Lack of SSL Certificate Validation


Last updated 3 years ago


The WebView client class com.insecureshop.util.CustomWebViewClient contains the following code:

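public final class CustomWebViewClient extends android.webkit.WebViewClient {
    // Called by the WebView when certificate validation fails for a page load.
    public void onReceivedSslError(android.webkit.WebView view, android.webkit.SslErrorHandler handler, android.net.http.SslError error) {
        if (handler != null) {
            // Vulnerable: ignores the SSL error and continues loading the page.
            handler.proceed();
        }
    }
}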

The code overrides onReceivedSslError and calls handler.proceed(), so the WebView ignores the SSL error and continues with the attacker-provided certificate. This makes the app vulnerable to MITM attacks.

This means any HTTPS website loaded within the WebView can be intercepted by an attacker on the same network.

The attack scenario works as follows:

The easiest way to check for this misconfiguration is to remove the Burp CA certificate from the mobile device and check whether you can still intercept HTTPS traffic. If you can, the application failed to validate the SSL certificate.

You can also use the Nuclei template certificate-validation.yaml on a decompiled Android app to identify this misconfiguration.

echo /output_apktool/ | nuclei -t /file/android/certificate-validation.yaml
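
A static check along the same lines can be run over apktool's smali output. The script below is an added example, not InsecureShop's code and not the logic of the Nuclei template. The smali sample is constructed for illustration from the class shown above, and the function names and verdict labels are hypothetical.

```python
import re
from pathlib import Path

# WebViewClient.onReceivedSslError as its signature appears in apktool's smali output.
METHOD_RE = re.compile(
    r"^\.method[^\n]*\bonReceivedSslError\(Landroid/webkit/WebView;"
    r"Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;\)V\n"
    r"(?P<body>.*?)^\.end method",
    re.S | re.M,
)
PROCEED = "Landroid/webkit/SslErrorHandler;->proceed()V"
CANCEL = "Landroid/webkit/SslErrorHandler;->cancel()V"
CLASS_RE = re.compile(r"^\.class[^\n]*\s(L[^;\s]+;)", re.M)

# Constructed sample: roughly what the class above looks like after apktool.
SAMPLE_VULN = """\
.class public final Lcom/insecureshop/util/CustomWebViewClient;
.super Landroid/webkit/WebViewClient;
.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    if-eqz p2, :cond_0
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
    :cond_0
    return-void
.end method
"""
# Constructed fixed variant: the handler cancels the load instead of proceeding.
SAMPLE_SAFE = SAMPLE_VULN.replace("->proceed()V", "->cancel()V")


def scan_smali(text):
    """Return (class_name, verdict) for each onReceivedSslError override in one smali file."""
    m = CLASS_RE.search(text)
    cls = m.group(1) if m else "<unknown>"
    findings = []
    for method in METHOD_RE.finditer(text):
        body = method.group("body")
        if PROCEED in body and CANCEL not in body:
            verdict = "always-proceeds"      # every certificate error is ignored
        elif PROCEED in body:
            verdict = "conditional-proceed"  # branch logic needs manual review
        else:
            verdict = "ok"                   # cancels or defers to the default handler
        findings.append((cls, verdict))
    return findings


def scan_tree(root):
    """Scan every .smali file under an apktool output directory; return non-ok findings."""
    return [(str(p), c, v) for p in sorted(Path(root).rglob("*.smali"))
            for c, v in scan_smali(p.read_text(errors="replace")) if v != "ok"]
```

A finding of always-proceeds corresponds to the pattern shown above; the fix is to call handler.cancel() or to leave onReceivedSslError un-overridden, since the default WebViewClient behaviour cancels the load.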