Hi,
I am trying to route a BlackBerry app via Burp.
I did some quick research and found that updating the rimpublic.property file
of MDS will do the job.
I included appropriate config details under HTTPHandler and pointed it to the
IP on which my Burp is running. However, the traffic from the simulator is
still not getting routed via Burp. The app is unable to connect to the
server.
So it's not bypassing the proxy, but is not hitting Burp either.
Is anyone aware of any other method of routing the HTTP traffic via proxy?
Any help on this matter will be much appreciated.
PS: HTTPS is disabled to ensure that everything uses HTTP.
--
Regards,
Chintan Dave
Hi Chintan,
By default, Burp is configured to listen to only Loopback Address
(localhost,127.0.0.1).
As your blackberry app is not on localhost, so please make sure that Burp
is allowed to listen to all IP Address.
Burp Window -> Proxy -> Options -> Select the Proxy Listener -> Edit ->
Remove the check from "listen on loopback interface only" -> Update
You will be asked if "You want to listen on all interfaces" -> Yes
Regards,
Praful Agarwal
Information Security Consultant
Sandrock eSecurities Pvt. Ltd.
New Delhi, India
Mobile: +91-98185-59358
Skype: praful.agarwal8
Gmail: praful.aga@gmail.com
Hotmail: praful.agarwal@hotmail.com
Linked In: in.linkedin.com/in/prafulagarwal
Facebook: facebook.com/praful.agarwal
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Hi Praful,
My bad - I forgot to mention that, however I am listening on all interfaces
and not just local host.
It still is not working.
Thanks,
Chintan
--
Regards,
Chintan Dave,
LinkedIn: http://in.linkedin.com/in/chintandave
Blog:http://www.chintandave.com
Hi Chintan
If the app isn't honoring the proxy settings you've configured, you could potentially try invisible proxying via Burp. You'll need a way of controlling the DNS lookups on the device/emulator, enable invisible proxying on your Burp listener, and then redirect the outbound traffic from Burp to the correct destination (which might not be a problem in this instance).
There is some (non-device-specific) help here:
http://portswigger.net/burp/help/proxy_options_invisible.html
Cheers
PortSwigger
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Chintan Dave
Sent: 16 December 2012 06:48
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Blackberry apps security assessment
Hi,
I am trying to route a BlackBerry app via Burp.
I did some quick research and found that updating the rimpublic.property file of MDS will do the job.
I included appropriate config details under HTTPHandler and pointed it to the IP on which my Burp is running. However, the traffic from the simulator is still not getting routed via Burp. The app is unable to connect to the server.
So it's not bypassing the proxy, but is not hitting Burp either.
Is anyone aware of any other method of routing the HTTP traffic via proxy?
Any help on this matter will be much appreciated.
PS: HTTPS is disabled to ensure that everything uses HTTP.
--
Regards,
Chintan Dave
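The reason invisible proxying needs DNS control and, in some cases, a fixed redirect target can be seen in the request itself; the following is an added example, not part of the original thread and not Burp's own code. It classifies a plain-HTTP request head the way an intercepting proxy has to before it can forward it. The function name `resolve_upstream`, the host `app.example.test` and the address `192.0.2.10` are hypothetical, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample request heads (hypothetical host app.example.test).
PROXY_AWARE = (b"GET http://app.example.test/login HTTP/1.1\r\n"
               b"Host: app.example.test\r\n\r\n")
NOT_PROXY_AWARE = (b"GET /login HTTP/1.1\r\n"
                   b"Host: app.example.test:8080\r\n\r\n")
NO_HOST = b"GET /login HTTP/1.0\r\n\r\n"


def resolve_upstream(raw_request, fallback=None, default_port=80):
    """Decide where an intercepting proxy must forward one plain-HTTP request.

    Returns (host, port, mode). mode is "proxy-style" when the request line
    carries a full URL, "invisible" when the target comes from the Host
    header, and "fallback" when a fixed (host, port) target has to be used.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    target = parts[1]

    # Proxy-aware client: the request line names the destination itself.
    if target.lower().startswith("http://"):
        url = urlsplit(target)
        return url.hostname, url.port or default_port, "proxy-style"

    # Client unaware of the proxy: the request line holds only a path, so
    # the destination is recovered from the Host header.
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip():
            authority = urlsplit("//" + value.strip())
            return authority.hostname, authority.port or default_port, "invisible"

    # No Host header (HTTP/1.0 style): nothing in the request says where it
    # was going, so only a fixed redirect target can deliver it.
    if fallback is None:
        raise LookupError("no Host header and no fallback target configured")
    return fallback[0], fallback[1], "fallback"


if __name__ == "__main__":
    for sample in (PROXY_AWARE, NOT_PROXY_AWARE, NO_HOST):
        print(resolve_upstream(sample, fallback=("192.0.2.10", 80)))
```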
Hi,
Thanks, I am aware of this feature. If forward proxying doesn't work out, I
was planning to use this method for intercepting.
Seems it's about time, as there are not many pointers available.
Thanks,
Chintan
--
Regards,
Chintan Dave,
LinkedIn: http://in.linkedin.com/in/chintandave
Blog:http://www.chintandave.com