Oversecured Sample Report Android
ovaa-debug.apk
App ID oversecured.ovaa Version 1.0
Statistics
44 vulnerabilities found
List of vulnerabilities
Arbitrary code execution gives an attacker unrestricted capabilities and the ability to perform any actions in the context of an attacked application. The attacker thus gains access to all the application's functions and to any sensitive information to which the application has access.
Recommendation: To avoid arbitrary code execution, the application should sanitize all data received or change its architecture to prevent unintended access to sensitive components.
Links
https://blog.oversecured.com/Android-arbitrary-code-execution-via-third-party-package-contexts/
https://cwe.mitre.org/data/definitions/94.html
An attacker has the ability to obtain the contents of arbitrary files to which a legitimate app has access. Most often, the interesting files will be stored in /data/data/<package_name>/* directories, which may include, for instance, user content or authentication tokens, but an attacker may also use this vulnerability to obtain user documents stored on the same device.
Recommendation: The developer must control the ways in which the app can obtain the path to a file it intends to process.
Links
https://blog.oversecured.com/Interception-of-Android-implicit-intents/
https://cwe.mitre.org/data/definitions/359.html
https://cwe.mitre.org/data/definitions/20.html
An attacker has the ability to start components in the name of the app, which lets them bypass Android's built-in protection and gain access to any activity or service, even an unexported one. The attack may come from any app installed on the same device or, if the Intent.parseUri() method is used, from a malicious site, because one of the exported components accepts a nested intent and passes it to startActivity/startActivityForResult/startService without the necessary checks.
Recommendation: The app must refrain from passing received intents to system methods like startActivity, startService, etc., directly. Instead, it should construct an intent independently and explicitly define the receiver.
Links
https://blog.oversecured.com/Android-Access-to-app-protected-components/
https://cwe.mitre.org/data/definitions/926.html
https://cwe.mitre.org/data/definitions/940.html
Cross-site scripting
Found in the file AndroidManifest.xml
    <activity android:name="oversecured.ovaa.activities.DeeplinkActivity">
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="oversecured" android:host="ovaa"/>
        </intent-filter>
    </activity>
XSS or Cross-site scripting is a kind of attack where malicious scripts are inserted into a WebView page. In most cases the inputs received from untrusted sources like public broadcast receivers, unprotected activities, or world-readable/writable directories are not properly filtered and are output directly onto the page that is being rendered within WebView. JavaScript will be executed when the developer has allowed it explicitly via WebSettings.setJavaScriptEnabled(true) (by default it's disabled). In other cases, it can still be used for Content Spoofing (content injections). Execution of malicious scripts might cause unintended information leakage, modification of settings on the server side via bypassed CSRF protection, and more. On mobile there is a risk that the script may access JavaScript interfaces that are intended for communication between the application and scripts running inside the browser, thus exposing internal application logic and functionality.
Recommendation: Before insertion, client data should be correctly sanitized using methods like URLEncoder.encode(). In this case, all metacharacters will be escaped. In other cases, XSS is the result of insecure application architecture, when it trusts data received from unprotected inputs.
Links
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf
https://cwe.mitre.org/data/definitions/79.html
The app starts an activity, and an attacker has the ability to process the call (for example, if it is an implicit intent or if it is possible to control the processing activity). Flags are also set on the intent permitting Uri access via the FLAG_GRANT_READ_URI_PERMISSION, FLAG_GRANT_WRITE_URI_PERMISSION, etc., parameters, and the attacker has the ability to control the Uri that is passed. If all these conditions are met, the app that is started will have access to an arbitrary content provider where android:exported="false" but android:grantUriPermissions="true".
Recommendation: The developer should restrict the ability to set an arbitrary Uri in the Intent's data parameter, or else remove the flags granting read and write access for the Intent in question.
Links
https://blog.oversecured.com/Gaining-access-to-arbitrary-Content-Providers/
https://cwe.mitre.org/data/definitions/926.html
The application uses external storage (SD card) to read/write data. The data stored in external storage can be read and modified by any third-party applications installed on the same mobile device, which can lead to information leaks, data tampering, or other security breaches. It was determined that the application stored executable libraries or scripts, application files (APK), or files with potentially sensitive content. For instance, if an application stores its third-party .so libraries or .lua scripts on external media, these libraries can be modified by a malware application, which in turn may lead to arbitrary code execution in the context of the running application.
Recommendation: Stop storing executable files, configuration files, databases, and sensitive user data on an SD card.
Links
https://cwe.mitre.org/data/definitions/921.html
https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage
A token or password was found. It might be used by an attacker to access restricted services, which will cause information leakage, unwanted server setting changes, or other kinds of unrestricted service accesses or modifications.
Recommendation: The developer should not hardcode such sensitive data, to prevent leakages.
Links
https://cwe.mitre.org/data/definitions/312.html
The cryptographic key is hardcoded in the app. It can be used by an attacker to encrypt or decrypt sensitive data, substitute a different digital signature, etc., reducing this level of data security to nil.
Recommendation: The developer shouldn't hardcode encryption keys. Instead, we recommend using secure key creation and storage systems such as the Android keystore system.
Links
https://developer.android.com/training/articles/keystore
https://cwe.mitre.org/data/definitions/312.html
Using an implicit activity start is dangerous since the component is not set and the Android OS asks the user what to actually start. Using a malware application, an attacker can register their own activity with the action from the intent in AndroidManifest.xml and specify a 999 priority in the intent-filter. When startActivity or its equivalent is executed, a dialog with a set of all possible applications will be shown with the malware in first place. If the user selects the fake application, the activity start with intent extras will be hijacked, and in most cases it will lead to disclosure of sensitive information. In the case of startActivityForResult, there is an additional risk related to the resulting data. When the call is hijacked, the attacker's activity may use a setResult(...) call to transmit arbitrary data to the onActivityResult() method of the victim activity, which will cause content spoofing.
Recommendation: Always use explicit intents to start activities using the setComponent, setPackage, setClass or setClassName methods of the Intent class.
Links
https://blog.oversecured.com/Interception-of-Android-implicit-intents/
https://cwe.mitre.org/data/definitions/927.html
An attacker has the ability to force the app to connect to an arbitrary internet service (such as a web server). This can be used by malware apps on the same device to create internet queries without the corresponding permission (android.permission.INTERNET). In some cases this vulnerability can help to deceive the application, leading it to think it's communicating with a legitimate server: the results can be the leakage of confidential data (such as tokens or passwords), or display to the user of content controlled by the attacker.
Recommendation: The app should either protect functionality responsible for the connection to internet services, for instance, by using unexported services, or else restrict the list of servers to which a connection can be made. With WebView, there is also the possibility of showing the user the domain name or the entire URL from which the content originates, helping the user to make sure the site address is correct.
Links
https://cwe.mitre.org/data/definitions/451.html
https://cwe.mitre.org/data/definitions/346.html
https://en.wikipedia.org/wiki/Spoofed_URL
The app stores device logs using a path that is accessible for an attacker to read. From Android 4.1, apps' logs are not accessible to third-party apps — but if a legitimate app itself saves them to an insecure path, an attacker can gain access to them and extract private information.
Recommendation: It is recommended that you store logs in the /data/data/<app package> directory using a static path, to prevent your data falling into the hands of an attacker.
Links
https://cwe.mitre.org/data/definitions/532.html
The app does not perform sufficiently precise checks of the host field in the URL, meaning that an attacker can bypass them. Most URL parsers do not count a backslash (\) as a delimiter that is equivalent to a forward slash (/), but e.g. WebView automatically replaces all backslashes with forward slashes. This means that checks like host.endsWith("legal.com") are not sufficient. The developer must also remember the User info part of the URL, where backslashes can also be added: instead of checking the host field, check the whole authority.
Recommendation: One reliable URL check is a scheme check, which prohibits passing various private data via the insecure HTTP protocol: it only permits the use of HTTPS. Another option is to check the authority part by creating a white list of possible hosts or using a reliable regular expression that excludes manipulation with backslashes and other control characters.
Links
https://cwe.mitre.org/data/definitions/358.html
https://cwe.mitre.org/data/definitions/693.html
An exported activity returns the results of its operations (which may include private data). A third-party app has the ability to start this activity and receive the Intent that is passed to setResult.
Recommendation: It is recommended that you either make the activity non-exported, thereby preventing data leakage, or else make sure that setResult is not used to pass any important data.
Links
https://cwe.mitre.org/data/definitions/359.html
https://cwe.mitre.org/data/definitions/926.html
An attacker controls the path to a file where data that the attacker does not control will be stored, potentially leading to corruption of arbitrary files. In some cases the data may also include sensitive information, which is thereby leaked to the attacker.
Recommendation: We recommend validating a file path obtained externally or using a predefined path in an internal directory, so as to avoid unauthorized access to the file path and manipulation of it.
Links
https://cwe.mitre.org/data/definitions/73.html
The attacker can fake the path to the file that will be subsequently deleted. This may become dangerous in situations in which the application stores sensitive user data that will be difficult or impossible to restore afterward. This may also lead to the incorrect operation of the application, resulting in reputational and business damage.
Recommendation: It's recommended to add additional checks for file or folder paths to prevent path-traversal attacks.
Links
https://cwe.mitre.org/data/definitions/73.html
Information leakage
Found in the file AndroidManifest.xml
    <service android:name="oversecured.ovaa.services.InsecureLoggerService">
        <intent-filter>
            <action android:name="oversecured.ovaa.action.DUMP"/>
        </intent-filter>
    </service>
The application makes it possible to reveal sensitive user information such as encryption keys or user passwords by displaying them on the screen, saving them to insecure storage, or transmitting them via an unsafe channel, any of which allows an attacker to make use of them.
Recommendation: Do not transmit this kind of information in unencrypted form, or store it in more trustworthy storage.
Links
https://cwe.mitre.org/data/definitions/200.html
https://cwe.mitre.org/data/definitions/359.html
Information leakage
Found in the file oversecured/ovaa/activities/MainActivity.java
    public void onClick(View view) {
        // Login data is encrypted with WeakCrypto and placed in a plain-HTTP URL
        String token = WeakCrypto.encrypt(MainActivity.this.loginUtils.getLoginData().toString());
        // Implicit intent: any app registering this action can receive the URL extra
        Intent i = new Intent("oversecured.ovaa.action.WEBVIEW");
        i.putExtra("url", "http://example.com./?token=" + token);
        IntentUtils.protectActivityIntent(MainActivity.this, i);
        MainActivity.this.startActivity(i);
    }
}
The application makes it possible to reveal sensitive user information such as encryption keys or user passwords by displaying them on the screen, saving them to insecure storage, or transmitting them via an unsafe channel, any of which allows an attacker to make use of them.
Recommendation: Do not transmit this kind of information in unencrypted form, or store it in more trustworthy storage.
Links
https://cwe.mitre.org/data/definitions/200.html
https://cwe.mitre.org/data/definitions/359.html
The app makes it possible to fake a request, or some of its fields, sent over HTTP, which can lead to a whole series of possible attacks including Cross-Site Request Forgery and HTTP Splitting. This can make it possible to uncover used data, and can also damage the app's business logic by carrying out actions that benefit the attacker.
Recommendation: The developer must restrict request data to trusted sources, and make sure these data are necessary, are in the expected format, and do not contain special characters that would violate the structure of an HTTP request.
Links
https://cwe.mitre.org/data/definitions/352.html
https://owasp.org/www-community/attacks/csrf
https://portswigger.net/web-security/request-smuggling
The app saves the user's password on the device. This is insecure, because under specific circumstances it could be extracted by an attacker — for example, if there are vulnerabilities such as the ability to steal arbitrary files or if the attacker has access rights to the user's root directory.
Recommendation: Instead of storing the password, the developer should use a server-side issued token. This can be securely saved to the /data/data/<package name> directory. If an attacker obtains the token, it only needs to be revoked to avert the attack. The password can be picked up and used for other services used by the user, and allows an attacker to guess other versions of the user's passwords.
Links
https://cwe.mitre.org/data/definitions/256.html
The mobile application uses the insecure HTTP protocol to communicate with the server. HTTP lacks encryption, so sensitive data like username, password, etc. can be easily intercepted and replaced by an attacker who is connected to the same network as the user's device — for instance, if the user is using a public WiFi network.
Recommendation: Replace all HTTP links in the application with their HTTPS equivalents.
Links
https://cwe.mitre.org/data/definitions/319.html
https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication
The application uses external storage (SD card) to read/write data. Data stored externally can be read and modified by any third-party applications installed on the same mobile device, which can lead to information disclosure, data tampering, or other malicious behavior. Example: if an application stores its third-party .so libraries on external media, these libraries can be modified by a malware application, which in turn may lead to arbitrary code execution in the context of the running application.
Recommendation: Do not store executable files, configuration files, or sensitive user data on the SD card.
Links
https://cwe.mitre.org/data/definitions/921.html
https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage
An attacker has the ability to control the path to a file, which can lead to private data being stored in a public directory to which the attacker has access; data coming from the attacker being read as though they were legitimate; or modification or deletion of existing files. The developer must remember that even if the attacker has no access to certain protected files, the legitimate application does — so the attacker's objective is to make the application carry out harmful actions on its own.
Recommendation: The developer must make sure file paths can only be obtained from trusted sources. In addition, it's recommended to store files with private data in the /data/data/%package_name%/ directory (the path may be obtained by calling Context.getFilesDir()), to which other apps installed on the device do not have access.
Links
https://cwe.mitre.org/data/definitions/73.html
https://cwe.mitre.org/data/definitions/22.html
Full file access is permitted in WebView to pages loaded using the file:// scheme. If JavaScript execution is permitted, and if other vulnerabilities are present, an attacker can use a specially created script to gain access to any local files to which the app itself has access.
Recommendation: It's recommended that developers disable this functionality by using a call to myWebView.getSettings().setAllowFileAccessFromFileURLs(false), so as to avoid leaking personal data.
Links
https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccessFromFileURLs(boolean)
https://cwe.mitre.org/data/definitions/200.html
The app uses paths in the FileProvider declaration which provide access to too large a set of files; if other vulnerabilities are present, this may lead to unsanctioned access to files that can be reached through these paths.
Recommendation: The developer should determine why they need the particular Android FileProvider and define only the paths they require. An excessively broad definition of these paths should be avoided.
Links
https://cwe.mitre.org/data/definitions/200.html
https://cwe.mitre.org/data/definitions/1032.html
Access to data using content:// is not disabled in WebView, or is explicitly enabled. The danger is that an attacker may be able to insert a specially-prepared link into the website and use it to load some protected content (for instance, photos from /data/data/<package_name>/ directories, in a similar way to <img src="content://my.app.authority/photos/1.jpg">) and then employ specially created JavaScript code to gain access to the actual data, leading to the theft of user information.
Recommendation: If the app does not use this functionality, developers are recommended to disable access to content using content:// by calling myWebView.getSettings().setAllowContentAccess(false).
Links
https://developer.android.com/reference/android/webkit/WebSettings#setAllowContentAccess(boolean)
https://cwe.mitre.org/data/definitions/200.html
The application allows the use of the WebSettings setAllowFileAccess method. The setAllowFileAccess method allows JavaScript to access local files in the context of the running application. By performing a Man-in-the-Middle attack or tampering with a server response, an attacker is able to access the application's files, such as preferences, local databases, cache, etc. This can lead to the leakage of confidential data, such as authentication tokens and passwords. It's not recommended to use the setAllowFileAccess method unless absolutely necessary.
Recommendation: Do not use the setAllowFileAccess method unless absolutely necessary, and explicitly set this value to false if you are not planning to access local files from WebView.
Links
https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess(boolean)
https://cwe.mitre.org/data/definitions/200.html
The "android:allowBackup" attribute is set to "true" in AndroidManifest.xml, thus making it possible to back up all the application's data, including local databases, preferences and the user's personal data, to external storage where it can be accessed by an unauthorized third-party application. It's highly recommended to explicitly set the "android:allowBackup" attribute to false to avoid data leakage.
Recommendation: Set "android:allowBackup" to false in the AndroidManifest.xml file.
Links
https://developer.android.com/guide/topics/manifest/application-element#allowbackup
https://cwe.mitre.org/data/definitions/1032.html
Using an implicit activity start is dangerous since the component is not defined and the Android OS asks the user what should actually be started. Using a malware application, the attacker can register a custom activity in AndroidManifest.xml containing the action from the intent and specify priority 999 in the intent-filter. When startActivity or its equivalent is executed, a dialog window with a list of all possible applications will be shown with the malware at the very top. If the user chooses the fake application, the start of the activity with intent extras will be hijacked, which may result in the theft of app usage statistics, as well as different application states. In the case of startActivityForResult, there is an additional risk related to the resulting data. When the call is hijacked, the attacker's activity can use a setResult(...) call to transmit arbitrary data to the onActivityResult(...) method of the victim's activity, which may become an additional source of infected data for the app.
Recommendation: Always use explicit intents to start activities using the setComponent, setPackage, setClass or setClassName methods of the Intent class.
Links
https://blog.oversecured.com/Interception-of-Android-implicit-intents/
https://cwe.mitre.org/data/definitions/927.html
One or more of the application’s content providers are not protected by a signature permission in the AndroidManifest.xml file and can be exported. For applications that set either android:minSdkVersion or android:targetSdkVersion to "17" or higher, all providers are non-exported by default unless the android:exported attribute is set to "true" or an intent-filter element is defined. For applications that set either android:minSdkVersion or android:targetSdkVersion to "16" or lower, the default exported status is true. Using a malware application, an attacker can read or write the exported content provider, which can lead to leakage of sensitive information or unpredictable application behavior. To enable the most restrictive and therefore most secure policy, you should minimize the number of exported components by explicitly setting the "exported" flag to false, or by using signature permissions.

Set exported=false for all broadcast receivers that should not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported activity
Found in the file AndroidManifest.xml
<activity android:name="oversecured.ovaa.activities.DeeplinkActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="oversecured" android:host="ovaa"/>
    </intent-filter>
</activity>
One or more of the application’s activities are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All activities are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to an exported activity, which can lead to data spoofing or even code execution. For example, activities such as WebViews can be vulnerable to JavaScript injection attacks, content spoofing or clickjacking. Although activities are less exploitable than services, it is still highly recommended to check all the data passed to them. To secure the application, minimize the number of exported components by explicitly setting the "exported" flag to false, or by using signature permissions.

Make sure you are exporting only activities that really need the ability to be started by any third-party application; or create permissions using the android:protectionLevel="signature" parameter in the AndroidManifest.xml file for all activities that are intended to be started only by your application, and set the parameter exported=false for all activities that may not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported activity
Found in the file AndroidManifest.xml
<activity android:name="oversecured.ovaa.activities.LoginActivity">
    <intent-filter>
        <action android:name="oversecured.ovaa.action.LOGIN"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>
One or more of the application’s activities are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All activities are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to an exported activity, which can lead to data spoofing or even code execution. For example, activities such as WebViews can be vulnerable to JavaScript injection attacks, content spoofing or clickjacking. Although activities are less exploitable than services, it is still highly recommended to check all the data passed to them. To secure the application, minimize the number of exported components by explicitly setting the "exported" flag to false, or by using signature permissions.

Make sure you are exporting only activities that really need the ability to be started by any third-party application; or create permissions using the android:protectionLevel="signature" parameter in the AndroidManifest.xml file for all activities that are intended to be started only by your application, and set the parameter exported=false for all activities that may not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported activity
Found in the file AndroidManifest.xml
<activity android:name="oversecured.ovaa.activities.MainActivity">
    <intent-filter>
        <action android:name="oversecured.ovaa.action.ACTIVITY_MAIN"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>
One or more of the application’s activities are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All activities are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to an exported activity, which can lead to data spoofing or even code execution. For example, activities such as WebViews can be vulnerable to JavaScript injection attacks, content spoofing or clickjacking. Although activities are less exploitable than services, it is still highly recommended to check all the data passed to them. To secure the application, minimize the number of exported components by explicitly setting the "exported" flag to false, or by using signature permissions.

Make sure you are exporting only activities that really need the ability to be started by any third-party application; or create permissions using the android:protectionLevel="signature" parameter in the AndroidManifest.xml file for all activities that are intended to be started only by your application, and set the parameter exported=false for all activities that may not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported service
Found in the file AndroidManifest.xml
<service android:name="oversecured.ovaa.services.InsecureLoggerService">
    <intent-filter>
        <action android:name="oversecured.ovaa.action.DUMP"/>
    </intent-filter>
</service>
One or more of the application’s services are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All services are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to the exported service, which can lead to invocation of other components of the application or to code execution. For example, if a service can send files via email and a file path is passed to the service as a parameter, an attacker can choose any file owned by the running application and send it to an arbitrary email address. Services are the most exploitable of the intent-driven components, so it is highly recommended to check all the data passed to them. To enable the most restrictive, and therefore most secure, policy, you should minimize the number of exported components by explicitly setting the "exported" flag to false, or by using signature permissions.

Make sure you are only exporting services that really need the ability to be started by third-party applications; or create a permission with android:protectionLevel="signature" in the AndroidManifest.xml file and use it for all services that are to be started only by your applications, setting exported="false" for all services that should not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Enabled JavaScript
Found in the file oversecured/ovaa/activities/WebViewActivity.java
private void setupWebView(WebView webView) {
    webView.setWebChromeClient(new WebChromeClient());
    webView.setWebViewClient(new WebViewClient());
    // Flagged by this finding: JavaScript is enabled for all loaded content
    webView.getSettings().setJavaScriptEnabled(true);
    // Also allows file:// pages to read other local files via XHR
    webView.getSettings().setAllowFileAccessFromFileURLs(true);
}
The application sets the WebSettings setJavaScriptEnabled method to true. The setJavaScriptEnabled method allows the execution of JavaScript in the context of the running application. By performing a Man-in-the-Middle attack or tampering with a server response, an attacker is able to inject and execute arbitrary JavaScript code. This can lead to information leakage or remote code execution. It is not recommended to use setJavaScriptEnabled unless absolutely necessary. Disable this setting to enforce security.

Set setJavaScriptEnabled to false, or make sure the server uses an encrypted channel (using https with correct certificate verification) and that there are no vulnerabilities in the server part of the application.
Links
https://cwe.mitre.org/data/definitions/79.html
The application uses one or more broken hash functions. Due to several critical flaws, such as collision and preimage weaknesses, it is not recommended to use these functions.

Use SHA-256 or better instead of other hashing algorithms.
Links
https://owasp.org/www-project-mobile-top-10/2016-risks/m6-insecure-authorization
https://cwe.mitre.org/data/definitions/327.html