xdavidhu

Tested on Workplace for Android version 362.0.0.29.109. This approach might work in other Facebook/Meta applications. Thank you Imre Rad for helping me analyze the binary.

How does it work?

The Workplace Android app uses the Fizz open source TLS-1.3 library to communicate with the backend APIs. This library is written in C++, and is compiled to native code. It is running as a native library attached to the Android app.

The certificate verification is implemented in fizz/client/ClientProtocol.cpp, on line 1944. The easiest way to bypass this check is to patch the if (state.verifier()) { check on line 1942.

xdavidhu

import requests

headers = {
    "Authorization": "SAPISIDHASH [sapisidhash]",
    "Origin": "https://console.cloud.google.com",
}

cookies = {
    "SID": "",
    "HSID": "",

xdavidhu

#! /usr/bin/python3

import http.server, ssl, sys, random, string, argparse, socket

hostname = "[domain]"
redirect_enabled = False
redirect_target = ""
redirect_token = ""
manual_redirect_token = False
redirect_code = 303

xdavidhu

#!/bin/bash
# Converter.sh by @xdavidhu
# This is a script inspired by the Bug Hunter's Methodology 3 by @Jhaddix
# With this script, you can convert domain lists to resolved IP lists without duplicates.
# Usage: ./converter.sh [domain-list-file] [output-file]

echo -e "[+] Converter.sh by @xdavidhu\n"
if [ -z "$1" ] || [ -z "$2" ]; then
  echo "[!] Usage: ./converter.sh [domain-list-file] [output-file]"
  exit 1

xdavidhu

#!/usr/bin/env python3
# author: @xdavidhu

import requests, json, sys, socket

if len(sys.argv) > 1:
    ip = sys.argv[1]
else:
    ip = False

xdavidhu

Keybase proof

I hereby claim:

• I am xdavidhu on github.
• I am xdavidhu (https://keybase.io/xdavidhu) on keybase.
• I have a public key ASDkMZTUsxCqD0WnxOK6QA5nLKL0cxFLnRhOkAGBuakWfwo

To claim this, I am signing this object: