BFScan: Uncover Hidden URLs, Paths, & Secrets in JAR/WAR/APK Files

BFScan – Tool for initial processing of APK / XAPK / DEX / JAR / WAR applications.

Use

java -jar bfscan.jar <jar_war_apk> <...> [-m <mode>] [-ma <minifiedAnnotationsSupport>] [-r <mappingFile>] [-s <searchString>] [-u <url>] [-v <verbose>]

-m <mode>                          Mode ([a]ll, [s]ecrets, [h]ttp), default: all
-ma <minifiedAnnotationsSupport>   Minified or unknown annotations support (yes, no), default: yes
-r <mappingFile>                   Deobfuscation mapping file
-s <searchString>                  Search string
-u <url>                           API base url (http://localhost/api/)
-v <verbose>                       Log level (off, error, warn, info, debug, trace)

java -jar bfscan.jar test/*.apk -u https://example.tld/api/

Example

For the following class, which uses Spring annotations, BFScan generates the results shown under Results.

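import java.util.Optional;
import org.springframework.web.bind.annotation.*;

// User is the application's request-body class (not shown here).
@RestController
@RequestMapping("/api")
public class UserController {

    // Class-level "/api" plus method-level "createUser" give POST /api/createUser
    @PostMapping("createUser")
    public String create(@RequestParam Optional<String> someParamName, @RequestBody User user) {
        return "response";
    }
}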

Results

Method: com.mycompany.springbootexample.UserController->create

  • Spring Method
    POST /api/createUser?someParamName=value HTTP/1.1
    Host: localhost
    Connection: close
    Content-Type: application/json

    {
    "name": "name",
    "age": 1
    }
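
The reconstructed requests are easier to review as an endpoint inventory, for instance to compare them against the documented API or an authorization matrix. The following Python sketch is an added example, not part of BFScan: it assumes the tool's output was saved as text in the layout shown above, and the function name parse_results and the result field names are hypothetical.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

METHOD_RE = re.compile(r"^Method:\s*(?P<cls>[\w.$]+)->(?P<name>[\w$<>]+)$")
REQUEST_RE = re.compile(r"^(?P<verb>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d(?:\.\d)?$")

SAMPLE = """\
Method: com.mycompany.springbootexample.UserController->create

  • Spring Method
    POST /api/createUser?someParamName=value HTTP/1.1
    Host: localhost
    Connection: close
    Content-Type: application/json

    {
    "name": "name",
    "age": 1
    }
"""  # constructed sample in the layout of the Results section

def parse_results(text):
    """Return one dict per HTTP request; assumes the layout shown under Results."""
    entries, handler, cur, in_body = [], None, None, False
    for line in map(str.strip, text.splitlines()):
        method, request = METHOD_RE.match(line), REQUEST_RE.match(line)
        if method or line.startswith("•"):  # new handler or new result bullet
            handler = f"{method['cls']}->{method['name']}" if method else handler
            cur, in_body = None, False
        elif request and handler:
            url = urlsplit(request["target"])
            params = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
            cur, in_body = {"handler": handler, "verb": request["verb"], "path": url.path,
                            "query_params": params, "headers": {}, "body": ""}, False
            entries.append(cur)
        elif cur is not None and in_body:
            cur["body"] += line
        elif cur is not None and not line:
            in_body = True  # blank line separates headers from the body
        elif cur is not None and ":" in line:
            key, value = line.split(":", 1)
            cur["headers"][key.strip().lower()] = value.strip()
    for entry in entries:
        try:
            body = json.loads(entry["body"]) if entry["body"] else {}
        except ValueError:
            body = {}  # body is not JSON; the raw text stays in entry["body"]
        entry["body_fields"] = sorted(body) if isinstance(body, dict) else []
    return entries
```

Each returned entry ties a handler method to its verb, path, query parameter names and JSON body fields, which is the level of detail needed to check that every discovered route has an owner and an access-control decision.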

Obfuscated code

If you are analyzing an application that uses a supported library, but its code is obfuscated, you can create a mapping file to replace the class names.

To do this, rename the classes manually with the “Rename” function in the decompiled code in jadx-gui, then save the generated mapping file (File > Save mappings). Alternatively, take an example mapping file for Retrofit and adapt it to your application.

Example of analyzing an application while renaming classes with a mapping file:

java -jar BFScan.jar ./tests/example.apk -r ./tests/mapping.txt
