Challenges
Search…
Introduction
InsecureShop Challenges
Hardcoded Credentials
Insufficient URL Validation
Weak Host Validation
Arbitrary Code Execution
Intent Redirection (Access to Protected Components)
Unprotected Data URIs
Theft of Arbitrary files from LocalStorage
Using Components with Known Vulnerabilities
Insecure Broadcast Receiver
AWS Cognito Misconfiguration
Insecure use of FilePaths in FileProvider
Use of Implicit intent to send a broadcast with sensitive data
Intercepting Implicit intent to load arbitrary URL
Insecure Implementation of SetResult in exported Activity
Insecure Content Provider
Lack of SSL Certificate Validation
Insecure Webview Properties Enabled
Insecure Data Storage
Insecure Logging
Powered By GitBook
Intercepting Implicit intent to load arbitrary URL
The class com.insecureshop.ProductListActivity registers a receiver as shown below.
The code says the receiver named productDetailBroadCast will trigger when the intent filter com.insecureshop.action.PRODUCT_DETAIL is called.
registerReceiver(this.productDetailBroadCast, new android.content.IntentFilter("com.insecureshop.action.PRODUCT_DETAIL"));
The receiver com.insecureshop.broadcast.ProductDetailBroadCast contains the following code.
The code takes an action, an extra and starts the activity.
public final class ProductDetailBroadCast extends android.content.BroadcastReceiver {
public void onReceive(android.content.Context context, android.content.Intent intent) {
android.content.Intent webViewIntent = new android.content.Intent("com.insecureshop.action.WEBVIEW");
webViewIntent.putExtra("url", "https://www.insecureshopapp.com/");
if (context != null) {
context.startActivity(webViewIntent);
}
}
}

Reference:

Interception of Android implicit intents
News, Techniques & Guides
InsecureShop Challenges - Previous
Use of Implicit intent to send a broadcast with sensitive data
Next - InsecureShop Challenges
Insecure Implementation of SetResult in exported Activity
Last modified 10mo ago
Copy link