Note: This article was authored by me and originally published on Moonfare’s Official Blog as part of my work at Moonfare. It is republished here on my personal blog with permission.

This post explores the limitations of GitHub Advanced Security (GHAS) and how Witcher enhances security management by providing greater scalability, control, and efficiency across repositories.

An Introduction to GitHub Advanced Security (GHAS)

GitHub Advanced Security (GHAS) is a comprehensive security suite that enhances code security. It offers a range of features that integrate directly into the development workflow, protecting at the pull request (PR) level to identify and mitigate vulnerabilities early.


Background

During a Pentest, we came across a scenario where the application was sending a token in response which will be used in the next request so that it can prevent request replay. On top of that, we can’t use macros to send requests for tokens due to limitations.

To overcome this challenge, we developed a SRePlay, Burp Plugin to bypass Replay Protection which will extract the value of the token from the last response and automatically update the future request with the new token on the fly resulting in Request Replay Protection bypass.


In this post, I’ll be discussing how to decrypt the mobile app AES Encrypted traffic on the fly using AES Killer.

Pre-requisites

  • Familiarity with Frida and hooking
  • Familiarity with Burpsuite and Genymotion

Requirements and Setup

  • 11x256 demo app and server

  • Frida

    • Frida on Local machine, can be installed using pip install frida
    • Frida Server on Android device, download latest version from GitHub Releases
  • Burpsuite


Demo App

For this usage guide, weI’ll be using the AES Killer - Demo App where I have simulated all possible scenarios with different variation in request and response to cover maximum possible combination which could occur. I have simulated the following test cases.

  • Complete Request & Response
  • Specific Request Parameters and complete response
  • Specific JSON Request parameters & complete response
  • Specific Request and Response Parameters
  • Override Request & Response

The application is sending back post data in response