SlideShare a Scribd company logo
1 of 18
Download to read offline
OWASP Mobile Top 10
(M7 & M8)
M7 – Client Side Injection.
M8 – Security Decisions via Untrusted Inputs.
By : Shivang Desai
Who am I ?
● Shivang Desai (@5h1vang)
● Researcher at Zscaler Inc.
● Open Source enthusiast
● Small efforts to contribute :
– THC-Hydra [Release 7.6] (Kali Linux)
– OWASP Mobile
– Referenced in “The Mobile Application Hacker's Handbook”
– https://github.com/shivang1989
Next 30 min...
● Understanding client-side injection
● Understanding Security Decisions via untrusted Inputs
● What's their impact ?
● Prevention tips !
Understanding M7
Client Side Injection
• next image of client and server
• Then, mobile app and OS and backend
• Hybrid vs native apps
• Hybrid == client-server
• Native == second image (mobiel-OS-backend)
Understanding M7
Client Side Injection
● The name says it all : “Client-Side”
● Myth : Client-Side Injection == SQL injection
● Few types of client side injections :
– Sql Injection
– Cross Site Scripting
– Local File Injection
– XML Injection
– Binary Code Injection
Demo .. ! ??
A quick demo :
– Sql injection (optional)
– XSS (Box App)
– Binary Code Injection (adb backup vuln)
Impacts !
● Consuming Paid Resources
● Data Exfiltration
● Privilege Escalation
Prevention !
● ALWAYS consider input data as malicious.
● Sanitize and/or Escape untrusted data.
● Use Prepared Statements. (SQL injection)
● Minimize the sensitive native capabilities tied to hybrid web
functionality. (As seen in WebView vuln just now)
● Input Validation (Local File Inclusion):
– Input validation for NSFileManager calls.
– Disable File System Access for any WebView
(webview.getSettings().setAllowFileAccess(false);)
Understanding M8
Security Decisions via Untrusted Inputs.
● Decisions based on weak parameters like cookies, hidden form fields,
Intents, URL schemes etc.
● Client Side Injection is one of the attack vector, along with Malicious
apps
● Main causes:
– Developer thinks values (cookies, environment variables, and hidden form
fields) cannot be modified
– Developer thinks client cannot manipulate and update application code
– Lack of proper encryption and/or encoding during client-server
interaction
Abusing iOS : URL Scheme
● URL Scheme is basically URL Protocol Handler
● Used mainly by browser to call internal apps (Eg: Safari
calling dialer app)
– <iframe src="tel:1-408-555-5555"></iframe>
Problem ?????
Abusing URL Scheme (iOS)
What's the problem ?
● Consider victim had opened skype in past and device has
cached the credentials.
● Attacker embeds iframe in his/her site
– <iframe src="skype://14085555555?call"></iframe>
● User visits the malicious site
● And boom...!
● Masque attack used URL scheme
hijacking
Abusing Android : Intents
What is Intent ?
● Intents acts as mechanism used:
– to start an Activity
– as a broadcast to inform interested programs
– as a way to communicate with background services
– to access data through ContentProviders
– as a callback to handle events like returning results or
errors asynchronously
Abusing Android : Intents
Types of Intent Vulnerbilities
● Two types of Intent Vulnerabilities
(1) Intent interception
● Intercept the generated intents (Broadcast events)
(2) Intent Spoofing
● Generate a spoofed intent and target the victim
Abusing Android : Intents
(PayPal Case Study)
● Android SDK comes along with a small tool called “am”
● Paypal Target Activity : SendMoneyActivity
– am start 
-a android.intent.action.SENDTO 
-d mailto:shiv@ng.com 
--es com.paypal.android.p2pmobile.Amount 9.99 
--ei com.paypal.android.p2pmobile.ParamType 42 
-n com.paypal.android.p2pmobile/.activity.SendMoneyActivity
Effects of M8!
● Device Compromise
● Toll Frauds
● Privilege Escalation
Prevention !
● Check caller’s permissions at input boundaries
● Prompt the user for additional authorization before allowing
● Where permission checks cannot be performed, ensure
additional steps required to launch sensitive actions
References
● https://cwe.mitre.org/data/definitions/807.html
● http://secappdev.org/handouts/2012/Ken%20van%20Wyk/1-3%20Android%20applic
ations.pdf
● http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-app
les-ios/
● https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html
● http://blog.palominolabs.com/2013/05/13/android-security/
● http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks?next_slideshow
=1
● https://www.owasp.org/index.php/Mobile_Top_10_2014-M7
● https://www.owasp.org/index.php/Mobile_Top_10_2014-M8
Questions ?
Thank You

More Related Content

What's hot

CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCloudIDSummit
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at ScaleNordic APIs
 
Web application security
Web application securityWeb application security
Web application securityAkash Mahajan
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowAaronLieberman5
 
Magento Security and Us
Magento Security and UsMagento Security and Us
Magento Security and UsLee Saferite
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
 

What's hot (6)

CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
 
Web application security
Web application securityWeb application security
Web application security
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
 
Magento Security and Us
Magento Security and UsMagento Security and Us
Magento Security and Us
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
 

Viewers also liked

Panel discussion social engineering - manasdeep - nullmeetblr 21st June 2015
Panel discussion   social engineering - manasdeep - nullmeetblr 21st June 2015Panel discussion   social engineering - manasdeep - nullmeetblr 21st June 2015
Panel discussion social engineering - manasdeep - nullmeetblr 21st June 2015n|u - The Open Security Community
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephAnthony Jose
 
IOS Security Basics - NULL/ OWASP/G4H Meet
IOS Security Basics - NULL/ OWASP/G4H MeetIOS Security Basics - NULL/ OWASP/G4H Meet
IOS Security Basics - NULL/ OWASP/G4H MeetAnthony Jose
 
IE Memory Protector
IE Memory ProtectorIE Memory Protector
IE Memory Protector3S Labs
 
Dark Arts Of Social Engineering
Dark Arts Of Social EngineeringDark Arts Of Social Engineering
Dark Arts Of Social EngineeringNutan Kumar Panda
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoAkash Mahajan
 

Viewers also liked (20)

Panel discussion social engineering - manasdeep - nullmeetblr 21st June 2015
Panel discussion   social engineering - manasdeep - nullmeetblr 21st June 2015Panel discussion   social engineering - manasdeep - nullmeetblr 21st June 2015
Panel discussion social engineering - manasdeep - nullmeetblr 21st June 2015
 
Threat intelligence - nullmeetblr 21st June 2015
Threat intelligence - nullmeetblr 21st June 2015Threat intelligence - nullmeetblr 21st June 2015
Threat intelligence - nullmeetblr 21st June 2015
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto Joseph
 
Grinder talk
Grinder talk Grinder talk
Grinder talk
 
Csp july2015
Csp july2015Csp july2015
Csp july2015
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
The Shellshocker
The ShellshockerThe Shellshocker
The Shellshocker
 
Demystifying captcha Bangalore Meet April 18
Demystifying captcha Bangalore Meet April 18Demystifying captcha Bangalore Meet April 18
Demystifying captcha Bangalore Meet April 18
 
Flashack
FlashackFlashack
Flashack
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Framework
 
Netcat - A Swiss Army Tool
Netcat - A Swiss Army ToolNetcat - A Swiss Army Tool
Netcat - A Swiss Army Tool
 
IOS Security Basics - NULL/ OWASP/G4H Meet
IOS Security Basics - NULL/ OWASP/G4H MeetIOS Security Basics - NULL/ OWASP/G4H Meet
IOS Security Basics - NULL/ OWASP/G4H Meet
 
Metasploit Demo
Metasploit DemoMetasploit Demo
Metasploit Demo
 
IE Memory Protector
IE Memory ProtectorIE Memory Protector
IE Memory Protector
 
ESAPI
ESAPIESAPI
ESAPI
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
 
Recon ng null meet April 2015
Recon ng null meet April 2015Recon ng null meet April 2015
Recon ng null meet April 2015
 
Dark Arts Of Social Engineering
Dark Arts Of Social EngineeringDark Arts Of Social Engineering
Dark Arts Of Social Engineering
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
Null bufferoverflow
Null bufferoverflowNull bufferoverflow
Null bufferoverflow
 

Similar to Owasp m7-m8-shivang nullmeetblr 21june2015

Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngSecurity Bootcamp
 
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Advanced monitoring
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...Puppet
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IRelayware
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilOWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilJonathan Marcil
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsn|u - The Open Security Community
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Login cat tekmonks - v3
Login cat   tekmonks - v3Login cat   tekmonks - v3
Login cat tekmonks - v3TEKMONKS
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 

Similar to Owasp m7-m8-shivang nullmeetblr 21june2015 (20)

Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8
 
Toronto mule meetup #5
Toronto mule meetup #5Toronto mule meetup #5
Toronto mule meetup #5
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Sql securitytesting
Sql  securitytestingSql  securitytesting
Sql securitytesting
 
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
PuppetConf 2017: Securing Secrets for Puppet, Without Interrupting Flow- Ryan...
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART I
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilOWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub  - A case study of django web applications that are secur...Mr. Mohammed Aldoub  - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignments
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Login cat tekmonks - v3
Login cat   tekmonks - v3Login cat   tekmonks - v3
Login cat tekmonks - v3
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsDianaGray10
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 

Recently uploaded (20)

Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 

Owasp m7-m8-shivang nullmeetblr 21june2015

  • 1. OWASP Mobile Top 10 (M7 & M8) M7 – Client Side Injection. M8 – Security Decisions via Untrusted Inputs. By : Shivang Desai
  • 2. Who am I ? ● Shivang Desai (@5h1vang) ● Researcher at Zscaler Inc. ● Open Source enthusiast ● Small efforts to contribute : – THC-Hydra [Release 7.6] (Kali Linux) – OWASP Mobile – Referenced in “The Mobile Application Hacker's Handbook” – https://github.com/shivang1989
  • 3. Next 30 min... ● Understanding client-side injection ● Understanding Security Decisions via untrusted Inputs ● What's their impact ? ● Prevention tips !
  • 4. Understanding M7 Client Side Injection • next image of client and server • Then, mobile app and OS and backend • Hybrid vs native apps • Hybrid == client-server • Native == second image (mobiel-OS-backend)
  • 5. Understanding M7 Client Side Injection ● The name says it all : “Client-Side” ● Myth : Client-Side Injection == SQL injection ● Few types of client side injections : – Sql Injection – Cross Site Scripting – Local File Injection – XML Injection – Binary Code Injection
  • 6. Demo .. ! ?? A quick demo : – Sql injection (optional) – XSS (Box App) – Binary Code Injection (adb backup vuln)
  • 7. Impacts ! ● Consuming Paid Resources ● Data Exfiltration ● Privilege Escalation
  • 8. Prevention ! ● ALWAYS consider input data as malicious. ● Sanitize and/or Escape untrusted data. ● Use Prepared Statements. (SQL injection) ● Minimize the sensitive native capabilities tied to hybrid web functionality. (As seen in WebView vuln just now) ● Input Validation (Local File Inclusion): – Input validation for NSFileManager calls. – Disable File System Access for any WebView (webview.getSettings().setAllowFileAccess(false);)
  • 9. Understanding M8 Security Decisions via Untrusted Inputs. ● Decisions based on weak parameters like cookies, hidden form fields, Intents, URL schemes etc. ● Client Side Injection is one of the attack vector, along with Malicious apps ● Main causes: – Developer thinks values (cookies, environment variables, and hidden form fields) cannot be modified – Developer thinks client cannot manipulate and update application code – Lack of proper encryption and/or encoding during client-server interaction
  • 10. Abusing iOS : URL Scheme ● URL Scheme is basically URL Protocol Handler ● Used mainly by browser to call internal apps (Eg: Safari calling dialer app) – <iframe src="tel:1-408-555-5555"></iframe> Problem ?????
  • 11. Abusing URL Scheme (iOS) What's the problem ? ● Consider victim had opened skype in past and device has cached the credentials. ● Attacker embeds iframe in his/her site – <iframe src="skype://14085555555?call"></iframe> ● User visits the malicious site ● And boom...! ● Masque attack used URL scheme hijacking
  • 12. Abusing Android : Intents What is Intent ? ● Intents acts as mechanism used: – to start an Activity – as a broadcast to inform interested programs – as a way to communicate with background services – to access data through ContentProviders – as a callback to handle events like returning results or errors asynchronously
  • 13. Abusing Android : Intents Types of Intent Vulnerbilities ● Two types of Intent Vulnerabilities (1) Intent interception ● Intercept the generated intents (Broadcast events) (2) Intent Spoofing ● Generate a spoofed intent and target the victim
  • 14. Abusing Android : Intents (PayPal Case Study) ● Android SDK comes along with a small tool called “am” ● Paypal Target Activity : SendMoneyActivity – am start -a android.intent.action.SENDTO -d mailto:shiv@ng.com --es com.paypal.android.p2pmobile.Amount 9.99 --ei com.paypal.android.p2pmobile.ParamType 42 -n com.paypal.android.p2pmobile/.activity.SendMoneyActivity
  • 15. Effects of M8! ● Device Compromise ● Toll Frauds ● Privilege Escalation
  • 16. Prevention ! ● Check caller’s permissions at input boundaries ● Prompt the user for additional authorization before allowing ● Where permission checks cannot be performed, ensure additional steps required to launch sensitive actions
  • 17. References ● https://cwe.mitre.org/data/definitions/807.html ● http://secappdev.org/handouts/2012/Ken%20van%20Wyk/1-3%20Android%20applic ations.pdf ● http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-app les-ios/ ● https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html ● http://blog.palominolabs.com/2013/05/13/android-security/ ● http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks?next_slideshow =1 ● https://www.owasp.org/index.php/Mobile_Top_10_2014-M7 ● https://www.owasp.org/index.php/Mobile_Top_10_2014-M8