Challenges
Search…
Introduction
InsecureShop Challenges
Hardcoded Credentials
Insufficient URL Validation
Weak Host Validation
Arbitrary Code Execution
Intent Redirection (Access to Protected Components)
Unprotected Data URIs
Theft of Arbitrary files from LocalStorage
Using Components with Known Vulnerabilities
Insecure Broadcast Receiver
AWS Cognito Misconfiguration
Insecure use of FilePaths in FileProvider
Use of Implicit intent to send a broadcast with sensitive data
Intercepting Implicit intent to load arbitrary URL
Insecure Implementation of SetResult in exported Activity
Insecure Content Provider
Lack of SSL Certificate Validation
Insecure Webview Properties Enabled
Insecure Data Storage
Insecure Logging
Powered By GitBook
Insecure Content Provider
The Content Provider com.insecureshop.contentProvider.InsecureShopProvider is exported due to the presence of flag android:exported="true".
<provider android:name="com.insecureshop.contentProvider.InsecureShopProvider" android:readPermission="com.insecureshop.permission.READ" android:exported="true" android:authorities="com.insecureshop.provider"/>
The content provider com.insecureshop.contentProvider.InsecureShopProvider contains the following code:
public boolean onCreate() {
android.content.UriMatcher uriMatcher2 = new android.content.UriMatcher(-1);
uriMatcher = uriMatcher2;
if (uriMatcher2 == null) {
return true;
}
uriMatcher2.addURI("com.insecureshop.provider", "insecure", 100);
return true;
}
public android.database.Cursor query(android.net.Uri uri, java.lang.String[] projection, java.lang.String selection, java.lang.String[] selectionArgs, java.lang.String sortOrder) {
kotlin.jvm.internal.Intrinsics.checkParameterIsNotNull(uri, "uri");
android.content.UriMatcher uriMatcher2 = uriMatcher;
if (uriMatcher2 == null || uriMatcher2.match(uri) != 100) {
return null;
}
android.database.MatrixCursor cursor = new android.database.MatrixCursor(new java.lang.String[]{"username", "password"});
java.lang.String[] strArr = new java.lang.String[2];
java.lang.String username = com.insecureshop.util.Prefs.INSTANCE.getUsername();
if (username == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
strArr[0] = username;
java.lang.String password = com.insecureshop.util.Prefs.INSTANCE.getPassword();
if (password == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
strArr[1] = password;
cursor.addRow(strArr);
return cursor;
}
If the content provider matches the URI insecure, then it allows us to access username and password of the logged-in user.
Exploiting this is not really straightforward. You need to create an android app as it cannot be exploited using adb or drozer. The reason is that the Content provider can only be accessed with the defined permission "android:readPermission". You need to add this permission in Attacker's "AndroidManifest.xml" file in order to access the Content Provider.
InsecureShop Challenges - Previous
Insecure Implementation of SetResult in exported Activity
Next - InsecureShop Challenges
Lack of SSL Certificate Validation
Last modified 1yr ago
Copy link