1 00:00:01,670 --> 00:00:05,720 So in this case, take a look at issues that are related to input validation.
2 00:00:05,720 --> 00:00:11,900 So whenever we get input from a user we should be validating that input in whatever way that we
3 00:00:11,900 --> 00:00:12,320 can.
4 00:00:12,350 --> 00:00:18,860 So we should be sanitizing, making sure that they don't input anything that's vulnerable or that could
5 00:00:18,860 --> 00:00:21,650 potentially lead to an exploit, essentially.
6 00:00:21,650 --> 00:00:27,800 So there are a few different types of input validation errors that can occur inside of an Android app.
7 00:00:27,800 --> 00:00:30,580 So we're going to take a look at a few common ones right now.
8 00:00:30,620 --> 00:00:35,960 So the first set of input validations has to do with database validation.
9 00:00:35,990 --> 00:00:41,440 So when we're inputting things into this we can see that, for instance, if I put a user here and press
10 00:00:41,460 --> 00:00:44,310 search, we'll see "user not found".
11 00:00:44,450 --> 00:00:49,480 So you can see it will echo back whatever value the input is.
12 00:00:49,700 --> 00:00:54,270 And it will tell us that it's not found, or it will echo back the details of the user, presumably,
13 00:00:54,380 --> 00:00:59,420 if we had put in one that is found. If we're looking for the code that's related to this we can go to the SQL
14 00:00:59,420 --> 00:01:03,620 injection activity and this will show us exactly what's going on.
15 00:01:03,620 --> 00:01:07,300 So as you can see here it's doing a raw query against the database.
16 00:01:07,340 --> 00:01:12,290 And this is the query that's actually happening, and you can actually see that when it encounters an
17 00:01:12,290 --> 00:01:16,130 exception it's going to actually show the exception in the error log.
18 00:01:16,430 --> 00:01:22,550 So this means that if we go into our logcat, which I've got opened here in Android Studio, when I input
19 00:01:22,550 --> 00:01:24,490 something invalid.
20 00:01:24,500 --> 00:01:29,750 So for instance, a very good example of this for testing purposes would be a single quote. A
21 00:01:29,780 --> 00:01:35,040 single quote is a piece of SQL syntax, so if it's interpreted like code it should cause an error.
22 00:01:35,060 --> 00:01:39,320 See, when I search this we've got this error here that's an "unrecognized token".
23 00:01:39,320 --> 00:01:45,500 This tells us that we're interpreting that token as code rather than interpreting it as an input.
24 00:01:45,500 --> 00:01:49,470 So this means immediately to me that this is vulnerable to SQL injection.
25 00:01:49,490 --> 00:01:52,860 So let's take a look at how we can craft SQL injection with this.
26 00:01:52,880 --> 00:01:57,470 We have access to the query here, and again this isn't an uncommon thing: if we can decompile the code
27 00:01:57,470 --> 00:02:04,670 we can gain access to the queries, and as you can see our input is going in right here, so it comes in right
28 00:02:04,670 --> 00:02:07,730 in the middle here, running between two single quotes.
29 00:02:07,850 --> 00:02:12,710 What that tells me is that if I can end the single quote and then input something that's always true,
30 00:02:12,770 --> 00:02:18,720 and then maybe put a comment at the end, that will allow me to execute where user equals blank or
31 00:02:18,740 --> 00:02:23,820 1 equals 1, which is always true, which will return to me the whole database back.
32 00:02:23,990 --> 00:02:28,160 So let's take a look at exactly what that looks like. If I put the closing quote here,
33 00:02:28,160 --> 00:02:37,280 this will close the user's input, and then we'll say or, so it'd be or 1 equals 1, and then we can put a comment,
34 00:02:37,330 --> 00:02:42,400 so those two dashes at the end is a comment. Or 1 equals 1 is something that's always true.
35 00:02:42,470 --> 00:02:45,750 And the closing single quote would close off this starting quote here.
36 00:02:45,750 --> 00:02:48,770 So it'd be user equals blank or 1 equals 1.
37 00:02:48,800 --> 00:02:52,970 And then it comments out this bit here, this end single quote
38 00:02:52,970 --> 00:03:00,200 here, so it isn't interpreted as code, and in doing this it will give us a valid query, and the valid query is going
39 00:03:00,200 --> 00:03:06,320 to return to us all of the contents inside of the database. So see, when I click search here it exposes the
40 00:03:06,320 --> 00:03:08,300 whole database credentials.
41 00:03:08,300 --> 00:03:08,630 Right.
42 00:03:09,200 --> 00:03:14,450 So you can see that this is an example of being able to leak information from a database using an invalid
43 00:03:14,590 --> 00:03:15,220 input.
44 00:03:15,260 --> 00:03:21,140 So SQL injections are a very common type of input validation error that happens in a lot of different
45 00:03:21,140 --> 00:03:26,760 instances, so this would be one example, and this is one thing that you're always able to sort of test.
46 00:03:27,010 --> 00:03:31,520 It's not always where you get the error actually printing into the log; it's actually quite rare that
47 00:03:31,520 --> 00:03:32,780 someone would give you that.
48 00:03:33,080 --> 00:03:38,810 However, again, if you just sort of search for rawQuery, or query in general, you should be able to
49 00:03:38,810 --> 00:03:41,910 find instances where this sort of thing happens.
50 00:03:41,940 --> 00:03:44,810 So this is one type of input validation that's relatively common.
51 00:03:44,810 --> 00:03:50,690 I'm going to show you another type of input validation that is rather interesting and a bit different.
52 00:03:50,690 --> 00:03:53,780 So with this one here you see that we can type in a URL to view.
53 00:03:53,810 --> 00:04:01,940 So if I put in google.ca, for instance, if I press view you see it brings up the web page
54 00:04:02,000 --> 00:04:03,590 for Google.
55 00:04:03,590 --> 00:04:06,070 So this is just like a simple web browser.
56 00:04:06,080 --> 00:04:10,130 And if we go into the code of it we can get a bit of a better idea of what's actually happening.
57 00:04:10,130 --> 00:04:13,160 So you see here we have the input validation scheme.
58 00:04:13,160 --> 00:04:15,380 You see that it just does a loadUrl.
59 00:04:15,690 --> 00:04:20,690 Now on the surface this probably looks quite innocent, because loadUrl would imply to us that we're
60 00:04:20,690 --> 00:04:23,160 just loading any sort of, you know, web page URL.
61 00:04:23,480 --> 00:04:29,270 However, the interesting point here is that in Android we actually treat files as URLs as
62 00:04:29,270 --> 00:04:29,880 well.
63 00:04:30,050 --> 00:04:34,760 So you can actually access files on the system using the URL path of them.
64 00:04:34,760 --> 00:04:40,370 So for instance you could do something like this: you could say file, colon, and then you put three
65 00:04:40,370 --> 00:04:43,910 slashes, and then you put in the path to the file.
66 00:04:43,910 --> 00:04:47,400 So we'll say /data/data, for instance.
67 00:04:47,540 --> 00:04:50,270 I'm going to pick a file that I know exists.
68 00:04:50,270 --> 00:04:52,740 So this is inside of the data files that we're looking at.
69 00:04:52,820 --> 00:05:01,420 We were taking a look at insecure storage and we know that there is one here called
70 00:05:01,710 --> 00:05:06,100 jakhar.aseem.diva_preferences.xml.
71 00:05:06,620 --> 00:05:15,480 You could see I just put in the whole path, then the file itself, and now it just crashed there,
72 00:05:15,550 --> 00:05:17,370 so let's try that one more time.
73 00:05:17,420 --> 00:05:19,990 Not sure why it crashed there.
74 00:05:20,030 --> 00:05:23,830 We'll give this another try.
75 00:05:24,140 --> 00:05:27,590 There are some instances where this app may crash on you.
76 00:05:27,590 --> 00:05:33,890 It's not overly common, but it could be from some other testing that I was doing related to this app
77 00:05:33,890 --> 00:05:35,800 for input validation.
78 00:05:35,930 --> 00:05:37,880 But let's go ahead and try this.
79 00:05:37,890 --> 00:05:42,100 diva_preferences.xml.
80 00:05:42,270 --> 00:05:46,590 You'll see when I click on view here it actually displays the file below here.
81 00:05:46,590 --> 00:05:50,650 So if you remember, this is the file that we created in the
82 00:05:50,720 --> 00:05:52,310 improper storage.
83 00:05:52,700 --> 00:05:57,590 So this shows us how we can actually access that storage without necessarily even having root permissions.
84 00:05:57,590 --> 00:06:02,180 If we happen to know this path, which it wouldn't be unreasonable for us to know: if we have a rooted
85 00:06:02,190 --> 00:06:07,700 device we can find it very easily, or we can find it through the code. We can actually access it if there's
86 00:06:07,700 --> 00:06:12,110 ever like a browser that happens to take in these file paths, for instance.
87 00:06:12,140 --> 00:06:17,540 So this is a very critical vulnerability because it allows for information leaks, and we can get to really
88 00:06:17,540 --> 00:06:23,330 any sort of file on the system utilizing this, and we might even be able to access this from other applications
89 00:06:23,330 --> 00:06:26,820 if it has like a provider that allows us to launch this activity, maybe.
90 00:06:26,840 --> 00:06:27,140 Right.
91 00:06:27,170 --> 00:06:31,060 So this is a very common and critical vulnerability.
92 00:06:31,070 --> 00:06:35,990 So this is the type of input validation that you can look out for: something that's passed, like a web page,
93 00:06:36,020 --> 00:06:39,880 utilizing this loadUrl.
94 00:06:40,070 --> 00:06:46,810 It's very possible that we'll be able to load internal URLs which are actually paths to files.
95 00:06:46,850 --> 00:06:49,200 So this is another type of common input validation.
96 00:06:49,310 --> 00:06:49,570 Again.
97 00:06:49,580 --> 00:06:55,100 So we have databases and we have URL loading. The third type of input validation is a little bit
98 00:06:55,100 --> 00:06:55,710 different.
99 00:06:55,730 --> 00:07:00,520 And the way that it essentially works is by calling external libraries.
100 00:07:00,620 --> 00:07:08,510 So we'll see here it uses the DivaJni function, or not function but class rather, and you'll see that
101 00:07:08,510 --> 00:07:12,880 it uses a very specific piece, initiateLaunchSequence.
102 00:07:12,920 --> 00:07:20,270 So what's interesting about this is that if we go to this, to this input validation three, we're able
103 00:07:20,270 --> 00:07:24,530 to put in some inputs and attempt to get it to launch, and you'll see it gets this
104 00:07:24,560 --> 00:07:26,760 "access denied" in these cases.
105 00:07:27,240 --> 00:07:31,670 What we're actually able to do with this is, since it's loading a shared object library, it means that
106 00:07:31,670 --> 00:07:38,510 it's probably written in C or C++. C and C++ are relatively infamous for buffer overflows: if you can input
107 00:07:38,510 --> 00:07:40,390 something way too big into this input,
108 00:07:40,400 --> 00:07:42,500 we may be able to get it to overflow.
109 00:07:42,500 --> 00:07:48,260 So for instance, if I just type in a whole bunch of these and I push the red button you'll see
110 00:07:48,260 --> 00:07:53,870 the application crashes. When an application crashes like that it tells us that there could potentially
111 00:07:53,870 --> 00:07:59,720 be a problem, and it might be related to a buffer overflow. If we want to get a bit more detail we can
112 00:07:59,720 --> 00:08:04,850 actually go back into the logcat logs, and I'm assuming it's probably going to give us some information
113 00:08:04,850 --> 00:08:06,960 inside of here when we try to crash this.
114 00:08:06,980 --> 00:08:13,810 So let's try this again. Yeah, you'll see there we got the whole, like, sort of dump.
115 00:08:13,810 --> 00:08:19,020 So this right here is what we would call a stack trace, essentially.
116 00:08:19,400 --> 00:08:22,300 So you can see it gives us a lot of information here.
117 00:08:22,310 --> 00:08:26,300 The main things that you want to get here is that you see the parts of the stack that we've actually
118 00:08:26,360 --> 00:08:31,130 accessed, so we can see that we're actually overflowing the stack here, and you can see that it's giving
119 00:08:31,130 --> 00:08:33,360 us some errors related to that.
120 00:08:33,360 --> 00:08:40,250 Now what happens here is, if we get specially crafted input we may be able to get the device
121 00:08:40,250 --> 00:08:47,060 to execute code, which may be able to get us access to execute code under the permissions of the application
122 00:08:47,060 --> 00:08:48,170 itself.
123 00:08:48,350 --> 00:08:50,510 And this would be an extremely critical vulnerability.
124 00:08:50,510 --> 00:08:56,720 This is like a CVSS 10.0, but even just getting the stack overflow to happen creates
125 00:08:56,720 --> 00:08:58,650 a very critical vulnerability as well.
126 00:08:58,710 --> 00:09:03,210 So oftentimes, like with Java, it's not very common to see a stack overflow.
127 00:09:03,230 --> 00:09:08,090 But if you're using C/C++ libraries or languages similar to that, where you have to do memory management,
128 00:09:08,450 --> 00:09:10,460 this is definitely something that's in the possibilities.
129 00:09:10,460 --> 00:09:14,940 So if you're able to find something like this it's an extremely critical vulnerability.
130 00:09:14,960 --> 00:09:19,640 And again, the things that you want to look out for for this is any sort of class that is loading a shared
131 00:09:19,670 --> 00:09:20,210 object.
132 00:09:20,240 --> 00:09:26,870 So this DivaJni class, we talked about this earlier in this series, but you see that it has like
133 00:09:26,870 --> 00:09:28,910 this loadLibrary, right?
134 00:09:28,910 --> 00:09:34,520 Any time you see that loadLibrary you might be loading .so files, which are typically C/C++.
135 00:09:34,520 --> 00:09:38,010 Now one other thing that I will note about this is that we ran,
136 00:09:38,030 --> 00:09:44,240 when we ran strings against this library, one of the strings that came up was s-t-r-c-p-y, or string
137 00:09:44,240 --> 00:09:50,300 copy. String copy is one of those C functions that is infamous for buffer overflows if things aren't allocated
138 00:09:50,300 --> 00:09:50,930 properly.
139 00:09:50,960 --> 00:09:56,450 So those are the sort of instances where we can actually utilize strings to see what kind of functions
140 00:09:56,450 --> 00:10:00,680 might be getting called. It reveals to us, you know, the function that's getting called, which is strcpy,
141 00:10:00,680 --> 00:10:02,090 or string copy, right.
142 00:10:02,110 --> 00:10:07,510 So, and we can see that when that is used it seems like it's causing the buffer overflow.
143 00:10:07,510 --> 00:10:12,710 So it seems like that string copy is what's causing that sort of problem. To actually get remote code
144 00:10:12,710 --> 00:10:15,490 execution is a fairly more complex topic.
145 00:10:15,490 --> 00:10:20,090 It won't be one that we'll talk about in this, but I wanted to demonstrate how you might be able to identify
146 00:10:20,090 --> 00:10:24,860 those sorts of problems in an Android application to be able to report them, because again, even just finding
147 00:10:24,920 --> 00:10:28,280 a buffer overflow like that is a critical vulnerability.
148 00:10:28,340 --> 00:10:33,020 So this gives you an idea of a few different types of input validations that might commonly be found
149 00:10:33,020 --> 00:10:34,280 in Android applications.
150 00:10:34,280 --> 00:10:39,350 So any of these issues in general are very critical because they mostly allow you to access things you
151 00:10:39,350 --> 00:10:42,670 shouldn't be able to, or potentially do remote code execution.
152 00:10:42,680 --> 00:10:48,230 So they're all very critical vulnerabilities, and all ones that you should be able to relatively easily
153 00:10:48,230 --> 00:10:50,070 find if they do exist in an application.
154 00:10:50,090 --> 00:10:53,660 So this gives you sort of some of the fundamentals to be able to locate those.