In this lab, we use differences in the application's responses to enumerate the password of the “administrator” account. First, we check whether the “administrator” account exists and determine the length of its password. Once this is done, we use a substring query to enumerate each character of the password, one position at a time.
You can use Burp Repeater or Intruder to enumerate the password. I find both methods time-consuming, so I wrote a script to enumerate the password instead. The script looks for the “Welcome” value in the response. If it is present, the script notes down the character and moves on to the next position until every character of the password has been enumerated.
Just like a web application, a mobile app must validate its input. Using the DIVA app, you can see how common input validation issues affect the app's behavior.
Part 1: SQL Injection
First, enter a test value to see the output. The result shows the user name, password and credit card number. The data is most likely stored in an SQLite database, in which case the lookup might be vulnerable to SQL injection.
From the source code, you can see that the app builds the query by string concatenation and then appends every row the query returns to the output.
String query = "SELECT * FROM sqliuser WHERE user = '" + srchtxt.getText().toString() + "'";
To select all users, enter the following input; every user's information will be displayed:
abc' OR '1' = '1
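The two query patterns side by side, as an added example that is not code from the write-up or from DIVA: a Python sqlite3 script with a constructed sqliuser table (only the table name and the user column appear above; the password and credit-card column names and the sample rows are assumptions). search_concatenated reproduces the app's string-building, search_parameterized is the fix, and the small banner helper shows why the response-based enumeration described for the lab at the top of the page works only against the concatenated version.

```python
import sqlite3

# Constructed sample rows standing in for DIVA's sqliuser table. Only the table
# name and the "user" column come from the app; the other columns are assumed.
SAMPLE_ROWS = [
    ("admin", "s3cr3t", "4111-1111-1111-1111"),
    ("diva", "p@ssw0rd", "5500-0000-0000-0004"),
    ("test", "test123", "3400-000000-00009"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sqliuser (user TEXT, password TEXT, credit_card TEXT)")
    conn.executemany("INSERT INTO sqliuser VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_concatenated(conn, srchtxt):
    """The app's pattern: the search text is pasted straight into the SQL string,
    so a quote in it closes the literal and the rest is parsed as SQL."""
    query = "SELECT * FROM sqliuser WHERE user = '" + srchtxt + "'"
    return conn.execute(query).fetchall()


def search_parameterized(conn, srchtxt):
    """Hardened form: the search text is bound as a parameter, so SQLite compares
    it as one opaque value whatever characters it contains."""
    return conn.execute("SELECT * FROM sqliuser WHERE user = ?", (srchtxt,)).fetchall()


def banner(rows):
    """A login-style response that differs when a row matches. The enumeration
    script in the write-up keys on exactly this kind of difference."""
    return "Welcome" if rows else "Invalid username"


if __name__ == "__main__":
    conn = make_db()
    payload = "abc' OR '1' = '1"   # the input quoted in the write-up
    print(len(search_concatenated(conn, payload)), "rows via concatenation")
    print(len(search_parameterized(conn, payload)), "rows via bound parameter")
    # A true and a false injected condition yield different banners only when the
    # query is concatenated; the parameterized query treats both probes as a
    # (non-existent) user name and answers the same way, so nothing leaks.
    for probe in ("diva' AND '1'='1", "diva' AND '1'='2"):
        print(probe, "->", banner(search_concatenated(conn, probe)),
              "|", banner(search_parameterized(conn, probe)))
```

The fix is the same in Java: pass the search text as a selection argument (for example through SQLiteDatabase.rawQuery with a selectionArgs array) instead of concatenating it into the statement.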
Part 2: URL Scheme Hijacking
The URL input cannot be assumed to be what the developer expected. An attacker can manipulate it to retrieve sensitive files from the device.
For example, entering the following value retrieves the username and password stored in the app's shared preferences XML file:
file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml
To prevent this issue, the developer should validate the URL input and also apply the appropriate level of access control in the WebView settings, such as disabling file access (setting the file-access option to false) when the WebView does not need to read files.
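A URL validator of the kind the paragraph above calls for, as an added example rather than DIVA's or the write-up's code. It works by allow-list (only absolute http and https URLs with a host pass), so file:, javascript:, content: and any scheme nobody thought of are all rejected without being named, and it handles the edge cases a blocklist tends to miss: upper-case schemes, surrounding whitespace, scheme-relative URLs, missing hosts and a userinfo part in front of the host. The allowed scheme set and the optional host allow-list are assumptions for this example.

```python
from urllib.parse import urlsplit

# Schemes the WebView may load. Everything else fails by default (assumed policy).
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_webview_url(raw, allowed_hosts=None):
    """Return True only for an absolute http(s) URL with a plain host.

    allowed_hosts, when given, is a set of lower-case host names the WebView
    may visit; the default accepts any host over http(s).
    """
    if not isinstance(raw, str):
        return False
    url = raw.strip()                       # tolerate pasted whitespace, nothing else
    if "\x00" in url or "\\" in url:        # never let odd characters reach the loader
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                        # covers file:, javascript:, content:, data:, ""
    if not parts.netloc or not parts.hostname:
        return False                        # "http:///x" and "//host/x" have no usable host
    if parts.username is not None or parts.password is not None:
        return False                        # "https://good.com@evil.com/" style confusion
    if allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
        return False
    return True


if __name__ == "__main__":
    samples = [
        "https://example.com/help",
        "  https://example.com/help  ",
        "file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml",
        "FILE:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml",
        "javascript:alert(1)",
        "//example.com/help",
        "http:///nohost",
        "https://user@example.com/",
    ]
    for s in samples:
        print(repr(s), "->", is_safe_webview_url(s))
```

On the Android side this check belongs in front of every WebView.loadUrl call, alongside the settings the paragraph mentions: WebSettings.setAllowFileAccess(false), and the related setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false), for a WebView that only ever shows remote content.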
Part 3: Lack of input length / size constraint
In some input forms there is no constraint on the length or size of the input. For example, in the DIVA app you can enter a very long string and observe that the app crashes.
It turns out that the activity calls into native code, which you can find in the DIVA GitHub repo. The divajni code expects the string value to be 20 characters long; if you enter a value longer than 20 characters, the app crashes with a segmentation fault.
Good practice is to validate the size or length of the input first, so that it always stays within the limits the code requires.
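A length check of the kind recommended above, as an added example that is not DIVA's code. It takes the 20-character limit from the text and adds one caveat the text does not spell out: a native buffer is sized in bytes, while the Java side counts characters, so the check measures the UTF-8 encoding that the C side will actually receive and also rejects embedded NUL bytes, which would silently truncate a C string. The wrapper and the limit name are assumptions for this example.

```python
# Limit the write-up gives for the DIVA native function: 20 characters.
MAX_NATIVE_INPUT = 20


class InputTooLong(ValueError):
    """Raised when the encoded input would not fit the native buffer."""


def validate_for_native(text, max_len=MAX_NATIVE_INPUT):
    """Return the UTF-8 bytes of text if they fit the native limit, else raise.

    Bytes are measured, not characters: 'é' is one Java char but two UTF-8
    bytes, so a string of 11 such characters already exceeds a 20-byte limit
    even though its character count is well under 20.
    """
    if not isinstance(text, str):
        raise TypeError("expected a str")
    encoded = text.encode("utf-8")
    if b"\x00" in encoded:
        raise ValueError("embedded NUL would truncate the C string")
    if len(encoded) > max_len:
        raise InputTooLong(f"{len(encoded)} bytes exceeds the limit of {max_len}")
    return encoded


def call_native_safely(text, native_fn, max_len=MAX_NATIVE_INPUT):
    """Validate first, then hand the bytes to native_fn; unchecked input never
    reaches the native layer. native_fn stands in for the JNI call."""
    try:
        data = validate_for_native(text, max_len)
    except (InputTooLong, ValueError, TypeError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "result": native_fn(data)}


if __name__ == "__main__":
    # len() plays the role of the native function: it just reports the byte count.
    for sample in ("a" * 20, "a" * 21, "é" * 10, "é" * 11, "ab\x00c"):
        print(repr(sample), "->", call_native_safely(sample, len))
```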