arthusu

Intercepting traffic on Android and iOS Flutter applications

I recently stumbled upon an application developed with Flutter, and since it was my first time seeing it, I surprisingly couldn't intercept its requests. After some digging on google, I created this tutorial with the steps that personally worked for me and I wanted to share them in hope to help someone else. Note that the applications that I tested didn't have certificate pinning implemented. I'll update this file once I get to test an application that has it (if I'll be able to bypass it 😃 ).
To simplify the explanation I refer to the machine that hosts Burp as Kali, but you can use whatever linux machine you want.

Android:

There are 2 ways to intercept HTTP connections from a Flutter application installed on an Android device (I'm sure there are more but these are the ones I know). Intercepting requests by changing the proxy settings of the device, through the classic settings of Android, doesn't work in this case, since Flutter applic

Almost browsers prevent to XSS that is using javascript: protocol.

<a href=javascript:alert(location.origin) traget=_blank>XSS</a>

Demo: https://nuvjcp.csb.app/

Summary

Oh my zsh.

Install ZSH.

sudo apt install zsh-autosuggestions zsh-syntax-highlighting zsh

	const commonPaths = [
	"/data/local/bin/su",
	"/data/local/su",
	"/data/local/xbin/su",
	"/dev/com.koushikdutta.superuser.daemon/",
	"/sbin/su",
	"/system/app/Superuser.apk",
	"/system/bin/failsafe/su",
	"/system/bin/su",
	"/su/bin/su",

	rule Instruction_Bypass: PromptInjection
	{
	meta:
	category = "Instruction Bypass"
	description = "Detects phrases used to ignore, disregard, or bypass instructions."

	strings:
	$bypass_phrase = /(Ignore\|Disregard\|Skip\|Forget\|Neglect\|Overlook\|Omit\|Bypass\|Pay no attention to\|Do not follow\|Do not obey)\\s(prior\|previous\|preceding\|above\|foregoing\|earlier\|initial)?\\s(content\|text\|instructions\|instruction\|directives\|directive\|commands\|command\|context\|conversation\|input\|inputs\|data\|message\|messages\|communication\|response\|responses\|request\|requests)\\s*(and start over\|and start anew\|and begin afresh\|and start from scratch)?/

	condition:

	setTimeout(function() {
	Java.perform(function() {
	console.log('');
	console.log('======');
	console.log('[#] Android Bypass for various Certificate Pinning methods [#]');
	console.log('======');


	var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
	var SSLContext = Java.use('javax.net.ssl.SSLContext');

	console.log("[*] SSL Pinning Bypasses");
	console.log(`[*] Your frida version: ${Frida.version}`);
	console.log(`[*] Your script runtime: ${Script.runtime}`);

	/**
	* by incogbyte
	* Common functions
	* thx apkunpacker, NVISOsecurity, TheDauntless
	* Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
	* !!! THIS SCRIPT IS NOT A SILVER BULLET !!

	<script>
	/*
	〱='',〳=〱,ᘓ=〱+{},ᘒ=〱+[][[]],〱+=[〱==〱],〳+=[!〱],ᘑ=+[],ᘐ=+!+[],ᘔ=ᘐ+ᘐ,ᘕ=ᘔ+ᘐ,ᘖ=ᘔ+ᘕ,ᘖ+=ᘖ+ᘖ+ᘔ,ᘗ=ᘖ+ᘐ,ᘘ=ᘓ[ᘔ+ᘕ],ᘙ=ᘓ[ᘐ],ᘚ=〱[ᘐ],ᘲ=〱[ᘑ],ᘳ=ᘘ+ᘙ+ᘒ[ᘐ]+〳[ᘕ]+ᘲ+ᘚ+ᘒ[ᘑ]+ᘘ+ᘲ+ᘙ+〱[ᘐ],ᘰ=[][ᘳ][ᘳ],ᘏ=''+ᘰ,ᘎ=〳[ᘐ]+〳[ᘔ]+〱[ᘕ]+ᘚ+ᘲ+ᘏ[ᘖ]+ᘏ[ᘗ],ᘰ`ᘳ${ᘎ}```
	*/


	〱=''
	〳=〱 //''
	ᘓ=〱+{} //'[object Object]' <- '' + [object Object]
	ᘒ=〱+[][[]] //'undefined' <- '' + undefined

	security-checklist
	Opinionated security and code quality checklist for Solidity smart contracts. Based off the BentoBox checklist.

	Variables
	V1 - Can it be private?
	V2 - Can it be constant?
	V3 - Can it be immutable/constant?
	V4 - Is visibility set? (SWC-108)
	V5 - Is the purpose of the variable and other important information documented using natspec?
	Structs