 1. monitor() 2. debug() 3. Memory analysis 4. Network 5. Snippet 6. Extension based 7. console.save() 8. Save all JavaScript files …….
  22. 22. Fuzzing?
  23. 23.

          function fuzz() {
            // One payload per line in the #payloads textarea.
            var textArea = document.getElementById('payloads');
            var lines = textArea.value.split('\n');
            for (var j = 0; j < lines.length; j++) {
              console.log('Payload: ' + lines[j]);
              var mykey = "myKey123";
              // Encrypt the payload before sending it as the otp parameter.
              var otpEncrypt = CryptoJS.AES.encrypt(lines[j], mykey, {format: CryptoJSAesJson});
              $.post("otpvalidate.php", {otp: otpEncrypt.toString()}, function (res) {
                // Decrypt the encrypted JSON response and log it.
                var data2 = CryptoJS.AES.decrypt(JSON.stringify(res), mykey, {format: CryptoJSAesJson}).toString(CryptoJS.enc.Utf8);
                var data = JSON.parse(data2);
                console.log(data);
              });
            }
          }

  24. 24. DEMO Let's Fuzz!
  25. 25. Mobile Applications
  26. 26. Mobile Application
  27. 27. Cordova and React:
  28. 28. Android Application Remote debugging
  29. 29. Debugging Web Browser Extensions
  30. 30. chrome://extensions
  31. 31. about:debugging
  32. 32. Reality……….
  33. 33. Obfuscation:
  34. 34. Github: bhattsameer Twitter: sameer_bhatt5
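
The fuzz() loop on slide 23 is possible because the AES key is available to the browser-side code, so a correctly encrypted otp value says nothing about who produced it. As an added example (not from the slides or the application they describe), the Node.js check below treats the decrypted value as untrusted input on the server; the function names, the 6-digit OTP format and the 3-attempt limit are assumptions.

```javascript
// Added example: server-side OTP check that does not rely on the encryption layer.
// Assumptions: OTPs are 6 digits, 3 attempts per session, in-memory session map.
const crypto = require('crypto');

const MAX_ATTEMPTS = 3;
const OTP_FORMAT = /^[0-9]{6}$/;

// sessions: Map of sessionId -> { otp: string, attempts: number }
function createOtpValidator(sessions) {
  return function validateOtp(sessionId, decryptedOtp) {
    const session = sessions.get(sessionId);
    if (!session) return { ok: false, reason: 'no_pending_otp' };

    // Count every attempt first, so malformed input also uses up the budget.
    session.attempts += 1;
    if (session.attempts > MAX_ATTEMPTS) {
      sessions.delete(sessionId); // the OTP is dead; a new one must be issued
      return { ok: false, reason: 'locked' };
    }

    // Anyone holding the client-side key can encrypt arbitrary input,
    // so the decrypted value is validated like any other user input.
    if (typeof decryptedOtp !== 'string' || !OTP_FORMAT.test(decryptedOtp)) {
      return { ok: false, reason: 'malformed' };
    }

    const a = Buffer.from(decryptedOtp);
    const b = Buffer.from(session.otp);
    if (a.length === b.length && crypto.timingSafeEqual(a, b)) {
      sessions.delete(sessionId); // single use
      return { ok: true, reason: 'ok' };
    }
    return { ok: false, reason: 'mismatch' };
  };
}

// Constructed sample input: three wrong guesses, then the correct OTP.
function demo() {
  const sessions = new Map([['s1', { otp: '493817', attempts: 0 }]]);
  const validate = createOtpValidator(sessions);
  return ['12345a', '000000', '111111', '493817']
    .map((guess) => validate('s1', guess).reason);
}
```

In demo() the correct OTP arrives as the fourth attempt and is rejected, which is the behaviour that makes looping over payloads unproductive whether or not the request is encrypted.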
