Challenges
Search…
Introduction
InsecureShop Challenges
Hardcoded Credentials
Insufficient URL Validation
Weak Host Validation
Arbitrary Code Execution
Intent Redirection (Access to Protected Components)
Unprotected Data URIs
Theft of Arbitrary files from LocalStorage
Using Components with Known Vulnerabilities
Insecure Broadcast Receiver
AWS Cognito Misconfiguration
Insecure use of FilePaths in FileProvider
Use of Implicit intent to send a broadcast with sensitive data
Intercepting Implicit intent to load arbitrary URL
Insecure Implementation of SetResult in exported Activity
Insecure Content Provider
Lack of SSL Certificate Validation
Insecure Webview Properties Enabled
Insecure Data Storage
Insecure Logging
Powered By GitBook
Insecure use of FilePaths in FileProvider
The file provider_paths.xml contains the following data:
1
<?xml version="1.0" encoding="utf-8"?>
2
<paths xmlns:android="http://schemas.android.com/apk/res/android">
3
<root-path name="root" path="/"/>
4
</paths>
Copied!
You can use the Nuclei template provider-path.yaml on a decompiled Android app to identify this misconfiguration.
1
echo /output_apktool/ | nuclei -t /file/android/provider-path.yaml
Copied!
Observe the provider has the root folder configuration that allows us to access home directory (which also includes /data and /sdcard directory).
This misconfiguration can be chained with other vulnerabilities like Intent Redirection to steal sensitive data or Overwriting arbitrary files to achieve arbitrary code execution by Overwriting native libraries.
InsecureShop Challenges - Previous
AWS Cognito Misconfiguration
Next - InsecureShop Challenges
Use of Implicit intent to send a broadcast with sensitive data
Last modified 9mo ago
Copy link