Bypassing SSL pinning Using Frida issue

I am a penetration tester, and I was doing some SSL pinning bypass using Frida.

I have pushed all the required files and certificates, and Burp is intercepting traffic from the Android Studio emulator.

I have performed the steps to run Frida:

    [Android Emulator 5554::com.*****.**** ( flagged for ethical security reasons )]-> [.] Cert Pinning Bypass/Re-Pinning
    [+] Loading our CA...
    [o] Our CA Info: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger
    [+] Creating a KeyStore for our CA...
    [+] Creating a TrustManager that trusts the CA in our KeyStore...
    [+] Our TrustManager is ready...
    [+] Hijacking SSLContext methods now...
    [-] Waiting for the app to invoke SSLContext.init()...

And when I try to interact with the application, it is not allowing my request through because of the missing certificate, and Frida is not capturing the request or bypassing the pinning, even though I have performed all the right steps.

I am here if anyone needs to ask more questions. Can you please help with the above?

POST requests are bypassing PHP checks

I have a website with a contact form in PHP and a mail server. Emails are sent with the PHP mail function like so (skipping validation code for brevity):

    $name = $_POST["name"];
    $email = $_POST["email"];
    $message = $_POST['message'];

    // The From header is assembled from both user-supplied fields
    $headers = array(
        'From' => $name . '<' . $email . '>',
        'MIME-Version' => '1.0',
        'Content-type' => 'text/html; charset=iso-8859-1'
    );
    $result = mail($to, $subject, $message, $headers, '-r' . $sender);

Recently I’ve been attacked by a spammer who is posting emails with a From field value like this:

    check@mydomain.com, this@mydomain.com, link@mydomain.com,  "US:http"@mydomain.com://www.somedomain.com/page <somename@mail.com>

So I prohibited the @ character in the name field like so:

    if (strpos($_POST["name"], "@") !== false)
        exit();

I’ve tried sending a POST request with a name like name@ from Postman and it was rejected successfully, but I am still getting the same spam emails.

Any ideas, please, on how the spammer is bypassing the validation check?
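As an added illustration that is not part of the post or the poster's PHP, the following Python models how the From header above is assembled from both the name and the email fields, puts the post's name-only "@" filter beside a check that inspects both fields, and builds the header with the standard library's address class, which quotes the display name instead of concatenating raw strings. The sample inputs are constructed: the spam string is the one quoted in the post, split at its final angle bracket on the assumption that the trailing `<somename@mail.com>` came from the email field; the benign submission and the length limit are arbitrary choices.

```python
import re
from email.headerregistry import Address

# Constructed sample: the From value quoted in the post, plus a benign submission.
SPAM_FROM = ('check@mydomain.com, this@mydomain.com, link@mydomain.com,  '
             '"US:http"@mydomain.com://www.somedomain.com/page <somename@mail.com>')
SPAM_NAME = SPAM_FROM[:SPAM_FROM.rindex('<')]   # everything before the final <...> (assumption)
SPAM_EMAIL = 'somename@mail.com'

# Characters with structural meaning in an address header; none belong in a display name.
NAME_FORBIDDEN = set('@<>,;:"\\\r\n')
# One plain local@domain address: no whitespace, no delimiters, at least one dot in the domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def original_name_check(name: str) -> bool:
    """The post's filter: only the name field is inspected, and only for '@'.
    Returns True when the submission would be let through."""
    return '@' not in name


def assemble_as_posted(name: str, email: str) -> str:
    """How the post's PHP builds the header: $name . '<' . $email . '>' (no quoting)."""
    return f"{name}<{email}>"


def validate_fields(name: str, email: str):
    """Check both fields, since both end up inside the From header. Returns (ok, reason)."""
    if any(c in NAME_FORBIDDEN for c in name):
        return False, 'name contains address-header delimiters'
    if len(name) > 100:                       # arbitrary limit (assumption)
        return False, 'name too long'
    if not EMAIL_RE.fullmatch(email):         # fullmatch: a trailing newline also fails
        return False, 'email is not a single plain address'
    return True, 'ok'


def safe_from_header(name: str, email: str) -> str:
    """Build the header with the stdlib address class, which quotes the display name
    when it contains specials and rejects an addr_spec that is not a single address."""
    ok, reason = validate_fields(name, email)
    if not ok:
        raise ValueError(reason)
    return str(Address(display_name=name, addr_spec=email))


if __name__ == '__main__':
    print('as posted:', assemble_as_posted(SPAM_NAME, SPAM_EMAIL))
    for n, e in ((SPAM_NAME, SPAM_EMAIL), ('', SPAM_FROM), ('Alice Smith', 'alice@example.org')):
        print(repr(n[:24]), repr(e[:24]),
              '| name-only check lets it through:', original_name_check(n),
              '| both-field check:', validate_fields(n, e))
```

The second constructed case, an empty name with the whole spam string in the email field, passes the name-only "@" check but fails the two-field check, which is why the example validates the address field as strictly as the name.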

Can the manual and tome magic items that increase stats be used multiple times by bypassing the century wait time via the spell Sequester?

Assume we have a Wizard who is at least level 13 and can reliably cast Sequester many times (either through acquired spell scrolls, or has acquired enough material components for it to be a non-issue), has a safe place (through the spell Demiplane) to be under the influence of Sequester for many centuries, and has access to the Manual of Bodily Health, Manual of Gainful Exercise, Manual of Quickness of Action, Tome of Clear Thought, Tome of Leadership and Influence, and Tome of Understanding.

Per the item descriptions in the DMG:

…your [STAT] score increases by 2, as does your maximum for that score. The manual then loses its magic, but regains it in a century.

Now, normally this would be a once-in-a-lifetime use, or maybe twice (due to the lifespan of the races), but if a wizard used Sequester on themself, many years can pass without growing older:

…[willing target creature] falls into a state of suspended animation. Time ceases to flow for it, and it doesn’t grow older. You can set a condition for the spell to end [before the spell is dispelled by the caster].

So, assuming that time continues to flow for the magic items, but not for the sequestered wizard, can they study these books and take the necessary long rests, Sequester for a hundred years, “wake” from the Sequester, and then repeat an arbitrary-but-finite number of times for an arbitrarily high (but finite) improvement to their stats?

To end the cycle and escape the demiplane, the wizard would simply Plane Shift out:

…You can specify a target destination in general terms … and you appear in or near that destination.

Bypassing NET::ERR_CERT_DATE_INVALID

When I try to access the Openmailbox web site, Google Chrome returns a NET::ERR_CERT_DATE_INVALID error. The details state that “openmailbox.org normally uses encryption to protect your information. When Google Chrome tried to connect to openmailbox.org this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be openmailbox.org, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit openmailbox.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.” This has continued for a few days.

Is it safe to set up a program such as Thunderbird to access my Openmailbox account without manually visiting the web site, or would doing so still expose me to the security risk?

XSS attack on value field by bypassing encoded double quotes

Consider a website that handles a search query like this:

    <input class="something" type="search-field" value="SEARCHQUERY">

If I try to inject this script, it doesn't work…

    " onerror="alert(0)

This is probably because the website encodes the double quote as &quot;. I even tried double encoding by encoding the double quote as %2522, but the website seems to render this as "%22 onerror%22alert(0)" and, for some reason, the %22 is not further decoded.

Is there a way to bypass this?
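Added example, not code from the post: a Python model of the server behaviour the post observes (the query is percent-decoded once by the server, then HTML-encoded and spliced into the attribute), with the encoding switched off as the vulnerable variant. The markup is then fed through a tokenizer so the result is judged by the attributes a browser would see rather than by eyeballing the string. The decode-once-then-escape pipeline is an assumption reconstructed from the post; the `%2522 onerror=%2522alert(0)` payload is constructed to match the rendering the post reports.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

TEMPLATE = '<input class="something" type="search-field" value="{}">'

# Constructed payloads: the post's quote-breaking attempt and a double-encoded variant.
PAYLOAD = '" onerror="alert(0)'
DOUBLE_ENCODED = '%2522 onerror=%2522alert(0)'


def render_search_field(raw_query: str, escape: bool = True) -> str:
    """Model of the server (assumption): one round of percent-decoding, then HTML
    attribute encoding, then substitution into the template.
    escape=False is the vulnerable variant that splices the raw value in."""
    decoded = unquote(raw_query)            # %2522 -> %22; it is not decoded a second time
    value = html.escape(decoded, quote=True) if escape else decoded   # " -> &quot;
    return TEMPLATE.format(value)


class _AttrCollector(HTMLParser):
    """Collect the attributes of every <input> tag as a tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'input':
            self.inputs.append(dict(attrs))   # attribute values arrive entity-decoded


def input_attributes(markup: str) -> dict:
    """Return the attribute dict of the first <input> in the markup."""
    collector = _AttrCollector()
    collector.feed(markup)
    return collector.inputs[0]


if __name__ == '__main__':
    for label, markup in (('escaped', render_search_field(PAYLOAD)),
                          ('unescaped', render_search_field(PAYLOAD, escape=False)),
                          ('double-encoded, escaped', render_search_field(DOUBLE_ENCODED))):
        print(label)
        print('  markup:', markup)
        print('  attributes:', input_attributes(markup))
```

In the escaped cases the tokenizer reports a single `value` attribute whose content is the whole payload, and no `onerror`; only the unescaped variant yields a separate `onerror` attribute. Because `%` is not an HTML-special character, the double-encoded input survives the escape step unchanged and lands in the attribute as the literal `%22`, which is exactly what the post reports seeing.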

Bypassing valid certificate requirement for websockets

I’m attempting to connect to a websocket server hosted in C# using SuperWebSockets from a page. The issue is that the websocket server generates a self-signed certificate, making it difficult to connect to from the browser. The ServerConfig of the SuperWebSocket has “tls” for Security and passes on a self-signed certificate filepath through the Certificate member of the ServerConfig.

I was wondering if anyone knew any hacky tricks to connect to this web socket server from a web page, I’m open to ideas for either/both Firefox or Chrome. I know there are ways to do this if the user adds an exception for the certificate or disables certificate validation, but I need a method that’s pure javascript. Perhaps emulating TLS?

Bypassing file extension check

I am dealing with a self-made extension check in C#:

    using System;
    using System.IO;

    // whitelisted_hashes is a static string[] of allowed extensions defined elsewhere
    // in the class; its contents are not given here.

    public static string GetFilename(string url)
    {
        string filename = url.Substring(url.LastIndexOf("/") + 1);
        if (filename.Contains("."))
        {
            // Extension = everything after the last dot, lower-cased
            string extension = filename.Substring(filename.LastIndexOf(".") + 1).ToLower();

            string[] blacklisted_extensions = new string[]
            {
                "exe",
                "msi",
                "msp",
                "msu",
                "p2"
            };

            for (int i = 0; i < blacklisted_extensions.Length; i++)
            {
                if (blacklisted_extensions[i] == extension)
                {
                    throw new Exception("Blacklisted extension");
                }
            }

            bool found_whitelisted_extension = false;
            for (int i = 0; i < whitelisted_hashes.Length; i++)
            {
                if (whitelisted_hashes[i] == extension)
                {
                    found_whitelisted_extension = true;
                    break;
                }
            }

            if (!found_whitelisted_extension)
                throw new Exception("Invalid extension");
        }

        // Replace characters Windows does not allow in file names with a space
        foreach (char oldChar in Path.GetInvalidFileNameChars())
        {
            filename = filename.Replace(oldChar, ' ');
        }

        return filename;
    }

The goal is to have GetFilename return a filename that, if you wrote to it, would result in a file with one of the specified blacklisted hashes. The operating system is Windows, therefore I’m thinking there might be some filename tricks you can do to have Windows save under another extension without using a dot. Assume the list of whitelisted hashes does not contain any extensions that could be used to execute code. Any ideas?