• This repository has been archived on 30/Mar/2022
  • Language: Kotlin
  • License: MIT License

An intentionally vulnerable Android application built in Kotlin.

⚠️ Important - Change in Repository

Please note, any further releases and development of InsecureShop will now take place at https://github.com/hax0rgb/InsecureShop

You can update your local copy to track the new repo:

git remote set-url origin https://github.com/hax0rgb/InsecureShop.git

📱 InsecureShop

  • InsecureShop is an Android application that is designed to be intentionally vulnerable.
  • The aim of creating this app is to teach developers and security professionals about the vulnerabilities that are present in modern Android applications.
  • This also serves as a platform to test your Android pentesting skills.
  • Developed in Kotlin, this application was created primarily for research on Android deeplinks and WebViews. Several more vulnerabilities that were found in real-world Android applications were later added. The vulnerabilities present in this app are real and have been found during mobile pentests.

⚙️ Usage

You can compile the source code in Android Studio or simply download the APK file from here

📌 Note:

  • A rooted device is not required. All vulnerabilities can be exploited on a non-rooted device.
  • No APIs are used by the app.

🤔 How is InsecureShop different from other Damn Vulnerable Apps?

  • More Realistic: Mimics a shopping application.
  • Built in Kotlin: Because most apps are now written in Kotlin.
  • Contains Real-World Vulnerabilities: Unlike other Damn Vulnerable Apps, which contain hypothetical or unrealistic scenarios, most of the vulnerabilities in this app were recently found in actual pentests. Some of the vulnerable implementations are taken from those highlighted in research done by several security researchers.

❗️Vulnerabilities:

  1. Hardcoded Credentials: Credentials are hardcoded somewhere in the app and can be used to log in to the application.
  2. Insufficient URL Validation: Any arbitrary URL can be loaded in the WebView via a deeplink.
  3. Weak Host Validation Check: The host validation check can be bypassed to load any arbitrary URL in the WebView.
  4. Arbitrary Code Execution: Arbitrary code execution via third-party package contexts.
  5. Access to Protected Components: The app takes an embedded Intent and passes it to a method like startActivity. This allows any third-party app to launch any protected component.
  6. Unprotected Data URIs: Untrusted URIs passed to the loadUrl method allow attackers to load arbitrary URLs in the WebView.
  7. Theft of Arbitrary Files: Files can be stolen from the app's local storage via ChooserActivity.
  8. Using Components with Known Vulnerabilities: Identify the vulnerable components or libraries used in the app that allow local files to be exfiltrated to a remote domain.
  9. Insecure Broadcast Receiver: An exported activity registers a broadcast receiver during onCreate. An attacker can trigger this broadcast and provide an arbitrary URL in the 'web_url' parameter.
  10. AWS Cognito Misconfiguration: The misconfigured AWS Cognito instance can be used to access an AWS S3 bucket.
  11. Insecure use of FilePaths in FileProvider: An overly wide file-sharing declaration can be used to access the root directory via the content provider.
  12. Use of Implicit Intent to send a broadcast with sensitive data: The use of an implicit Intent can allow third-party apps to steal credentials.
  13. Intercepting Implicit Intent to load arbitrary URL: The use of an implicit Intent can allow third-party apps to load any arbitrary URL in the WebView.
  14. Insecure Implementation of setResult in exported Activity: The insecure implementation used in ResultActivity can be used to access arbitrary content providers.
  15. Insecure Content Provider: The content provider can be accessed by any third-party app to steal user credentials.
  16. Lack of SSL Certificate Validation: The unsafe implementation of onReceivedSslError can be used to eavesdrop on all traffic loaded in the WebView.
  17. Insecure WebView Properties Enabled: Insecure WebView properties are enabled that can allow third-party apps to exfiltrate local data to a remote domain.
  18. Insecure Data Storage: The app stores user credentials locally without encrypting them.
  19. Insecure Logging: User credentials are leaked in logcat. Only attackers with physical access to the device can access this information.
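An added Kotlin example, not InsecureShop's own code, showing the defensive side of items 2, 3, 16 and 17: a weak substring-based host check beside a strict parsed-host check, and a WebViewClient that refuses SSL errors instead of proceeding. The allow-listed hosts and all function names are assumptions.

```kotlin
import android.net.Uri
import android.net.http.SslError
import android.webkit.SslErrorHandler
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Assumed allow-list of hosts the WebView may render (illustrative, not the app's real config).
private val ALLOWED_HOSTS = setOf("insecureshopapp.com", "docs.insecureshopapp.com")

// Weak check of the kind items 2 and 3 describe: a substring match accepts any URL that
// merely contains the expected host name somewhere, and it never pins the scheme.
fun isTrustedUrlWeak(url: String): Boolean =
    url.contains("insecureshopapp.com")

// Hardened check: parse the URL, require https, and compare the parsed host exactly.
fun isTrustedUrlStrict(url: String): Boolean {
    val uri = Uri.parse(url)
    if (!uri.isHierarchical) return false              // rejects opaque URIs (javascript:, data:)
    if (uri.scheme?.lowercase() != "https") return false
    val host = uri.host?.lowercase() ?: return false
    return host in ALLOWED_HOSTS                       // exact match, not endsWith/contains
}

class StrictWebViewClient : WebViewClient() {
    // Every navigation inside the WebView goes through the strict check as well.
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
        !isTrustedUrlStrict(request.url.toString())    // returning true blocks the load

    // Item 16: calling handler.proceed() here would disable certificate validation
    // for the whole WebView; cancelling keeps TLS errors fatal.
    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
        handler.cancel()
    }
}

// Entry point a deeplink handler would call with the URL taken from the incoming Intent.
fun openDeepLink(webView: WebView, target: String) {
    webView.settings.javaScriptEnabled = false         // item 17: keep risky settings off
    webView.settings.allowFileAccess = false           // unless a feature genuinely needs them
    webView.webViewClient = StrictWebViewClient()
    if (isTrustedUrlStrict(target)) webView.loadUrl(target)
}
```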

🕵 Hints:

The provided link doesn't provide you with solutions but can point you in the right direction 😉:

https://docs.insecureshopapp.com (This is still under development)

🙌 Thanks:

  • Rujul Gandhi: Thank you for your contributions towards this app
  • Sergey Toshin (Oversecured): Thank you for your amazing research on Android security which prompted me to start this project
