INPUT VALIDATION ISSUES 2 - FILE PROTOCOL
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN3ysPFDiLz71tKNKtTbQ-gbYIMOvFyzCKI9CWL78TjPKjXRWYpCIlFmXgXhGx2AJ03-cD6Vx-LMBzN8gZzBhlbR1mLbvF3IFft3RoDMDfuNW6_eUA1t68o-9wqG_cxHU7to9FSgnsuPpq/s1600/screenshot.1.jpg)
- Connecting from Santoku to Nexus 5 with ADB:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYPhk653C14QA8vth06HWnXBRzLa4itaCupLrevAArhsXls8xlPnBjqnB7G9OexQ9Gw-iTW0IdEsuYLhnHoyJgNyT3ta6dIQkIP20bRiI7-iGSeLanLEgnTEoAxE4-6vAsDxFRU1Bfsk6C/s1600/screenshot.2.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz26LudzftvVhlVECnYZvnq2eZHOOhCD0Ku501fUdU0VM2la60N2SRK0UcblEUUP2u7NKDULpBFOE4H4eZbq09qhg1-k-HFMB1AvTWLoaymRoY21KQJ5kMcplr3hUecqXdIup0YuKXvHjT/s400/screenshot.3.jpg)
- Clicking the tab for challenge 8:
- The application asks for an URL, for instance https://dgmsp.blogspot.com:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVL73cXuL1Pl6r-x9mHC1UB9WfRuhmdnynOhf6_HVfeRKRAfo0R6XnxLWpBPwywwydgTFhTAJ1aBMjPAxLSg_20eRrBIYIgIWFRl5NcZNkfTe4y9po3GLAFwIkwdtEPAz5WOBTFC2Z94HL/s1600/screenshot.6.jpg)
- The browser opens the website of this blog, as expected:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpwrFelThUnKLtv7hHHkfvsU8v-NGwwn_k1tHdhTYBX3yTw6czC86pqtpgx70k69Py98_8SENN84yNkJNbuc7NEThZi_N2-7mR8Sw8FDGhthtHWgidsIKJiEk4YBAZM75y6yHvpPqghDcE/s640/screenshot.5.jpg)
- However, this circumstance can be used to exploit the browser using a different protocol than HTTP, for instance the File protocol, to read the contents of the internal file system, or even data at external storage.
- From a previous exercise, we have some credentials stored at this path:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH1xMricgnxOFGGZABwsVwXDSIYD2frtrxMjfbgZB4GfEzgNCUp74TAlokG_gu2u5Ge4H3yIbzKitLifPRgB2txw9WHja5P5por9CNF-tcQxqA8jsae3Z96WQmKE_wSwPT2EzSV0mYoi5p/s1600/screenshot.7.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjDINp0Gjr-5NNjv38yVPSWpSa6TzESsuKm2K1GAVBSdxSPAGbCxskMp0E1WQWeFcqjHArzQpK_QDbZMuUJiYeBb45-0KCVlB33P7B-8IxZO5fNfIEA_-uXRGIQUEXE3yQnpQQkRmFp4vN/s1600/screenshot.8.jpg)
- Using the File protocole, access to the uinfo file can be achieved:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLQfe9Gq8h3ta6FQrgMUy8pawUjW4NZ8Nxo6NDQXgsmNHSLdLU57XMhcjlau9V1gPTGPeDfzNGc_0N6WhZ6IbHk0bfUlxxujoVzI3Io1vsrS7jzIv1pZTeWmFj7Qt8htJqZqB77dHhxhaB/s1600/screenshot.9.jpg)
- Introducing the File path as input, the content of the uinfo file is displayed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJpn2hZm6uZ9XdjKXaRQb2_sWhafzjV5nGUbJTyHZVaHzpKJuQkeiwpgennrORhJ2I-QOl0Hoz_9nqpwh8xKQxP5TQoZNO2gQ9EggzX6zzvEaQwioGZPyEI6wl385c_3R3nLsUx-c4XCGT/s640/screenshot.10.jpg)
- In the same way, this input validation vulnerability can be used for accessing data at external storage. For instance, let's say that there is a Key file at the SD card:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJpXEjwwcHdncLvPLb3Z9nTSDlk_8BJPMywSB1sat9UZMC20Q-kLBxdGunKgs497OcIULWxc6_HIt45VsDpybe1Z5Co5GGzUUvdqJG-dSOBF1Pbmr4sRFRd045xAM9WyWoUTX4-ttrF-DN/s400/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDcDdSTRrlfT1-4gbNZQiL7vdW1pU3B-nc4lVcwGbJj6HtHOEA0hO5ZerbcsaQkz3dw7OEfid4FhxxyBj6cow3XYfid-VpKCQsuntpaD9OYznO_0SRSVxRpX_3NZsynJtCJd_KBNp3rFKb/s400/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9uxIZIWbXDu2sWUvdXMVmYIf42Hd5NM8zaLMSdukOK5IeN-vLQFWAhWWhtfmdwufWF2QihoXa1XnjOwBPyVISmlpp1nSZTDj8itJifxpVHSxAYy0geqbkf4Rx9X6kGX3-xuN_VNzrPaB1/s1600/screenshot.13.jpg)
- Introducing the path to the external storage or SD card, the content of the Key file is displayed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDF70ORniL71PkDTAsP-Lx-K4nlJHNs_Be5f7LXRVC-vyEFj0Q4rstA1EpWc3glHIQPx01hSPtlDwh0oaF-_Y9mEeSqtbNK7TAPM1GttBeyRhHA2gK1Jvo2p9kxn2yyyOhCYX4nQyvAQuP/s1600/screenshot.14.jpg)