Unprotected Data URIs


Last updated 3 years ago


The com.insecureshop.WebView2Activity activity contains the following code. It takes an untrusted URL from the launching intent's data string and, after only a null/blank check, passes it to the WebView's loadUrl method.

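// Decompiled from WebView2Activity: the only check is that the data string is not null or blank.
if (!(dataString == null || kotlin.text.StringsKt.isBlank(dataString))) {
    android.content.Intent intent2 = getIntent();
    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent2, "intent");
    // The caller-controlled URI is loaded as-is, whatever its scheme or host.
    webview.loadUrl(intent2.getDataString());
    return;
}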
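
A hardened counterpart to the snippet above, as an added example that is not InsecureShop's own code: the intent's data string is validated before it may reach loadUrl. The class name WebViewUrlPolicy and the allowed host shop.example.com are assumptions; java.net.URI is used instead of android.net.Uri so the check also runs on a plain JVM.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class WebViewUrlPolicy {
    // Assumption: the hosts this WebView is meant to display (placeholder value).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("shop.example.com"));

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    public static boolean isAllowed(String dataString) {
        if (dataString == null || dataString.trim().isEmpty()) return false;
        final URI uri;
        try {
            uri = new URI(dataString.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never "repaired"
        }
        // https only: rejects file:, content:, javascript:, data:, intent:, http:
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Reject user-info so "https://shop.example.com@other.example/" cannot pass
        if (uri.getRawUserInfo() != null) return false;
        String host = uri.getHost(); // null for opaque or malformed authorities
        if (host == null) return false;
        // Exact match; contains()/endsWith() checks accept look-alike hosts
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Call site in the activity (sketch, using the names from the snippet above):
    //   String url = getIntent().getDataString();
    //   if (WebViewUrlPolicy.isAllowed(url)) webview.loadUrl(url); else finish();

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "https://shop.example.com/products",       // allowed
            "http://shop.example.com/products",        // cleartext scheme
            "file:///sdcard/example.html",             // local file scheme
            "javascript:alert(1)",                     // opaque URI, no host
            "https://shop.example.com@other.example/", // user-info confusion
            "https://shop.example.com.other.example/", // look-alike host
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

Only the first sample is allowed; the other five are rejected.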

Going an extra mile

Analyze the intent-filter used by this activity carefully. Can you convert this attack into a remote exploit by using intent scheme URIs?

Reference:

https://www.mbsd.jp/Whitepaper/IntentScheme.pdf