Challenges
Search…
Introduction
InsecureShop Challenges
Hardcoded Credentials
Insufficient URL Validation
Weak Host Validation
Arbitrary Code Execution
Intent Redirection (Access to Protected Components)
Unprotected Data URIs
Theft of Arbitrary files from LocalStorage
Using Components with Known Vulnerabilities
Insecure Broadcast Receiver
AWS Cognito Misconfiguration
Insecure use of FilePaths in FileProvider
Use of Implicit intent to send a broadcast with sensitive data
Intercepting Implicit intent to load arbitrary URL
Insecure Implementation of SetResult in exported Activity
Insecure Content Provider
Lack of SSL Certificate Validation
Insecure Webview Properties Enabled
Insecure Data Storage
Insecure Logging
Powered By GitBook
Insecure Implementation of SetResult in exported Activity
The com.insecureshop.ResultActivity is exported and contains the following code:
1
public void onCreate(Bundle savedInstanceState) {
2
super.onCreate(savedInstanceState);
3
setResult(-1, getIntent());
4
finish();
Copied!
The exported activity passes an Intent to the attacker via setResult(code, intent). Such configuration allows an attacker to access arbitrary content providers.

Going an extra mile

Can you read Phone contacts using this vulnerability?

Note: In order to read Phone contacts, you need to grant InsecureShop access to your contacts. You can enable this permission by long pressing the app icon and then going to App Info > Permissions. Here you need to enable the Contacts permission.

Reference:

Gaining access to arbitrary* Content Providers
News, Techniques & Guides
Two weeks of securing Samsung devices: Part 1
News, Techniques & Guides
InsecureShop Challenges - Previous
Intercepting Implicit intent to load arbitrary URL
Next - InsecureShop Challenges
Insecure Content Provider
Last modified 6mo ago
Copy link
Contents
Going an extra mile
Reference: