Category Archives: Hands On Series

B-sides san francisco logo

Security B-Sides SF 2013: The Pineapple Express: Live mobile application hacking demo…

pineapple express

All aboard the Pineapple Express, its a speeding bullet to the mobile backend! I’m looking forward to speaking at the upcoming B-Sides San Francisco. Most of the mobile security research has been focused on the apps on devices, but I have been more interested in the services and back-ends that power mobile apps.

B-sides san francisco logo

I’m excited about the new wifi Pineapple software that I have discovered while doing my research on mobile application security and I’m leveraging it to create a wifi hotspot during my talk.

In this talk, we’ll go beyond the typical discussion points on mobile security to delve into the vulnerable back-ends mobile applications. I will demonstrate how easy it is to find vulnerabilities and attack the service calls in social media, banking and payment applications.

These applications leverage new formats like JSON, AJAX and REST to deliver a rich user experience, but unfortunately they are too often exposing the same familiar vulnerabilities like SQL and Command injection. During this talk, I will demonstrate just how vulnerable these back-ends can be and how easy it is to watch the traffic and attack these interfaces.

The first step in learning to attack these mobile applications is understanding the formats used. Participants learn how to break-down these new formats, where to attack them and which tools and techniques make it easy to attack these back-end interfaces.

The audience will have the opportunity to connect to my Wifi Pineapple and use their real apps, which I will snoop and demonstrate how to hack the backends. While they won’t actually hack applications, the group will watch the live traffic and the discuss techniques that can be used to hack those applications.

Hands On Series – Cross Site Scripting (XSS) Part 1

The “Hands on Series” continues!


In this episode we start dealing with Cross Site Scripting (XSS) attacks.

CSS = Cascading Style Sheets
XSS = Cross Site Scripting

Cross Site Scripting is a technique used to add script to a trusted site that will be executed on other users browsers.
A key element to XSS is that one user can submit data to a website that will later be displayed for other users.
It is nessesary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather then attacking other users.

The hackme site has been updated and improved (more about that in a moment)

and now includes a section for XSS which we will be using in this episode.

Continue reading

Hands On Series – SQL Injection Part 1

The start of the “Hands on Series”, which means that there are actual
hands on excersises to go along with these shows.

I feel that its time to go beyond the concepts, the chatter about what bad guys can do,
and actually show you directly. Let you see for yourself the saying goes.

I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.

Continue reading