Unprotected Data URIs
The com.insecureshop.WebView2Activity contains the following code. It takes the untrusted URL from the incoming intent's data string and passes it straight to the WebView's loadUrl method.
```java
// Only checks that dataString is non-empty; there is no scheme or host validation.
if (!(dataString == null || kotlin.text.StringsKt.isBlank(dataString))) {
    android.content.Intent intent2 = getIntent();
    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent2, "intent");
    // Untrusted intent data is handed directly to the WebView.
    webview.loadUrl(intent2.getDataString());
    return;
}
```
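A hardened counterpart to the snippet above, as an added example that is not InsecureShop's own code: it checks the intent's data string against an https-only, exact-host allowlist before anything reaches loadUrl. The class name IntentUrlValidator, the host shop.example.com and the sample inputs are assumptions constructed for illustration, and java.net.URI is used so the check also runs outside Android.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class IntentUrlValidator {
    // Assumed allowlist; replace with the hosts the app really needs to render.
    private static final Set<String> ALLOWED_HOSTS = Set.of("shop.example.com");

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    static boolean isAllowed(String dataString) {
        if (dataString == null || dataString.trim().isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(dataString.trim());
        } catch (URISyntaxException e) {
            return false; // malformed input (e.g. backslashes) is rejected, not repaired
        }
        if (uri.isOpaque() || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false; // rejects http:, file:, content:, javascript: and relative URIs
        }
        if (uri.getUserInfo() != null || uri.getHost() == null) {
            return false; // no user@host authority, no unparsable host
        }
        // Exact match on the host; endsWith/contains checks are easy to get wrong.
        return ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for intent.getDataString().
        String[] samples = {
            "https://shop.example.com/products",       // allowed
            "http://shop.example.com/products",        // cleartext scheme
            "https://shop.example.com.other.example/", // lookalike host
            "https://shop.example.com@other.example/", // userinfo in authority
            "file:///sdcard/page.html",                // local file scheme
            "   "                                      // blank
        };
        for (String s : samples) {
            // In the activity: if (isAllowed(s)) webview.loadUrl(s); else finish();
            System.out.println((isAllowed(s) ? "LOAD    " : "REJECT  ") + s);
        }
    }
}
```

Only the first sample is loaded; every other input is rejected before the WebView sees it.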
Going an extra mile
Analyze the intent-filter used by this activity carefully. Can you turn this attack into a remote exploit by using intent scheme URIs?
Reference:
https://www.mbsd.jp/Whitepaper/IntentScheme.pdf