Paulo Renato Exadra37

@coaxial
coaxial / README.md
Last active May 3, 2024 20:06
unpinning SSL certs on Android apps with Frida to inspect network traffic with mitmproxy

Most of the time, applications won't pin the certificate. Running mitmproxy and passing all Android traffic through it is as simple as adb connect <IP> && adb shell settings put global http_proxy <mitmproxy host>:<mitmproxy port> (or use Android's UI).

Some applications, however, pin the certificate and will refuse to do any network calls if using mitmproxy.

Luckily, Frida is here!

This assumes Android x86 is running in a VM, that you are a developer in Android (tap the build version enough times), adb debugging is enabled, and that Android tools are installed on the host.

  • start mitmproxy on host
  • visit mitm.it on the target (after setting the proxy) and install the spoofed cert
@Chervychnyk
Chervychnyk / release_tasks.ex
Last active March 31, 2024 15:53
Example of migration and seed tasks for phoenix release
defmodule YourApp.ReleaseTasks do
  @app :your_app
  @repos Application.get_env(:your_app, :ecto_repos, [])

  def migrate() do
    Application.load(@app)

    for repo <- @repos do
      {:ok, _, _} = Ecto.Migrator.with_repo(repo, &Ecto.Migrator.run(&1, :up, all: true))
    end
  end
end

HOW TO EXTRACT AN API KEY FROM A MOBILE APP WITH STATIC BINARY ANALYSIS

You can read the blog post here.

TLDR

An API key is probably the most common method used by developers to identify what is making the request to an API server, but most developers are not aware how trivial it is for a hacker or even a script kid to steal and reuse an API key for unauthorized access to their APIs.

We will see how to grab an API key by reverse engineering the binary of a mobile app in an effective and quick way with an open source tool, and once we see how easy it can be, we will realize why it is even achievable by non-developers.

@Exadra37
Exadra37 / security-tools.md
Last active September 22, 2020 13:17
Security Tools

SECURITY TOOLS

My personal list of security tools I recommend in the Approov Blog, where I write articles as a Developer Advocate for security in Mobile and APIs.

API

  • MITMPROXY or Man In The Middle Proxy - Intercept traffic from a client consuming an API.
  • Fierce Domain Scanner - Enumerate hostnames for a domain.
  • Certificate Transparency Logs:
  • Web Interface:
@Exadra37
Exadra37 / 00-README.md
Last active May 1, 2019 14:50
Code Snippets for an Approov Integration in Python Flask API on this blog post http://blog.approov.io/approov-integration-in-a-python-flask-api

APPROOV INTEGRATION IN A PYTHON FLASK API

The blog post can be found here.

TLDR

This walk-through will show us how simple it is to integrate Approov in a current API server using Python and the Flask framework.

We will see the requirements, dependencies and a step by step walk-through over the code necessary to implement Approov in a Python Flask API.

@jswny
jswny / Flexible Dockerized Phoenix Deployments.md
Last active July 3, 2023 05:25
A guide to building and running zero-dependency Phoenix (Elixir) deployments with Docker. Works with Phoenix 1.2 and 1.3.

Prelude

I. Preface and Motivation

This guide was written because I don't particularly enjoy deploying Phoenix (or Elixir for that matter) applications. It's not easy. Primarily, I don't have a lot of money to spend on a nice, fancy VPS so compiling my Phoenix apps on my VPS often isn't an option. For that, we have Distillery releases. However, that requires me to either have a separate server for staging to use as a build server, or to keep a particular version of Erlang installed on my VPS, neither of which sound like great options to me and they all have the possibilities of version mismatches with ERTS. In addition to all this, there's a whole lot of configuration which needs to be done to set up a Phoenix app for deployment, and it's hard to remember.

For that reason, I wanted to use Docker so that all of my deployments would be automated and reproducible. In addition, Docker would allow me to have reproducible builds for my releases. I could build my releases on any machine that I wanted in a contai

@nunesdaniel
nunesdaniel / Tools.md
Created February 3, 2018 15:42
Tools List

Tools

  • Metasploit: Penetration testing software
  • BeEF: The Browser Exploitation Framework
  • PTF: Penetration Testers Framework
  • Bettercap: MITM framework
  • Nessus: Vulnerability scanner
  • AutoNessus: Auto Nessus
  • BDFProxy: Patch Binaries via MITM (BackdoorFactory)
  • Xplico: Network Forensic Analysis Tool (eg. parse pcap file)
@bgando
bgando / hubspot-blog.md
Created July 17, 2017 19:27
steps to publish a blog on hubspot with minimal formatting issues

Hubspot

  1. Write your post in Markdown (probably on Google Docs)
  2. Open the markdown editor at http://dillinger.io/
  3. Write (or paste) {% raw %} {% endraw %} in the blank editor - this is the most annoying unavoidable step, but only needed if you have {{ }} tags in the article
  4. Paste your markdown in between the raw/endraw tags
  5. Export as -> Styled HTML
  6. Open the downloaded file, copy the body
  7. Open your Hubspot post, go to Tools > Source Code
  8. Paste
@Kovrinic
Kovrinic / .gitconfig
Last active April 11, 2024 11:50
git global url insteadOf setup
# one or the other, NOT both
[url "https://github"]
	insteadOf = git://github
# or
[url "git@github.com:"]
	insteadOf = git://github
@jessejanderson
jessejanderson / the_abcs_of_otp.md
Last active March 13, 2024 11:23
The ABCs of OTP