Banking applications are increasingly enhanced with confidentiality. One of them is the encryption of request / response data when sending and receiving. Some weak encryptions can be decrypted easily, but some strong encryptions like RSA are difficult. Hooking into functions that send request/response and intercept data before it's encrypted is one way we can view and modify the data.
- Set up Burp listener
- Listen on 127.0.0.1:26080
- Redirect to 127.0.0.1:27080 and Check (Support invisible proxying)
- Run echoServer.py
- Config and optimize handlers.js
- Run burpTracer.py -p com.apple.AppStore / [-n 'App Store']
*Note: Different applications will use different libraries. You need to reverse or trace the application to find the correct function.
https://medium.com/p/a5c4ef22a093
OceabBank : https://youtu.be/hn1GV-JCpjc
SaiGonBank Smart Banking: https://youtu.be/7C0SLvtI7RY