Insecure Input Validation

Galilei
Mobile Penetration Testing
4 min read · Mar 31, 2019

Insecure input validation is one of the classic mistakes of careless developers. This is not a new issue; we see many development-based vulnerabilities in the web world too, such as:

  • XSS
  • CSRF
  • File Inclusion
  • SQL Injection

In the journey of solving DIVA, we see two related tasks. The purpose is very simple: they warn us to validate any data entered, whether by the user or by another application.

07. Input Validation Issues — Part 1 (SQL Injection)

Start the activity and read the label at the top. You can infer that there are three users and one of them is ‘admin’. We have to find the other users. Enter ‘admin’ in the EditBox and press Search. You’ll see the following result:

The application shows the password and credit card of ‘admin’. Entering a wrong value triggers an error.

Web application penetration testers have an interesting habit: they always try special characters in every input. Sometimes these cause interesting events. Some of these special characters are:

  • $
  • #
  • etc.

By testing the mentioned characters, you’ll see that when we enter admin' or ' the application takes no action (probably an error that is not displayed).

This may be SQL injection, but we are not sure yet. We can confirm it by adding SQL comment characters. SQL comment syntax is:

  • /* some text */
  • -- some text (two hyphens followed by one space)

Great. The result suggests that the query running in the background is something like:

SELECT * FROM userTable WHERE user='<USER INPUT>'

By adding our payload, the query becomes the following string:

SELECT * FROM userTable WHERE user='admin'-- '

Let’s make the WHERE clause true for every row in the table with 1=1 and see what happens.

SELECT * FROM userTable WHERE user='' or 1=1-- '

Interesting: the Toast shows all users in the table. In other words, mission complete.

There are many different answers for this task; it depends on your knowledge of SQL injection. Try different SQL injection methods, and in the end write your SQL injection method for me in the comments.
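To make the root cause concrete, here is an added example (not code from DIVA or from this post) in Python with SQLite, which is also what Android uses for local databases: a lookup that splices the input into the query text, as the post infers DIVA does, beside the same lookup with a bound parameter. The table layout, column names and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data standing in for the app's user table
# (the real column names in DIVA are an assumption).
SAMPLE_USERS = [
    ("admin", "p@ssw0rd", "1111-2222-3333-4444"),
    ("diva", "p@ssword", "5555-6666-7777-8888"),
    ("john", "p@ss123", "9999-0000-1111-2222"),
]


def make_db():
    """In-memory SQLite database mirroring the userTable the post infers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userTable (user TEXT, password TEXT, credit_card TEXT)")
    db.executemany("INSERT INTO userTable VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, user_input):
    """The pattern the post infers: the input is spliced into the SQL text,
    so a quote and '--' inside it change the structure of the query."""
    query = "SELECT * FROM userTable WHERE user='" + user_input + "'"
    return db.execute(query).fetchall()


def lookup_safe(db, user_input):
    """Hardened form: the input is bound as a parameter, so SQLite treats
    the whole string as a literal value and never as SQL syntax."""
    query = "SELECT * FROM userTable WHERE user=?"
    return db.execute(query, (user_input,)).fetchall()


def compare(user_input):
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    db = make_db()
    try:
        return lookup_vulnerable(db, user_input), lookup_safe(db, user_input)
    finally:
        db.close()


if __name__ == "__main__":
    # The second input is the payload from the post; only the spliced query leaks every row.
    for inp in ["admin", "' or 1=1-- "]:
        vuln, safe = compare(inp)
        print(f"{inp!r}: vulnerable -> {len(vuln)} rows, safe -> {len(safe)} rows")
```

The same bound-parameter form is what Android's SQLiteDatabase.rawQuery with selectionArgs gives you, so the fix in the app is a one-line change.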

08. Input Validation Issues — Part 2

Android has been designed very flexibly. There are many ways to start even one simple intent. Developers learn the common methods, but sometimes they are not aware of the alternatives. We’ll discuss one of these alternatives here.

Task number 08 of DIVA is a WebView. You just need to enter a URL, and it tries to load the website below. The application fails to load it because the INTERNET permission is not included in the manifest, but that is not a problem for us.

In Android, data passed between applications is commonly addressed as a URL. For example, we created a file in the earlier parts, and to read that file we only need to type the following text in the browser address bar:

file:///sdcard/.uinfo.txt

And Chrome or the WebView will be able to read and render that file.

And in our DIVA application:

In the image, we see the application loads a local file instead of a URL. This is the kind of mistake that new developers may make. WebView behaviour is controlled by settings flags, and there are some security checks you should be aware of in WebView:

  • JavaScript
  • SSL checking
  • External storage access

We’ll create a complete course on WebView in the future, so that is enough for now. Please comment your ideas about the tutorial and help us improve content quality.

Final words

We have prepared a step-by-step Android penetration testing guide based on our own experience here. Check for new posts from time to time.

Feel free to add comments to help us improve our posts. By the way, security belongs to everyone.
