DIVA
Table Of Content:
What is DIVA?
DIVA is a vulnerable Android application. According to their official website, "DIVA (Damn insecure and vulnerable App) is an App intentionally designed to be insecure. The aim of the App is to teach developers/QA/security professionals, flaws that are generally present in the Apps due poor or insecure coding practices."
Let's get Starting!!
First starting to download the apk file, then install the application in the emulator by this command
Starting the application and now we can see there is more than one challenge inside it, and we will solve it challenge by challenge and step by step.
Challenges Solutions
1. Insecure Logging
Objective: Find out what is being logged where/how and the vulnerable code.
Hint: Insecure logging occurs when developers intentionally or unintentionally log sensitive information such as credentials, session IDs, financial details etc.
Solution:
s
2. Hardcoding Issues - Part 1
Objective: Find out what is hardcoded and where.
Hint: Developers sometimes will hardcode sensitive information for ease.
Solution:
s
3. Insecure Data Storage - Part 1
Objective: Find out where/how the credentials are being stored and the vulnerable code.
Hint: Insecure data storage is the result of storing confidential information insecurely on the system i.e. poor encryption, plain text, access control issues etc.
Solution:
s
4. Insecure Data Storage - Part 2
Objective: Find out where/how the credentials are being stored and the vulnerable code.
Hint: Insecure data storage is the result of storing confidential information insecurely on the system i.e. poor encryption, plain text, access control issues etc.
Solution:
s
5. Insecure Data Storage - Part 3
Objective: Find out where/how the credentials are being stored and the vulnerable code.
Hint: Insecure data storage is the result of storing confidential information insecurely on the system i.e. poor encryption, plain text, access control issues etc.
Solution:
s
6. Insecure Data Storage - Part 4
Objective: Find out where/how the credentials are being stored and the vulnerable code.
Hint: Insecure data storage is the result of storing confidential information insecurely on the system i.e. poor encryption, plain text, access control issues etc.
Solution:
s
7. Input Validation Issues - Part 1
Objective: Try to access all user data without knowing any user name. There are three users by default and your task is no output data of all the three users with a single malicious search.
Hint: Improper or no input validation issue arise when the input is not filtered or validated before using it. When developing components that take input from outside, always validate it. For ease of testing there are three users already present in the database, for example one of them is admin, you can try searching for admin to test the output.
Solution:
s
8. Input Validation Issues - Part 2
Objective: Try accessing any sensitive information apart from a web URL.
Hint: Improper or no input validation issue arise when the input is not filtered or validated before using it. When developing components that take input from outside, always validate it.
Solution:
s
9. Access Control Issues - Part 1
Objective: You are able to access the API credentials when you click the button. Now, try to access the API credentials from outside the app.
Hint: Components of an app can be accessed from other apps or users if they are not properly protected. Components such as activities, services, content providers are prone to this.
Solution:
s
10. Access Control Issues - Part 2
Objective: You are able to access the Third Part app TVEETER API credentials after you have registered with tveeter. The App request you to register online and vendor gives you a pin, which you can use to register with the app. Now, try to access the API credentials from outside the app without knowing the PIN. This is a business login problem so you may need to see the code.
Hint: Components of an app can be accessed from other apps or users if they are not properly protected and some may also accept external inputs. Components such as activities , services, content providers are prone to this.
Solution:
s
11. Access Control Issues - Part 3
Objective: This is a private notes application. You can create a PIN once and access your notes after entering the correct PIN. Now, try to access the private notes from outside the app without knowing the PIN.
Hint: Components of an app can be accessed from other apps or users if they are not properly protected and some may also accept external inputs. Components such as activities, services, content providers are prone to this.
Solution:
s
12. Hardcoding Issues - Part 2
Objective: Find out what is hardcoded and where.
Hint: Developers sometimes will hardcode sensitive information for ease.
Solution:
s
13. Input Validation Issues - Part 3
Objective: This is a Missile Launch App. Spread love not War! DOS the Damn thing! Your object here is to NOT find the code and then launch the missiles, rather it is to crash the app (and then find the root cause the crash).
Hint: Improper or no input validation issue arise when the input is not filtered or validated before using it. When developing components that take input from outside, always validate it. This is a classic memory corruption vulneraility. If you can get code execution, I would love to hear from you. I don't expect anyone to go that far though.
Solution:
s
Last updated
Was this helpful?
