Mobile Hacking Lab - Post Board Lab Solution

Objective

Exploiting a Cross-Site Scripting (XSS) vulnerability in Android WebView to achieve Remote Code Execution (RCE). The post board challenge from Mobile Hacking Lab is available here 👉 https://www.mobilehackinglab.com/course/lab-postboard.

Inspecting Android Manifest

The application has only one activity com.mobilehackinglab.postboard.MainActivity. The relevant snippet from AndroidManifest.xml is provided below.

    <activity android:name="com.mobilehackinglab.postboard.MainActivity" android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="postboard" android:host="postmessage"/>
        </intent-filter>
    </activity>

As the activity is exported, it can be launched by other applications installed on the same device....

December 20, 2023 · 6 min · Rizal

Oversecured OVAA - Vulnerabilities and Exploits

Recon

    $ frida-ps -Uai | grep ovaa
    - Oversecured Vulnerable Android App oversecured.ovaa

Exploiting Insecure Logger Service

Android Manifest Entries - InsecureLoggerService

    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <service android:name="oversecured.ovaa.services.InsecureLoggerService">
        <intent-filter>
            <action android:name="oversecured.ovaa.action.DUMP"/>
        </intent-filter>
    </service>

Source Code - InsecureLoggerService

    // oversecured.ovaa.services.InsecureLoggerService
    package oversecured.ovaa.services;

    import android.app.IntentService;
    import android.content.Intent;
    import java.io.BufferedReader;
    import java.io.BufferedWriter;
    import java.io.File;
    import java.io.FileWriter;
    import java.io.IOException;
    import java.io.InputStreamReader;

    /* loaded from: classes.dex */
    public class InsecureLoggerService extends IntentService {
        private static final String ACTION_DUMP = "oversecured....

February 27, 2023 · 26 min · Rizal