Saturday, December 31, 2016

ANDROID PT - DIVA / 7 - Input Validation Issues 1 - SQL Injection Vulnerability


- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application: 

- Clicking the tab for challenge 7:

- The application prompts the user to enter a username. If the username is invalid, the application outputs a "not found" message:

- The goal of this challenge is to retrieve the user data stored in the local database.

- Examining the Java source code for this activity:

- The Java source code shows an SQLite database that stores the users' credentials:

- The SQL statement embedded in the Java code queries the users stored in the database:

- This query is vulnerable to a typical SQL injection like this:

SELECT * FROM sqliuser WHERE user = 'Thomas' or '2'='2'--

- Looking at the previous statement, the WHERE condition is composed of two parts. The first part corresponds to an invalid user, but it is joined to the second part with the binary OR operator. The second part is always "true" ('2'='2'), so the whole condition is also "true" (0 OR 1 = 1). The two trailing hyphens -- mean that everything after them is treated as a comment.

- Entering the expression Thomas' or '2'='2'-- as input, the SQLite database evaluates the condition as "true", giving access to all the data stored in the database.
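
- The same behaviour, reproduced against an in-memory SQLite database with the concatenated query next to its parameterized fix. This is an added example, not code from the original post or from DIVA: it uses Python's sqlite3 module instead of the Android API, the columns other than user are assumed, and the rows are constructed sample data.

```python
import sqlite3

PAYLOAD = "Thomas' or '2'='2'--"  # the input used in the post


def make_db():
    """In-memory database. Table name and 'user' column follow the query in
    the post; the other columns and all rows are constructed for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sqliuser (user TEXT, password TEXT, credit_card TEXT)")
    db.executemany(
        "INSERT INTO sqliuser VALUES (?, ?, ?)",
        [
            ("admin", "constructed-pw-1", "0000111122223333"),
            ("diva", "constructed-pw-2", "0000444455556666"),
        ],
    )
    return db


def search_concatenated(db, name):
    # Vulnerable pattern: the input is pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM sqliuser WHERE user = '" + name + "'"
    return db.execute(sql).fetchall()


def search_parameterized(db, name):
    # Hardened form: the statement is fixed and the input is bound as a
    # value, so quotes and hyphens are only compared against the column.
    return db.execute("SELECT * FROM sqliuser WHERE user = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", len(search_concatenated(db, PAYLOAD)), "rows")
    print("parameterized:", len(search_parameterized(db, PAYLOAD)), "rows")
```

On Android the corresponding fix is to keep the ? placeholder in the SQL string and pass the input through the selectionArgs argument of SQLiteDatabase.rawQuery().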