Awesome

ParseRevealer

Parse Revealer is a pentesting utility for Mac OS X that helps with analysis of Parse account used in an application under test. More info on attacking Parse is available in this article (russian version).

It has the following capabilities at the moment:

• Validity checking of Parse Application ID and Client Key.
• Getting the list of access permissions for custom Parse classes.
• Revealing the structure of custom Parse classes with 'Find' permission set to 'YES',
• Exporting all the revealed data to .txt.

WARNING: Parse Revealer can leave a trace in Parse classes - it adds new fields and objects when testing the corresponding permissions, so be careful.

Installation

The installation is simple - build and run the application in Xcode.

Usage

1. Enter the applicationId and clientKey derived from the target app.
2. Enter the names of Parse classes, also derived from the target, and click 'Save'.
3. Go to the 'ACL Revealing' tab and click 'Reveal'. After a few seconds you'll see the list of access permissions for all saved classes.
4. Go to the 'Structure Revealing' tab, also click 'Reveal', and enjoy the structure of your classes.
5. On the last tab you can export all the revealed data to txt format.

Version

0.2

Author

Egor Tolstoy - @igrekde.

License

ParseRevealer is available under the MIT license. See the LICENSE file for more info.

Todo's

• Browse through objects in a specified class,
• Create, update and delete objects in a specified class,
• Dump all the classes to different file formats,
• Stable work with objects-defined ACLs.