
Exploiting esoteric Android vulnerability

BSides Ahmedabad · 2021 · 1:42:10 · 2.2K views · Published 2022-04 · Watch on YouTube ↗
Category: Technical
Difficulty: Intermediary
Team: Red

About this talk
Since the majority of an Android application's code runs on the client side, innovative techniques to bypass client-side checks using Frida and Android Application Analyzer have emerged. What effect does clicking on a URL link have on an Android application? How can a WebView be used for account takeover? What is the difference between an App Link and a Deep Link on Android? How can the passcode be bypassed using client-side approaches? All of these techniques are covered in this workshop.
Transcript [en]

So now let's move to the workshop that we are presenting, and that is exploiting esoteric Android vulnerabilities. Before diving into the workshop, let's introduce ourselves. My name is Sanjay Gundalya and currently I'm working as a principal security consultant at NotSoSecure. I have eight-plus years of experience in information technology, where my specialization includes web, mobile, desktop and external infrastructure penetration testing. I mostly do research and create vulnerable applications for the NotSoSecure training program, and these are the well-known repositories that I own: Blacklist3r, Android Application Analyzer and SerializedPayloadGenerator. So we'll see a demo around Android Application

Analyzer, along with my colleague, who is also a co-presenter for this workshop. So Sharon, could you please introduce yourself? Thank you Sanjay. I am Sharon Banega, senior security consultant at NotSoSecure. I have four years of experience in information security. I love to research and develop vulnerable apps and do a lot of things like pentesting; my specialization is in web application, mobile application, cloud config review and external infrastructure. That's about me, thank you Sanjay, over to you. Thanks Sharon, it's a wonderful introduction. So let's jump into the workshop. Let's move to the next slides. So yes, for this workshop we have

created so many vulnerable applications, so those who want to do hands-on during this workshop can simply navigate to my GitHub page. This is a public repository, let me show you that. You can simply navigate to this BSides Ahmedabad repository, where I've uploaded a Google Drive link which contains all the vulnerable application details. These are all the APKs that we are going to use and exploit during this workshop, so you can navigate to that. If we talk about Android application penetration testing, we generally divide the whole thing into two parts: the first one is static analysis and the second one is dynamic analysis, where in the

dynamic analysis portion we generally do API pentesting, that is, communicating with the Android application and checking for the OWASP Top 10. In the case of static analysis, whenever we receive the APK file we first do an APK analysis, then we bypass the client-side checks that are implemented. You will find these kinds of checks especially in production applications, and they are root detection checks, emulator detection checks, integrity checks, SSL pinning checks and so on. Once we have successfully bypassed these, we are able to access the application and communicate with it, and we are actually able to access the activities that are there within the application.

Then we'll see a demo on how we can do application sandbox analysis using my tool, Android Application Analyzer, which will save your time during testing. Once all that is done we can talk about esoteric vulnerabilities: these are generally untouched vulnerabilities that pentesters generally miss. We'll see a demo of how we can identify and exploit those. These are the tools that we generally use for the purpose of this workshop, or what we will be looking at. We are not going to look at how to do APK analysis, like using the MobSF framework or, let's say, using

the Drozer framework to exploit all this; instead we'll see how we can bypass the client-side checks, in which we are looking at root detection, emulator detection, integrity and SSL pinning checks. Here we are talking about the two techniques that are generally most used: the first one is smali code modification and the second one is Frida hooking. Then we'll see a demo of our Android Application Analyzer, and then we'll discuss the esoteric vulnerabilities. In this we'll discuss WebView attacks, remote debugging attacks, app links and what the difference is between app links and deep links, then we'll see

exploitation around Android file picker misconfiguration, and we'll see how we can exploit the mobile passcode using a bash script. In this we will discuss two test cases, where we first check for text-based inputs and second we try to bypass touch-based inputs. When it comes to root detection checks, developers generally use third-party libraries, and these are the well-known third-party libraries: RootBeer, then there is Firebase, in which there is a CommonUtils class that contains an isRooted function. Then there are certain developers who create their own user-defined function to

do root detection checks. Basically they just check for all this stuff: whether the su binaries exist or not, whether any dangerous permission is installed in the application or not, and based on all these things they detect whether the application is running on a rooted device or not. If it is, it just blocks the user from accessing the application on the Android device. If the application is able to identify root, you usually find this kind of error: the device is rooted. When you click on the OK button it will force close the application and you are unable to access

the application further, or let's say you are unable to pentest the application further. The second check is emulator detection. Many of us are using an emulator instead of a mobile device because it's very convenient for testing, so how does the developer detect whether it's running on an emulator or not? Based on the build information, brand information, device information and product information, using string keywords or string comparison: let's say if it is able to identify keywords like generic, unknown, google_sdk, Emulator or Genymotion, then based on that it will

detect the emulator, and once it detects it, it will show you this kind of error, let's say application running on emulator. If you click OK it will not allow you to access the application; it force closes the application. The next check is the integrity check. Generally the integrity check is implemented using a checksum calculation. This is the overall architecture of how Android converts Java files into an APK file. As we all know, an Android app is nothing but a collection of Java files, right? So whenever we try to create an APK file, the compiler first compiles all the Java files

and produces the class file equivalent to each class; then it uses the dex compiler, which basically converts all the class files into a single collection, a dex file, basically a classes.dex file which contains all the classes' information. Then it packages this dex file into an .ap_ file, and this .ap_ file is used to create an APK file. So the integrity check is basically implemented using the checksum that is calculated for the dex file, and when we run this particular application it will recalculate the checksum for the dex file, and if it does not match then it will show you an error for the integrity mismatch. If that's the case you will often

find this kind of error: application integrity is tampered. When you click OK the application force closes and you are unable to do further pentesting. And this is the most common error that we have identified, and that is SSL pinning. Most of us who are doing mobile application penetration testing are required to bypass the SSL pinning checks. These are the third-party libraries most commonly used by developers to implement SSL pinning checks: OkHttp, where the CertificatePinner class is used to implement SSL pinning within the application, then there is the Conscrypt library, which has a

TrustManagerImpl class, and using that developers generally implement SSL pinning checks. If the developer is fully aware of how to implement SSL pinning, in that case they create a custom function. When we try to configure a proxy on our mobile device, you often find this kind of error in your Burp Suite event log, where it says that the client failed to negotiate a TLS connection to your API endpoints, where it received a fatal alert containing certificate unknown, and you are unable to access the application further. These are all checks that I have found during my journey of mobile application penetration testing, and in order to pentest further,

first we have to bypass all of this. SSL pinning is generally implemented based on checks using a SHA-256 hash that is calculated for the certificate and hard-coded within the source code of the application. At run time it will recalculate it: it captures the certificate hash from the API endpoints and, based on the comparison, throws an error. So it's demo time, let's try to bypass all these checks. These are the four checks that you have to bypass: the first one is root detection, the second one is emulator, then integrity and SSL pinning. Let me show you the basic application.

Let me quickly start Genymotion. This is a very simple application: if you install this particular vulnerable application, it has two activities. The first one is the main activity; when you click on the Next button it shows you "your secret", this is the second activity. So we have to reach this particular page while bypassing all these checks. Let me install the application which contains all these checks; it has implemented the root detection checks. Here I'll teach you two things: the first technique is smali code modification and the second one is Frida hooking. There are a lot of tools involved

in order to do this. In order to do smali code modification (let me zoom in a bit), first we have to use apktool.jar to decompile the APK. So the first step is that we have to extract the APK from the Android device, then we have to use apktool.jar to decompile the application, then we have to do the smali modification. In order to test this we first have to recompile using the apktool build option, then we have to sign the newly generated APK, then we have to uninstall the existing application that is installed on the device, and then we have to install the newly generated

application. So you see there are so many steps that we have to perform in order to test this particular thing. To save time I've created a tool called Android Application Analyzer; you can find the source code, it's open source. You can simply go to the company GitHub page, and that is Android Application Analyzer; you can simply use this. Here are the setup instructions, and you can simply run this using Python 3, it's a Python 3 based tool. I've already downloaded it, so let me quickly run it. In order to run it we simply have to issue this

command, that is python main.py. I just tried to club all the things into a single GUI-based application, where here you can see all the connected devices that are connected to the machine. Once we select the device, you see all the applications that are installed on that particular device. You can also use this, which basically hides all the default packages. Then you have to select the application package name; in our case it's com.nss.notsosimpleandroidapp, but today, to give you an example or a walkthrough, because this contains so much hierarchy, I'll just use jakhar.aseem.diva. I

just installed the DIVA vulnerable application. Once you click on this you see all the folders and files that are there within the /data/data/ application folder. You can simply click on any of them; if it contains any file it is shown over here. If there is a database you can simply click on any of the database files; this one contains nothing, but if it contains any data you will see it dump all the table information along with the columns and rows within this particular interface. If you want to see logcat you can simply click on this and you will see live logcat of that particular device. So this is how this

particular tool works. Now let's try to bypass the root detection checks using the steps that I have mentioned. The first step is that we have to do the reverse engineering of that APK. When we click on this (let me open this, this is my tool) it will basically download this. I'll just walk you through this: once you download Android Application Analyzer, it contains an apps folder, and when you click on this apktool button it tries to first pull the APK from the device and then tries to decompile it. So

I select the application for which I want to bypass the root detection checks, and that is com.nss.notsosimpleandroidapp, and let's do apktool. It's doing stuff in the background, so let's just wait for that. Once done you will find a folder within the apps folder, which is basically created as the output of the apktool d option. In order to bypass this I usually use a string-based search within the whole source code, so let's just try to search for that particular error message, and restart the emulator meanwhile. Those who are doing hands-on during this workshop can simply download all the source code. It

just loaded up. So let's just search for that particular string, and this is the folder path where I want to search for this particular string, that is the Android Application Analyzer apps folder, and this is the package name. Let's just find that. You see there are so many occurrences of "rooted", but if you search for the complete string you will often find that in two places, so you'll identify that within this particular source code, and that is notsosimpleandroidapp/validation/RootChecker.smali. Let's just go to that particular folder: it's within smali/com, then nss/notsosimpleandroidapp, then

there is validation, and inside it is RootChecker. You see you have identified this at three places, at line numbers 143, 164 and 190. The first error message is over here, and if you open that in JD-GUI (you have to click on this particular button; in the back end it will use dex2jar and convert the APK file into Java files), this is the function, the first one is checkMagiskAndXposed, and you see this is the error message that is shown or popped up, and exactly above there is an if condition. So

what if we tweak this if condition? What I'll do is replace this if-eqz with if-nez. if-eqz means it checks for equality in the smali code, whereas if-nez checks for non-equality. So we'll just tweak the condition: if it identifies root then do nothing. Similarly we'll do it at all three places and save it. Now we have to perform so many tasks, as I mentioned earlier: we have to use apktool, then sign the APK file, uninstall and all this stuff. That you can simply achieve by clicking

on this particular button. Let's reinstall it; in the background it will recompile the APK file, try to sign this APK, then uninstall the older one and install the newer one. Let's just wait for some time, it's doing some stuff in the background. Now it's done, so let's try to open it. You see, we have successfully bypassed the root detection check using smali code modification, and now it's showing me an error that says application running on emulator, which means it has implemented that particular check. Now let's try to bypass the root detection check using Frida. Before diving into Frida, let's

first understand what is frida is so the friday is dynamic intro instrumentation toolkit implementation toolkit which is used by the developer or the security researcher or the reverse engineer to hook a process into a uh to hook a function or the processes within the process environment okay which uh so let's move on to the installation stuff so in order to play with frida you have to install the frida client and fida server where you can install the frida client using pip install frida tools on any of the client oss like windows mac and let's say ubuntu or the linux then you have to install the server version on the android device where to where you

have to go to the Frida releases page, navigate to frida-server and download the Android binary specific to your device. Once you have downloaded it you have to push the frida-server onto your Android device; to save time I just put it into the /data/local/tmp directory on the Android device. Then you have to run frida-server using ./frida-server and run it in the background. So let's try to bypass this using a Frida script. Once Frida is successfully

installed, if you run this particular command, frida-ps -U, you will find all the processes that are running on the Android device. So let's try to bypass this using Frida. It's showing me the device is rooted. In order to initialize the Frida script (it's visible, right?) you have to use Java.perform.

Once you have done that, let me save this in the tools folder as, let's say, frida_bsides.js.

In order to hook the function, first we have to identify the class in which this particular function is. You have to navigate to JD-GUI, where you see there is a package called com.nss.notsosimpleandroidapp.validation, where there is a function called checkMagiskAndXposed, firebaseRootChecker, and then there is isRootedRootBeer. These are the three functions that we have to hook and whose behavior we have to modify. Let's do it. To do that, first we have to create an object, obj, of RootChecker; we can instantiate an object in a Frida script using Java.use,

where you have to specify the name of the class. This is there within this particular package, so let me paste this.

Better to use word wrap, OK, done. The name of the class is RootChecker, so we have created the object of that particular class. Now let's try to hook the function: the function name is nothing but checkMagiskAndXposed, and I want to modify the function behavior, so we have to use .implementation = function, then let's say console.log("bypassed magisk and xposed"). What I have done here is that whenever this particular script is hooked into this particular application, instead of calling these two statements, the if condition and the popup, it will show you this particular message, so now it will

not do any kind of validation. Let's override the other two functions as well in order to bypass the detection. Again we have to use the object, then the function, that is firebaseRootChecker, and I want to

and the third function name is obj.isRootedRootBeer.implementation, to modify the function: console.log

"bypassed root beer check". Now let's hook this particular JavaScript into the Android application. To do that we have to use (let me zoom in a bit)

we have to use frida -U, then we have to provide the package name, that is com.nss.notsosimpleandroidapp, then we have to specify the script that we have created, that is bsides



then --no-pause, which means whenever this function is hooked, please don't stop, please continue the execution. When I run this... OK, in order to do that first we have to run the server on the Android device, so let me quickly do adb shell, where I put the frida-server in the /data/local/tmp folder. You see there is a frida-server there; let's just run it in the background, and now let's try to run ours. Once everything goes correctly you see it hooked all three functions, which say bypassed RootBeer check, Firebase check and Magisk and Xposed, and you see this time

it will not show me an error that the application is running on a rooted device, but it's showing me an error of application running on emulator. Let's try to bypass this. We all know how the application implemented the emulator check: once you search for this particular string you will end up in this particular class, EmulatorChecker. Let's just create an object of that particular class in our script: let's say var emulator = Java.use(...), and let's try to modify the function behavior. To do the checking it has a function

that is isEmulator, so let's just modify the function definition for this: its .implementation = function, console.log, so instead of doing all these checks, do nothing and print a message for me, let's say "bypassed emulator check". This is the function that I override. Now let's try to run this script; exit this one and run the modified script. You see the isEmulator function is successfully hooked and we are successfully able to bypass the emulator detection as well. Now it's showing me an error of application integrity is tampered. We haven't modified anything, but for the purpose of this workshop I just

put the wrong checksum while creating the Android application, in order to show you how we can bypass this. Based on the string search you will find this particular error message within this particular class, IntegrityChecker, and there is a function called checkForAppIntegrity which is responsible for this particular thing, where it uses the ZipFile function and over here it just matches the cyclic redundancy check (CRC) checksum; it just reads the existing one from this particular string ID. So let's just try to bypass this. To do that let's create an integrity object: Java.use, we have to give the path, and that is

com.nss.notsosimpleandroidapp.validation, the name of the class, that is IntegrityChecker, and the function name is checkForAppIntegrity.implementation = function

so once this function runs, do nothing and print a message: "app integrity check".
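The integrity check described above, re-created in Python as an added example that is not the app's own code: it reads the CRC-32 that the zip central directory stores for classes.dex (the value java.util.zip.ZipEntry.getCrc() returns in the Java original) and compares it with a hard-coded expected value. The APK here is a constructed in-memory zip, the dex bytes are a placeholder, and checkForAppIntegrity is an assumed spelling of the method name read out in the transcript. Running it shows why a smali edit followed by apktool build trips the check (the rebuilt classes.dex has a different CRC) while a Frida hook that replaces the check itself does not.

```python
import io
import zipfile
import zlib

DEX_ENTRY = "classes.dex"


def build_apk(dex_bytes):
    """Constructed stand-in for an APK: a zip whose only entry is classes.dex.
    A real APK also carries resources and the signature block, but only the
    dex entry matters to this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(DEX_ENTRY, dex_bytes)
    return buf.getvalue()


def expected_crc(dex_bytes):
    """The value a developer bakes into the app at build time."""
    return zlib.crc32(dex_bytes)


def dex_crc(apk_bytes):
    """CRC-32 of classes.dex as recorded in the zip central directory, i.e. what
    java.util.zip.ZipEntry.getCrc() returns without inflating the entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.getinfo(DEX_ENTRY).CRC


def check_for_app_integrity(apk_bytes, expected):
    """Python counterpart of IntegrityChecker.checkForAppIntegrity (assumed name):
    True only while the dex inside the installed APK matches the built-in CRC."""
    return dex_crc(apk_bytes) == expected


def patch_one_byte(dex_bytes, offset=8):
    """Simulate a smali edit followed by `apktool b`: any change to the dex,
    even a single flipped branch, yields a different classes.dex."""
    patched = bytearray(dex_bytes)
    patched[offset] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    original_dex = b"dex\n035\x00" + bytes(range(64))  # constructed placeholder, not a real dex
    baked_in = expected_crc(original_dex)
    print(check_for_app_integrity(build_apk(original_dex), baked_in))                # True
    print(check_for_app_integrity(build_apk(patch_one_byte(original_dex)), baked_in))  # False
```

A Frida hook on checkForAppIntegrity leaves classes.dex untouched, so dex_crc still matches and the check is simply never consulted; that is why the Frida route works where the smali route trips the check. The expected value is itself a constant inside the APK, so a smali patch can also rewrite that constant; either way the check only raises the bar for client-side tampering.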

Now let's try to run the modified script: close the existing one and run the modified script. We are getting some error; there is a typo, I guess. Oh, I just used the wrong class, because it's objIntegrity and I used the emulator one, so it's showing me an error that this particular function is undefined. Let's use the correct class. So we have successfully bypassed all the checks, now we are able to access the application, and if you click on Next it lands me on the next activity. So what we have to do for the API analysis is first do a

proxy configuration. Let's just do that, and let me quickly identify my IP address: 172.20.10.2.

Now if you run this particular script in order to capture the traffic, you see it's now showing me an error that a network proxy is detected, and when you look at the Burp log you see the event log states that... let me open this in a bigger window.

Just a minute. The first error message said that the client failed to negotiate a TLS connection to this particular endpoint. What pentesters generally do is use an open-source script, and the heaven for us is the universal Frida SSL unpinning script. Let me show you that as well: universal SSL unpinning Frida, let me search on GitHub.

There are so many open-source scripts available, but I already copied that, so let me show you that as well. This is the universal Frida SSL unpinning script, where if you want to bypass SSL pinning you first have to drop your CA certificate within this particular directory. I've already done that; if you go to that particular directory within the tool you see there is already a pushed one. I'll place this particular script and then you have to run the script. But this is only for SSL unpinning; what about the other three checks? We have to club our existing script, this one,

and the universal SSL unpinning script, which I've already done over here: I've just created three objects which basically allow me to bypass root detection, integrity and emulator detection, and there are the function implementations next to the object creation. Let's try to bypass this using the universal script. You see it just hooked this particular function, TrustManagerImpl, but if you navigate to the application it's still showing you an error which says network proxy detected. You will often find this kind of error if the developer has implemented a custom function, and using this particular script you will not be able to bypass this

particular SSL pinning check. Over here there is no dead end: you just have to analyze the source code, identify the function which is responsible for the SSL pinning check, and then hook that particular function. Let's do that. Let me get back to my original function, and if you navigate to this particular class, PinningChecker, where I use OkHttp3 and just create some threads and stuff to do the SSL pinning check, this run function is basically responsible for doing the check within PinningChecker. Let's just create an object of that particular stuff, objPinningChecker,

and the name of the package is this and the name of the class is this, and now let's try to overload the function, that is objIntegrity.run.implementation = function.

Now let's run this particular script: exit, run bsides21.js in order to bypass all this stuff. Again there is an error, the same: it's undefined. I made the same mistake again.

Exit and run the new one. You see now it has bypassed all this stuff, and if you navigate to the application now you are able to access the application and do further pentesting. The most common question I am asked when I present these things is: what if the source code is obfuscated, what can we do in that case? In that case the approach is the same: you have to do a string-based search, identify the class, identify the function and bypass all these checks. I also created a vulnerable application if you want to play with that,

so let me show you that as well.

It's inside the apk folder, obfuscated code. Now let's just uninstall the older one

and install the obfuscated one. The functionality is the same, it has implemented all these checks, but when you open JD-GUI in order to understand the source code, let's just reload it and select the application, and when you open JD-GUI

you will see now there is no package called validation. I created this with the same code, but I just applied ProGuard within this particular application, so there is no folder called validation and there are no classes like we had previously, RootChecker, IntegrityChecker and so on. So what you can do is simply download the source code again using apktool; it's not useful for the download, just extract the APK from the device and perform the reverse engineering on that. Once all done you see there is obfuscated code; now there are no classes within this particular folder. Now let's just

search for that particular string, "the device is rooted".

Now it's within gw; it's not inside any package, it's just within the root folder. So this is there. Yes, I accept that it takes so much time to identify the function in the case of obfuscated binaries. And that is gw,

you will find that. Now the function is not a well-known function: you see there is a, then there is c, then there is d, so all the function names are also obfuscated, even the variable names, but the most interesting thing is that the error message remains the same. Based on that you can identify the function, or just track the function that is used to call that particular thing, and again you can write the script for that. To save time, let me show you that I have already created that particular script; let me explain it and then run it.

Here, instead of using a package structure, I just use the direct class name, because it's there within the root directory: the gw class is used to do root checking, the hf class is used to do emulator checking, the el class is used to do the integrity check. The implementation here is a bit different from the other: you see, using this particular code base we are trying to modify the function behavior as in the older script, but over here we have used overload. Again, overload is a concept of object-oriented programming where there are two functions which have a different number of arguments or, let's

say, different data types with the same arguments. This is useful when, after the application is obfuscated, you identify that there are multiple functions with the same name. In that case you have to use overload, otherwise it will not work, it will throw an error. This is why I have used overload. To check, let's just run that;

it's obscure.js.

All the functions are hooked and we have successfully bypassed all the checks even in the case of obfuscated code, and we are able to access the application. With that we have successfully analyzed the APK file and bypassed all the checks. Now what? Now we are able to do a real pentest, we are able to find the esoteric vulnerabilities, which are generally untouched vulnerabilities due to these checks implemented within the application. Let me go to the presentation. We have successfully bypassed all these checks, now let's jump to the esoteric vulnerabilities. This particular portion is taken by Sharon, so Sharon, over to you. So for me,
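The hook script the demo builds by hand (the RootChecker, EmulatorChecker, IntegrityChecker and PinningChecker hooks of the plain build, and the overload() variant needed for the ProGuard build), as an added example that is not part of the talk: a Python generator that emits the Frida JavaScript from a list of (class, method, overload argument types, return value) specs, plus a loader that uses the frida Python bindings as the programmatic equivalent of frida -U -f <package> -l script.js --no-pause. The package, class and method names are assumed spellings of what is read out in the transcript, the obfuscated method letters and signatures are assumed, and the frida calls (get_usb_device, spawn, attach, create_script, load, resume) are the real API.

```python
import json

# (Java class, method, overload argument types or None, value the hook returns).
# Class and method names are assumed spellings of the ones read out in the talk.
# A return value of None means the hook only logs, as for a void method.
PLAIN_HOOKS = [
    ("com.nss.notsosimpleandroidapp.validation.RootChecker", "checkMagiskAndXposed", None, None),
    ("com.nss.notsosimpleandroidapp.validation.RootChecker", "firebaseRootChecker", None, None),
    ("com.nss.notsosimpleandroidapp.validation.RootChecker", "isRootedRootBeer", None, None),
    ("com.nss.notsosimpleandroidapp.validation.EmulatorChecker", "isEmulator", None, None),
    ("com.nss.notsosimpleandroidapp.validation.IntegrityChecker", "checkForAppIntegrity", None, None),
    ("com.nss.notsosimpleandroidapp.validation.PinningChecker", "run", None, None),
]

# ProGuard build: classes sit in the default package and several methods share a
# name, so each hook selects an overload by argument types.  The class letters
# gw/hf/el come from the talk; the method names and signatures are assumed.
OBFUSCATED_HOOKS = [
    ("gw", "a", ["android.content.Context"], False),  # root check
    ("hf", "c", [], False),                            # emulator check
    ("el", "d", ["android.content.Context"], True),    # integrity check
]


def render_hook(cls, method, arg_types, returns):
    """One `Java.use(cls).method[.overload(...)].implementation = ...` block."""
    target = f"Java.use({json.dumps(cls)}).{method}"
    if arg_types is not None:
        target += ".overload(" + ", ".join(json.dumps(t) for t in arg_types) + ")"
    lines = [f"{target}.implementation = function () {{",
             f'    console.log("[bypassed] {cls.rsplit(".", 1)[-1]}.{method}");']
    if returns is not None:
        lines.append(f"    return {json.dumps(returns)};")  # JSON literals are valid JS
    lines.append("};")
    return "\n".join(lines)


def build_script(hooks):
    """Wrap every hook in Java.perform so they install once the VM is ready."""
    body = "\n\n".join(render_hook(*hook) for hook in hooks)
    return "Java.perform(function () {\n" + body + "\n});\n"


def inject(package, source, spawn=True):
    """Load `source` into the app over USB: the Python equivalent of
    `frida -U -f <package> -l script.js --no-pause` (--no-pause is the flag the
    talk uses; current frida-tools resume automatically).  Needs frida-server
    running on the device, pushed to /data/local/tmp as in the talk."""
    import frida  # imported lazily so build_script works without frida installed
    device = frida.get_usb_device()
    pid = device.spawn([package]) if spawn else device.get_process(package).pid
    session = device.attach(pid)
    script = session.create_script(source)
    script.on("message", lambda message, data: print(message))
    script.load()
    if spawn:
        device.resume(pid)  # let the app continue running with the hooks in place
    return session


if __name__ == "__main__":
    # `python gen_hooks.py > bypass.js` then `frida -U -f <package> -l bypass.js`
    print(build_script(PLAIN_HOOKS + OBFUSCATED_HOOKS))
```

Returning an explicit false/true from a hook is safer than the bare console.log the demo uses: a boolean-returning check that is replaced by a void function hands `undefined` back to the caller, which happens to be falsy in Java-to-JS terms but is not what the original signature promises. For a method like PinningChecker.run that has no useful return value, logging alone is enough.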

if you are implementing anything at the client end then a developer is capable to bypass this at the client end so you have to do most of the checking at the server side otherwise you are not protected and these are these all are the let's say enhanced security box it's not kind of a bug but it just makes for the the pen tester a bit difficult to identify the further vulnerabilities okay so we have to do the all the checking on the server side right yes using the most of the cases so the these all checks cannot be implemented on the server side but these are the enhanced security which makes uh the pen tester difficult to find the

other vulnerabilities because if the the pen tester is not able to bypass this particular checks then he or she is not able to do a pen testing further in your application and you have written that js file to bypass the function right yes what if i do a change in the java file itself and recom rebuild the apk and then install it sorry uh you have written that js file right the function what if i directly change the source code in the java file itself yeah but you do not have access to the java file directly so if you decompile the application you will get output of smali code and smali code is bit difficult to understand okay

we've seen that right yeah yeah that that's that's we have seen in the jd-gui but if you download all the source code then you are unable to make an apk file out of it okay okay understood so jd-gui is providing the view right yeah it's providing a view that is there so there are so many third parties uh packages is there to build the epic uh the apk file right and that is generally not shown in the jd-gui or it's generally cannot be uh we cannot use that source to rebuild the application okay and uh by signing the apk we are doing zipalign right no i'm just using the signed.jar so basically jar signer it uses in the back end so it

basically sign the application using the test certificates thank you yeah thanks so i hope you understand how we can modify android application question uh yeah or we get a question at last so sanjay has explained us that how we can modify android application the smali code if it is a client-side code right so i can trace the source code and i can modify the things i can bypass so those things are explained uh using frida now we will move ahead what after bypass application using some functionality right a standard application if you are there it has activities uh so we are looking at esoteric vulnerabilities like webview everyone knows uh android application uses a webview

then remote debugging of webview webview interfaces what are these things uh deep links what are the app links file picker misconfiguration and mobile passcode or 2fa how we can bypass it using a bash so everyone knows what is a webview right in android application if i want to load some website a developer want to load some advertisement or he want to integrate some third party application i don't want to develop a app he'll just add a web application inside the android application as you can see in the screen a google.com is open which is actually a webview app it's loading a web app web html content inside the application so what webview allows you to display a content part of

activity layout which is a android activity third third-party application integration suppose i want to do a paypal payment on my android application and i just want to do you know integrate the paypal inside my application so i'll just use a webview and i'll call url paypal.com uh advertisement and native app extension like react.js most of them they use a webview so if webview is going to use there should be a way that we can identify as an attacker we should know how application using a web view so how to take a web view so as everyone knows how we reverse the application using jadx or using smali code or if you do a dex2jar that gives a java that is very

simple to understand and if you see there is a import for anything i want to initialize in java i should import the class that the webview is a class so when you reverse the application first check uh the webview is there not and there is a setting for webview that is always there so it has if you see the setting it has a webview client over here then and interface is there my interface and it has a load url uh which loads the url if capital url as a parameter at extras so extras are the intent which is used by android application if i want to pass something data to another intent so i will pass it as extras or i can pass

it as a query parameter so this is my vulnerable application webview which i defined here so let me quickly show you how webview actually works so this is my android application hope everyone is visible for this uh so if i open a url inside my web view notsosecure.com so as you guys can see it uh this is a web url is getting loaded into my application this is android application this is not a browser so i can see and there is no way as a victim i don't know what is address bar over here and just i'm surfing a web application and imagine if attacker is able to load his own url into inside

the application so that will make a big phishing attack or you can know uh steal uh the cookies as well if it is access so most common vulnerabilities in webview are first one you should have exported webview without exported thing you cannot exploit anything in android then what are the javascript interface which are used in webview i'll explain it later uh universal file access suppose if you have access to some particular function in webview then you can access internal files of android application which are only restricted to that application that also can be accessible a cross-site scripting which will act as a universal access on that android application so if you are able to uh

achieve access on that particular webview you can perform universal access means you will have access of all the application uh then content provider sometimes you can be used so to exploit the content providers so let me quickly show you uh this code if you guys see this code this is my vulnerable code so i have a web view over here it is exported and takes a capital url parameter if you observe here it takes as extras and i want to exploit this as an attacker i know it is taking as extra parameter so if you observe this here adb shell so i'll explain what is adb adb is android debug bridge it act as a

bridge between mobile application and my terminal so i can perform some action so android provided that to everyone for testing and debugging process so adb android debug bridge shell uh then am is activity manager so i want to start some activities in android application so i'll use adb shell am start and if you observe over here this will be your package name which is in this case uh my vulnerable application package name which is com.example.webview if you want to see it over here i can show it to you guys so this is my package name or this is a source code of vulnerable application in inside android studio and this is the webview activity uh which is actually i'm going to uh i

have declared in my under manifest file and you guys can see it over here so this is browsable browsable means it is i cannot zoom i think it's visible right yeah so this is a browsable one any exported activity can be opened using adb shell am start and we can pass extra capital url because all we have seen that it is accepting a url so let's just quickly open https://bing.com using our adb shell let me just copy this paste it over it here and as you can see guys can see it adb opened my webview and an extra parameter of bing.com which is loaded over into my vulnerable android application so what do you think it's very easy that we just

have pass extra parameter url and it is going to get open so imagine if attacker is able to open this url remotely so uh so how that will happen so the question is how we can achieve this vulnerability remotely because i am doing it in the adb so any local android application can exploit this but as an attacker i'll always try to you know increase the impact so for that there is a beautiful concept which android has implemented which is the deep links so what are the deep links uh deep links is nothing but i'll just explain simple uh suppose you are surfing on facebook.com and you find your friend's profile like share facebook.com sharon.com and if i click on that url

facebook app will get open with that profile directly so that's a deep link that it will navigate to you from html to your web application with whatever the content which provided and what are the process defined so deep links are nothing but it will help user to navigate between web and application they are basically url uh which navigate user directly to specific content in the android application so this is a structure of deep link uh it starts with first android scheme scheme is nothing but http https or anything you can put lol you can board or sharon whatever name that can be a scheme so there is no limitation over that then there is

android host uh android host is nothing but www.example.com uh website your url your domain that you can do then the path so if uh www.notsosecure.com whatever the part directory is there i want to you know open something so that you can give as a path prefix or path pattern or path so if you see this example and if you want to form the deep link the first one will form nss colon slash slash open uh openmyapp.com so this is this will act as a scheme uh this will act as a host okay the second one if you see it https www.nss.com and third one will be nss.com so this this is an android manifest file you have to go to android

manifest file or intent filter and you have to form a deep links so why how deep links works i'll just quickly show you in our android manifest file so this is my vulnerable application of web activities here so i have defined the scheme https.www.sharon.com and second one is lol colon slash lawl so both this deep links will open my application because the intent filter here it is a browsable so whenever you get a browsable intent filter it is by default exported and you guys can open that using a deep link so let's quickly uh show i'll show you how deep links can be open using adb and a remotely using html the simplest one is how we can open

a deep link is adb so we have to use this intent which is the view intent uh hyphen d is a url that we have to give so i will give lol colon slash lol so this is not a url this is just a deep link lol is my scheme and lol is my host and this is my activity name or sorry package name so i will just simply copy over it here so as you guys can see it as i opened uh that view my webview got open but nothing has happened because i haven't provided extra parameter over here so what uh if i'm if i can can i open it through a html

remotely so let me quickly show you that how i have already loaded html with me so if you guys can see it over here it's same deep link which is a href so it's a url lol colon slash lol so i'll just host it on my local server and let's try to open it over here so i'm going to google chrome not in my webview application so i'll just close it so i'm currently imagine i'm surfing something on my facebook and i got this website

okay so long.html i need to open right i'll click on load.html uh which says click here to open so i'm surfing something on internet if i click over here as you guys can see it as soon as i click over it it got opened my webview application so that's the way you guys can attack it remotely how to perform a deep link and provide uh to a victim with 15 clicks on that android application will get open now the question is i can now i can open access open the application remotely now the main thing remains over here the extra parameter hyphen url i cannot pass extras through html there is no way because this deep link doesn't work in that

way that i can directly pass the extra parameter to internet for that uh chrome google chrome comes with the beautiful content concept which is chrome intents so they whichever application have a google chrome they'll support this chrome intent what is chrome intent uh that is briefly given in uh developer.chrome.com you can study it so what chrome intent do as a as a html you guys can literally pass a package name over here through html you can pass action category component scheme so all these things can be possible uh can be passed through a html using this deep link this is the structure of chrome intent sorry so if you see this s capital or s

is a this is a act as extras inside the intent so if i want to pass something extra i will do s dot capital url so how to form a deep link using chrome intents let so this is here is example so it will start with intent okay so you guys can see it over here intent then colon slash slash uh then there is a uri or a host so my host is if you remember it's a lol so i added lol over here then we have to pass a hash ash again intent and semicolon then we have to provide what i want to do as an exploit so scheme is again lol which i already

shown you then package name so i can you know literally provide a package name to open this package com.example.webview and here is dot capital url so i'm also able to pass extras which is actually a term intent that cannot you know easily pass the only allowed to pass in android application so let's try to open this using an html so i already

enter.html so if you guys can see it earlier it's similar intent colon slash slash lol intent then activity name and extra parameters it's open so notsosecure.com so let me quickly host this on my local server and see how this happens so i'm again i'm on google chrome okay so this time i'm clicking on intent.html now if i click as a stranger if i click on this as you guys can see it notsosecure.com is actually open in the application of my vulnerable application and as a victim i have no idea what i'm surfing i don't know it's notsosecure.com i don't know it's a victim attacker website or nothing so there is no way no there is

no address bar in the webview that's a topic of webview there is no address bar so that's where you can exploit uh exported web activity and trust me every activity of a webview takes a url as an input parameter because end of the day it has to load the url so as an attacker you guys have to find that entry point that where it is taking the url and and if it is exported you guys can report this vulnerability this will be high vulnerability uh and you will get a good reward of this uh this is the extras we have seen and this way you can if deep link is there you can exploit any deep

link which is supporting extras or any other vulnerabilities also can be exploited if it is using a deep link uh through extra query parameters sometime android also uses a query parameter if url contains some queries like parameter so you can also pass it through question like as a parameter capital url it will work if android application using not as extra as a query parameter so most common deep links are maintained here uh with one of i don't know who's this but he had given very good how you can check all the deep links so if you click on test at the bottom you can see it i don't know you can see it or not you just go to

this android app linking you will search it and you can test all the deep links and you can learn all the deep links over here uh i have also written on small android deep link parser which will i think uh soon get merged with mobsf uh i have raised the pull request so what it uh we have to just give a python3 a deep link parser installed apk if i provide input it to you it will list out all the deep links which are available on the android application into a terminal you can access and you can play with those so i'll explain so you can see the output over here these are all the deep

links which instagram supports so i'll give a demo ahead also and you can just see it over so this is about a web view now you guys will say that's very easy right uh any if i got a url i'll just load it and i'll exploit it so that's not the case every time happens uh what developer does you know he knows that url is getting loading at the end of the day so what i'll do uh i'll do a host validation so if i am notsosecure.com i'll strictly whitelist my notsosecure.com should only get open inside the webview and no other sites will allow so that is a security implication so i found a similar thing
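An added example, not part of the talk or of the speaker's tool: it shows what the deep-link parser described above does in essence (enumerate BROWSABLE VIEW filters from AndroidManifest.xml) and decodes the intent:// link structure explained a few paragraphs earlier, so a reviewer can see which activity a link reaches and which extras it smuggles in. The manifest and the intent:// link are constructed sample data modelled on the talk's com.example.webview app.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
VIEW = "android.intent.action.VIEW"
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed manifest: a WebView activity reachable via lol://lol and
# https://www.sharon.com, plus a launcher activity with no deep link.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.webview">
  <application>
    <activity android:name=".WebViewActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="www.sharon.com" android:pathPrefix="/open"/>
        <data android:scheme="lol" android:host="lol"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def deep_links(manifest_xml):
    """Return (activity, uri) pairs for every BROWSABLE VIEW intent filter.

    Android merges all <data> attributes inside one <intent-filter>, so any
    listed scheme combines with any listed host and path; the product is
    enumerated here, which is why lol://www.sharon.com/open also appears.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        name = activity.get(ANDROID_NS + "name", "")
        if name.startswith("."):
            name = pkg + name
        for flt in activity.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
            if VIEW not in actions or BROWSABLE not in cats:
                continue
            data = flt.findall("data")
            schemes = [d.get(ANDROID_NS + "scheme") for d in data if d.get(ANDROID_NS + "scheme")]
            hosts = [d.get(ANDROID_NS + "host") for d in data if d.get(ANDROID_NS + "host")] or [""]
            paths = [d.get(ANDROID_NS + "pathPrefix") or d.get(ANDROID_NS + "path") for d in data]
            paths = [p for p in paths if p] or [""]
            for s in schemes:
                for h in hosts:
                    for p in paths:
                        found.append((name, f"{s}://{h}{p}"))
    return found


INTENT_RE = re.compile(r"^intent://(?P<rest>[^#]*)#Intent;(?P<fields>.*);end$")


def parse_chrome_intent(link):
    """Decode intent://HOST/PATH#Intent;scheme=S;package=P;S.KEY=V;end.

    Only string extras (the S. prefix used in the talk) are decoded;
    fields with other type prefixes are kept verbatim under "raw".
    """
    m = INTENT_RE.match(link)
    if not m:
        raise ValueError("not an intent:// link")
    info = {"extras": {}, "raw": {}}
    for field in m.group("fields").split(";"):
        key, _, value = field.partition("=")
        if key.startswith("S."):
            info["extras"][key[2:]] = unquote(value)
        elif key in ("scheme", "package", "action", "category", "component"):
            info[key] = value
        elif key:
            info["raw"][key] = value
    # The URI the receiving activity actually sees once Chrome rebuilds it.
    info["uri"] = f"{info.get('scheme', '')}://{m.group('rest')}"
    return info


if __name__ == "__main__":
    for activity, uri in deep_links(SAMPLE_MANIFEST):
        print(f"{activity:45s} {uri}")
    print(parse_chrome_intent(
        "intent://lol#Intent;scheme=lol;package=com.example.webview;S.URL=https://notsosecure.com;end"))
```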

uh okay so before that i want to mention uh this this is not a report 431002 you guys can note it though this is a big uh i want to thank like bagipro everyone knows it he's a great hacker he's a great you know inspiration for me also he's a great hacker you can learn a lot of using his tools so he had given us a golden golden techniques to bypass host validation how we can pass the host name validation you can read this 431002 go through it and i'll just explain two of them or in our talk so there is a problem with the backslash trick the first one so if you guys

observe it here over here attacker.com if i had a backslash and add that legitimate.com so if you see it here so when he passes the uri in android application it prints legitimate.com he actually tried it and when web get loaded it it shows attacker.com so whenever you get leading the legitimate.com will not get loaded loaded at attacker.com in that way also you can bypass host validation uh so how that can be happen so in using href you just have to pass this url so this will load attacker.com and using our chrome intent also you can pass this so that was a that was the second thing now what is a scheme validation scheme is uh the first point which is

which is in this case is a javascript okay so if that is fails how we can bypass that so this is a simple payload everyone knows if everyone do access this is a default payload guys can use i have just added over here legitimate.com and percent zero a this is nothing but a slashing that will entered and alert will print it on the next part let me just quickly copy and show you to you guys what this actually do okay so if i do a javascript colon legitimate.com alert it says alert1 okay now what i'll do i'll just modify the host of it so i'll put anything like lol.com so still it gives me alert one so you

guys can understand there is a hint that you guys can mention any host or anything over there and that trick we can use to bypass our host validation so how that worked in one of my uh flipkart older application how this bug was present there i'll just quickly show you so this was the source code which is using web activity by a flipkart older version this is patched one or this is not just for demonstration purpose i will show you so you can see it a small url is there a capital which is taking bio webview as a input i identified this using a source code and let's try to quickly open that using adb that will be

a quicker way and i have already installed a flipkart app inside my application okay so if i paste it over it here so i'll just show you nothing has happened nothing has happened so url parameter is there but it's not taking anything and flipkart app also has not got open so if you guys see it here nothing has happened so it means that it is exported but it's not taking my input which is a bing.com it means it has some validation okay so let's try to go further in the source code i analyze further and if you guys see it if it starts with fk seller app so that's a scheme which is used by

a flipkart which is fk seller app and if it starts with this then load the url and else if they also provided else if it won't starts with also you can load the url so that's saying that doesn't verify the scheme which starts with fk seller app so we can provide any scheme to it so let uh quickly dump let me let me show you how deep android deep link parser works uh just go to android deep link parser python3 deep link parser flipkart.apk so this is a tool which is available on my github repository and so only i think it will be available in mobsf if they approve my merge request so this will uh

decompile the code it will uh you know parse the android manifest file and string.xml androidmanifest.xml which contains all the deep link and sometimes string you know string parameter or string value is given that is also passed and by collecting all the inputs it will form all the deep links so as you guys can see here these all are the deep link which are available in the flipkart app and you can call suppose if you want to call the main activity it supports so it supports uh plenty of deep links and in this case i have to show you for the webview activity which we are exploiting over here so this is a web activity and it shows that i can open a webview

activity using three deep links first one is if uh you can guys can see it or terms of use then privacy policy and last one is a url which is a learning center url so if i found a deep link now how we can exploit the flipkart so if you observe clearly over here first it's a scheme and second if you oppose the seller.flipkart.com in all three deep links the host the domain is common which is seller.flipkart.com and i got a sense that it might verifying it requires a seller.flipkart.com so what we'll do as we already seen in the source code it is not a verifying scheme so i will just put a log over

here and i'll do a test.com okay let's see it's just a trial and error let's see what happened as every attacker we do a trial and error so uh so nothing has happened uh application is not loaded uh so scheme is not a i tried a test.com it not work let's try lol colon slash seller dot flipkart.com which is a domain which is used by application so i'll just copy it and paste it over here so as you can can see it as soon as i uh pasted over it as a deep link it opened flipkart app so lol colon slash seller dot flipkart.com a domain verification is there so it is verifying that a domain should be same

and it should not be anything so that was the part so how we can bypass i already shown you the javascript which is uh can be used so if you see it over here a javascript can be added and i already shown you that we can put anything over here we can put anything over this so i put data seller.flipkart.com which actually a application required and i'll just copy i just added alert one two three four five
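An added defender-side example, not code from the talk or from the application discussed: it contrasts the validation pattern the talk defeats (host looked for anywhere in the string, scheme never examined) with a check that parses the URL and compares scheme and host exactly. Python's urlsplit stands in for the Android URI class; the probe URLs are constructed from the bypass classes described above (javascript: with a fake host, an unexpected custom scheme, the backslash trick, a look-alike subdomain, and a file: path).

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOST = "seller.flipkart.com"  # host the app in the talk expects


def naive_check(url):
    """The pattern the talk exploits: is the expected host present at all?
    The scheme is never inspected, so javascript: or lol:// slip through."""
    return ALLOWED_HOST in url


def hardened_check(url):
    """Accept only https URLs whose parsed host is exactly ALLOWED_HOST."""
    if not isinstance(url, str):
        return False
    # Backslashes, whitespace and control bytes are interpreted differently
    # by the URI class doing the check and by the WebView doing the load
    # (the parser differential behind the backslash trick), so refuse them.
    if any(ch in url for ch in "\\\r\n\t\x00 "):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects javascript:, file:, lol:// and friends
    if parts.username is not None or parts.password is not None:
        return False  # no user@host confusion
    try:
        if parts.port is not None:
            return False
    except ValueError:
        return False  # malformed port
    return parts.hostname == ALLOWED_HOST


# Constructed probes: URL -> whether a correct validator should accept it.
PROBES = {
    "https://seller.flipkart.com/terms": True,
    "javascript:seller.flipkart.com%0aalert(1)": False,
    "lol://seller.flipkart.com": False,
    "https://attacker.example\\@seller.flipkart.com/": False,
    "https://seller.flipkart.com.attacker.example/": False,
    "file:///data/data/com.example.webview/cookies": False,
}


def evaluate(check):
    """Run one validator over every probe and report its verdicts."""
    return {url: check(url) for url in PROBES}


def false_accepts(check):
    """Probes a validator lets through although it should not."""
    return [url for url, ok in evaluate(check).items() if ok and not PROBES[url]]


if __name__ == "__main__":
    print("naive check wrongly accepts:", false_accepts(naive_check))
    print("hardened check wrongly accepts:", false_accepts(hardened_check))
```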

you got access and this is a universal xss like uh flipkart application i can access it i can access any component of the application because this is actual webview which runs flipkart application this is patched one so don't try it on the newer one you can go older one you can try that and i already given it on our github so that's way uh you can by bypass the flipkart one and for this they have rewarded me some work this was a medium level vulnerability i was not able to exploit it remotely because the deep link is not a browsable that was not a problem i don't know how they passed it so that one was their

webview uh we'll see universal file access so this was a setting which was introduced by android to bypass origin check so if i have a file and if i want to access another file scheme like file scheme /etc/passwd and if i want to access through some other file that is not possible right that is not possible because sop will not allow us to do that but for that what android had given uh api level before 30 or they have given this particular check set allowing your access file from url if you access this it allows there is no origin verification so file colon sharon.com can access internal files so that is allowed so if this check is

enabled uh inside a webview sometimes developer do it it is degraded not allowed to like lot i don't know you cannot be used after 31 also so android 108.7 vulnerable if this setting is allowed so how to exploit this will be a simple accessory how to do so what you have to do over here you have to create a exploit inside the sd card so sd card is accessible to every application so file colon slash sd card slash exploit.html that can be accessed by you as a attacker you can access it or browser also can access it okay so you have to create this exploit this is a simple xhr request whenever you access our request in the world this

is a simple one so what we have done in the url what we have given uh a internal path of the vulnerable application which is a webview application you can see it slash data slash data com.example.webview slash cookies the cookies is my internal path so whenever you have if you want to exploit this so you just have to do the same thing instead of url you just have to pass uh exploit.html for that you need to put exploit there should be other ways how we can put that's that you have to find a way how you can put exploit in sd card so once you put exploit in sd card if you call that sd card using our remote

attack or adb shell or whatever you can do using a deep link uh you can actually access the internal or directories of the application and internal directories are only accessible to that application if i have a web view application my internal files will be accessible to me only no other application can access my files that's how android works only sudo user i think can access all the files so that was about universal file access let's look at remote debugging of webview so as a penetration tester if you observed the application which runs as a native app and you want to you know find or you want to analyze you want to analyze the what going inside the application

for example native app is using a web application but you don't know what it is actually so if you want to debug or if you want to understand what are the network traffic what are the dom uh you know elements are using chrome has given a remote debugging for a browser you can say for that so this will allow you to debug a live content android devices from windows mac and linux computer inspect and debug live content of android and dom manipulation so let me quickly show you uh what it is so if i go to a flipkart app again so this is an application okay flipkart and if i click on a register new account how

many of you will say this is a web application so this can be android application or this can be web application right so as an penetration tester your job is to verify so there is uh that already explained that we just have to do edge colon slash inspect in chrome you can do a chrome colon slash inspect i'm using edge over here so this will inspect the devices which is available in the network for that usb debugging should be enabled on your application as a penetration tester and if you see it over here seller.flipkart.com is got opened so indirectly flipkart is in the backend is using a web application and if i click on the inspect

you guys can see it so in the chrome browser i am able to access all the dom element all the application all the traffic and if i do a alert over here this will be comes so you can communicate so i guess you will guess that what the advantage of this so you can actually access the dom element you can you can check what are the dom best contains home accesses kind of vulnerability which are sometimes you will fail to identify ssl pinning that you can just go to a network tab and check all the requests and response of the android application which is using a web view so native app whatever the native every xjs app are

reusable and if you fail to you know do something you can go a remote debugging and you can access everything of that application so that's the beauty of remote debugging and i in day-to-day job as a penetration tester i use this very often so that's about remote debugging now the most important concept comes comes javascript interface so i like this uh concept very much you will also i'll explain why i like it so i have a html page and i want to provide some input to android application like click on this button and go into android application do something so that's amazing right from html i can control android application uh that is a

javascript interface which is implemented by android user for convenience so if i want if i am on html and if i want to perform some action in our application i can do using a javascript interface and suppose i want to return some data from android so i want to you know do a handshake of local cookies and i want to refresh them sometime so i want to access it through local and i want to pass it through my web application suppose to show something some data some content which is pass in the local so javascript interface is a key concept that can be used that communicates between mobile and html or javascript you can say so that

is about javascript interface so i'll just quickly show you what is the interface so this is just a little javascript that will help you to understand i want to explain it so in javascript interface is defined inside the webview only because it's end of the day it's html so we need a webview so we uh to define a javascript you have to add a webview dot add javascript interface and you have to provide interface name which is in this case is a my interface so i just have to check the my interface and this is a function so whenever my interface is a webview and whenever show toast function get called it will show something

so toast is the android application which shows the message in the android application so this is the android part so if i want to show if i want to access it using html i just have to create an html show android toast and i will pass the input hello android over here and as you can see it i'm calling my interface which is my javascript interface and i'm calling a show toast function which is actually inside android application this is not a javascript or this is not a html function which is an inside function and if i do a toast whatever message i am sending it will be sent to android application so let me quickly show you

how that works

so if i click on say hello so you guys can see it say hello is there so if i click on a say hello it says hello android that's a toast if you see a bottom there is a hello android so that comes from android and i'm on a web application this is a web application i'm clicking on a button and actually calling android application function so that's a web interface and application uses a web interface for a lot of stuff because they want to communicate with the javascript function and everything so how we can as a attacker exploit this so for this you need only one vulnerability you need to open your url inside that webview once

you have open your url into a webview the interface will be exposed to every url which gets open in the webview so that's the disadvantage of javascript interface even google if you go to google help they've also said that they have provided two options to you guys that ensure that the way you do not add objects as a javascript interface and second one ensure that the web view do not load untrusted web content which i am saying that so this so these are the interfaces uh let me quickly show you the interfaces over here in my android application so get user get serial get model get product which i have defined interface in my vulnerable application

so you guys can see it over here all these are get model so it will just return a model inside whatever the model is there this is only accessible to android not html or does the user and lastly i have given uh get authentication token just authentication token which is inside my android application as an attacker how to list these interfaces so we can list these interfaces using remote debugging so we have to do again inspect and we just have to go over here as you can see it over here i just have to call this object object get on properties window so this is just a common property if you click on here you

will you will get the all objects which are available in the webview and here is our objectives are also available like my interface okay now if i if i want to access my interface data i'll just add a window dot my interface and i'll just go to my console so you guys can see it over here there are five components which are exported and as a attacker if i am able to load the url inside of your view i can access all this get earth get brand and get model get product let me quickly show you my interface dot get auth and if i just call this function so imagine i'm in a console i'm calling a

function so it is returning a uh sorry session token okay so remotely how we can exploit this so for that also we just have to create a simple xhr request let me quickly show you so again it's a request so we just have to create access our request so okay and ask it to send to our collaborator and we just have to call the function or object interface name and the function name which i want a data so here you can see my interface dot github that will send data to a data and that will send to my server so let me quickly show you demo of this

Okay, so I'll just open my listener, PostBin; you guys know what PostBin is. We can use Burp Collaborator also. So I'll just create a bin over here, let me copy the bin inside my interface.html. There is already a script, I'll just add the XHR request over here. Okay, so whatever myInterface data you get, just send it over to me. I'll just run a Python server, and I haven't implemented HTTP support in my WebView, so I will use ngrok to create an HTTPS site for me, a public site; you guys know what ngrok does. So it will tunnel my local interface to the public using this URL, and if I open this URL on the internet I'll get interface.html. So let's suppose your victim clicks on this URL in his WebView, okay, and it gets loaded into the WebView. I'll just simply open it over here, and as soon as I click on it, it will show me that a simple shared website is open and the victim doesn't know what happened. And if you see our PostBin, the token got leaked, because for the interface which we have added there is no origin verification, there is nothing. Whatever URL the victim loads, that interface will be exposed to him, and as it is exposed he can access that interface and actually capture the token or any interface which is open. So that's the way you can exploit the web interface. This was a vulnerability which I found in a bug bounty program; I cannot reveal the name of it. This was the script I created for it: it was returning data inside the function, which I converted into Base64 and forwarded to my PostBin. So what was the vulnerability actually? This is a chat application kind of thing, so if I insert a URL it is sent to all the victims, and if someone clicks on the URL it gets opened in a WebView. So what I did as an attacker: I just added a URL through the web, an account takeover name and a URL, and when the victim clicked on that URL I got the authentication token of that victim, because the WebView interface which was being used by that application was exported and I got the authentication token. And for this,

I got a high reward for this vulnerability. So that's all about WebView and its vulnerabilities; that is covered. Deep link versus app link. We have already seen what a deep link is: it opens the Android application, right? But there is an issue with a deep link, a dialog you might have seen, that it prompts for the application: My Apps, Google Chrome, like multiple applications support the deep link, then multiple apps will open. If you try to open a Google Maps URL, which in this case gave me two options, Chrome and Maps, that URL can be handled by two applications, Chrome as well as Google Maps. Okay, so that is the issue with the deep link. And if I am the owner of facebook.com and I don't want this ambiguous dialog, if I open facebook.com it should open the Facebook app, right? Because this will create a vulnerability: if someone clicks on any other application, whatever data the URL contains will be passed to that application, right? So for that, app links are implemented by Android. So what app links do, these are the differences: a deep link can use http, https, or a custom scheme like lol which we used, but an app link is only http validation, so whatever http URL comes, at least that should be verified. So what it does, if you guys can see it, for link verification: none for deep links, and app links use app link verification. So big organizations like Facebook have to have the verification, because everyone trusts the URLs; if facebook.com comes, Facebook should open. So what you have to do, as you guys also have applications, if you are a developer you just have to create a .well-known/assetlinks.json for your application. I'll just show you the Facebook one which they have implemented. You guys can see over here there is a SHA fingerprint, or 256, sorry, SHA-256 fingerprint; this is for every application they have created, and whenever you are surfing a facebook URL

on the internet and click on it, Facebook verifies whatever domain you have clicked, and if it matches that domain, only then does it open the Facebook application. So that gives trust to everyone. So this .well-known/assetlinks.json can be implemented if you are passing a password reset token by URL. In many applications, if you go to the password token and click on it, the application code opens. If, as a victim, I get prompted with two or three applications, if I'm using a deep link it will prompt two or three applications, and if I mistakenly click on something else the token will get passed. So that's why app links play a big role over here; the drawbacks of deep links are fulfilled by app links. So password reset pages, sign up, sign in, verification, we can exploit these. Let me quickly show you a simple exploit for this. What if an attacker creates... let me quickly open this, www.sharon.panago.com, inside my vulnerable app. As you guys can see, earlier it prompted me two applications, one is my actual WebView and the second one is Chrome; both can handle it. So let's try to create one more vulnerable application which is nothing but AppLink Sharper. What I'll do, I'll add the same deep link, https://www.sharon.com, inside this; this is a vulnerable app, and what I did here,

whatever intent data came in, I just set the text to the URL, meaning set it over there. So this is my vulnerable application; I'll just run it inside the Android application and let's see what happens. It's building with Gradle over here, it will take some time. Okay, so it succeeded; it says hello world, that's a simple Android application and you don't know what you have installed. So now again I'll run my sharon.com, and you guys can see there are three applications: by default it's showing AppLink Sharper, then WebView and then Chrome. So three applications are supporting it now. As an attacker you can create your own, and if by mistake I click on this, the sharon.com got, you know, set as text. For demonstration purposes I'll just go to my Gmail, I've added a URL; suppose I received a password reset link for sharon.com and I click over here. As you guys can see, three apps are supporting it and I don't know which one to open. So that's the drawback of deep links, and that's why app links came. Suppose I mis-click on our victim's, attacker's, sorry, app: the token at the end, say, you can see it got linked to that application, and that can be used by that application and can be passed on. So that's the issue with deep links, and app links are the most secure. Android 12 came with a new verification: if it is an https URL it will first try to verify your app link, and if the app link does not exist it will not prompt you this, it will directly open in Google Chrome. So if you guys have these issues you can update to Android 12; if you are using an older version you are still vulnerable to deep links. So if you guys get any application which supports versions older than Android 12, you can report this vulnerability and you will get a good bounty out of it. So that was one vulnerability; now let's look at the next one.
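The .well-known/assetlinks.json the talk shows for Facebook has a fixed shape. As an added example, not the file from the talk, this is what such a file looks like for a hypothetical app; the package name is a constructed placeholder, and the fingerprint must be replaced with the SHA-256 of your own signing certificate (printed by `keytool -list -v` on the keystore):

```json
[
  {
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {
      "namespace": "android_app",
      "package_name": "com.example.resetapp",
      "sha256_cert_fingerprints": [
        "REPLACE_WITH_SHA256_FINGERPRINT_FROM_keytool_-list_-v"
      ]
    }
  }
]
```

Serve it at https://your-domain/.well-known/assetlinks.json with Content-Type application/json, and put `android:autoVerify="true"` on the https intent filter in the app's manifest so Android performs the fingerprint check the talk describes. Without both halves the link stays an ordinary deep link and the chooser dialog comes back, which is exactly the window the password-reset example relies on.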

I already explained what a deep link actually is, and this is the app link verification step: the package manager is there, then the intent filter, so it goes to the .well-known directory and checks in the cache that this fingerprint matches the fingerprint in the app link, and if it is valid that's where verification is done. Now, the Android file picker. How many of you share files on WhatsApp, right? If you have some other application, like I have Snapchat, and I want to share a file from Snapchat, Snapchat also has its own file picker. So every application which wants to share a file or receive a file needs a file picker; for example, if you see it already, Documents, Photos, SD card, those are file pickers. So anyone can create their own file picker, and that can be used to share files internally through the application. So what are the vulnerabilities and what are the misconfigurations in the Android file picker? Let me show that to you. What I'll do, I'll quickly explain what a file picker does. If I am snapchat.com and I want to share some file, that will share my internal path, like data/data/com.snap.com/some folder of photos; it has some photos, so it will be in my internal structure, right? So if I want to share that folder I'll simply share the internal path of the application. That's how a file picker works. So as an attacker, what I did: I found this vulnerability in a Chromium bug, I think; I haven't provided a reference for it but I learned it from there. So what we have to do here, we have to create the intent filter which covers all the file pickers. So I added all the file picker intent filters which an application needs, so that I am available as a file picker. Here is the intent filter for it, which you can use: open document, chooser is there, then pick is there, get content is there. So I have created a vulnerable application using this file picker; let me quickly show that to you.

that to you okay so if you see android manifest file i've added every file picker indian filter over here so whenever application needs it shows so and now the main comes part here uh so if you see a data data com.google.android.app.docs so this is a package name of google drive okay this is not my application so what i'm doing here here whenever google drive selects me as a file picker i'll provide his internal path a google drive's internal path and let's see what happens will google drive will able to open upload his own file stream to the application so if you see it guys here uh the path which i am giving here under google drive but it is only accessible

to google drive not even google chrome access the google drives folder or path inside the folder that's how the permission are maintained android application so what i have to do if i want to trick this to google drive i have to ask google drive to click on my file picker so let me quickly run this code for you and i'll show you how file picker looks so this will take some time till that time i'll just show you drive and if i want to upload something over here if i click on upload so you guys can see multiple options are available so if you have a google drive or if you have a dropbox dropbox is also file bigger so

as an attacker if i'm a dropbox or as as i have created upload internal as an attacker i just created that function so it's running over here so you guys can see application got opened and installed and nothing has happened because i haven't given any code to her so this is our upload scanner imagine this as a dropbox as a whole application so so if i on a google drive and imagine this drive a url is a shared url so anyone showed you a public url google drive url you have you are going to upload something in that and what you will do uh you will just click on our click on upload and upload internal

which is my vulnerable application imagine this is a dropbox and you're selecting some files over here so if i click on this you guys can see it one file is being uploaded you don't know what got uploaded so as you guys can see it over here this is file is uploaded which is a flag dot of apple which is actually a google drive file uh this is actually a drive drive file let me quickly show you where it is adobe cell i'll do a su cd slash the path which i have provided data slash data then com.google.com dot google dot android dot docs sorry com.box so this is a internal folder of google drive application and we access

a file inside it, cat the flags application .xml. You can see this is the same content which was uploaded over here. So Google Drive mistakenly uploads its own file, and if the attacker has access to the shared folder he can actually access it. I could provide the internal cookies or session of Google Drive; he can actually, you know, get everything which is inside its internal domain. So that is a vulnerability available for the file picker; you guys can report this vulnerability. I recently reported this vulnerability to Edge and for that they have provided me an acknowledgement on their website. So Edge is a browser; I created an HTML file upload similar to this, and when the file upload was there and a victim clicks on that Upload Internal which I have shown, Edge's internal cookies get uploaded and are shared over to attacker.com. That is what I demonstrated on Edge and I got an acknowledgement on their website, so you guys can use this vulnerability. You guys will think, what is the patch for this? So if I'm Google Drive and I want to upload something, I should verify my path; I should not upload my own file. So canonical path: the path which is going to be uploaded, I should verify the path; the file which I'm uploading or sharing should not be your own files. That is the only mitigation for this bug; that is also bypassable, but for me, at the time, I know only that mitigation. Now we have, I think, 10 minutes. So, the Android passcode. You have to exploit it on that application: internal paths are only accessible to that application, so if I want to exploit Google Drive, Google Drive needs to click on that; I'm uploading on Google Drive, I have provided the internal path of Google Drive. If I want to exploit Google Chrome, I have to provide the path of Google Chrome, the internal path of Google Chrome. So that's a limitation; there is a limitation with this bug: you have to first install that application on the victim, and then user interaction is needed, so
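The canonical-path check the talk names as the mitigation, as an added example that is not the talk's code: before the app uploads or shares a file that another app's picker handed back, it resolves the path to its real location and refuses anything under its own private directory. The directory layout and the package-like folder name are constructed for the demo; on Android the private directory would come from the Context, and a `content://` Uri returned by a picker would be resolved to a path before this check runs.

```java
import java.io.File;
import java.io.IOException;

// Added example (not from the talk): the "canonical path" mitigation. The app
// resolves whatever path a file picker returned and refuses to share anything
// inside its own private data directory, however the path is written.
// Paths below are constructed; on Android the private dir comes from the Context.
public final class OwnDataGuard {
    private final String privateDir;   // canonical path of this app's private directory

    public OwnDataGuard(File appDataDir) throws IOException {
        this.privateDir = appDataDir.getCanonicalPath();
    }

    /** True if the picked file may be uploaded, false if it resolves into our own data directory. */
    public boolean isSafeToShare(File picked) {
        try {
            String real = picked.getCanonicalPath();   // resolves "..", symlinks and repeated separators
            return !(real.equals(privateDir) || real.startsWith(privateDir + File.separator));
        } catch (IOException e) {
            return false;                               // cannot resolve: refuse rather than guess
        }
    }

    public static void main(String[] args) throws IOException {
        String tmp = System.getProperty("java.io.tmpdir");
        // Constructed layout: pretend this is the private directory of the app doing the upload.
        File data = new File(tmp, "com.example.drive-demo");
        OwnDataGuard guard = new OwnDataGuard(data);

        File[] picks = {
            new File(tmp, "photo.jpg"),                                            // ordinary file: share
            new File(data, "shared_prefs/flags.xml"),                              // own data: refuse
            new File(data, "../com.example.drive-demo/shared_prefs/flags.xml"),    // dot-dot disguise: refuse
            new File(tmp, "com.example.drive-demo-other/x.txt"),                   // prefix lookalike: share
        };
        for (File f : picks) {
            System.out.println((guard.isSafeToShare(f) ? "SHARE  " : "REFUSE ") + f.getPath());
        }
    }
}
```

Run it with `java OwnDataGuard.java`. The comparison appends `File.separator` before `startsWith`, so a sibling directory whose name merely begins with the private directory's name is not rejected, while the `..` spelling of an internal file is.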

that's why, if you see, Google and Edge haven't really a bounty for this, because there is a huge user interaction actually needed. But this is a valid vulnerability, a valid misconfiguration, for big orgs like Facebook and this kind, you know; sometimes it happens because there are a lot of trojans and everything. So this is a valid vulnerability, but the impact is low, or you can say it's difficult to exploit. The next one is the Android passcode. Everyone knows what passcodes are: if you are using a finance app, if you are using a bank application, there is a 2FA. Most of the time rate limiting is there; sometimes rate limiting is not there. This is the case of non-rate-limited applications: if rate limiting is not present and you want to bypass a 2FA, how can we do that using bash? So let me quickly show you how Android adb is magical for you guys. You need to enable USB debugging, and there are some Android key events, okay. Let me quickly show you one of the key events which Android supports. I'll just go to Google Chrome, okay, I'll just click over here. So what I'll do, I'm just doing adb shell input text sharper; you guys can see... as soon as I, oh sorry. So you guys can see in the Android application "sharper" got typed, okay. So we can provide input to an Android application using adb. So this exploit, how it works: if I have access to any victim's mobile app, the 2FA works in that way only because that is implemented for the purpose that only if someone has your mobile, they should not have access to your application. So he can enable USB debugging; we can imagine that he can enable the debugging option because he had access to your mobile. So using adb I can type sharper, and after that I want to press enter, right? So there are key events which are available in the Android application.

So if I do a key event 66, which is for enter: I am over here, and if I do 66 it presses enter and "sharper" got searched in Google Chrome. So we can use this trick to bypass a passcode, and our question is how. The simplest thing, you already might have some guesses: we just have to provide an input. If it is a four-digit character, if I want to show you this, my vulnerable application has a passcode; if I type 1234 and press enter, this is an invalid passcode. So I am providing an input and I have to press enter; if I press enter it shows invalid. So I have to form this kind of structure. What I'll do, I'll use a one-liner for loop which starts with one two, we can start with nine nine; I'm assuming this is a four-character password, one two two zero, it starts with one two two zero then up to nine. We just have to do adb shell input text, which is 1234, which as an attacker I have to give, and I have to do a key event which is enter. So enter this and press enter, enter this and press enter; we just have to loop this. Let me quickly show you how this will work and how this will look. Okay, you guys can see it all, so it's starting to brute force the application using adb, and in this way you can bypass a 2FA. So that's a simple bash script you guys can use. I have reported this all over to multiple programs, and I got a reward also, so this is a valid bug, and you can see it got bypassed on 1234; that was the code and I got access to it. That was easy, right? So next I want to show you one more, what is different: a touch pad. So I just showed you input; now it is not taking any input, this is a touch pad test case, so it is difficult to exploit, right? I cannot provide input; that's

not easy, to have no touch pad. So how, as an attacker, how can you guys imagine bypassing this touch pad? For that Android has given us one more thing: tap. If you guys can observe over here, adb shell input tap; let me quickly show you what it is. If I'm over here and I copy this tap, okay, and I press enter: tap one. So why tap one? Anyone? If you observe, 300 and 700, the values there for the tap are x and y coordinates. So that's the value of the x and y coordinates; if I increase the y coordinate to 1100 you guys can see the fourth tap, you can check it over there. So in this way you can tap the touchscreen and you can bypass. So imagine how we can do that. For that, this is... I think I haven't seen this script anywhere, I have created my own. So this is integer 1: 300 and 700, integer 4: 300 and 1300. So I have created all the integers with all the coordinates which are available, so we just have to call this function and ask it to tap for me, and brute force the application, that's it. For that I have written a big one-liner over here; let me quickly explain what it is. It starts with a for loop similar to one two two five. Then what I did, I have split 1234, I split it into four parts: one separate, two separate, three separate, four separate, because if you see my integer into parameter over here, in I want only one because it has to process adb shell input. So first I will do into one, and if I want to process 1234 I'll first go to one, adb shell input one, then two, into additional input two. So in this way I split our payload into four parts, then I have provided an integer as an input, and dollar x will be first one, then two, then three and four, and that's where it will tap for me and bypass the application. So let's quickly see how this script will work; it's using bash.

Okay, so you guys can see here it started tapping for me, and I can bypass the 2FA using this technique. After some time, once it gets the code, it will get bypassed.
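Both brute-force loops above only work because the app accepts guesses as fast as adb can send them; the talk notes that most apps have rate limiting and these are the ones that do not. As an added example, not code from the talk, here is the control that stops such a loop: a passcode check that compares a hash in constant time, adds a doubling delay after a few wrong guesses and locks out entirely after ten. The passcode value, the limits and the simulated guess timing are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example (not from the talk): an in-app passcode check with attempt
// limiting, the control whose absence lets an adb input loop enumerate a
// four-digit code in a few thousand tries. Wrong guesses are charged for:
// an escalating delay first, then a hard lockout. Values are constructed.
public final class PasscodeGate {
    private static final int FREE_ATTEMPTS = 3;        // no delay for the first few typos
    private static final int MAX_ATTEMPTS = 10;        // hard lockout after this many failures
    private static final long BASE_DELAY_MS = 30_000;  // 30 s, doubled for each further failure

    private final byte[] expected;  // hashed reference value; the plaintext code is never stored
    private int failures = 0;
    private long lockedUntil = 0;   // epoch millis; 0 = no back-off window active

    public enum Result { OK, WRONG, DELAYED, LOCKED_OUT }

    public PasscodeGate(String code) {
        this.expected = sha256(code);
    }

    /** Checks one guess made at time `now` (epoch millis). */
    public Result attempt(String guess, long now) {
        if (failures >= MAX_ATTEMPTS) return Result.LOCKED_OUT;   // needs re-enrolment or a server reset
        if (now < lockedUntil) return Result.DELAYED;              // still inside a back-off window
        if (MessageDigest.isEqual(expected, sha256(guess))) {      // constant-time comparison
            failures = 0;
            lockedUntil = 0;
            return Result.OK;
        }
        failures++;
        if (failures >= MAX_ATTEMPTS) return Result.LOCKED_OUT;
        if (failures > FREE_ATTEMPTS) {
            // 30 s after the 4th failure, 60 s after the 5th, 120 s after the 6th, ...
            lockedUntil = now + (BASE_DELAY_MS << (failures - FREE_ATTEMPTS - 1));
        }
        return Result.WRONG;
    }

    public int failures() { return failures; }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every Java runtime
        }
    }

    public static void main(String[] args) {
        PasscodeGate gate = new PasscodeGate("4711");   // constructed demo passcode
        long t = 0;
        // Simulate the adb loop: sequential guesses every 50 ms, never waiting for the back-off.
        for (int i = 0; i < 15; i++) {
            String guess = String.format("%04d", i);
            Result r = gate.attempt(guess, t);
            System.out.printf("t=%5d ms guess=%s -> %s (failures=%d)%n", t, guess, r, gate.failures());
            t += 50;
        }
    }
}
```

Run it with `java PasscodeGate.java`: the first three guesses come back WRONG with no penalty, the fourth starts a 30-second window, and every further guess in the simulated loop returns DELAYED without being evaluated, so the loop cannot make progress. In a real app the counter and `lockedUntil` must live in storage the attacker cannot reset by reinstalling or clearing data, which in practice means the server side.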

So 1234 was the password and you guys can see it. This way you can bypass a 2FA, and this is a valid vulnerability, a valid bug I think. So those are the points that we have covered in our esoteric vulnerabilities; that was the last bug. So key workshop takeaways that we learned from Sanjay: how smali code can be modified to bypass the checks, how Frida can be used to bypass root detection, then we've seen how we can, you know, exploit esoteric vulnerabilities like WebView which are mostly untouched by the bug bounty industry, as most people look for web application vulnerabilities, but these are also very interesting vulnerabilities. This you guys can check. We have seen how we can secure an Android application against remote attacks like deep links: you can go for app links, or you can use a whitelist of good applications, and that's how to implement secure deep links and WebViews, that we have seen. And that was the end, guys. Thank you.