From 3948e2d0c255d606aa7b4ee8bcc1de083c1e658a Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Tue, 1 Oct 2024 09:35:56 +0200 Subject: [PATCH 1/3] Add references to reFlutter Fixes #2902 --- techniques/android/MASTG-TECH-0109.md | 12 ++++++------ techniques/ios/MASTG-TECH-0110.md | 12 ++++++------ tools/generic/MASTG-TOOL-0100.md | 4 +++- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/techniques/android/MASTG-TECH-0109.md b/techniques/android/MASTG-TECH-0109.md index 435509f4f0..6c7775c7db 100644 --- a/techniques/android/MASTG-TECH-0109.md +++ b/techniques/android/MASTG-TECH-0109.md 
@@ -10,12 +10,12 @@ In order to intercept Flutter HTTPS traffic, we need to deal with two problems: - Make sure the traffic is sent to the proxy. - Disable the TLS verification of any HTTPS connection. -There are generally two approaches to this: **reFlutter** and **Frida**. +There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TOOL-0001**. -- **reFlutter**: This tool creates a modified version of the Flutter module which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification. -- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...). +- **@MASTG-TOOL-0100**: This tool creates a modified version of the Flutter module which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification. +- **@MASTG-TOOL-0001**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...). -## Intercepting Traffic using reFlutter +## Intercepting Traffic using @MASTG-TOOL-0100 1. Patch the app to enable traffic interception. 
@@ -56,7 +56,7 @@ There are generally two approaches to this: **reFlutter** and **Frida**. 5. Open the app and start intercepting traffic. -## Intercepting Traffic using ProxyDroid / iptables with Frida +## Intercepting Traffic using ProxyDroid / iptables with @MASTG-TOOL-0001 1. Configure [proxyDroid](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/) or iptables rules to redirect requests to Burp. @@ -77,7 +77,7 @@ There are generally two approaches to this: **reFlutter** and **Frida**. - Select `Bind to address` to `All interfaces`. - Request Handling -> support for invisible proxying. -4. Run the @MASTG-TOOL-0101 frida script. +4. Run the @MASTG-TOOL-0001 frida script. ```bash frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js diff --git a/techniques/ios/MASTG-TECH-0110.md b/techniques/ios/MASTG-TECH-0110.md index ab75159424..fa340ab1fb 100644 --- a/techniques/ios/MASTG-TECH-0110.md +++ b/techniques/ios/MASTG-TECH-0110.md 
@@ -10,12 +10,12 @@ In order to intercept Flutter HTTPS traffic, we need to deal with two problems: - Make sure the traffic is sent to the proxy. - Disable the TLS verification of any HTTPS connection. -There are generally two approaches to this: **reFlutter** and **Frida**. +There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TOOL-0039**. -- **reFlutter**: This tool creates a modified version of the Flutter module which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. -- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. VPN, DNS, iptables, WIFI hotspot). +- **@MASTG-TOOL-0100**: This tool creates a modified version of the Flutter module which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. +- **@MASTG-TOOL-0039**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. VPN, DNS, iptables, WIFI hotspot). -## Intercepting Traffic using reFlutter +## Intercepting Traffic using @MASTG-TOOL-0100 1. Patch the app to enable traffic interception. @@ -50,7 +50,7 @@ There are generally two approaches to this: **reFlutter** and **Frida**. 5. Open the app and start intercepting traffic. -## Intercepting Traffic using WIFI Hotspot / openVPN with Frida +## Intercepting Traffic using WIFI Hotspot / openVPN with @MASTG-TOOL-0039 1. Configure using [WIFI hotspot / openVPN](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/) method to redirect requests to Burp. 
@@ -63,7 +63,7 @@ There are generally two approaches to this: **reFlutter** and **Frida**. - Select `Bind to address` to `All interfaces`. - Request Handling -> support for invisible proxying. -4. Run the @MASTG-TOOL-0101 frida script. +4. Run the @MASTG-TOOL-0039 frida script. ```bash frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js diff --git a/tools/generic/MASTG-TOOL-0100.md b/tools/generic/MASTG-TOOL-0100.md index ddd3d8cf11..efb143b4e6 100644 --- a/tools/generic/MASTG-TOOL-0100.md +++ b/tools/generic/MASTG-TOOL-0100.md 
@@ -4,6 +4,8 @@ platform: generic source: https://github.com/Impact-I/reFlutter --- -The [reFlutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis. +The [reFlutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis. reFlutter can also be used for intercepting Flutter HTTPS traffic, as described in the techniques for [Android](../../techniques/android/MASTG-TECH-0109.md) and [iOS](../../techniques/ios/MASTG-TECH-0110.md). You can install and use reFlutter by following [the official instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install). More information is also available in the article ["Fork Bomb for Flutter"](https://swarm.ptsecurity.com/fork-bomb-for-flutter/) including details and practical examples. + +reFlutter can also be used for intercepting Flutter HTTPS traffic, as described in the techniques for [Android](../../techniques/android/MASTG-TECH-0109.md) and [iOS](../../techniques/ios/MASTG-TECH-0110.md). From ed7c6e2231eae19440b6358dd70f570a346fc100 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Tue, 1 Oct 2024 09:39:18 +0200 Subject: [PATCH 2/3] fix IDs --- techniques/android/MASTG-TECH-0109.md | 8 ++++---- techniques/ios/MASTG-TECH-0110.md | 8 ++++---- tools/generic/MASTG-TOOL-0100.md | 4 +--- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/techniques/android/MASTG-TECH-0109.md b/techniques/android/MASTG-TECH-0109.md index 6c7775c7db..c8e6caa9a7 100644 --- a/techniques/android/MASTG-TECH-0109.md 
+++ b/techniques/android/MASTG-TECH-0109.md @@ -12,10 +12,10 @@ In order to intercept Flutter HTTPS traffic, we need to deal with two problems: There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TOOL-0001**. -- **@MASTG-TOOL-0100**: This tool creates a modified version of the Flutter module which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification. -- **@MASTG-TOOL-0001**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...). +- **reFlutter**: This tool creates a modified version of the Flutter module which is then repackaged into the APK. It configures the internal libraries to use a specified proxy and disable the TLS verification. +- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. ProxyDroid, DNS, iptables, ...). -## Intercepting Traffic using @MASTG-TOOL-0100 +## Intercepting Traffic using reFlutter 1. Patch the app to enable traffic interception. @@ -56,7 +56,7 @@ There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TO 5. Open the app and start intercepting traffic. -## Intercepting Traffic using ProxyDroid / iptables with @MASTG-TOOL-0001 +## Intercepting Traffic using ProxyDroid / iptables with Frida 1. Configure [proxyDroid](https://blog.nviso.eu/2019/08/13/intercepting-traffic-from-android-flutter-applications/) or iptables rules to redirect requests to Burp. diff --git a/techniques/ios/MASTG-TECH-0110.md b/techniques/ios/MASTG-TECH-0110.md index fa340ab1fb..807c20ec01 100644 
--- a/techniques/ios/MASTG-TECH-0110.md +++ b/techniques/ios/MASTG-TECH-0110.md @@ -12,10 +12,10 @@ In order to intercept Flutter HTTPS traffic, we need to deal with two problems: There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TOOL-0039**. -- **@MASTG-TOOL-0100**: This tool creates a modified version of the Flutter module which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. -- **@MASTG-TOOL-0039**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. VPN, DNS, iptables, WIFI hotspot). +- **reFlutter**: This tool creates a modified version of the Flutter module which is then repackaged into the IPA. It configures the internal libraries to use a specified proxy and disable the TLS verification. +- **Frida**: The [disable-flutter-tls.js script](https://github.com/NVISOsecurity/disable-flutter-tls-verification) can dynamically remove the TLS verification without the need for repackaging. As it doesn't modify the proxy configuration, additional steps are needed (e.g. VPN, DNS, iptables, WIFI hotspot). -## Intercepting Traffic using @MASTG-TOOL-0100 +## Intercepting Traffic using reFlutter 1. Patch the app to enable traffic interception. @@ -50,7 +50,7 @@ There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TO 5. Open the app and start intercepting traffic. -## Intercepting Traffic using WIFI Hotspot / openVPN with @MASTG-TOOL-0039 +## Intercepting Traffic using WIFI Hotspot / openVPN with Frida 1. Configure using [WIFI hotspot / openVPN](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/) method to redirect requests to Burp. 
diff --git a/tools/generic/MASTG-TOOL-0100.md b/tools/generic/MASTG-TOOL-0100.md index efb143b4e6..2d3b2ff3fb 100644 --- a/tools/generic/MASTG-TOOL-0100.md +++ b/tools/generic/MASTG-TOOL-0100.md @@ -4,8 +4,6 @@ platform: generic source: https://github.com/Impact-I/reFlutter --- -The [reFlutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis. reFlutter can also be used for intercepting Flutter HTTPS traffic, as described in the techniques for [Android](../../techniques/android/MASTG-TECH-0109.md) and [iOS](../../techniques/ios/MASTG-TECH-0110.md). +The [reFlutter](https://github.com/Impact-I/reFlutter) framework helps to reverse engineer Flutter apps using the patched version of the Flutter library, which is already compiled and ready for application repackaging. This library has a modified snapshot deserialization process that allows you to perform dynamic analysis. reFlutter can also be used for intercepting Flutter HTTPS traffic. You can install and use reFlutter by following [the official instructions](https://github.com/Impact-I/reFlutter?tab=readme-ov-file#install). More information is also available in the article ["Fork Bomb for Flutter"](https://swarm.ptsecurity.com/fork-bomb-for-flutter/) including details and practical examples. - -reFlutter can also be used for intercepting Flutter HTTPS traffic, as described in the techniques for [Android](../../techniques/android/MASTG-TECH-0109.md) and [iOS](../../techniques/ios/MASTG-TECH-0110.md). From 122195c0c7216c967b551c53df51cbea8a4311ee Mon Sep 17 00:00:00 2001 
From: Carlos Holguera Date: Tue, 1 Oct 2024 09:48:07 +0200 Subject: [PATCH 3/3] fix IDs and update codesign to be 0114 --- techniques/android/MASTG-TECH-0109.md | 2 +- techniques/ios/MASTG-TECH-0084.md | 2 +- techniques/ios/MASTG-TECH-0092.md | 2 +- techniques/ios/MASTG-TECH-0110.md | 2 +- techniques/ios/MASTG-TECH-0111.md | 2 +- tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md | 2 +- tools/ios/{MASTG-TOOL-0101.md => MASTG-TOOL-0114.md} | 0 7 files changed, 6 insertions(+), 6 deletions(-) rename tools/ios/{MASTG-TOOL-0101.md => MASTG-TOOL-0114.md} (100%) diff --git a/techniques/android/MASTG-TECH-0109.md b/techniques/android/MASTG-TECH-0109.md index c8e6caa9a7..aef1a0ef9a 100644 --- a/techniques/android/MASTG-TECH-0109.md +++ b/techniques/android/MASTG-TECH-0109.md @@ -77,7 +77,7 @@ There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TO - Select `Bind to address` to `All interfaces`. - Request Handling -> support for invisible proxying. -4. Run the @MASTG-TOOL-0001 frida script. +4. Run the @MASTG-TOOL-0101 Frida script. ```bash frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js diff --git a/techniques/ios/MASTG-TECH-0084.md b/techniques/ios/MASTG-TECH-0084.md index 6c66b287e0..7471f4c8f8 100644 --- a/techniques/ios/MASTG-TECH-0084.md +++ b/techniques/ios/MASTG-TECH-0084.md @@ -36,7 +36,7 @@ You'll find the debugserver executable in the `/usr/bin/` directory on the mount ``` -Apply the entitlement with @MASTG-TOOL-0101: +Apply the entitlement with @MASTG-TOOL-0114: ```bash codesign -s - --entitlements entitlements.plist -f debugserver diff --git a/techniques/ios/MASTG-TECH-0092.md b/techniques/ios/MASTG-TECH-0092.md index 47e0014593..8de15ddcad 100644 --- a/techniques/ios/MASTG-TECH-0092.md +++ b/techniques/ios/MASTG-TECH-0092.md 
@@ -21,7 +21,7 @@ Next, we need to make sure that the Bundle ID in `Info.plist` matches the one sp ## Re-Signing -Finally, we use the @MASTG-TOOL-0101 tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`. +Finally, we use the @MASTG-TOOL-0114 tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`. ```bash $ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature diff --git a/techniques/ios/MASTG-TECH-0110.md b/techniques/ios/MASTG-TECH-0110.md index 807c20ec01..019080d741 100644 --- a/techniques/ios/MASTG-TECH-0110.md +++ b/techniques/ios/MASTG-TECH-0110.md @@ -63,7 +63,7 @@ There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TO - Select `Bind to address` to `All interfaces`. - Request Handling -> support for invisible proxying. -4. Run the @MASTG-TOOL-0039 frida script. +4. Run the @MASTG-TOOL-0101 Frida script. ```bash frida -U -f eu.nviso.flutterPinning -l disable-flutter-tls.js diff --git a/techniques/ios/MASTG-TECH-0111.md b/techniques/ios/MASTG-TECH-0111.md index 695ac86ffb..cce5d8fe0c 100644 --- a/techniques/ios/MASTG-TECH-0111.md +++ b/techniques/ios/MASTG-TECH-0111.md @@ -7,7 +7,7 @@ To extract the entitlements from a MachO binary, the following tools can be used - @MASTG-TOOL-0111 - @MASTG-TOOL-0105 -- @MASTG-TOOL-0101 +- @MASTG-TOOL-0114 The following examples use these tools on the main binary of @MASTG-APP-0028, which contains two architectures. diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md index a5b5399251..379039e88e 100644 --- a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md +++ b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md 
@@ -13,7 +13,7 @@ masvs_v1_levels: ## Static Analysis -You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with @MASTG-TOOL-0101. Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system. +You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with @MASTG-TOOL-0114. Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system. After you get the application's IPA file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be. diff --git a/tools/ios/MASTG-TOOL-0101.md b/tools/ios/MASTG-TOOL-0114.md similarity index 100% rename from tools/ios/MASTG-TOOL-0101.md rename to tools/ios/MASTG-TOOL-0114.md
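Review bot: In PATCH 1/3, hunk `@@ -4,6 +4,8 @@` of tools/generic/MASTG-TOOL-0100.md, the sentence "reFlutter can also be used for intercepting Flutter HTTPS traffic, as described in the techniques for [Android](...) and [iOS](...)" is added twice: once appended to the existing first paragraph and once as a new standalone paragraph two lines later. PATCH 2/3 (hunk `@@ -4,8 +4,6 @@` of the same file) then deletes the standalone copy and shortens the inline one to "reFlutter can also be used for intercepting Flutter HTTPS traffic." Squash 2/3 into 1/3 so the series never carries the duplicated paragraph, and consider keeping the two technique links in the retained sentence, since the tool page otherwise no longer points readers to MASTG-TECH-0109 and MASTG-TECH-0110.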
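Review bot: PATCH 1/3 replaces **reFlutter** and **Frida** with **@MASTG-TOOL-0100** / **@MASTG-TOOL-0001** (Android) and **@MASTG-TOOL-0039** (iOS) in the intro sentence, the two bullet items and the two `##` headings of MASTG-TECH-0109.md and MASTG-TECH-0110.md, and PATCH 2/3 reverts the bullets and headings back to the plain names while leaving the intro sentence on IDs. The net result is that the same paragraph names the tools as IDs on one line ("There are generally two approaches to this: **@MASTG-TOOL-0100** and **@MASTG-TOOL-0001**.") and as plain names on the next ("- **reFlutter**: ..."). Squash the two commits so the churn disappears from history, and either state why the bullets and headings cannot carry the `@MASTG-TOOL-...` references or make the three places consistent.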
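Review bot: In PATCH 3/3 the `@@ -77,7 +77,7 @@` hunk of MASTG-TECH-0109.md and the `@@ -63,7 +63,7 @@` hunk of MASTG-TECH-0110.md change step 4 to "Run the @MASTG-TOOL-0101 Frida script.", but the same commit renames the only `MASTG-TOOL-0101.md` in this series (`tools/ios/MASTG-TOOL-0101.md`, the codesign page) to `MASTG-TOOL-0114.md`. Unless a tool page with ID 0101 for the disable-flutter-tls.js script already exists elsewhere in the repository, both references are dangling after this series and should fail the reference check; the series should add that tool page (or the commit that does) before these two hunks land. Once it exists, the bullet list earlier in both files, which still links the script by its raw GitHub URL, could use the same `@MASTG-TOOL-0101` reference.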
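Review bot: For the rename `tools/ios/{MASTG-TOOL-0101.md => MASTG-TOOL-0114.md}` in PATCH 3/3, the series updates four referencing files (MASTG-TECH-0084.md, MASTG-TECH-0092.md, MASTG-TECH-0111.md, MASTG-TEST-0081.md). Because ID 0101 is being reassigned to a different tool rather than retired, any `@MASTG-TOOL-0101` reference that is not in this diff and was meant to point at codesign would silently resolve to the Frida script instead of breaking the build, so please run a repository-wide search for the old ID and confirm every remaining hit is intentional before merging.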