Monday, 31 August 2020

Attacking templates in a web creating application

Hi Everyone,

Few days back I was testing an application which allows users to create a web for them. I tested it for few days and found some critical vulnerabilities in it.

So consider this web application as target.com.

This application allows to create a web and we can install the templates that are available in the applications template store. There was also an option to create our own template.

So I started creating my own templates. These templates wont show up in the store as these are private templates and not Public. There was no option available to the user to create a Public template for security reason.

When I was creating a template I saw an api with a parameter "isPublic" which was set to false.

Ok, This looks interesting. 

I didn't have any idea at that moment why is that parameter being sent and that I cannot create a Public template.

I changed false to true and resumed my testing. After few moments I went to the template store just to check which templates are available and was excited to see my template there.


There I knew this was something critical.

My theme would be shown to every user who creates an account with target.com. 

I created a PoC with a template name "Target.com is not secure" to show the impact of the issue. This would mean that business of that application would be at risk.

The issue got fixed in a few hours. 
Posted by at No comments:

Tuesday, 22 November 2016

Unintended Data Leakage - Copy/paste buffer caching

When an application processes sensitive information taken as input from the user or any other source, it may result in placing that data in an insecure location in the device. This insecure location could be accessible to other malicious apps running on the same device, thus leaving the device in a serious risk state.

Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.

Below is the list of scenarios where unintended data leakage flaws may exist.
  • Leaking content providers
  • Copy/paste buffer caching
  • Logging
  • URL caching.
I will be using Appuse which is a vm developed for Android Application Penetration Testing.

Im using Insecure Bank V2 application.

Steps for Unintended Data Leakage Copy/paste buffer caching
1.Open the app and copy sensitive information on clipboard.
2.Open drozer on the android mobile.
3.Start the server.
4.Open the terminal and enter adb forward tcp:31415 tcp:31415
5.Now enter drozer console connect
6.On the drozer terminal enter run post.capture.clipboard
7. You will get the data copied onto the clipboard if the app allows it.
Posted by at 2 comments:

Monday, 26 September 2016

Unintended Data Leakage - Leaking content providers

When an application processes sensitive information taken as input from the user or any other source, it may result in placing that data in an insecure location in the device. This insecure location could be accessible to other malicious apps running on the same device, thus leaving the device in a serious risk state.

Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.

Below is the list of scenarios where unintended data leakage flaws may exist.
  • Leaking content providers
  • Copy/paste buffer caching
  • Logging
  • URL caching.
I will be using Appuse which is a vm developed for Android Application Penetration Testing.

Im using Insecure Bank V2 application.

Steps for Unintended Data Leakage Leaking content providers

1.Get the package name from androidmanifest.xml file of the app.

2.Open drozer on the android mobile.

3.Start the server.

4.Open the terminal and enter adb forward tcp:31415 tcp:31415

5.Now enter drozer console connect

6.On the drozer terminal enter run app.package.attacksurface package_name.

7. You will get if there are any exported content provider.

8.Enter run app.provider.finduri package_name to get the exported content provider name.

9. To get all the data enter run app.provider.query content_provider_name.








    Posted by at No comments:

    Thursday, 8 October 2015

    Insecure Data Storage Shared Preferences Database

    Shared Preferences

    Android provides many ways of storing data of an application.

    One of this way is called Shared Preferences. Shared Preferences allow you to save and retrieve data in the form of name,value pair.

    I will be using Appuse which is a vm developed for Android Application Penetration Testing.

    Im using Sieve application.

    Steps for Insecure Data Storage shared preferences database:

    1.Get the package name from androidmanifest.xml file of the app.

    To get package name of an app use the command

    apktool d app_name.apk

    2.Open the terminal and enter adb shell.

    3.su root.

    4.cd data/data/

    5.Enter into the directory of the app using the package name.

    6.cd package_name.

    7.Enter ls

    8.Enter into the directory with name shared preferences.

    9.Enter ls to view the files in the directory.

    10.Open a new terminal.

    11.Copy the file from android to your linux with command

    adb pull data/data/package_name/Shared_Pref/file_name

    12.Open the file in your linux.

    13.Search for sensitive data stored in the file.

    15.It can include usernames and passwords.
     
    Posted by at No comments:

    Wednesday, 7 October 2015

    Insecure Data Storage SQLite database


    Android offers multiple standard facilities for data storage

     1.Shared Preferences

     2.SQLite databases

    Each of these storage types can be created and accessed in various ways, including managed and native code, or through structured interfaces like Content Providers.

    Developers include plaintext storage of sensitive data, unprotected Content Providers and insecure file permissions.

    If an attackers gets access to the android mobile then he can use tools to get such information.

    This information can include username,password,credit card no.

    I will be using Appuse which is a vm developed for Android Application Penetration Testing.

    Im using Sieve application.

    To get the data stored in SQLite database use the following steps:

    1.Get the package name from androidmanifest.xml file of the app.

    To get package name of an app use the command

    apktool d app_name.apk

    2.Open the terminal and enter adb shell.

    3.su root (if you are not into the shell as root).

    4.cd data/data.

    5.Enter the directory of the app using cd package_name.

    6.Enter ls.

    7.Search for a directory with a name SQLite or database.

    8.Enter ls to get all the files in the directory.

    9.Copy the file from android to appuse

    adb pull data/data/package_name/SQLite/file_name

    10.To view the data in the file we will use sqlite3 tool. It is included in the Appuse. To use it open a terminal in appuse and enter sqlite3 filename.

    11.Enter .tables to get all the tables in the SQLite database.

    12. To view all the data in the table enter command select * from table_name;




    Posted by at 3 comments:
    Subscribe to: Posts (Atom)