Using Burp Suite for Penetration Testing of the ZhiXin Mobile Application
This article explains how to employ Burp Suite to conduct comprehensive penetration testing on the ZhiXin mobile app, covering setup, proxy configuration, detection of sensitive data leaks, privilege escalation, XSS, and SQL injection vulnerabilities, and provides remediation recommendations.
1. Background
As the ZhiXin app expands, information security and defensive measures have become a focal point for mobile applications. Apps built primarily on WebView communicate through HTTP or HTTPS requests, and flaws in those interfaces can lead to user data leakage; security testing is therefore a reliable way to protect user information.
Burp Suite is a mainstream penetration testing tool that combines the advantages of Fiddler and Charles, works cross‑platform, and integrates various scanning plugins that can be used individually or together, making it an ideal choice for security testing. This article introduces the specific application of Burp Suite in the ZhiXin app.
2. Penetration Testing
2.1 What is Penetration Testing
Penetration testing involves, with user authorization, simulating hacker attacks on a system to discover hidden risks.
2.2 Why Perform Penetration Testing
Penetration testing uses technical methods to verify a target system's security, identifying hidden vulnerabilities to achieve proactive defense.
The goal is to discover and resolve issues before they affect user safety.
3. What is Burp Suite
Burp Suite is an integrated platform for attacking web and mobile applications, primarily used for security penetration testing. It provides request interception, Burp Spider crawling, vulnerability scanning, brute‑force login cracking, and session token randomness checks.
3.1 Using Burp Suite for Traffic Capture
For the ZhiXin client, Burp Suite is used mainly to capture intercepted requests and analyze their contents.
Environment: a Windows PC with Burp Suite v1.6.17 installed and an Android phone.
(1) Connect the Android client and PC to the same Wi‑Fi subnet.
(2) Open Burp Suite and configure Proxy Listener (Proxy → Options → Proxy Listeners).
Click the "Add" button to set a new proxy listener with the PC's IP address and a custom port (e.g., 8080).
(3) Configure the phone's proxy: in Wi‑Fi settings, set the proxy to manual and input the "Proxy host name" and "Proxy port" matching the listener created in Burp Suite.
(4) To capture HTTPS traffic, install Xposed with the JustTrustMe module (which disables the app's certificate verification) on the phone and restart. On the PC, use Chrome or Firefox to browse to the listener's IP address and port, download the Burp Suite CA certificate, and install it as a trusted CA certificate on the phone.
3.2 Burp Suite Testing Process
This article uses Burp's proxy to capture application‑related information and analyze vulnerabilities in the ZhiXin client.
The main approach is to obtain application links, forms, and other requests via the proxy, then scan and attack them with Burp Suite for vulnerability detection.
4. Penetration Test Findings and Remediation
The testing focuses on sensitive information leakage, privilege escalation, XSS, and SQL injection vulnerabilities.
4.1 Sensitive Information Detection
4.1.1 Common Sensitive Data
Typical sensitive data includes plaintext transmission of usernames, passwords, verification codes, ID numbers, etc.
4.1.2 Detection Process
Check whether API responses or parameters directly expose user‑sensitive information.
Verify whether server logs store or print sensitive data.
4.1.3 Remediation
Encrypt any returned or displayed sensitive information such as phone numbers or email addresses.
Prevent server logs from printing or storing sensitive data. In the test, the login API was found to encrypt passwords before transmission, so no leakage was observed there.
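As an added example (not code from the original article or the ZhiXin project), a small Python scanner that applies the 4.1.2 checks to captured response bodies or server log lines: it flags secret fields carried in plaintext and values that look like phone numbers, ID numbers or e-mail addresses. The field names, value patterns and the "already hashed" heuristic are assumptions, and the sample responses and log line are constructed.

```python
import json
import re

# Assumed value patterns (illustrative, not from the article): 11-digit mobile number,
# 18-character ID number, and an e-mail address.
PATTERNS = {
    "phone": re.compile(r"(?<!\d)1\d{10}(?!\d)"),
    "id_number": re.compile(r"(?<![\dXx])\d{17}[\dXx](?![\dXx])"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}
# Assumed names of fields whose value must never appear in plaintext in a response or log.
SECRET_FIELDS = {"password", "passwd", "pwd", "verify_code", "sms_code"}
# Heuristic for "already encrypted/hashed": a hex digest of at least 32 characters.
HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32,}$")

def scan_text(text: str) -> list:
    """Findings (kind, value) for sensitive-looking values in free text such as a log line."""
    return [(kind, m.group(0)) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]

def scan_json(obj, path: str = "") -> list:
    """Walk a decoded JSON body: flag plaintext secret fields and sensitive-looking string values."""
    findings = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            sub = f"{path}.{key}" if path else key
            if key.lower() in SECRET_FIELDS and isinstance(val, str) and not HEX_DIGEST.match(val):
                findings.append(("plaintext_secret", sub))
            findings.extend(scan_json(val, sub))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            findings.extend(scan_json(val, f"{path}[{i}]"))
    elif isinstance(obj, str):
        findings.extend((kind, f"{path}={value}") for kind, value in scan_text(obj))
    return findings

def scan_response(body: str) -> list:
    """Scan one captured HTTP response body or log line (JSON if it parses, else plain text)."""
    try:
        return scan_json(json.loads(body))
    except json.JSONDecodeError:
        return scan_text(body)

# Constructed samples: a profile response that leaks, a login response that does not, a log line.
LEAKY = '{"user": {"name": "test", "phone": "13800138000", "password": "hunter2"}}'
SAFE = '{"user": {"name": "test", "password": "5d41402abc4b2a76b9719d911017c592"}}'
LOG_LINE = "2024-01-01 10:00:00 INFO login ok user=test idno=11010119900101123X"
```

Run scan_response over each body saved from Burp's HTTP history (or each line of the server log) and review every finding by hand; the patterns only narrow the search.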
4.2 Privilege Escalation Vulnerability
4.2.1 Introduction
Privilege escalation means that one account can access or control all users' data; it is usually caused by missing permission checks on create, read, update and delete (CRUD) operations.
4.2.2 Test Process
Modify ID-type parameters (for example, a case ID) in request URLs and check whether another user's data is returned.
4.2.3 Remediation
Permission verification should ensure that altering user‑identity parameters does not grant unauthorized access.
Using user A, attempts to modify request parameters should not retrieve user B's data.
Ordinary users should be unable to access or modify admin‑level interfaces; test results showed no data returned for altered case IDs, indicating no privilege escalation.
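The ownership check described in 4.2.3, as an added Python example that is not the ZhiXin code: the first handler returns whichever case ID the request names, the second returns data only when the case belongs to the caller or the caller is an admin, and the same check guards the write path. The case records, user names and the "admin" role are constructed.

```python
from typing import Optional

# Constructed data: case records owned by two ordinary users, plus an admin account.
CASES = {
    101: {"owner": "userA", "title": "A's report"},
    202: {"owner": "userB", "title": "B's report"},
}
ROLES = {"userA": "user", "userB": "user", "root": "admin"}

def get_case_vulnerable(current_user: str, case_id: int) -> Optional[dict]:
    # No permission check: any logged-in user reads any case just by changing the ID parameter.
    return CASES.get(case_id)

def get_case_fixed(current_user: str, case_id: int) -> Optional[dict]:
    case = CASES.get(case_id)
    if case is None:
        return None
    if ROLES.get(current_user) != "admin" and case["owner"] != current_user:
        # Deny exactly like a missing record, so valid IDs cannot be enumerated from the response.
        return None
    return case

def update_case_fixed(current_user: str, case_id: int, title: str) -> bool:
    """The same check on the write path: modifying another user's record must also be refused."""
    case = get_case_fixed(current_user, case_id)
    if case is None:
        return False
    case["title"] = title
    return True

def replay_escalation_test(handler, attacker: str = "userA", victim_case: int = 202) -> bool:
    """Replay 4.2.2: the attacker account requests a case ID it does not own.
    Returns True when the handler hands back the other user's data."""
    return handler(attacker, victim_case) is not None
```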
4.3 Cross‑Site Scripting (XSS) Vulnerability
4.3.1 Introduction
XSS attacks inject malicious scripts into webpages; when users view the page, the script executes, achieving the attacker’s goals.
4.3.2 Test Process
Enter the JavaScript probe <script>alert(123)</script> into an input field and check whether it executes when the stored value is displayed.
4.3.3 Remediation
Filter user‑provided content so that injected JS is not executed when displayed.
Avoid loading untrusted external resources such as JS, CSS, or iframes.
When the JS code was entered in the issue‑report description box, the history view displayed the code without execution, confirming no XSS vulnerability.
(Figure: the JS code entered in the description box)
(Figure: the JS code was displayed without execution; no XSS vulnerability)
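An added Python example (not the article's or the project's code) of the 4.3.3 remediation and of the check behind 4.3.2: a history view built by raw string insertion passes the probe to the browser as markup, the escaped version displays it as text, a helper classifies a captured response the way the tester read the history view, and a second helper lists external script, iframe and stylesheet URLs that are not on an allow-list. The page markup, the resource-attribute pattern and the allowed host are assumptions.

```python
import html
import re
from urllib.parse import urlparse

PAYLOAD = "<script>alert(123)</script>"  # the probe used in 4.3.2

def render_history_vulnerable(description: str) -> str:
    # Raw insertion: whatever the user typed becomes part of the page's markup.
    return f"<div class='history'><p>{description}</p></div>"

def render_history_fixed(description: str) -> str:
    # Escape on output: < > & " ' become entities, so the browser shows text and runs nothing.
    return f"<div class='history'><p>{html.escape(description, quote=True)}</p></div>"

def classify_reflection(response_body: str, payload: str = PAYLOAD) -> str:
    """Classify a captured response the way the tester read the history view:
    'unescaped' = probe reached the page as live markup (XSS), 'escaped' = shown as text."""
    if payload in response_body:
        return "unescaped"
    if html.escape(payload, quote=True) in response_body:
        return "escaped"
    return "absent"

# Assumed attribute pattern for the second remediation point (external JS/CSS/iframes).
RESOURCE_ATTR = re.compile(r"<(?:script|iframe|link)\b[^>]*?\b(?:src|href)=[\"']([^\"']+)", re.I)

def untrusted_resources(page: str, allowed_hosts: set) -> list:
    """URLs of script/iframe/link resources whose host is not on the allow-list.
    Relative URLs (no host) are treated as same-origin and allowed."""
    bad = []
    for url in RESOURCE_ATTR.findall(page):
        host = urlparse(url).hostname
        if host is not None and host not in allowed_hosts:
            bad.append(url)
    return bad
```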
4.4 SQL Injection Vulnerability
4.4.1 Introduction
SQL injection attacks insert malicious SQL commands into data inputs, allowing attackers to query, modify, or manage the database.
4.4.2 Test Process
Determine possible injection points as follows:
(1) For numeric parameters (e.g., id), request id=2-1 and id=1; identical results indicate that the parameter is evaluated as SQL arithmetic (numeric injection).
(2) Append single or double quotes, or logical operators (e.g., id=1' OR 'a'='a'), and observe error messages or changes in the results.
4.4.3 Remediation
Avoid executing raw SQL from parameters; use parameterized queries or escape/validate external inputs.
Manual injection attempts on parameters such as recTypeID showed no errors or altered results, indicating the absence of SQL injection.
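The 4.4.2 probes and the 4.4.3 fix replayed against an in-memory SQLite table, as an added Python example that is not from the article: with string-built SQL, id=2-1 returns the same row as id=1 and id=1' OR 'a'='a' produces a database error, while the validated, parameterized lookup returns the baseline row only for a genuine integer and nothing for either probe. The table, its rows and the recTypeID-style parameter are constructed.

```python
import sqlite3
from typing import Optional

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a record-type lookup keyed by recTypeID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rec_type (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO rec_type VALUES (?, ?)",
                     [(1, "fault"), (2, "complaint"), (3, "suggestion")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, rec_type_id: str) -> Optional[list]:
    # The raw request parameter is spliced into the statement (the defect 4.4.3 warns against).
    # Returns None when the database raises, i.e. the error message a tester would observe.
    try:
        return conn.execute(f"SELECT id, name FROM rec_type WHERE id = {rec_type_id}").fetchall()
    except sqlite3.OperationalError:
        return None

def lookup_fixed(conn: sqlite3.Connection, rec_type_id: str) -> Optional[list]:
    # Validate the type, then bind the value: the parameter can never be parsed as SQL.
    try:
        value = int(rec_type_id)
    except ValueError:
        return []  # reject non-integer input instead of letting the database interpret it
    return conn.execute("SELECT id, name FROM rec_type WHERE id = ?", (value,)).fetchall()

def replay_injection_probes(lookup, conn: sqlite3.Connection) -> dict:
    """Replay the 4.4.2 checks against a lookup function and report what the tester would see."""
    baseline = lookup(conn, "1")
    arithmetic = lookup(conn, "2-1")       # numeric probe: same rows as id=1 means it was evaluated
    quoted = lookup(conn, "1' OR 'a'='a")  # quote/operator probe: an error means it was parsed as SQL
    return {
        "arithmetic_evaluated": baseline not in ([], None) and arithmetic == baseline,
        "quote_causes_error": quoted is None,
    }
```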
5. Conclusion
Security testing is a crucial component of a software security framework. Using Burp Suite to perform penetration testing on ZhiXin helps keep vulnerabilities out of the production environment, thereby supporting product safety, robustness, and stability.
Future work will compare other security testing tools to efficiently uncover hidden risks and continuously provide users with a secure, high‑quality experience.
Zhengtong Technical Team