Full Account Takeover (Android Application)

Tools used
  1. Burp Suite (intercepting proxy)
  2. Genymotion (Android emulator)
Setup
  1. Set up the environment for Android application penetration testing: a Genymotion virtual device with its proxy pointed at the Burp Suite listener and Burp's CA certificate installed on the device.
  2. Open Genymotion and install the target application, target.apk, on the virtual device.
  3. If the application pins its TLS certificate, bypass the pinning with the SSLUnpinning tool so that Burp's certificate is accepted (with pinning in place the connection fails and nothing reaches the proxy).
  4. The application's HTTPS requests can now be captured in Burp Suite.
Steps to reproduce
  1. With the application installed, create an account to act as the victim.
  2. Go to Recover Password and enter the victim's username or mobile number to request the OTP (reset code).
  3. Capture the Recover Password request in Burp Suite. Right-click the request, choose Do intercept > Response to this request, and click Forward until the response arrives.
  4. The response body contains the OTP that is being sent to the victim's mobile number. Because the server hands the code back to whoever submitted the request, an attacker who knows only the victim's username or mobile number obtains the code without access to the phone, enters it in the reset flow, sets a new password and takes over the account.
Screenshot: response containing the OTP
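To make the step-4 finding concrete, here is an added example that is not code from the original post or from the target application: a toy Python password-recovery backend written the way the vulnerable one behaves (the OTP generated for the SMS is also echoed in the JSON body), the corrected version next to it, and a small checker that scans a captured response body for OTP-like fields the way you would read the Burp response. The user record, phone number, field names, the SMS gateway stand-in and the server secret are all constructed assumptions.

```python
"""Vulnerable vs hardened OTP password recovery (added illustration).
Everything here is constructed: user data, field names, SMS gateway."""
import hashlib
import hmac
import json
import re
import secrets
import time

# Constructed user store; the phone number is made up.
USERS = {"victim": {"phone": "+10000000000", "password": "old-pass"}}

# Stand-in for an SMS gateway: records what would have been texted.
SENT_SMS = []

def send_sms(phone, text):
    SENT_SMS.append((phone, text))

# ---------- vulnerable implementation ----------
PENDING_PLAIN = {}  # username -> otp, plain text, no expiry, no attempt limit

def recover_password_vulnerable(username):
    """Generates the OTP, texts it, and ALSO returns it in the response body."""
    user = USERS.get(username)
    if user is None:
        return 404, {"status": "unknown user"}      # also leaks valid usernames
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_PLAIN[username] = otp
    send_sms(user["phone"], f"Your code is {otp}")
    return 200, {"status": "otp sent", "otp": otp}  # <-- the leak seen in Burp

def reset_password_vulnerable(username, otp, new_password):
    if PENDING_PLAIN.get(username) != otp:
        return 400, {"status": "wrong code"}
    USERS[username]["password"] = new_password
    return 200, {"status": "password changed"}

# ---------- hardened implementation ----------
OTP_TTL = 300          # seconds a code stays valid
MAX_ATTEMPTS = 5       # guesses allowed per issued code
PENDING = {}           # username -> {"hash", "expires", "attempts"}
SERVER_SECRET = b"server-secret"  # assumption: stands in for a real server key

def _otp_hash(username, otp):
    # Keyed hash so a dumped store does not reveal live codes.
    return hmac.new(SERVER_SECRET, f"{username}:{otp}".encode(), hashlib.sha256).hexdigest()

def recover_password_hardened(username, now=None):
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        otp = f"{secrets.randbelow(10**6):06d}"
        PENDING[username] = {"hash": _otp_hash(username, otp),
                             "expires": now + OTP_TTL, "attempts": 0}
        send_sms(user["phone"], f"Your code is {otp}")
    # Identical response whether or not the user exists: no code, no enumeration.
    return 200, {"status": "if the account exists, a code was sent"}

def reset_password_hardened(username, otp, new_password, now=None):
    now = time.time() if now is None else now
    rec = PENDING.get(username)
    if rec is None or now > rec["expires"]:
        return 400, {"status": "no valid code"}
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(username, None)
        return 429, {"status": "too many attempts"}
    if not hmac.compare_digest(rec["hash"], _otp_hash(username, otp)):
        return 400, {"status": "wrong code"}
    PENDING.pop(username, None)                      # single use
    USERS[username]["password"] = new_password
    return 200, {"status": "password changed"}

# ---------- checker for a captured response body ----------
OTP_KEY = re.compile(r'"(otp|code|pin|token)"\s*:\s*"?(\d{4,8})"?', re.I)

def find_leaked_otp(response_body):
    """Return an OTP-like numeric value keyed otp/code/pin/token, else None."""
    m = OTP_KEY.search(response_body)
    return m.group(2) if m else None

def demo():
    """Attacker's flow against both backends with no access to the victim's phone.
    Returns (takeover succeeded on vulnerable backend, OTP leaked by hardened backend)."""
    _, body = recover_password_vulnerable("victim")
    leaked = find_leaked_otp(json.dumps(body))
    took_over = (leaked is not None and
                 reset_password_vulnerable("victim", leaked, "attacker-pass")[0] == 200)
    _, body = recover_password_hardened("victim")
    return took_over, find_leaked_otp(json.dumps(body))

if __name__ == "__main__":
    took_over, leaked_hardened = demo()
    print("vulnerable backend: account taken over =", took_over)
    print("hardened backend: OTP in response =", leaked_hardened)
```

Running the file shows the takeover succeeding against the vulnerable backend and nothing usable in the hardened response. The regex in find_leaked_otp is also what to look for by eye in the Burp response at step 4: any field named otp, code, pin or token carrying a short numeric value. The hardened version makes three separate changes, and a real fix needs all of them: the code never appears in the response, the stored code is a keyed hash with an expiry and an attempt limit, and the recovery endpoint answers identically for unknown users.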
Timeline
  1. I reported this to the private program on 20th September.
  2. The program pays relatively little, so the reward was a three-figure bounty (between $500 and $700).

Vishal Bharad
Penetration Tester, Bug Bounty Hunter, Security Researcher