Using Mobile Applications for attacking Web Applications

-
Using Mobile Applications for attacking Web Applications:

This simple blog post was motivated by my desire to look at
some mobile applications that I happen to use. I did not choose a specific methodology for testing mobile
applications. What I did was to use some of my knowledge in testing web
applications in general.
To my pleasant surprise I got results that made
​​me happy, or not.


01 - Catalog Application.
Starting my tests, on the first application I
noticed the web server authentication credentials are simply sent in plain text
using a POST method.
Gafisa-borrada
Most of these mobile applications are just simple frontends
for web services.
This behavior has been confirmed in all tested applications.
Some examples.
02 – Auction Application
Screen Shot 2012-09-26 at 2.23.01 PM
Let's start intercepting the requests of the mobile
application and doing a simple SQL Injection test:
Leilao-02-borrada
In this specific case it was possible to notice that the application
consumed by Mobile Application is vulnerable to SQL Injection attacks.
So, one would ask, should I be attacking a Web Application
or the Mobile Application?
The answer for this question is easy, go for the Web
Application.
Extracting information’s
via SQL Injection:
Leilao-03-borrada
Leilao-04-borrada
Leilao-06
Leilao-07-borrada
After that, I’m hungry… and I love sandwich!!
03 – Fast-food Delivery Application
Ohhh no… another application that my credential in being
sent in plain text.
Essa
Conclusion
Because it is a Mobile Application developers might be
forgetting the basics of security.
If your Mobile Application is a simple frontend
the same concepts of web security must be considered.  Think about it and check some of the following
references for security best practices:
OWASP
Development Guide.
OWASP Transport Layer Protection.
OWASP SSL Best Practices.

Comments

Post a Comment

Popular posts from this blog

Protopage a great iGoogle Alternative

-
Well if you haven't heard iGoogle will be shut down by Google in November of 2013, so it may be time to look at some alternatives. I recently came across Protopage you can find them here http://www.protopage.com/ Protopage launched in 2005 and is still going despite nearly every other start page shutting down or becoming derelict. Due to popular demand, they have released better support for tablets and larger smartphones, so that you have the choice between viewing the mobile version or the normal version of Protopage on your device. There isn't much to dislike about Protopage. It has a very nice Web 2.0-oriented design, and it is very solid in every area that you expect from a personalized start page. The ability to view multiple RSS feeds in a single module and the integrated podcasts puts this start page right up there among the best. What’s the business model? No idea. It’s totally free and sans-ads, at least for now. No registration at all is requir...
Read more

A simple Flex Builder contact form

-
Ok here is my simple flex builder contact form. It will validate fields then post form data to a backend page for processing. This Flex Builder Form does not use the httpservice to retrieve information its just a simple post form that keeps the bots from filling out the form on a standard web site   <?xml version="1.0" encoding="utf-8"?> <mx:Application xmlns:validators="validators.*" applicationComplete="validator()" xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute" width="480" height="500" backgroundGradientColors="[#ffffff, #ffffff]"> <mx:Script>                 <![CDATA[                                 private function ...
Read more

Designing a Better Contact Page

-
Image
A good contact page is essential for maintaining relationships with your visitors. Whether we’re talking eCommerce, magazines, personal websites, online services, users will usually seek out a contact page as their first means of communication with you. Oddly enough, many web designers neglect the humble contact page, even considering it one of the least important aspects of a website. Let’s put that right. The Importance of a Good Contact Page A contact page is often overlooked. How many times have you visited a website, wanting to get in touch to complain about a product or service, or ask a question? And how often have you struggled with a contact form? A good contact page can benefit any type of business. It can improve customer satisfaction by helping users with their problems. It can also help a business improve its products and services by providing an avenue for valuable feedback. Other channels can be limited when it comes to user feedback. Television, radio, magazines, news...
Read more