Monday 14 September 2020

Thank you! No content-type

Hi Everyone,

I was testing an application a few days back. It was an investing application, and most of it was secure.

Suppose the application is target.com. It had a feature that let users upload a document.

I tested for the usual file upload vulnerabilities, but the application returned an error if I tried to upload anything other than the valid file types.

The application checked the content-type, the filename and also the file content.

When you uploaded any document, the response contained a URL from which the file could be downloaded.

Consider that when you upload a file the response will contain something like this:

200 OK

{{URL: https://target.com/file/1234}}

Since it was already checking that HTML could not be uploaded, I didn't test for XSS at first.

After testing that feature, I moved on to the other features of the application. I saw a few of my documents there, which I downloaded.

In the response I noticed something interesting: the response did not have a "Content-Type" header.

So the browser would inspect the file content and display it accordingly. For those who don't know: if no Content-Type is set in the response, the browser sniffs the file content; if the content looks like HTML it will render it as HTML, and if it is JavaScript it will render it as JavaScript.

So I went back to the upload feature to check for XSS. I already knew I didn't need to change the filename or Content-Type, because the application doesn't check those when it serves the document back to the user.

The only thing I needed to do was put my payload in the request body.

So I uploaded the document with a valid filename, test.jpg, without changing its content-type in the request, and put my payload in the content of the file.

It turned out that the server was also checking the file content and returned an error when I sent a payload. So there was a WAF checking for this.

After trying a few payloads I found that the script tag was blocked by the application, but it was not catching HTML tags sent in mixed case, such as <HtmL>. I also found that the img tag was not checked by the WAF.

I sent a payload like

<HTml><img src=x onerror="alert(2)"></HTml> 

It didn't work. Later I found out that the application was also checking for alert. I tried prompt, confirm and other ways of reaching alert, such as a;alert(2), but those didn't work either.

To get the bug bounty company to accept the issue I needed the payload to actually execute. After searching on Google I found that console.log can also be used to show the impact.

So I sent the payload.

It worked.

So I successfully bypassed the WAF, but that wasn't the trick here. The trick was that the uploaded file was served with no Content-Type.

Reported it to the company.

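The server-side fix for what this post describes, as an added example that is not the application's code: every download response carries the MIME type recorded at upload time, forbids sniffing and is forced to download, and a second function audits a response for the missing-Content-Type condition found above. The allowlist, header set and the tag list used for sniffing are assumptions (the real browser sniffing rules are more involved).

```python
import re

# Constructed allowlist: the types the upload check is assumed to accept.
ALLOWED_TYPES = {"image/jpeg", "image/png", "application/pdf"}

# Tags a browser treats as HTML when it sniffs an untyped body (a simplified
# subset of the real sniffing rules).
HTML_TAG = re.compile(rb"<\s*(html|script|img|body|iframe|svg)[\s>]", re.IGNORECASE)


def download_headers(stored_mime, filename):
    """Headers for serving an uploaded file so the browser never has to guess.

    stored_mime is the type recorded when the file was validated at upload,
    not anything the client sends when downloading.
    """
    ctype = stored_mime if stored_mime in ALLOWED_TYPES else "application/octet-stream"
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": ctype,
        # Even if Content-Type were wrong, forbid content sniffing.
        "X-Content-Type-Options": "nosniff",
        # Download instead of rendering inside target.com's origin.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # If it is rendered anyway, any script runs in an opaque origin.
        "Content-Security-Policy": "sandbox",
    }


def sniffable_as_html(headers, body):
    """Audit check for the condition in the post: would a browser render this
    download response as HTML? True when there is no Content-Type, sniffing is
    not forbidden, and the first 512 bytes look like markup."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("content-type"):
        return False
    if lower.get("x-content-type-options", "").lower() == "nosniff":
        return False
    return HTML_TAG.search(body[:512]) is not None
```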
Monday 31 August 2020

Attacking templates in a web creating application

Hi Everyone,

A few days back I was testing an application that lets users create a website. I tested it for a few days and found some critical vulnerabilities in it.

So consider this web application as target.com.

This application lets you create a website and install the templates available in the application's template store. There was also an option to create our own templates.

So I started creating my own templates. These templates won't show up in the store, because they are private templates, not public ones. For security reasons there was no option for a user to create a public template.

While creating a template I saw an API request with a parameter "isPublic" that was set to false.

Ok, This looks interesting. 

At that moment I had no idea why that parameter was being sent, given that I could not create a public template.

I changed false to true and resumed my testing. A few moments later I went to the template store just to check which templates were available, and was excited to see my template there.


That's when I knew this was something critical.

My template would be shown to every user who creates an account with target.com.

I created a PoC with a template named "Target.com is not secure" to show the impact of the issue. It meant the business of that application was at risk.

The issue got fixed in a few hours. 
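What the bug looks like in server-side code, as an added example that is not the application's code: a handler that binds the whole request body onto the template record beside one that allowlists the writable fields and decides visibility from the caller's role. "isPublic" is the parameter from the post; the user roles, record layout and rejection behaviour are assumptions.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class Template:
    owner: str
    name: str
    html: str = ""
    is_public: bool = False  # decides whether the store shows it to everyone


def create_template_vulnerable(user, payload):
    """Binds every field of the JSON body onto the record, so any user who
    adds "isPublic": true publishes straight to the store."""
    return Template(owner=user.name, name=payload["name"],
                    html=payload.get("html", ""),
                    is_public=bool(payload.get("isPublic", False)))


# Fields an ordinary user may set; anything else in the body is ignored.
USER_WRITABLE = {"name", "html"}


def create_template_fixed(user, payload):
    """Allowlists client-supplied fields and decides is_public on the server,
    from the caller's role, never from the request body alone."""
    if payload.get("isPublic") and not user.is_admin:
        # Reject rather than silently drop it: this request is worth logging.
        raise PermissionError("isPublic may only be set by store administrators")
    data = {k: v for k, v in payload.items() if k in USER_WRITABLE}
    return Template(owner=user.name, name=data["name"],
                    html=data.get("html", ""),
                    is_public=bool(payload.get("isPublic")) and user.is_admin)


def store_listing(templates):
    """What the template store shows to every account: public templates only."""
    return [t.name for t in templates if t.is_public]
```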

Tuesday 22 November 2016

Unintended Data Leakage - Copy/paste buffer caching

When an application processes sensitive information taken as input from the user or any other source, it may end up placing that data in an insecure location on the device. That location could be accessible to other, malicious apps running on the same device, putting the device at serious risk.

Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.

Below is the list of scenarios where unintended data leakage flaws may exist.
  • Leaking content providers
  • Copy/paste buffer caching
  • Logging
  • URL caching.
I will be using AppUse, a VM developed for Android application penetration testing.

I'm using the Insecure Bank V2 application.

Steps for Unintended Data Leakage Copy/paste buffer caching:
1. Open the app and copy sensitive information to the clipboard.
2. Open drozer on the Android device.
3. Start the server.
4. Open the terminal and enter adb forward tcp:31415 tcp:31415
5. Now enter drozer console connect
6. On the drozer terminal enter run post.capture.clipboard
7. You will get the data copied onto the clipboard if the app allows it.

Monday 26 September 2016

Unintended Data Leakage - Leaking content providers

When an application processes sensitive information taken as input from the user or any other source, it may end up placing that data in an insecure location on the device. That location could be accessible to other, malicious apps running on the same device, putting the device at serious risk.

Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.

Below is the list of scenarios where unintended data leakage flaws may exist.
  • Leaking content providers
  • Copy/paste buffer caching
  • Logging
  • URL caching.
I will be using AppUse, a VM developed for Android application penetration testing.

I'm using the Insecure Bank V2 application.

Steps for Unintended Data Leakage Leaking content providers:

1. Get the package name from the AndroidManifest.xml file of the app.

2. Open drozer on the Android device.

3. Start the server.

4. Open the terminal and enter adb forward tcp:31415 tcp:31415

5. Now enter drozer console connect

6. On the drozer terminal enter run app.package.attacksurface package_name.

7. The output shows whether there are any exported content providers.

8. Enter run app.provider.finduri package_name to get the name of the exported content provider.

9. To get all the data, enter run app.provider.query content_provider_name.

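The same question step 7 asks drozer, answered statically from the manifest, as an added example that is not from the post or from Insecure Bank: it lists every content provider another app can reach, applying the exported default that depends on the declared SDK versions. The manifest, package and provider names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: package name and provider names are made up.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".UserDataProvider"
              android:authorities="com.example.bank.userdata"
              android:exported="true"/>
    <provider android:name=".SafeProvider"
              android:authorities="com.example.bank.safe"
              android:exported="true"
              android:permission="com.example.bank.READ_SAFE"/>
    <provider android:name=".LegacyProvider"
              android:authorities="com.example.bank.legacy"/>
  </application>
</manifest>"""


def exported_providers(manifest_xml):
    """Return (name, authorities) for every provider another app can reach.

    A provider is exported when android:exported="true", or when the attribute
    is absent and either minSdkVersion or targetSdkVersion is 16 or lower
    (the default flipped to false from API 17). Providers guarded by
    android:permission are skipped: only apps granted it can query them.
    """
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    versions = [1] if sdk is None else [
        int(sdk.get(ANDROID + a, "1")) for a in ("minSdkVersion", "targetSdkVersion")]
    legacy_default = min(versions) <= 16
    found = []
    for p in root.iter("provider"):
        exported = p.get(ANDROID + "exported")
        if exported is None:
            exported = "true" if legacy_default else "false"
        if exported == "true" and p.get(ANDROID + "permission") is None:
            found.append((p.get(ANDROID + "name"), p.get(ANDROID + "authorities")))
    return found
```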
Thursday 8 October 2015

Insecure Data Storage Shared Preferences Database

Shared Preferences

Android provides many ways of storing an application's data.

One of these ways is called Shared Preferences. Shared Preferences allow you to save and retrieve data in the form of name/value pairs.

I will be using AppUse, a VM developed for Android application penetration testing.

I'm using the Sieve application.

Steps for Insecure Data Storage shared preferences database:

1. Get the package name from the AndroidManifest.xml file of the app.

To get the package name of an app, use the command

apktool d app_name.apk

2. Open the terminal and enter adb shell.

3. su root.

4. cd data/data/

5. Enter the directory of the app using the package name.

6. cd package_name.

7. Enter ls.

8. Enter the directory named shared preferences.

9. Enter ls to view the files in the directory.

10. Open a new terminal.

11. Copy the file from Android to your Linux machine with the command

adb pull data/data/package_name/Shared_Pref/file_name

12. Open the file on your Linux machine.

13. Search for sensitive data stored in the file.

14. It can include usernames and passwords.

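Step 13 automated, as an added example that is not from the post or from Sieve: a parser for the XML that Android writes to the app's shared_prefs directory, plus a check that flags entries whose key looks like a credential stored in the clear. The preference file below is constructed, and the key-name pattern is an assumption about what to look for.

```python
import re
import xml.etree.ElementTree as ET

# Constructed shared_prefs file in Android's on-disk format.
SAMPLE_PREFS = """<map>
    <string name="username">john</string>
    <string name="password">Sup3rSecret!</string>
    <boolean name="remember_me" value="true" />
    <string name="api_token">dGhpcyBpcyBub3QgYSByZWFsIHRva2Vu</string>
    <int name="launch_count" value="7" />
</map>"""

# Key names that usually mean a secret (assumed heuristic, tune per app).
SENSITIVE_KEY = re.compile(r"pass|pwd|pin|secret|token|key|auth|cred", re.IGNORECASE)


def load_prefs(xml_text):
    """Parse the shared_prefs format into {name: value}.

    <string> entries carry their value as element text; boolean, int, long
    and float entries carry it in a 'value' attribute.
    """
    prefs = {}
    for el in ET.fromstring(xml_text):
        prefs[el.get("name")] = el.text if el.tag == "string" else el.get("value")
    return prefs


def find_sensitive(prefs):
    """Return the entries whose key looks like a credential and that hold a
    non-empty value, i.e. secrets recoverable by anyone who can read the file."""
    return {name: value for name, value in prefs.items()
            if SENSITIVE_KEY.search(name or "") and value}
```

Anything this flags belongs in the Android Keystore or an encrypted store rather than in a plain preference file.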
Wednesday 7 October 2015

Insecure Data Storage SQLite database

Android offers multiple standard facilities for data storage:

1. Shared Preferences

2. SQLite databases

Each of these storage types can be created and accessed in various ways, including from managed and native code, or through structured interfaces like Content Providers.

Common developer mistakes include plaintext storage of sensitive data, unprotected Content Providers and insecure file permissions.

If an attacker gets access to the Android device, they can use tools to extract such information.

This information can include usernames, passwords and credit card numbers.

I will be using AppUse, a VM developed for Android application penetration testing.

I'm using the Sieve application.

To get the data stored in an SQLite database, use the following steps:

1. Get the package name from the AndroidManifest.xml file of the app.

To get the package name of an app, use the command

apktool d app_name.apk

2. Open the terminal and enter adb shell.

3. su root (if you are not in the shell as root).

4. cd data/data.

5. Enter the directory of the app using cd package_name.

6. Enter ls.

7. Search for a directory named SQLite or database.

8. Enter ls to get all the files in the directory.

9. Copy the file from Android to AppUse:

adb pull data/data/package_name/SQLite/file_name

10. To view the data in the file we will use the sqlite3 tool, which is included in AppUse. To use it, open a terminal in AppUse and enter sqlite3 filename.

11. Enter .tables to get all the tables in the SQLite database.

12. To view all the data in a table, enter the command select * from table_name;
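Steps 10 to 12 automated with Python's built-in sqlite3 module, as an added example that is not from the post or from Sieve: it lists the user tables the way .tables does and flags columns whose name suggests a credential or card number stored in the clear, showing one value as evidence. The database is constructed in memory; on a pulled file you would call sqlite3.connect(path) instead, and the column-name pattern is an assumed heuristic.

```python
import re
import sqlite3

# Column names that usually hold secrets (assumed heuristic, tune per app).
SENSITIVE_COL = re.compile(r"pass|pwd|pin|secret|token|card|cvv", re.IGNORECASE)


def build_sample_db():
    """Constructed stand-in for a pulled database file; values are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards(id INTEGER PRIMARY KEY, card_no TEXT, expiry TEXT);
        CREATE TABLE settings(key TEXT, value TEXT);
        INSERT INTO users(username, password) VALUES ('john', 'Sup3rSecret!');
        INSERT INTO cards(card_no, expiry) VALUES ('4111111111111111', '12/27');
        INSERT INTO settings VALUES ('theme', 'dark');
    """)
    return con


def list_tables(con):
    """Equivalent of .tables: every user table recorded in sqlite_master."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name").fetchall()
    return [r[0] for r in rows]


def sensitive_columns(con):
    """Map table -> [(column, first stored value)] for suspicious columns.

    Identifiers come from the database's own schema (PRAGMA table_info), so
    they are quoted as identifiers rather than passed as parameters.
    """
    findings = {}
    for table in list_tables(con):
        columns = [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            if SENSITIVE_COL.search(col):
                row = con.execute(f'SELECT "{col}" FROM "{table}" LIMIT 1').fetchone()
                findings.setdefault(table, []).append((col, row[0] if row else None))
    return findings
```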