How to verify Certificate Pinning?

    Some friends of mine worry about the risk of man-in-the-middle (MITM) attacks, so they asked me how to check whether a given app is actually exposed to it.

    Take a popular shopping app "X" as an example. If "X" does not implement certificate pinning, then once the phone has been told to trust the proxy's CA we can use a proxy tool such as Burp Suite to read any confidential data exchanged between the mobile device and the servers.

    1. Run Burp Suite on the laptop; the laptop now acts as the proxy server. (Don't forget to change the laptop's firewall policy to allow inbound connections to the proxy listener port, and to bind Burp's listener to the laptop's LAN address or to all interfaces instead of the default 127.0.0.1, otherwise the phone can't reach it.)
    2. Download the CA certificate from Burp Suite and install it on the phone. (On Android 7 and later, apps targeting API level 24 or higher do not trust user-installed CAs by default, and on iOS an installed root must additionally be enabled under Certificate Trust Settings; sort this out first, otherwise a failed handshake tells you nothing about pinning.)
    3. Set the proxy IP and port in the phone's Wi-Fi settings. (The IP is the laptop's IP on the network the phone is on; the port is the listening port of the proxy server on the laptop.)
    4. Make sure Burp Suite's intercept is switched on.

    Now run app "X" and log in, and see what Burp intercepts. To my surprise, nothing showed up in the Intercept tab.

    The Alerts tab turned orange, which means something happened: when the client rejects the certificate Burp generated for the server, Burp records the failed TLS handshake there. So far it looks like "X" does implement certificate pinning, at least for the login request.

    Don't jump to conclusions too soon. Let's take a look at account registration. Enter some data such as ID, username, password, phone number and e-mail and click "Submit". Guess what? All of that confidential data was intercepted by Burp Suite, so whatever protects the login request is not applied to the registration request.

    "X" still needs to apply certificate pinning, and to apply it to every connection that carries sensitive data rather than only the login flow, to remove the risk of MITM. Now my friends know how to verify certificate pinning with a proxy, and that the check has to be repeated per flow, because one rejected handshake says nothing about the app's other endpoints.
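    To make explicit what this proxy test is exercising, here is an added example in Go (not code from the original post and not app "X"'s code) that models the decision the app's TLS client makes on every connection: ordinary chain validation against the phone's trust store, which Burp's forged certificate passes once Burp's CA has been installed, followed by an SPKI pin check, which it fails. The host name shop.example, the CA names and the choice to pin the app's own CA key are assumptions made for the demo; all certificates are generated in memory when it runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrPinMismatch is what a pinned client returns when no certificate in the verified chain carries a pinned key.
var ErrPinMismatch = errors.New("certificate pinning: no pinned public key in chain")

type TrustStore []*x509.Certificate // stands in for the phone's OS certificate store

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by HPKP, OkHttp and Android's network_security_config.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier has the signature of tls.Config.VerifyPeerCertificate. Go's TLS client calls it only after
// ordinary chain validation, so a certificate chaining to a user-installed CA (Burp's) still has to hit a pin.
func PinVerifier(pins ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, c := range chain {
				for _, p := range pins {
					if SPKIPin(c) == p {
						return nil
					}
				}
			}
		}
		return ErrPinMismatch
	}
}

func must[T any](v T, err error) T { // aborts the demo on a setup failure (key generation or signing)
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert creates a P-256 certificate for name; a nil parent yields a self-signed CA.
func issueCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else { // server leaf: hostname SAN plus serverAuth EKU, signed by the parent CA
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// World is one issuer plus the server certificate it issued for the shop's host name: the shop's real CA, or Burp's CA forging the same name.
type World struct{ CA, Leaf *x509.Certificate }

func NewWorld(caName, host string) World {
	ca, caKey := issueCert(caName, nil, nil)
	leaf, _ := issueCert(host, ca, caKey) // the server's private key plays no part in the client's decision
	return World{ca, leaf}
}

// AppAccepts reproduces the app's client-side decision: validate the presented certificate against the phone's
// trust store (which, after step 2 above, includes Burp's CA), then apply the pins, if any. nil means the
// handshake completes, i.e. Burp gets to read the traffic.
func AppAccepts(host string, trusted TrustStore, presented *x509.Certificate, pins ...string) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	chains, err := presented.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil || len(pins) == 0 {
		return err
	}
	return PinVerifier(pins...)(nil, chains)
}

func main() {
	const host = "shop.example" // hypothetical stand-in for app X's API host
	shop, burp := NewWorld("Shop Root CA", host), NewWorld("PortSwigger CA", host)
	phone, pin := TrustStore{shop.CA, burp.CA}, SPKIPin(shop.CA) // Burp's CA installed; the app pins its own CA's key
	fmt.Println("no pinning, via Burp:", AppAccepts(host, phone, burp.Leaf))     // <nil>: Burp reads everything
	fmt.Println("pinned, via Burp:   ", AppAccepts(host, phone, burp.Leaf, pin)) // pin mismatch: handshake fails
}
```

    The unpinned case is the registration flow above (Burp sees everything); the pinned case is the login flow (the app aborts the handshake, Burp logs it in Alerts and the Intercept tab stays empty). PinVerifier is shaped so it can be handed to tls.Config.VerifyPeerCertificate unchanged; the Android equivalent is a <pin-set> in network_security_config.xml or OkHttp's CertificatePinner, and on iOS a URLSessionDelegate challenge handler (or TrustKit) comparing the same SPKI hash. Whatever the platform, the pin has to cover every host the app talks to, which is exactly what the registration request shows "X" got wrong.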

Original article: https://www.cnblogs.com/pieces0310/p/8531567.html