Weak Host Validation

The class com.insecureshop.WebViewActivity contains the following code. The application registers the path /webview and the query parameter url. It validates the URL and only allows URLs that end with insecureshopapp.com to be loaded in the WebView.

            } else if (kotlin.text.StringsKt.equals$default(uri.getPath(), "/webview", false, 2, (java.lang.Object) null)) {
                android.content.Intent intent3 = getIntent();
                kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent3, "intent");
                android.net.Uri data3 = intent3.getData();
                if (data3 == null) {
                    kotlin.jvm.internal.Intrinsics.throwNpe();
                }
                java.lang.String queryParameter = data3.getQueryParameter("url");
                if (queryParameter == null) {
                    kotlin.jvm.internal.Intrinsics.throwNpe();
                }
                kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(queryParameter, "intent.data!!.getQueryParameter(\"url\")!!");
                if (kotlin.text.StringsKt.endsWith$default(queryParameter, "insecureshopapp.com", false, 2, (java.lang.Object) null)) {
                    android.content.Intent intent4 = getIntent();
                    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent4, "intent");
                    android.net.Uri data4 = intent4.getData();
                    if (data4 != null) {
                        str = data4.getQueryParameter("url");
                    }
                    data = str;
                }
            }

Because the check is only a suffix match on the whole url string rather than a comparison against the parsed host, the host validation is weak: a malicious application can bypass it by loading an arbitrary attacker-owned URL that ends with insecureshopapp.com. For example, attackerinsecureshopapp.com would pass validation.
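The suffix check from WebViewActivity next to a hardened host comparison, as an added example that is not InsecureShop's own code. It uses java.net.URI so it runs on a plain JVM; strictCheck, weakCheck, TRUSTED_HOST, the HTTPS requirement and the decision to accept subdomains are assumptions made for illustration, and all sample URLs are constructed.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Assumed allowlist entry: the page only names insecureshopapp.com.
private const val TRUSTED_HOST = "insecureshopapp.com"

// Same logic as the decompiled check: suffix match on the raw url string.
fun weakCheck(url: String): Boolean = url.endsWith(TRUSTED_HOST)

// Hypothetical hardened check: parse first, then compare the host component.
fun strictCheck(url: String): Boolean {
    val uri = try {
        URI(url)
    } catch (e: URISyntaxException) {
        return false // unparseable input is rejected, not passed to the WebView
    }
    // Only HTTPS content is accepted (assumption for this example).
    if (!"https".equals(uri.scheme, ignoreCase = true)) return false
    // Reject userinfo such as https://insecureshopapp.com@other.example
    if (uri.rawUserInfo != null) return false
    val host = uri.host?.lowercase() ?: return false
    // Exact match, or a subdomain separated by a literal dot.
    return host == TRUSTED_HOST || host.endsWith(".$TRUSTED_HOST")
}

fun main() {
    // Constructed sample inputs covering the case described on this page.
    val samples = listOf(
        "https://insecureshopapp.com",
        "https://www.insecureshopapp.com/products",
        "https://attackerinsecureshopapp.com",
        "https://example.org/?q=insecureshopapp.com",
        "http://insecureshopapp.com",
    )
    for (u in samples) {
        println("%-45s weak=%-5s strict=%s".format(u, weakCheck(u), strictCheck(u)))
    }
}
```

On Android the same comparison should be made on the host returned by the parser that also feeds the WebView, so that validation and loading agree on what the host is.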

Last updated 3 years ago