I believe the security is a complex and very important process. Due to the lack of permission,
the name of the application is not mentioned, and I call it an Android application.
I did a security test for an Android app for a programming company a couple of months back. I can’t share the app’s name because of permission stuff, so I’ll just call it the Android app.
Testing Android apps can be tricky compared to web apps. You kinda need to know how Android emulators work, a little about Android programming, and how to take apart APK files.
I used my usual Android security checklist, and luckily, I found a few holes on day one. I want to talk about one of the coolest finds I made.
First off, I used the app like anyone else to see how it worked. I took note of all the places the app was talking to. At this point, I wasn’t just trying to find tech issues, but also any weird logic problems. Like, I messed with the search bar and user profile using common attack strings for things like SQL injection and XSS, but nothing hit.
Then, looking through the HTTP history in BurpSuite, I saw a POST request that seemed interesting. It was used to update the user’s profile. One thing caught my eye: User_Id, which was just the user’s phone number. What was strange: there wasn’t any check to make sure you were allowed to change it. So, yeah, it was an IDOR thing, meaning you could mess with other people’s data just by changing the phone number.
IDOR
I can simply change “User_Id” parameter and change other user’s profile, it was work for all of
user’s because application use phone number for identification and don’t have any validation.
I can implementation some attack like Brute-Force for user phone number discovery and Next
change user’s profile information or in another scenario if i know any application user’s phone
number i can change that user profile information.
Information Disclosure + XSS
In second day when i review HTTP History in Burp-Suite suddenly one GET request catch my
attention and it contain all of user information in response without any validation, the GET URL
like this:
https://target.com/api/user_v3_6/profile/09396
I can found IDOR again but with higher impact and it disclosure user information with have just
one user phone number, user’s information contain first-name,last-name,walletinfo,address,cart-info and etc.
Where is XSS?
So remember how I tried injecting stuff into the app before, like in the search bar and my profile? None of that worked. But get this: with the IDOR thing, when the user info popped up, my payload actually ran! So, it finally worked there.
Maybe you don’t believe but i was used this simple payload for exploit:
<script> alert”XSS” </script>
ـــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــ
The point you should pay attention to is that first of all, don’t be disappointed and check the
same section and route several times and try to test it with different methods and tricks
every time and every EndPoint you find can help you. It helps in discovering a vulnerability, so pay attention to things like HTTP History and try to review it carefully and several times
and examine the cycle and performance path of each part in order to be more successful in
discovering logical and technical vulnerabilities.Itsg can help you in security of your /network and you can get more information from XSS.