BugBazaar: Mobile penetration testing on the Android platform

Android BugBazaar: Your mobile appsec playground to Explore, Exploit, Excel

BugBazaar is a comprehensive mobile application intentionally designed to be vulnerable, featuring over 30 vulnerabilities. Developed to emulate real-world scenarios, it includes more than 10 modules and features, each replicating real-world functions and the vulnerabilities surrounding them.

Vulnerabilities

WEBVIEW

  • Opening arbitrary URLs in the WebView
  • XSS
  • Open redirection
  • Account takeover via stealing the session ID (host validation bypass)
  • Stealing the user token via the @JavascriptInterface class
  • Access to arbitrary files via insecure flags
    • Note: only exploitable up to API level 28
  • Stealing arbitrary files via an insecure WebResourceResponse

INTENT

  • Intent interception
  • Account takeover via intent spoofing
  • Stealing the user's contacts via an insecure PendingIntent
  • RCE through insecure dynamic code loading

Deep Link

  • CSRF to add a product to the cart
  • Deep link hijacking to load URLs in the WebView
  • Content spoofing on the Offers activity

IPC COMPONENTS

  • Exported components
  • Stealing the user's contacts via a typo in the Content Provider's permission
  • Insecure broadcast receiver
  • Access to protected components via a broadcast receiver
  • Insecure services
  • Fragment injection in Refer-Us

Injections

  • SQL injection via user input in My Orders
  • Content Provider SQL injection in Address
  • Data insertion via an insecure Content Provider in Address

Unintended Data Leakage

  • Copy/paste buffer caching
  • Application backgrounding
  • Insecure logging (logging user credentials)

Insecure Storage

  • Unencrypted database
  • Man-in-the-Disk attack
  • Storing sensitive information in SharedPreferences
  • Hardcoded secrets

OTHERS

  • Improper input validation
  • Unrestricted file upload
  • Misconfigured Firebase Firestore
  • Passcode bypass
  • Tapjacking
  • Improper exception handling
  • Debuggable application
  • Backup enabled
  • Task hijacking
  • Improper cache handling

Runtime exploitation

  • Runtime code modification
  • Login PIN bypass via Frida/Objection

APP Protection

  • Easy level:
    • RootBeer library
  • Medium level:
    • Magisk detection
    • Emulator check
    • Frida detection
  • Advanced level: ⚠️ In progress, will be updated in an upcoming release ⚠️

Download