Full Account Takeover (Android Application)

Introduction :

Hello Again, I am Vishal Bharad, I’m here again to share about my findings on Full Account Takeover on Android Application

About the Vulnerability :

First of all this is the one of the Simplest Vulnerability which rated in P1 Category. For Discovering the bug need to Setup for Android Application Penetration Testing.

Hope You all already know about the Setup of Android Application Penetration Testing. :)

So I am directly started with the Vulnerability that I have identified. Consider I have an Android Application which is target.apk

Tools Used for this Vulnerability:

1. BurpSuite
2. Genymotion

General Steps:

1. First of all Setup for a Android Application Penetration Testing
2. Then open genymotion and Install the application which is target.apk
3. After Installing application we need to Bypass the SSL via SSLunpinned application.
4. Then we are able to capture the request in Burp suite.

Steps to Reproduce the Vulnerability

1. After Installing application create an account as victim account.
2. Go to the Recover Password and type username or Mobile number to receive OTP or CODE.
3. Capture the Recover Password request in BurpSuite. Now Right…