Mobile

Last updated 4 years ago

Pro Tip - Android applications can suffer from LFI and stored XSS just by injecting <iframe/src=/etc/hosts> into input fields. Payout: $4,500! 😎👍 — xer0dayz (@xer0dayz)

- AndroidHackingMonth
Pro Tip - Android applications can suffer from LFI and stored XSS just by injecting <iframe/src=/etc/hosts> into input fields. Payout: $4,500!
this helped me alot: In case a program has an Android/IOS app, extract endpoints and add those to your wordlists before running directory bruteforce on the subdomains list. You'll be surprised to see the results

Pro Tip - Android applications can suffer from LFI and stored XSS just by injecting <iframe/src=/etc/hosts> into input fields. Payout: $4,500! 😎👍 — xer0dayz (@xer0dayz)

- AndroidHackingMonth

Pro Tip - Android applications can suffer from LFI and stored XSS just by injecting <iframe/src=/etc/hosts> into input fields. Payout: $4,500!

this helped me alot: In case a program has an Android/IOS app, extract endpoints and add those to your wordlists before running directory bruteforce on the subdomains list. You'll be surprised to see the results

#bugbounty

pic.twitter.com/JvP4jN8Zha

June 24, 2018

When trying to backup an android app without root privileges for vulnerabilities, you need to know the package name but you don't have access to the /data directory. Run --> aapt dump badging abc.ap

https://twitter.com/Hacker0x01/status/1229869424628420608

#bugbounty

#BugBountyTip

If you found exposed broadcast receiver in android app. Reverse the app and investigate it...it may give you access to private shared pref using object deserialization and may lead to account take over!

Android tip: wifi passwords are in /data/misc/wifi/wpa_supplicant.conf