M 109: Broken SSL (30 pts extra)

What You Need for This Project

Summary

Many Android apps send login credentials over broken HTTPS, without verifying the SSL certificate.

This is such a serious security flaw that the FTC punished Fandango and Credit Karma for doing the same thing in 2014.

Adjusting Android Networking to Bypass the Proxy

While Burp is useful, most of the time you want to bypass it so you can get to Google Play.

From the Android home screen, click the circle at the bottom center.

Open Settings.

In Settings, click "Network & internet".

Click Wi-Fi.

Click AndroidWiFi.

Click Advanced.

In the "Network details" screen, at the top right, click the Pencil icon.

In the "Proxy" field, click the down-arrow.

Click None.

Then click Save.

Installing Firefox

If you don't already have Firefox installed, install it from Google Play.

Installing the Travelzoo Android App

Open Google Play and search for travelzoo.

Install the app, as shown below.

If you can't get the app from Google Play, download my archived copy.

Adjusting Android Networking to Use the Burp Proxy

On your Android device, in Settings, click "Network & internet".

Click Wi-Fi.

Click AndroidWiFi.

Click Advanced.

In the "Network details" screen, at the top right, click the Pencil icon, outlined in green in the image below.

In the "AndroidWifi" box, in the "Advanced options" row, click the down-arrow.

In the "Proxy" field, click the down-arrow.

Click Manual, which is outlined in green in the image below.

Enter the IP address and port number of the Burp proxy listener, as shown below.

On your Android device, click SAVE.

At the bottom center of the device, click the round Home button.

Testing an HTTPS Connection

Open Firefox. Go to https://samsclass.info

You should see an error message, as shown below. If you don't, remove the PortSwigger certificate, with the steps in the gray box below.

This happens because Burp is performing a man-in-the-middle attack and Firefox notices it.
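The same contrast, as an added Go example that is not part of this project page: a client that verifies certificates refuses an unknown certificate the way Firefox does and never sends the form, while a client that skips verification (the flaw in the apps examined below) hands the password to whoever is in the middle. httptest's self-signed certificate stands in for the PortSwigger one; the email, password and /login path are constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newServer starts a TLS server with httptest's self-signed certificate (standing in for Burp's) and reports every POST body on seen.
func newServer(seen chan<- string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		seen <- string(body)
	}))
}

// postLogin submits a constructed login form; skipVerify=true is the apps' flaw (any certificate accepted).
func postLogin(loginURL string, skipVerify bool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify}, // never ship this as true
	}}
	form := strings.NewReader("email=user%40example.com&password=hunter2") // constructed sample credentials
	resp, err := client.Post(loginURL, "application/x-www-form-urlencoded", form)
	if err != nil {
		return err // a verifying client fails here (x509: unknown authority) before sending anything
	}
	return resp.Body.Close()
}

// CredentialsLeaked reports whether the password reached the untrusted server, plus the client-side error.
func CredentialsLeaked(skipVerify bool) (bool, error) {
	seen := make(chan string, 1) // buffered so the handler never blocks
	srv := newServer(seen)
	defer srv.Close()
	err := postLogin(srv.URL+"/login", skipVerify)
	select {
	case body := <-seen:
		return strings.Contains(body, "password=hunter2"), err
	default:
		return false, err
	}
}

func main() {
	fmt.Println(CredentialsLeaked(false)) // false, x509 error: refused, nothing was sent
	fmt.Println(CredentialsLeaked(true))  // true, nil: the broken client handed over the password
}
```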

Removing the PortSwigger Certificate

On your Android device, in Settings, click "Security & location",
Advanced, "Encryption & credentials", "Clear credentials".

Click OK.

Enter your PIN.

Observing the HTTPS Traffic

Open the Travelzoo app.

At the lower right of the home page, click the head icon.

Click the "Sign In or Sign Up" button.

Click the "SIGN IN" button.

Enter an email address and password, as shown below, and click the "Sign In" button.

In Burp, on the Proxy tab, click the "HTTP Requests" sub-tab.

Find the POST method going to travelzoo.com.

The username and password appear in Burp, as shown below:

M 109.1: Parameter Name (10 pts)

Find the text covered by a green box in the image below. That's the flag.

Cisco E-Service Training

WARNING: this app no longer allows a login through Burp, as of 5-12-2021. So I recommend skipping the Cisco app. Install the app, as shown below.

If you can't get the app from Google Play, download my archived copy.

Enter any email and click the Next button.

Enter any password and click the "Sign In" button.

M 109.2: Server Name (10 pts)

In Burp, find the text covered by a green box in the image below. That's the flag.

Somnote

Install the app, as shown below.

If you can't get the app from Google Play, download my archived copy.

Launch Somnote. If it asks for permissions, grant them.

Click "LOGIN WITH EMAIL", and enter any email and password, and click the Login button.

M 109.3: Parameter Name (10 pts)

In Burp, find the text covered by a green box in the image below. That's the flag.

Responsible Disclosure

I notified all these companies of this problem years ago:
Posted 2-10-21
Note about Cisco App added 5-12-2021