6 Must have tools for your iOS pentesting toolkit
When performing a pentesting either it is web, network, mobile or IoT the essential thing the pentester should have is its tool. So in this blog, I am going to share the tools which I use to perform pentesting of iOS applications. 1. Cydia Impactor: Cydia Impactor is a GUI tool which is used to install the ios application into the iPhone when we have the IPA file of it. So if you have a jailbreak IPA then this tool is must which will let you install that jailbreak exploit IPA into your device. You can download Cydia from here.
In this write up we will be focusing on CSV injection. CSV also knows as Comma Separated Value stores tabular data (numbers and text) in plain text. Each record consists of one or more fields, separated by comma. Nowadays, there are many web application and frameworks being developed which allow users to export the data saved in database into a csv file. The csv file created might lead to CSV injection. So it becomes very important to be sure that the file exported through the web application is safe and will not leave the users system prone to any attack. CSV Injection aka Formula Injection. It occurs when websites embed untrusted user input inside CSV files without validating. When the user tries to open the CSV file using any spreadsheet program such as Microsoft Excel or LibreOffice Calc, any cells starting with ‘=’ will be interpreted by the software as a formula. Spreadsheet programs like Microsoft Excel, Open Office, Libre Office Calc are not a new programs. We have been using it to perform different task like calculation, analysis, and visualization of data and information. These software’s provide many formulas and functions which can be used by us in our day to day life. For example: Below image shows the Microsoft Excel allowing to add value of two field and display it in the third field.
Automating Stuff with Python
What is Automation? The use of any machine or computer to perform your task efficiently and in very less time can be termed as automation. Why do we need automated scripts? Humans can do great stuff, but sometimes we are too lazy to perform some. For example, if I ask you to multiply 345*246 most of you people will open calculator in your devices to calculate the result, rather than using pen paper to solve it. So using automated scripts make our task easy and is less time consuming. Ever wondered why do we need automated scripts is security testing? If so then the answer to your question is here. While performing security testing you can across a task that needs to be done multiple times like placing 1 lakh orders to check that the application can be flooded with multiple request. Now, sitting and creating each and every request manually will be a very tough job. So, here we can use automated scripts to perform our job.
Is your Captcha really secure?
Captcha is the challenge solving test used in the computing to distinguish between the human and machine. It is implemented as one of the security feature to stop automation of any process. But what if the any small piece of code is able to solve that challenge and is successful in impersonating the application that the form is been submitted by the human. While performing Web Application Security Assessment for different web application we came across many wrong implementation of Captcha being done by the developer. So here are some of the common mistakes made by the developer while implementing Captcha in your application: Using only numbers with the small length of string. The permutation and combination required to brute force the captcha will be less. Here the length of string is 4. To brute force above string total number of tries will be 10*10*10*10=10000, which is very less.