Posts

About addJavascriptInterface abuse in Android Browsers

So I started writing this post like most of the others I've written this year, as just another rash vulnerability disclosure, but I decided to turn it into more of a discussion about the addJavascriptInterface vulnerability.

I base the discussion on some vulnerabilities I've found in various Android browser apps. Specifically, I'm going to talk about some novel methods I used to enumerate browser applications that use JavaScript bridges insecurely. Naturally, in learning how to detect the vulnerability you will also learn how to protect your own applications from the exploitation methods discussed.
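The enumeration idea above, as an added example in JavaScript that is not the post's own code and is not the author's method: a page-side check that walks a window object looking for injected Java objects. It relies on a documented WebView behaviour, not on anything specific to the browsers in the post: before Android 4.2, and on 4.2+ when the app targets an API level below 17, every public method of an object passed to addJavascriptInterface() is callable from script, including Object.getClass(). The window stand-in, the bridge names (bridgeA, bridgeB) and the property values are constructed for the example.

```javascript
// Added example (not from the original post or any of the apps it discusses):
// enumerate JavaScript-to-Java bridges exposed on a window-like object.
// An object injected with WebView.addJavascriptInterface() exposes every public
// Java method to page script unless the app targets API 17+ and the methods are
// annotated with @JavascriptInterface. The tell-tale is Object.getClass(), which
// no ordinary browser object has; that reflection surface is what makes the
// bridge abusable, so it is also what the check looks for.
function findJavaBridges(win) {
  const found = [];
  for (const name of Object.getOwnPropertyNames(win)) {
    let value;
    try {
      value = win[name];            // some window properties throw on access
    } catch (e) {
      continue;
    }
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      continue;
    }
    // A getClass *function* indicates a Java object; a plain property named
    // getClass (see 'lookalike' below) does not.
    if (typeof value.getClass === 'function') {
      found.push(name);
    }
  }
  return found;
}

// Constructed stand-in for a WebView's window object: two hypothetical injected
// bridges plus ordinary properties. Real bridges are Java proxy objects; only
// the observable getClass() shape is modelled here.
const fakeWindow = {
  document: { title: 'example' },
  navigator: { userAgent: 'Mozilla/5.0' },
  bridgeA: { getClass: function () { return 'java.lang.Object'; } },
  bridgeB: { getClass: function () {}, showToast: function () {} },
  lookalike: { getClass: 42 },   // property named getClass, but not a function
  empty: null,
};

// In a real WebView you would call findJavaBridges(window) from a page loaded in
// the browser under test and report the names; on a WebView where the methods
// are properly annotated the list should be empty.
```

The check is deliberately conservative: it reports only objects that actually expose reflection, so an app that already annotates its bridge methods and targets API 17 or higher produces no hits even though a bridge is present.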


Path Traversal Vulnerability in OI File Manager for Android

# Disclosure Date: 12/02/2014
# Author: Keith Makan
# Vendor or Software Link: org.openintents.filemanager
# Version: 2.0.5
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash

Path Traversal Vulnerability in 'com.smartwho.SmartFileManager' 3.1.2 for Android

# Disclosure Date: 30/01/2014
# Author: Keith Makan
# Vendor or Software Link: com.smartwho.SmartFileManager
# Version: 3.1.2
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash

Critical Information Leakage Vulnerabilities in 'Next Browser' 1.16 for Android

# Disclosure Date: 30/01/2014
# Author: Keith Makan
# Vendor or Software Link: https://play.google.com/store/apps/details?id=com.jiubang.browser&hl=en
# Version: 1.16
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash

Path Traversal Vulnerability in File Explorer (FX) for Android

# Disclosure Date: 31/01/2014
# Author: Keith Makan
# Vendor or Software Link: https://play.google.com/store/apps/details?id=nextapp.fx&hl=en
# Version: 2.3.0.10 
# Tested on: Android 3.2.1 (HTC Flyer)
# Tools : Drozer, Bash

About.me Cookie Based XSS

About.me suffered from a cross-site scripting flaw I found a few days ago. The interesting thing about this flaw is that it was cookie based. The following post details how I found it and what I did to confirm that it was exploitable; it also discusses some points worth considering when you find an XSS triggered by cookie values.

Even Faster Blind SQL injection methods

A method presented at DerbyCon and BlackHat involves extracting not the bits of the character itself but the bits of the character's position in a lookup table containing a set of ASCII character values (more on this later). This post discusses the conceptual advantages and fundamental drawbacks of the bin2pos method and introduces a new variant I've developed which is more stable and requires at most 4 requests per character extracted, but imposes some configuration requirements on the target web server.
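The difference between classic bit-by-bit extraction and bin2pos, as an added simulation in JavaScript that is not the post's own code and does not reproduce the author's variant: a boolean oracle stands in for the true/false page of a blind injection, and each probe counts as one request. The 15-character lookup table, the secrets and the 4-bit position width are constructed for the example (the width follows from the table size, not from the author's 4-request bound); the SQL each probe would correspond to is given in comments. It also shows the fundamental drawback the excerpt refers to: a character absent from the table cannot be recovered by position alone.

```javascript
// Added example (not the author's code): count requests for blind SQL injection
// character extraction by (a) classic 7-bit ASCII extraction and (b) bin2pos,
// binary extraction of the character's 1-based position in a lookup table.

// Constructed table of 15 characters. POSITION()-style lookups are 1-based, so
// 0 means "not in table" and 4 bits cover every possible answer 0..15.
const TABLE = 'etaoinsrhldcum_';
const POS_BITS = 4;   // ceil(log2(TABLE.length + 1))

// Boolean oracle: one ask() == one HTTP request to the injectable page.
// The secret is held here only to simulate the database's answer; the
// extraction functions never read it directly.
function makeOracle(secret) {
  const state = { requests: 0 };
  state.ask = (index, predicate) => {
    state.requests += 1;
    return Boolean(predicate(secret.charCodeAt(index)));
  };
  return state;
}

// (a) Classic: one probe per ASCII bit, i.e.
//     ... AND (ASCII(SUBSTRING(secret, i, 1)) >> k) & 1 = 1
function extractAscii(oracle, index) {
  let code = 0;
  for (let bit = 6; bit >= 0; bit -= 1) {
    if (oracle.ask(index, (c) => (c >> bit) & 1)) code |= 1 << bit;
  }
  return String.fromCharCode(code);
}

// (b) bin2pos: one probe per position bit, i.e.
//     ... AND (POSITION(SUBSTRING(secret, i, 1) IN 'etaoinsrhldcum_') >> k) & 1 = 1
function extractPosition(oracle, index) {
  let pos = 0;
  for (let bit = POS_BITS - 1; bit >= 0; bit -= 1) {
    const probe = (c) => ((TABLE.indexOf(String.fromCharCode(c)) + 1) >> bit) & 1;
    if (oracle.ask(index, probe)) pos |= 1 << bit;
  }
  return pos;   // 0: the character is not in TABLE
}

// Extract a whole value. The length is assumed known (found beforehand in a
// real attack). method: 'ascii' | 'bin2pos' | 'hybrid' (bin2pos, falling back
// to 7-bit extraction for characters outside the table).
function dump(secret, method) {
  const oracle = makeOracle(secret);
  let value = '';
  let misses = 0;
  for (let i = 0; i < secret.length; i += 1) {
    if (method === 'ascii') {
      value += extractAscii(oracle, i);
      continue;
    }
    const pos = extractPosition(oracle, i);
    if (pos > 0) {
      value += TABLE[pos - 1];
    } else {
      misses += 1;
      value += method === 'hybrid' ? extractAscii(oracle, i) : '?';
    }
  }
  return { value, requests: oracle.requests, misses };
}
```

With the constructed table, a secret made entirely of table characters costs 4 requests per character instead of 7 (36 versus 63 for a nine-character value), while a secret containing two digits costs 4 requests per character and still leaves two characters unknown; the hybrid pays an extra 7 requests for each of those, which is where the choice of table decides whether the method wins or loses against plain bit extraction.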