Pentesting apps using Parse as a backend

ParseRevealer

Parse Revealer is a pentesting utility for Mac OS X that helps analyze the Parse account used by an application under test. More info on attacking Parse is available in this article.

It has the following capabilities at the moment:

  • Validity checking of Parse Application ID and Client Key.
  • Getting the list of access permissions for custom Parse classes.
  • Revealing the structure of custom Parse classes with 'Find' permission set to 'YES'.
  • Exporting all the revealed data to .txt.

WARNING: Parse Revealer can leave a trace in Parse classes - it adds new fields and objects when testing the corresponding permissions, so be careful.
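
A defender-side counterpart to the permission checks listed above, as an added example that is not part of ParseRevealer: it reviews a schema export of your own app and lists every class operation left open to any client. The JSON layout (modelled on the open-source Parse Server schema format), the class names and the `audit_clp` helper are assumptions made for illustration.

```python
import json

# Class-level operations and what public access ("*") to each one allows.
# 'find' is what lets a client enumerate a class; 'create' and 'addField'
# are the write paths through which probing leaves objects and fields behind.
RISK = {
    "find": "objects can be listed and the class structure inferred",
    "get": "objects can be read by id",
    "create": "new objects can be inserted",
    "update": "existing objects can be modified",
    "delete": "objects can be removed",
    "addField": "new fields can be added to the class",
}

# Constructed sample. Assumption: it follows the layout of a Parse Server
# schema export ({"results": [{"className", "classLevelPermissions"}]}).
SAMPLE_SCHEMA = json.loads("""
{"results": [
  {"className": "Message", "classLevelPermissions": {
     "find": {"*": true}, "get": {"*": true},
     "create": {"requiresAuthentication": true},
     "update": {}, "delete": {}, "addField": {}}},
  {"className": "Feedback", "classLevelPermissions": {
     "find": {}, "get": {}, "create": {"*": true},
     "update": {}, "delete": {}, "addField": {"*": true}}},
  {"className": "Invoice", "classLevelPermissions": {
     "find": {"role:admin": true}, "get": {"role:admin": true},
     "create": {"role:admin": true}, "update": {"role:admin": true},
     "delete": {"role:admin": true}, "addField": {}}},
  {"className": "LegacyNotes"}
]}
""")


def audit_clp(schema):
    """Return (class, operation, risk) for each operation open to any client."""
    findings = []
    for cls in schema.get("results", []):
        clp = cls.get("classLevelPermissions")
        for op, risk in RISK.items():
            perms = clp.get(op) if clp is not None else None
            # Assumption: a missing class or operation entry means unrestricted,
            # while an empty entry ({}) means no client may perform it.
            if perms is None or perms.get("*") is True:
                findings.append((cls["className"], op, risk))
    return findings


if __name__ == "__main__":
    for name, op, risk in audit_clp(SAMPLE_SCHEMA):
        print(f"{name}: public '{op}': {risk}")
```
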

Installation

The installation is simple - build and run the application in Xcode.

Usage

  1. Enter the applicationId and clientKey derived from the target app.
  2. Enter the names of Parse classes, also derived from the target, and click 'Save'.
  3. Go to the 'ACL Revealing' tab and click 'Reveal'. After a few seconds you'll see the list of access permissions for all saved classes.
  4. Go to the 'Structure Revealing' tab, also click 'Reveal', and enjoy the structure of your classes.
  5. On the last tab you can export all the revealed data to txt format.

Version

0.2

Author

Egor Tolstoy - @igrekde.

License

ParseRevealer is available under the MIT license. See the LICENSE file for more info.

Todo's

  • Browse through objects in a specified class,
  • Create, update and delete objects in a specified class,
  • Dump all the classes to different file formats,
  • Stable work with object-defined ACLs.