Part One

If you've seen any of my previous write-ups on the DIVA APKs, you will know that today we are going to cover the last and final section: Access Control Issues. Access Control Issues arise when we, as normal users, can gain access to data that we are not supposed to access, either directly or via malicious methods. This is mostly due to poor data/access protection mechanisms put in place by developers. 🤠

Now, with this section there are three parts. Without any further lollygagging, let's jump into it!


Access Control Issues - Part One

When we open the Access Control Issues - Part 1 section on our device, we are met with the following objective: try to access the API credentials from outside the app. This means that instead of just clicking the View API Credentials button, we should try to reach the credentials shown on that activity using other methods, such as via the terminal.


For coverage's sake, this is what happens when we press the View API Credentials button directly. We can see that we get instant access to credentials that we shouldn't have access to!

Okay, let's start with the fun things. Let's see what LogCat recorded when we opened the API credentials. LogCat is powerful since it can reveal useful information for us as the attacker, such as the name of the activity that was opened, which we can then use to exploit the app. Open up your terminal using CTRL + ALT + T and enter the following command.

adb shell logcat


We can see that it opens an activity called .APICredsActivity. Let's open jadx-gui and see if we can find where the activity pulls the credentials from.

Okay, so the data is hardcoded. Now that we know which activity holds the hardcoded API credentials, we can use the terminal to bypass the "View API Credentials" button and have the app show us the credentials directly. In other words, we will start the activity directly from the terminal by sending it an explicit Intent. 👾

adb shell am start -n jakhar.aseem.diva/.APICredsActivity

  • am is the Activity Manager tool, used to manage activities.

  • start is used to start an activity.

  • -n indicates the component name of the activity to open (the package jakhar.aseem.diva followed by .APICredsActivity).


Hooray! When we go back to our application we can see that we have successfully opened the activity and revealed the credentials without pressing the button!
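The reason am start works is that the activity is reachable from outside the app, which is a manifest property rather than anything in the activity's code. As an added example (not part of this write-up, and not DIVA's own code or manifest), the script below audits an AndroidManifest.xml for activities that another app or adb could launch without holding a permission, and shows the weak declaration beside its hardened form; the manifest fragment is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")  # android:-namespaced attribute

def find_exposed_activities(manifest_xml):
    """Return (activity, reason) for each activity that another app, or
    `adb shell am start`, can launch without holding a permission:
    android:exported="true", or no exported attribute plus an
    <intent-filter> (the implicit pre-Android-12 default)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    exposed = []
    for act in root.iter("activity"):
        name = _attr(act, "name") or ""
        if name.startswith("."):        # expand shorthand ".Foo" to package
            name = pkg + name
        if _attr(act, "permission"):    # caller must hold a permission
            continue
        exported = _attr(act, "exported")
        if exported == "true":
            exposed.append((name, 'android:exported="true"'))
        elif exported is None and act.find("intent-filter") is not None:
            exposed.append((name, "implicitly exported via <intent-filter>"))
    return exposed

# Constructed manifest fragment for illustration; not DIVA's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- weak: reachable from outside the app -->
    <activity android:name=".APICredsActivity" android:exported="true"/>
    <!-- hardened: private to the app -->
    <activity android:name=".SafeActivity" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, why in find_exposed_activities(SAMPLE_MANIFEST):
        print(f"{name}: {why}")
```

The launcher activity is reported too, since it must be exported; the finding that matters is any activity that reveals sensitive data while not being declared android:exported="false" or guarded by a permission.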