Insecure Broadcast Receiver

The activity com.insecureshop.AboutUsActivity is exported and contains the following code:

public void onCreate(android.os.Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(2131492892); // decompiled resource id of the activity layout
    com.insecureshop.CustomReceiver customReceiver = new com.insecureshop.CustomReceiver();
    this.receiver = customReceiver;
    if (customReceiver == null) {
        // Kotlin lateinit guard emitted by the compiler; never true here
        kotlin.jvm.internal.Intrinsics.throwUninitializedPropertyAccessException("receiver");
    }
    // Dynamic registration: two-argument form, so no broadcast permission is required
    registerReceiver(customReceiver, new android.content.IntentFilter("com.insecureshop.CUSTOM_INTENT"));
}

Observe that a receiver is registered at runtime while onCreate executes. The registerReceiver call above binds customReceiver to the action com.insecureshop.CUSTOM_INTENT, so the receiver runs whenever a broadcast carrying that action is delivered to the app. Because the two-argument form of registerReceiver sets no broadcast permission, a broadcast from any other application on the device is enough to trigger it, and because the registration is dynamic, the receiver does not appear in AndroidManifest.xml.

The class com.insecureshop.CustomReceiver contains the following code:

public final class CustomReceiver extends android.content.BroadcastReceiver {
    public void onReceive(android.content.Context context, android.content.Intent intent) {
        android.os.Bundle extras;
        // Read the "web_url" string extra from the incoming broadcast (null if absent)
        java.lang.String stringExtra = (intent == null || (extras = intent.getExtras()) == null) ? null : extras.getString("web_url");
        java.lang.String str = stringExtra;
        // Only a null/blank check; scheme and host of the URL are never validated
        if (!(str == null || kotlin.text.StringsKt.isBlank(str))) {
            android.content.Intent intent2 = new android.content.Intent(context, com.insecureshop.WebView2Activity.class);
            intent2.putExtra("url", stringExtra); // forwarded unchanged as the "url" extra
            if (context != null) {
                context.startActivity(intent2);
            }
        }
    }
}

In CustomReceiver, onReceive runs when the broadcast arrives and reads the web_url extra from the incoming intent into str. If str is neither null nor blank, the receiver starts com.insecureshop.WebView2Activity with that value passed as the url extra. Nothing checks the scheme or host of the value, so whatever string the broadcast carried is forwarded unchanged to WebView2Activity.
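As an added example (not InsecureShop's own code), the following Kotlin rewrites both pieces shown above, the registration in AboutUsActivity and the receiver itself, in a hardened form: the receiver is registered as not exported, it is unregistered when the activity goes away, and the web_url value is checked against a scheme and host allowlist before it is forwarded. Assumptions not taken from the page: the package name com.insecureshop for the rewritten classes, the layout name activity_about_us standing in for the resource id 2131492892, AppCompatActivity as the base class, androidx.core's ContextCompat for the flag-based registration, and the placeholder allowlist host and helper names ALLOWED_HOSTS, isTrustedWebUrl and TAG.

```kotlin
// Added example, not code from the InsecureShop project.
// Assumed: package name, layout name, AppCompatActivity base, androidx.core >= 1.9.
package com.insecureshop

import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.net.Uri
import android.os.Bundle
import android.util.Log
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat

class AboutUsActivity : AppCompatActivity() {
    private lateinit var receiver: CustomReceiver

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_about_us) // assumed layout name
        receiver = CustomReceiver()
        // Fix 1: RECEIVER_NOT_EXPORTED limits delivery to broadcasts sent by this app.
        // ContextCompat uses Context.RECEIVER_NOT_EXPORTED on API 33+ and emulates it
        // with an app-private permission on older releases.
        ContextCompat.registerReceiver(
            this,
            receiver,
            IntentFilter(CustomReceiver.ACTION),
            ContextCompat.RECEIVER_NOT_EXPORTED
        )
    }

    override fun onDestroy() {
        // Fix 2: the decompiled activity never unregisters, so the receiver outlives it.
        unregisterReceiver(receiver)
        super.onDestroy()
    }
}

class CustomReceiver : BroadcastReceiver() {
    companion object {
        const val ACTION = "com.insecureshop.CUSTOM_INTENT"
        private const val TAG = "CustomReceiver"
        // Placeholder allowlist; a real app lists the hosts it actually loads.
        private val ALLOWED_HOSTS = setOf("shop.example")

        // Accept only https URLs whose host is allowlisted. This rejects javascript:,
        // file:, content: and data: URLs and any host not explicitly trusted.
        fun isTrustedWebUrl(url: String?): Boolean {
            if (url.isNullOrBlank()) return false
            val uri = Uri.parse(url)
            if (!"https".equals(uri.scheme, ignoreCase = true)) return false
            val host = uri.host?.lowercase() ?: return false
            return host in ALLOWED_HOSTS
        }
    }

    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != ACTION) return
        val webUrl = intent.getStringExtra("web_url")
        // Fix 3: validate before forwarding; the original forwarded any non-blank string.
        if (!isTrustedWebUrl(webUrl)) {
            Log.w(TAG, "Rejected untrusted web_url from broadcast") // do not log the value itself
            return
        }
        val next = Intent(context, WebView2Activity::class.java).putExtra("url", webUrl)
        context.startActivity(next)
    }
}
```

Two of the three fixes are independent of each other: the not-exported registration stops outside apps from reaching the receiver at all, while the URL check protects WebView2Activity even if a broadcast does originate inside the app. When reviewing a build for this class of issue, remember that a dynamically registered receiver leaves no trace in AndroidManifest.xml, so the audit has to look for registerReceiver calls in the code and check whether each one passes a permission or the RECEIVER_NOT_EXPORTED flag.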

Exploitation (!!SPOILER!!)

Refer to the following video, which shows how this can be exploited by creating a third-party Android application.

Last updated 3 years ago