Tuesday, 21 October 2014

My Leap of Faith !!!

Leap of faith !!! That's what it was for me, when I got into information security.

Currently the level of awareness of information security among developers is very low.

The coding practices followed by most developers today are far from the recommended best practices.
It's just amazing how vulnerable the application becomes just because of poor coding by the developer.
And this is just one face of information security; network security is another story altogether.

I think one of the major challenges for the information security domain is the lack of awareness.
Lack of awareness works in both ways for us.
In cases such as social engineering attacks, lack of awareness does help penetration testers,
but it also works against us when the top management sees information security as a burden to the organization. Most of the time they learn the lesson the hard way after a security breach.

I was just lucky enough to have a go at this, a career in penetration testing. And I'm sure the challenges that it brings with it will keep me wanting more.

Keep Rocking !!!

Monday, 25 February 2013

Installing Burp Certificate For iPad and iPhone Testing


Pentesting for mobile devices has become important for security consultants, since more and more clients are asking to have the Android and iOS versions of their applications tested.

Using a proxy tool like Burp Suite to intercept traffic from Apple devices is easy when the application does not use SSL. But when the application uses an HTTPS connection, the iPad or iPhone does not allow you to intercept the traffic. The reason is that Burp presents the device with a fake certificate that cannot be verified. When browsing in Safari, the user just gets a warning and can proceed. In applications, however, the certificate is either valid or not; there is no warning for an invalid certificate, and if the certificate is invalid, the connection is terminated.

So during testing we can install the Burp SSL certificate on the iOS device, so that the device treats it as a trusted certificate.

Step 1) Start Burp proxy



Step 2) Set your browser to Burp proxy



Step 3) Browse to any SSL page. The browser will show a warning for 'Invalid SSL Certificate'

 

Step 4) Open the certificate details. Click on PortSwigger CA; this is important since we want the certificate at the top of the hierarchy. Then click on Export.



Step 5) When you export the certificate it will be called PortSwigger CA. Remember to add '.crt' to the file name when you save it. This is important since the extension determines what the iPad or iPhone does with the file.




Step 6) Send the certificate to the device. This can be done by any method, such as email or copying it directly onto the device. When you try to open the certificate, the device will prompt you to install it. Click on Install.
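
A check to run on the exported file before Step 6, as an added example that is not part of the original post: it confirms the file is the self-signed CA certificate selected in Step 4 rather than a per-host certificate, and accepts PEM or DER exports. The function name `check_burp_ca` is hypothetical, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# check_burp_ca FILE  (hypothetical helper name, not part of Burp)
# Returns 0 only if FILE is a self-signed X.509 certificate marked CA:TRUE,
# i.e. the top of the chain rather than the per-host certificate below it.
check_burp_ca() {
    cert=$1
    [ -r "$cert" ] || { echo "cannot read: $cert" >&2; return 2; }

    # Browsers export PEM (base64 text) or DER (binary); accept either.
    if openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null; then
        form=PEM
    elif openssl x509 -in "$cert" -inform DER -noout 2>/dev/null; then
        form=DER
    else
        echo "not an X.509 certificate: $cert" >&2; return 2
    fi

    subject=$(openssl x509 -in "$cert" -inform "$form" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -inform "$form" -noout -issuer | sed 's/^issuer= *//')

    # A root certificate names itself as issuer; a host certificate does not.
    if [ "$subject" != "$issuer" ]; then
        echo "not the top of the chain; issued by: $issuer" >&2
        return 1
    fi

    # A certificate that signs others must carry CA:TRUE in basicConstraints.
    if ! openssl x509 -in "$cert" -inform "$form" -noout -text | grep -q 'CA:TRUE'; then
        echo "basicConstraints does not say CA:TRUE" >&2
        return 1
    fi

    # Step 5: the saved file name should end in .crt.
    case $cert in
        *.crt) ;;
        *) echo "warning: rename the file to end in .crt before sending" >&2 ;;
    esac

    echo "OK ($form): $subject"
    openssl x509 -in "$cert" -inform "$form" -noout -enddate -fingerprint -sha256
}

# Example: sh check_burp_ca.sh "PortSwigger CA.crt"
if [ "$#" -gt 0 ]; then check_burp_ca "$1"; fi
```

Keep the printed SHA-256 fingerprint with the test notes so the certificate can be identified and removed from the device once testing is finished.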