Sec-88
  • πŸ§‘Whoami
  • πŸ•ΈοΈWeb-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
    • DNS Dangling / NS Takeover
  • βœ‰οΈAPI-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • πŸ“±Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • πŸ“ΆNetwork-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • πŸ’»Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
    • Amazon Cognito Misconfiguraitons
  • πŸ‘¨β€πŸ’»Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • πŸ–₯️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
  • IOS-AppSec
Powered by GitBook
On this page
  • Essential Frida CLI Commands
  • Java Hooks
  • 1. Hook a Java Method
  • 2. Hook Method Overloads
  • 3. Enumerate Live Instances
  • 4. Hook Constructor
  • 5. Override Parameters
  • Native & Memory Hooks
  • 6. Hook Native Function
  • 7. Memory Pattern Search
  • 8. Memory Dump
  • Security Bypasses
  • 9. Bypass SSL Pinning
  • 10. Bypass Root Detection
  • 11. Bypass Emulator Detection
  • Data & Network Monitoring
  • 12. Hook Encryption/Decryption
  • 13. Monitor Network Traffic
  • 14. Hook Shared Preferences
  • Game & Logic Manipulation
  • 15. Modify Game Logic
  • 16. Set High Score
  • Advanced Techniques
  • 17. Trace Method Calls
  • 18. Hook Dynamic Class Loading
  • 19. Enumerate Exports
  • 20. UI Toast Injection
  • Example: Pentest a Login

Was this helpful?

Edit on GitHub
  1. Android-AppSec

Frida Cheat Sheet

Essential Frida CLI Commands

Start your pentesting session with these core commands to manage Frida and interact with apps:

  • List Processes: frida-ps -U Shows running processes on a USB-connected device (-R for remote).

  • Spawn App: frida -U -f <package_name> -l script.js Launches an app (e.g., com.example.app) and injects script.js.

  • Attach to Process:

    • By Name: frida -U -n <process_name> -l script.js

    • By PID: frida -U -p <PID> -l script.js Injects script into a running process.

  • Run Without Pausing: frida -U -f <package_name> -l script.js --no-pause Starts app without halting, ideal for automation.

  • Save Output: frida -U -f <package_name> -l script.js > log.txt Redirects console logs to a file.

  • Load Multiple Scripts: frida -U -f <package_name> -l script1.js -l script2.js Injects several scripts sequentially.

  • Interactive REPL: frida -U -f <package_name> Opens a live scripting console for debugging.

  • Trace Native Functions: frida-trace -U -i "<function_name>" <package_name> Auto-traces native functions (e.g., decrypt) and generates hook templates.

  • Hook System Process: frida -U -p 1 -l script.js Attaches to init (PID 1) for system-wide hooks (needs root).

  • Kill Process: frida-kill -U <PID> Terminates a process by PID for restarts.

  • Check Frida Server: adb shell "ps | grep frida" Verifies if frida-server is running on the device.

  • Start Frida Server: adb shell "/data/local/tmp/frida-server &" Runs frida-server in the background (adjust path if needed).

  • Explore with Objection: objection -g <package_name> explore Launches Objection for runtime app exploration.

  • Version Check: frida --version Confirms installed Frida version.

Java Hooks

1. Hook a Java Method

Log or modify method behavior.

Java.perform(function() {
    var Auth = Java.use("com.example.app.Auth");
    Auth.login.implementation = function(username, password) {
        console.log(`[+] Login: ${username}, ${password}`);
        return true; // Force success
    };
});

Use Case: Bypass authentication or log inputs. Tip: Return this.login(username, password) to keep original behavior.

2. Hook Method Overloads

Target specific parameter signatures.

Java.perform(function() {
    var Utils = Java.use("com.example.app.Utils");
    Utils.process.overload('java.lang.String').implementation = function(data) {
        console.log(`[+] Process: ${data}`);
        return this.process("modified");
    };
});

Use Case: Alter inputs for overloaded methods. Tip: Find exact types in decompiled code (e.g., via JADX).

3. Enumerate Live Instances

Interact with runtime objects.

Java.perform(function() {
    Java.choose("com.example.app.User", {
        onMatch: function(instance) {
            console.log(`[+] User: ${instance.username.value}`);
            instance.isAdmin.value = true;
        },
        onComplete: function() {
            console.log("[+] Instance scan done");
        }
    });
});

Use Case: Escalate privileges or dump session data. Tip: Verify field names in APK decompilation.

4. Hook Constructor

Control object initialization.

Java.perform(function() {
    var Item = Java.use("com.example.app.Item");
    Item.$init.overload('int').implementation = function(value) {
        console.log(`[+] Item init: ${value}`);
        this.$init(9999); // Max value
    };
});

Use Case: Set high values for game items or user attributes. Tip: Useful for apps creating sensitive objects.

5. Override Parameters

Force specific method inputs.

Java.perform(function() {
    var Game = Java.use("com.example.app.Game");
    Game.setScore.implementation = function(score) {
        console.log(`[+] Old score: ${score}`);
        return this.setScore(1000000); // Max score
    };
});

Use Case: Test edge cases or manipulate state. Tip: Log inputs to understand default behavior.

Native & Memory Hooks

6. Hook Native Function

Intercept calls in .so libraries.

Interceptor.attach(Module.getExportByName("libnative.so", "decrypt"), {
    onEnter: function(args) {
        console.log(`[+] Decrypt arg: ${args[0].readUtf8String()}`);
    },
    onLeave: function(retval) {
        console.log(`[+] Decrypt result: ${retval.readUtf8String()}`);
    }
});

Use Case: Capture plaintext from native crypto functions. Tip: Run Module.enumerateExports("libnative.so") to list hookable functions.

7. Memory Pattern Search

Find byte patterns in memory.

Memory.scan(Process.enumerateRanges('rw-'), "41 42 43", {
    onMatch: function(address, size) {
        console.log(`[+] Found at: ${address}`);
    },
    onComplete: function() {
        console.log("[+] Scan complete");
    }
});

Use Case: Locate hardcoded keys or tokens. Tip: Use Ghidra/IDA to identify patterns.

8. Memory Dump

Read raw memory at an address.

function dumpMemory(address, size) {
    console.log(hexdump(Memory.readByteArray(ptr(address), size), { length: size }));
}

Use Case: Extract runtime secrets like keys. Tip: Combine with frida-trace to pinpoint addresses.

Security Bypasses

9. Bypass SSL Pinning

Disable pinning for traffic interception.

Java.perform(function() {
    var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
    var TrustManager = Java.registerClass({
        name: "com.example.FakeTrustManager",
        implements: [X509TrustManager],
        methods: {
            checkClientTrusted: function(chain, authType) {},
            checkServerTrusted: function(chain, authType) {},
            getAcceptedIssuers: function() { return []; }
        }
    });
    var SSLContext = Java.use("javax.net.ssl.SSLContext");
    var context = SSLContext.getInstance("TLS");
    context.init(null, [TrustManager.$new()], null);
});

Use Case: Proxy HTTPS traffic with Burp Suite. Tip: If ineffective, try hooking OkHttpClient$Builder.

10. Bypass Root Detection

Spoof root checks.

Java.perform(function() {
    var File = Java.use("java.io.File");
    File.exists.implementation = function() {
        var path = this.getAbsolutePath();
        if (path.includes("su") || path.includes("magisk")) {
            console.log("[+] Bypassing root path: " + path);
            return false;
        }
        return this.exists();
    };
});

Use Case: Run apps on rooted devices. Tip: Also hook custom classes like RootChecker.isRooted.

11. Bypass Emulator Detection

Trick apps into running on emulators.

Java.perform(function() {
    var System = Java.use("java.lang.System");
    System.getProperty.overload('java.lang.String').implementation = function(prop) {
        if (prop.includes("os.name") || prop.includes("os.version")) {
            console.log("[+] Bypassing emulator check");
            return "android";
        }
        return this.getProperty(prop);
    };
});

Use Case: Test apps that block emulators. Tip: Check for custom detection logic in decompiled code.

Data & Network Monitoring

12. Hook Encryption/Decryption

Capture crypto inputs and outputs.

Java.perform(function() {
    var Crypto = Java.use("com.example.app.Crypto");
    Crypto.decrypt.implementation = function(input) {
        console.log(`[+] Decrypt input: ${input}`);
        var result = this.decrypt(input);
        console.log(`[+] Decrypt output: ${result}`);
        return result;
    };
});

Use Case: Extract plaintext from encrypted data. Tip: Look for classes named Cipher, Crypto, or Utils.

13. Monitor Network Traffic

Log HTTP/HTTPS connections.

Java.perform(function() {
    var HttpURLConnection = Java.use("java.net.HttpURLConnection");
    HttpURLConnection.connect.implementation = function() {
        console.log(`[+] URL: ${this.getURL()}`);
        return this.connect();
    };
});

Use Case: Discover API endpoints or third-party services. Tip: Use with SSL bypass for full traffic visibility.

14. Hook Shared Preferences

Monitor key-value storage.

Java.perform(function() {
    var SP = Java.use("android.content.SharedPreferences");
    SP.getString.implementation = function(key, defValue) {
        var value = this.getString(key, defValue);
        console.log(`[+] SharedPrefs: ${key}=${value}`);
        return value;
    };
});

Use Case: Capture auth tokens or settings. Tip: Hook Editor.putString to log writes.

Game & Logic Manipulation

15. Modify Game Logic

Alter mechanics (e.g., dice rolls).

Java.perform(function() {
    var Dicer = Java.use("com.example.app.Dicer");
    Dicer.rollDice.implementation = function(poolSize, faceNum) {
        console.log(`[+] Rolling: ${poolSize}, ${faceNum}`);
        var result = this.rollDice(poolSize, faceNum);
        for (var i = 0; i < result.length; i++) {
            result[i] = faceNum; // Max roll
        }
        console.log(`[+] Fixed: ${result}`);
        return result;
    };
});

Use Case: Force high scores or test logic flaws. Tip: Adapt for any array-based method.

16. Set High Score

Manipulate leaderboard data.

Java.perform(function() {
    var Profile = Java.use("com.example.app.Profile");
    Profile.setHighScore.implementation = function(score) {
        console.log(`[+] Old score: ${score}`);
        return this.setHighScore(999999);
    };
});

Use Case: Test server-side validation or UI limits. Tip: Check if scores are client- or server-enforced.

Advanced Techniques

17. Trace Method Calls

Log call stacks for debugging.

Java.perform(function() {
    var Exception = Java.use("java.lang.Exception");
    Exception.$init.overload().implementation = function() {
        console.log("[+] Stack trace:");
        this.getStackTrace().forEach(function(frame) {
            console.log(`\t${frame}`);
        });
        return this.$init();
    };
});

Use Case: Map app flow or find hidden methods. Tip: Combine with specific hooks for context.

18. Hook Dynamic Class Loading

Monitor runtime-loaded classes.

Java.perform(function() {
    var ClassLoader = Java.use("java.lang.ClassLoader");
    ClassLoader.loadClass.overload('java.lang.String').implementation = function(name) {
        console.log(`[+] Loading: ${name}`);
        return this.loadClass(name);
    };
});

Use Case: Detect obfuscated or anti-tamper code. Tip: Useful for complex apps.

19. Enumerate Exports

List native library functions.

Module.enumerateExports("libtarget.so").forEach(function(exp) {
    console.log(`[+] Export: ${exp.name} @ ${exp.address}`);
});

Use Case: Find hookable native functions. Tip: Run before crafting native hooks.

20. UI Toast Injection

Display custom messages.

Java.perform(function() {
    var Toast = Java.use("android.widget.Toast");
    var Context = Java.use("android.app.ActivityThread").currentApplication().getApplicationContext();
    Java.scheduleOnMainThread(function() {
        Toast.makeText(Context, Java.use("java.lang.String").$new("Frida Hook Active!"), 1).show();
    });
});

Use Case: Confirm hook execution or test UI. Tip: Always use scheduleOnMainThread for UI tasks.

Example: Pentest a Login

  1. Find Class: Decompile to locate com.example.app.Auth.

  2. Hook Login:

    Java.perform(function() {
    var Auth = Java.use("com.example.app.Auth");
    Auth.login.implementation = function(user, pass) {
        console.log(`[+] Login: ${user}, ${pass}`);
        return true;
    };
});

  3. Log APIs: Use network hook for endpoints.

  4. Check Storage: Hook SharedPreferences for tokens.

  5. Bypass Protections: Apply SSL/root bypass if needed.

PreviousHacking InsecureBankv2 AppNextNetwork-Sec

Last updated 1 month ago

Was this helpful?

Pro Tip: Use frida --help for more options. Visit for advanced guides.

πŸ“±
frida.re/docs