
IWSP Week 16

Started on #6Q0T6 this week.

It was a mobile application pentest, so it's different from everything that I've done thus far (the API server side is similar, though). The application looked a little outdated in terms of how it was designed, so I was hopeful.

One of the findings was being able to access the details of the connected devices without authentication. A user just needs to POST the username to the API and it will return details such as:

  1. App version
  2. App name
  3. Device name
  4. Device ID
  5. Device OS name
  6. Device OS version

Will do more extensive testing and decompilation of the APK next week.
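
The finding above as a server-side sketch, added here as an example and not code from the tested application: the first handler trusts the posted username, the second takes the caller's identity from an authenticated session. The handler names, the session store and the sample device records are assumptions constructed for illustration.

```python
import secrets

# Constructed sample data: field names mirror the details listed in the post.
DEVICES = {
    "alice": [{"app_version": "1.0.0", "app_name": "ExampleApp",
               "device_name": "Alice's phone", "device_id": "DEV-0001",
               "os_name": "Android", "os_version": "13"}],
    "bob": [{"app_version": "1.0.0", "app_name": "ExampleApp",
             "device_name": "Bob's tablet", "device_id": "DEV-0002",
             "os_name": "Android", "os_version": "12"}],
}
SESSIONS = {}  # session token -> username, filled in at login (hypothetical store)


def login(username):
    """Stand-in for a real login flow: issue an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def devices_unauthenticated(body, headers):
    """The behaviour in the finding: the username in the body is trusted."""
    return 200, DEVICES.get(body.get("username"), [])


def devices_authenticated(body, headers):
    """Hardened: identity comes from the session, never from the request body."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    caller = SESSIONS.get(token) if scheme == "Bearer" else None
    if caller is None:
        return 401, {"error": "authentication required"}
    requested = body.get("username", caller)
    if requested != caller:
        # Same response whether or not the other account exists,
        # so the endpoint does not confirm usernames.
        return 403, {"error": "forbidden"}
    return 200, DEVICES.get(caller, [])
```

The hardened handler returns 401 without a valid session and 403 for any username other than the caller's own, so the device details are only ever served to the account they belong to.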