Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

DJI Drone Vulnerability - 134

Checkpoint Research, posted 6 years ago
  • A single authorization token is shared across several subdomains. So, the team tried to find an XSS bug in one of the subdomains that did not have the HttpOnly protection enabled on the token cookie.
  • The XSS bug is a reflected XSS in the JavaScript on the page. Because of this, 'this kind of XSS would not be blocked by any XSS Auditor because it resides in the JavaScript itself and not consist of scripts or events'. I thought this was super interesting! What does the XSS Auditor actually block?
  • The mobile application had many anti-debugging and anti-reversing protections. Using Frida, among other things, did not work. It was discovered that the app actually spawned a process that already had Frida attached to it, making it impossible to attach another instance. To bypass the SSL pinning, they had to overload SSLContext and hook in a different trust manager.
  • After getting the MCK (metadata-key) token via the XSS, the login process can be hijacked by replacing the MCK in the login request with the stolen one.