Tag: penetration testing

08 May 2019

Exploiting & Securing Mobile Apps – A Penetration Testing Training

This action-packed training course focuses on teaching attendees the skills required to perform penetration testing of Android & iOS applications in the real world. The training uses a real-world-like application, designed especially for this purpose, as the target.

The course includes extremely unique, real-world vulnerabilities. Attendees will first understand the concept behind each vulnerability and then exploit it on the target application. The flow of the course is designed to ensure that attendees understand each concept and are able to discover and exploit the vulnerabilities themselves. The training includes some of the unique vulnerabilities discovered and exploited in well-known mobile applications.

Download Detailed Training Agenda

Some of the vulnerabilities and topics covered in the training include: 

  • Static analysis to remote code execution
  • Static analysis to application compromise
  • User detail compromise through broadcast
  • Insecure file storage, leading to full account takeover (Android & iOS)
  • Insecure application components and exploitation
  • Insecure application screens and exploitation
  • Unintended sensitive data leakage
  • Bypassing application logic (logical vulnerability)
  • Deep linking and exploitation
  • Hacking mobile APIs (vulnerabilities in API)
  • Reverse engineering the application
  • Performing static and dynamic analysis on the application
  • Finding and exploiting real world vulnerabilities
  • Several Frida-tools use cases
  • Bypassing security controls like SSL pinning, root detection, obfuscation, etc.
  • Attacking APIs for vulnerabilities

Unique benefits of this training: 

  • Get practical hands-on training on real-world-like Android and iOS apps
  • Learn to find and exploit critical mobile application vulnerabilities
  • Get access to training content such as PDFs, guides, exploit code and lab applications
  • Get access to a virtual machine pre-installed with all needed tools (mostly for Android)

Details about the training


Training date: 29th – 30th June 2019

Training Timing: 10:00 AM – 5:00 PM

Training Venue: 

  • New Delhi, India (Exact venue to be shared with registered students)
  • Virtual Conferencing (for delegates to join remotely)


Discounts are only available on group booking.

  • Group registration of 3+ people: 10% discount
  • Group registration of 5+ people: 15% discount

Contact us at hello@enciphers.com for availing this discount.

Book Your Seat now.

Having issues while booking? Visit the Event booking page here

Terms and Conditions:

  • Pass prices are exclusive of taxes and gateway charges.
  • Passes are non-refundable & non-transferable.
  • In case of event cancellation, we will inform the attendees at least one week before the actual training date.
  • Registration fees do not include the cost of travel and accommodation of delegates. All delegates are requested to make their own arrangements and to cover any fees for other services they need.
  • Delegates/attendees are expected to have the prerequisites ready before the training date.
13 Sep 2018

The Art Of Hacking (Delhi Edition) : Web Application Hacking – Basic Level

We are excited to publicly announce the first session of “The Art Of Hacking”. Details are below:

Training Details:

Training Name: Web Application Hacking – Basic Level

Training Date | Time: 29th September 2018 | 9:00 AM – 4:00 PM

Venue: TO THE NEW, Tower B, 4th Floor, Logix Techno Park, Noida Express Way, Sector 127, Noida, Uttar Pradesh 201304.

Big thanks to “TO THE NEW” for helping us by providing the venue.


What’s so awesome in this training?

  • Free for all to attend.
  • Fully hands-on training, focusing on starting and succeeding in bug bounties too.
  • It will be a live training with lab practice.
  • Attendees of the basic level will get a discount on the advanced-level training.
  • Networking opportunity.


Prerequisites:

  • Working laptop with a Kali Linux virtual machine.
  • Willingness to learn.
  • (Optional) If you can bring a personal wifi/internet connection, it would be better.


How to apply for this training?

  1. Fill in the Google form below (end of this page).
  2. As seats are limited, we will select mainly on a first-come, first-served basis, so fill it in as soon as you can.
  3. Wait for an acceptance email from our side with more details. Make sure to bring your ID and the invitation code we send in the acceptance email.

Important dates:

  • Enrolment starts: 13th September 2018
  • Enrolment ends: 19th September 2018
  • Acceptance to be sent to attendees: 26th September 2018


Agenda of the Training:

Module 1 – Basics of everything:

  • Basics of web applications
  • Vulnerability scanning
  • DNS and domain-level topics
  • Intro to Burp Suite: setting up & use cases

Module 2 – Recon:

  • What is recon? Best tools for recon.
  • Low severity issues and how to find them during recon.
  • Chaining low severity bugs to get higher impact.
  • Reporting low severity bugs the correct way.

Module 3 – Finding the “easy money bugs”:

  • Cross Site Scripting:
    • How to find? Where to look?
    • Using Burp Suite for finding XSS
    • Interesting case studies of XSS
  • Cross site request forgery
  • Access control & Improper session management issues
  • Insecure subdomains & hidden insecure files

Module 4 – Finding high paying bugs:

  • Insecure Direct Object Reference
    • What are they?
    • Where do they exist?
    • Using Burp Suite to find IDORs
    • Case studies on interesting IDOR bugs
  • Authentication & Session related vulnerabilities:
    • MFA bypass
    • Password reset issues
    • Session management issues

Module 5 – How not to suck at bug bounties:

  • Reporting is the key to good money.
  • How to avoid duplicate issues?
  • Amazing resources from around the internet.
  • Where can you hunt other than Bugcrowd and Hackerone?


Want to know more about the whole series of trainings? Read here

Want to join the group? Have questions to ask? Join us on Slack: Slack Invite Link

Training Content/Hand-Outs:

  1. Presentation Used in the basic level training: (Presentation) The Art Of Hacking – Web App Basic Level
  2. Books/Resources:
    1. OWASP testing guide: OTGv4
    2. CORS POC sample: CORS_POC
    3. Web Application penetration Testing Checklist: Web Application Penetration Testing Checklist
    4. More resources to start in web app security:  Resources
  3. Virtual Machine (OVA file): OVA Link
  4. Virtual Machine Details: VM Details
  5. Vulnerable App – WackoPicko: Details
  6. Vulnerable App – OWASP Juice Shop: https://github.com/bkimminich/juice-shop


Hope you loved the training. Please give your feedback here.

13 Jun 2018

Bypassing Cloudflare WAF to get more vulnerabilities

Hey guys,

If you have been doing penetration testing or bug bounties for some time now, you must have come across applications which use Cloudflare as their Content Delivery Network (CDN). As a new bug bounty hunter or penetration tester, you are probably frustrated when every XSS payload you submit leads to a security page, or you get blocked by Cloudflare's Web Application Firewall sitting in front of the app.

What exactly is Cloudflare and how can you detect which web application uses it?

Cloudflare is a useful tool to enhance site performance, accelerate access speed and improve the visitors' experience. It is a CDN, DNS, security (web application firewall), optimizer, analytics, etc., all in one package. Put simply, Cloudflare makes the application load faster and shields it from attacks such as SQLi and XSS, which protects its users from being hacked. If you are unsure how to check whether a web application is using Cloudflare, you can simply use an extension such as Wappalyzer, which shows the technologies, frameworks and CDNs an application is using. You can download it from here if you don't have it or a similar extension. Its usage is pretty simple. This is how it looks when you browse an application which uses Cloudflare as its CDN.

There are other ways to detect it too, and we will get to those eventually. Now, if you try to use your normal XSS payload, you are either going to get the captcha security box every time, or, if you keep doing it, your IP will be blocked from further interaction with the app. Not only this: scanning, spam messages or emails will also cause problems for you as a penetration tester.

What’s actually happening behind the scenes?

When a company uses Cloudflare, Cloudflare sits in between you and the web application's origin server. So any malicious payload or file you try to execute against the app goes through Cloudflare, and as a result it blocks you. Not only this: even if you get the IP address and try to access the app using that IP, it will show "Direct Access is not allowed". Below is the image of a target which uses Cloudflare. Use the command below to get the IP being used:

ping target.com

The IP you get back is a Cloudflare edge address, which is where Cloudflare is hosting your application. Any time you insert your payload, it goes here. Now just try to directly access the app using this IP and you will get the following error:

So is there any way out of it?

Yes, of course there is. Think of what would happen if you could access the origin server directly without going through Cloudflare's protection: the app would then have no protection from Cloudflare's firewall, and we could test for various vulnerabilities like XSS and SQLi.

Let’s see some of the tools and methods which can help us to access the Origin Server directly.

1. Crimeflare:

You can access the application here. This application's sole purpose is to determine the directly accessible server for an application, i.e. the origin server. They maintain a database and a zip file containing the names of all the services which use Cloudflare and who is sitting behind Cloudflare's service. You will see a search box at the bottom of the page. Once you enter the website's name and Crimeflare comes up with a Direct Connection IP, you can be almost sure that it's the origin server. We say "almost" because many times the results produced are those of a subdomain of the target instead of the main domain, so you have to verify further with the other methods we are going to talk about. On the other hand, if you didn't get any information on the origin server from here, move on to the other methods.

A sample demonstration for Bugcrowd.com which uses Cloudflare and how you can get the Origin Server.


The website itself says that it's a tool to find and analyze every reachable server on the internet. This tool comes in very handy during the recon phase of a penetration test or bug bounty, as we can get different types of information about the target from here. But it is also helpful in this case, where we have to find the origin server of an application using Cloudflare.

If you just enter the target's name in the search box, it will come up with the IPs of that target, and usually the origin server is among them. Let's take Bugcrowd as an example here.


This is what the URL looks like, and it gives a lot of results because the application might be using multiple hosts, so you need to work a little harder.

3. SecurityTrails:

It is actually a repository of historical DNS data, and you can get the origin server's IP by looking at this data. Just like before, enter the application name in the search box and it will give you a whole lot of information. On the left side you will find four rows. Go to Historical Data there and look at the 'A' field, which will reveal all the IPs related to the target.

4. Netcraft:

This website contains the history of hosting records for different websites. It can also be used if the previous methods are not working. There is a Netcraft extension which you can install to keep an eye on the target's various details, which you can get from here.

What to do after we got the Origin Server?

There are three things you can do now.

  1. Directly access the app through the real IP.
  2. Add an entry to the hosts file. On Windows, you can find this file at C:\Windows\System32\drivers\etc\hosts; add the entry there. On Linux, you can just do cd /etc to go to the /etc directory and then nano hosts or vi hosts, whichever you like, and add the entry like this.

    The OriginServer line was our new entry. You can use the same format on both Linux and Windows. Once you do this, going to the target application no longer passes through Cloudflare's servers and accesses the application directly.

  3. Instead of option 2, you can also choose to override the DNS resolver for this project if you are using Burp Suite while testing. It does the same thing, but it's probably better because you only want it for this pentesting project and not every time. To do this, go to Project Options -> Hostname Resolution and add the entry there. See the screenshot below, in which I have added the hostname and the IP address; this overrides our computer's DNS resolution, which would otherwise always take us to Cloudflare's server.
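The two practical questions behind the whole post are "is the address I see a Cloudflare edge or the origin?" (the ping result above, and the historical A records from SecurityTrails) and, from the defending side, "does my origin answer traffic that did not come through Cloudflare?". The following is an added example, not code from the original post: it classifies addresses against Cloudflare's published IPv4 ranges and shows the origin-side allowlist check that makes a leaked origin address harmless. The range list is a constructed subset (the current list is published at https://www.cloudflare.com/ips/) and the DNS history is constructed sample data.

```python
"""
Added example (not part of the original post): classify addresses as Cloudflare
edge vs. non-Cloudflare, audit constructed historical A records for a leaked
origin, and an origin-side allowlist check. Refresh CLOUDFLARE_RANGES from
https://www.cloudflare.com/ips/ before relying on it.
"""
import ipaddress

# Constructed subset of Cloudflare's published IPv4 ranges (illustrative only;
# the real, current list is at https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
)]

# Constructed historical A records, newest first, in the shape a DNS-history
# service such as SecurityTrails lists them: (first_seen, ip). The oldest
# record predates the move behind Cloudflare, so it exposes the origin.
DNS_HISTORY = [
    ("2018-05-01", "104.16.21.35"),   # Cloudflare edge
    ("2017-11-12", "104.25.8.9"),     # Cloudflare edge
    ("2016-03-02", "203.0.113.10"),   # pre-Cloudflare: likely the origin (TEST-NET-3)
]


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip falls inside one of the known Cloudflare ranges.
    Use it on the address returned by `ping target.com`: a hit means you are
    looking at the edge, not the origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def leaked_origins(history):
    """Return the (first_seen, ip) records that are NOT Cloudflare edges.
    Run over your own domain's DNS history, this shows whether the origin
    address was ever exposed and should be rotated."""
    return [(seen, ip) for seen, ip in history if not is_cloudflare_ip(ip)]


def allow_direct_request(peer_ip: str) -> bool:
    """Origin-side mitigation: accept TCP peers only if they are Cloudflare
    edges. A leaked origin IP is only useful to an attacker if the origin
    answers direct connections; enforcing this at the origin firewall (and
    pairing it with Cloudflare's Authenticated Origin Pulls) closes that gap."""
    return is_cloudflare_ip(peer_ip)


if __name__ == "__main__":
    print("edge?", is_cloudflare_ip("104.16.21.35"))
    print("leaked origins:", leaked_origins(DNS_HISTORY))
    print("direct request from 198.51.100.7 allowed?",
          allow_direct_request("198.51.100.7"))
```

The same `is_cloudflare_ip` check answers both sides of the post: as a tester it tells you whether the address you are about to put in /etc/hosts is really the origin or just another edge node, and as a defender `allow_direct_request` is the rule the origin should enforce so that knowing the real IP does not bypass the WAF at all.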

When to think of bypass?

These methods are not 100% foolproof, and there are many more methods to bypass Cloudflare's protection; dig and ping are especially useful in these cases. But when should you start looking for a bypass? Don't start looking for one just because you have seen that the application uses Cloudflare's CDN. First find out whether the firewall is actually blocking your payloads. Cloudflare won't block every kind of testing: for example, it won't block you for checking access control or IDORs, because how those are handled is up to the application's own code. Cloudflare will mostly block you for XSS, SQL injection, DoS and DDoS attacks, spamming, and the like. And many times, even if you find the real IP and go there, it may behave in a weird manner, or they may have taken extra measures in advance, so don't lose hope. But the next time you find an application using Cloudflare, you can definitely follow the methods mentioned in this post, and you can also find other ways if you search the internet. Try this and let us know your success stories.

HAPPY HACKING until then!!!