OWASP / SecurityShepherd

Web and mobile application security training platform
https://owasp.org/www-project-security-shepherd/
GNU General Public License v3.0

What address for server in 'untrusted input' and admin ? #459

Open Samuel-BF opened 5 years ago

Samuel-BF commented 5 years ago

Hello,

Now I'm on "Mobile Security Decisions via Untrusted Input" lesson. It was OK to launch the '****' activity, but it failed to fetch the result.

Of course, if this is part of the challenge, just tell me and close this report.

Note: digging into the code, the same API calls are made from "ShepherdLogin" app (MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/LoggedIn.java)

Thanks!

SeanDuggan commented 5 years ago

Hi @Samuel-BF ,

Thanks for raising this. From your description I see two changes that need to be made here:

1) Prepending "https://" to the server URI as well as a message showing the user how the address was saved. I am replacing this feature with a global server URI saved in an Android Preferences function on the next iteration of the Mobile App (which will include all levels in one app).

2) The server should be the IP or URL of the shepherd instance you're running. So the goal in this challenge is to call up an exported activity using adb shell or a tool like drozer and then get the key. With the configured server URI the key is called from the shepherd web instance and the key is revealed. This should be made more clear to the user, but if a server URI is configured in the global setting which is planned, this should be a seamless process.

I will investigate this further and post an update.

Samuel-BF commented 5 years ago

2. The server should be the IP or URL of the shepherd instance you're running. So the goal in this challenge is to call up an exported activity using adb shell or a tool like drozer and then get the key. With the configured server URI the key is called from the shepherd web instance and the key is revealed. This should be made more clear to the user, but if a server uri is configured in the global setting which is planned, this should be a seamless process.

OK. It didn't work for me for 3 reasons:

  1. My fault: I tried to fix #458 locally by simply re-importing jsp pages. I should also have imported back some other pieces of software. By the way, in the current source tree, VulMobileAPI.java has totally disappeared.
  2. My configuration: initially, I set the MobileShepherd VM network connection to be host-only (or no connection). For this challenge, it is necessary to give it access to a wider network (at least where the owaspShepherd instance is located). Maybe it would be useful to specify it on the lesson page?
  3. Cert fail: the docker instance generates self-signed TLS certificates (which is expected), but the MobileShepherd VM refuses to connect to the shepherd instance with this certificate. The global setting should also include exceptions for this domain (case of single-user instance, don't care if the certificate is invalid) or a way to import the valid certificate (case of multi-user instance, where MitM attacks should be expected :-) ).
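One way to cover the certificate case in point 3 without switching certificate validation off, as an added example that is not part of the project's code: an Android Network Security Config that trusts a bundled copy of the Shepherd instance's self-signed certificate only for that host, and keeps system CAs for everything else. The host name shepherd.example and the resource name shepherd_ca are placeholders for the values of your own instance.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, wired in from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Needs Android 7.0 (API 24) or later. -->
<network-security-config>
    <!-- Every host not listed below: system CAs only, no cleartext. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- The Shepherd instance only. The self-signed certificate exported from the
         docker instance is copied to res/raw/shepherd_ca.crt (PEM or DER). -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="false">shepherd.example</domain>
        <trust-anchors>
            <!-- Single-user lab: trust exactly this certificate, not "any certificate". -->
            <certificates src="@raw/shepherd_ca" />
            <!-- Multi-user instance with its own CA: also accept CAs the user installed
                 in Settings, so the real certificate can be imported rather than ignored. -->
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Because the exception is scoped to one domain, a certificate error on any other host still fails the connection, which is the behaviour you want when testing against a shared instance.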