Sanjay Gondaliya

Associate Director

NotSoSecure

Biography

Sanjay Gondaliya has been an IT professional since 2012 who loves to find, analyze and do research around vulnerability analysis and penetration testing.

As a trainer, he is passionate about learning the in-depth analysis of vulnerabilities.

Having been a software developer in the past, he always includes automation to do his work smartly and within limited time.

In his free time he watches movies.

Interests

  • Web Application/API Pentesting
  • Mobile Application Pentesting
  • Thick Client Application Pentesting
  • Network Assessment
  • Secure code review
  • Building tools
  • Automation

Education

  • Master in Computer Application, 2012

    Gujarat Technological University

  • Bachelor of Commerce, 2009

    Gujarat University

Professional Journey

Associate Director

NotSoSecure

May 2018 – Present Ahmedabad

Responsibilities include:

  • Training

  • Pentesting

    • Web Application Penetration Testing

    • API Penetration Testing

    • Mobile Penetration Testing

      • Android
      • iOS
    • Desktop Application Penetration Testing

    • Secure Code Review

  • Blogger

    • Writes blogs for NotSoSecure to share knowledge back with the community.
  • Developer

    • Creates in-house tools and applications that help automate the organization's processes.
  • Recruiter

    • Helps the organization recruit employees based on openings.

Security Engineer

Zeb IT Service Pvt Ltd

Jan 2018 – Apr 2018 Ahmedabad

Responsibilities include:

  • Pentesting

    • Web Application Penetration Testing

    • API Penetration Testing

    • Mobile Penetration Testing

      • Android
    • Provides guidance to developers on creating secure applications.

Security Analyst

Net-Square Solution Pvt. Ltd.

May 2012 – Dec 2017 Ahmedabad

Responsibilities include:

  • Pentesting

    • Web Application Penetration Testing

    • API Penetration Testing

    • Mobile Penetration Testing

      • Android
      • iOS
    • Desktop Application Penetration Testing

    • Secure Code Review

  • Developer - Team Lead

    • Manages a team of 5+ employees
    • Guides teammates in developing their coding skills
    • Manages and does development on the flagship product “ServerDefenderVP”.
  • Recruiter

    • Helps the organization recruit employees based on openings.

Trainings Delivered

Web Hacking Black Belt Edition

Delivered the in-person training at BlackHat Europe 2023

Web Hacking Black Belt Edition 2023 - 4 Day

Delivered the in-person training at BlackHat USA 2023

Web Hacking Black Belt Edition

Delivered the in-person training at BlackHat Asia 2023

Web Hacking Black Belt Edition

Delivered the in-person training at BlackHat Europe 2022

Attacking Injection Flaws Masterclass

Delivered the virtual training at BlackHat USA 2022

Recent Posts

SSL Pinning Bypass Adventures in Flutter Mobile Apps

Are you ready to dive into the fascinating world of Flutter and take control of your Android app’s traffic? Look no further! In this blog, we’ll embark on an exciting journey as I walk you through the simple yet powerful steps to capture the heartbeat of your Flutter-based Android application installed on the Android Studio emulator. The entire thing is divided into 3 parts:

  • Configure the Proxy in Your Android Studio Emulator
  • Capture the Sequence Bytes of “ssl_verify_peer_cert” Function
  • Change the Return Value of “ssl_verify_peer_cert” to True Using Frida

Configure the Proxy in Your Android Studio Emulator: To set up the proxy in the Android Studio emulator, the initial step involves installing the Burp certificate directly into the emulator.

How to Intercept Traffic of Android Studio Emulator

In this blog, Amish and I have explained how we can capture any application's network traffic in the Android Studio Emulator. To begin, export the Burp certificate in the ‘DER’ format and save it to the base system, as illustrated in the following figure: Next, utilizing OpenSSL, convert the DER file to a PEM file. Afterward, rename the PEM file with the certificate hash and proceed to push the certificate to the emulator’s ‘/sdcard’ folder, as depicted in the figure below:

ECDSA Nonce Reuse Attack

In this blog post, I have explained how pentesters can benefit from a good understanding of cryptography and potential weaknesses in its implementation. In particular, I talk about how to exploit ECDSA to perform a nonce reuse attack.

More information: https://notsosecure.com/ecdsa-nonce-reuse-attack

Bypassing Hardened Android Applications

In this blog post, I have described how I got around every necessary check to conduct API/dynamic testing on an Android application.

More information: https://notsosecure.com/bypassing-hardened-android-applications

ECDSA - Sign and Verification

In this blog, I have explained the workings of ECDSA signing and verification. To understand this, we first require knowledge of the basic concepts of cryptography. If you know the concepts, then you can jump to the ECDSA explanation. Disclaimer: The information provided in this blog post about the working of ECDSA signing and verification is explained to the best of my knowledge and is the result of thorough research from various reliable sources.

Talks

Blacklist3r

The tool is used to accumulate the secret keys / secret materials related to various web frameworks that are publicly available and potentially used by developers. These secrets are utilized by the Blacklist3r tools to audit the target application, verify the usage of these pre-published keys and exploit it further.

Working of Padding Oracle

Presented on how the padding oracle attack works under the hood.

Android Application Analyzer

The Android Application Analyzer is a GUI for carrying out static analysis during Android application penetration testing, with single-click support for jd-gui, apktool, MobSF, Frida script hooks and Android logcat.

Basics of BlockChain

Basic components and terminology used in Blockchain

Advance Android Static Analysis

Advanced method for local storage analysis

Tools

FileEncryptor

It’s a command-line, Python-based tool which can be used to import multiple keys and encrypt a specific file for a specified recipient, for recipients belonging to a specific organization, or for recipients belonging to multiple specific organizations.

SerializedPayloadGenerator

It’s a web interface to generate payloads using various deserialization exploitation frameworks.

Android Application Analyzer

The tool is used to analyze the content of an Android application in local storage.

Blacklist3r

The goal of this project is to accumulate the secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers.

DomainRecon

Collects information about an organization, such as IP ranges, subdomains and operations on subdomains.

CVEs

CVE-2020-27729

An undisclosed link on the BIG-IP APM virtual server allows a malicious user to build an open redirect URI.

Bug Bounties Profile

Bugcrowd

https://bugcrowd.com/devsecboy

HackerOne

https://hackerone.com/devsecboy