MagiskTrustUserCerts
hetty
MagiskTrustUserCerts | hetty | |
---|---|---|
3 | 3 | |
1,575 | 5,906 | |
1.9% | - | |
0.0 | 0.0 | |
6 months ago | about 1 year ago | |
Shell | Go | |
- | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
MagiskTrustUserCerts
-
Inspecting http traffic from mobile phone applications
I am doing this right now. I'm using burp to proxy the traffic from a mobile application to test it's APIs. I did the following: 1. Root device and install Magisk 2. Connect phone to computer running burp and Android Debug Bridge. 3. Establish proxy connection using adb tunnel and ProxyDroid app. 4. Download Burp certificate to phone (it's stopped in User trust store but needs to be put in System. 5. Use the following Magisk module. MagiskTrustUserCerts 6. Profit
-
Mitmproxy 8
This is true, by default Android apps do not trust user-installed certificate authorities. IMO the easiest solution if you're doing security testing on a dedicated device is MagiskTrustUserCerts[1]. If you're not testing on a dedicated device or you don't want to root the device, I'd recommend using the objection[2] tool which has a guided mode for patching an apk, and you can modify the manifest to add your CA or to trust all user-installed CAs.
[1]: https://github.com/NVISOsecurity/MagiskTrustUserCerts
[2]: https://github.com/sensepost/objection/wiki/Patching-Android...
-
Scraping an Android App
2) in magisk install https://github.com/NVISOsecurity/MagiskTrustUserCerts
hetty
- Hetty - An http toolkit for security research.
-
Mitmproxy 8
FWIW: I'm building something in Go (https://github.com/dstotijn/hetty). But it's pretty early stage and not even near the featureset that mitmproxy or Burp Suite has. Also I wouldn't dare say it's more efficient (yet!). But Go has been great so far to build it.
As mentioned elsewhere: (dev friendly) extensibility/add-ons with Go will be an interesting challenge. Haven't looked into it yet.
-
Gopher Gold #14 - Wed Oct 07 2020
dstotijn/hetty (Go): Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.
What are some alternatives?
mitmpcap - export mitmproxy traffic to PCAP file
mitmproxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
super-auto-pets - A tool to allow for viewing of arbitrary Super Auto Pets replays
ppmap - A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.
xmppmitm - XMPP Man-in-the-Middle, quick & dirty
lakeFS - lakeFS - Data version control for your data lake | Git for data
ndbproxy - A proxy/bridge that runs between a Node.JS debug server and a Chromium devtools client and adds some additional features.
interactsh - An OOB interaction gathering server and client library
spark-operator - Kubernetes operator for managing the lifecycle of Apache Spark applications on Kubernetes.
objection - 📱 objection - runtime mobile exploration