Open Samuel-BF opened 5 years ago
Hi @Samuel-BF ,
Thanks for raising this. From your description I see two changes that need to be made here:
1) Prepending "https://" to the server URI as well as a message showing the user how the address was saved. I am replacing this feature with a global server URI saved in an Android Preferences function on the next iteration of the Mobile App (which will include all levels in one app).
2) The server should be the IP or URL of the shepherd instance you're running. So the goal in this challenge is to call up an exported activity using adb shell or a tool like drozer and then get the key. With the configured server URI the key is called from the shepherd web instance and the key is revealed. This should be made more clear to the user, but if a server uri is configured in the global setting which is planned, this should be a seamless process.
I will investigate this further and post an update.
> 2. The server should be the IP or URL of the shepherd instance you're running. So the goal in this challenge is to call up an exported activity using adb shell or a tool like drozer and then get the key. With the configured server URI the key is called from the shepherd web instance and the key is revealed. This should be made more clear to the user, but if a server uri is configured in the global setting which is planned, this should be a seamless process.

OK. It didn't work for me for 3 reasons:
Hello,
Now I'm on the "Mobile Security Decisions via Untrusted Input" lesson. It was OK to launch the '****' activity, but it failed to fetch the result.
With `nc -l 80` on my machine and the address set to my IP, I was able to grasp an API key ('mobileKey'), but this is not the answer key, so where is the server supposed to answer such a request? (I tried http://my_owasp_instance/, of course, but it failed because of invalid certificates as the owasp instance redirects to https, and from `curl -k` it gives me 404). Was there an initial value set for "server address" that I erased in my previous attempts? (and is there a way to recover it without downloading the full OVA again? - yes, I didn't make a copy...) Of course, if this is part of the challenge, just tell me and close this report.
Note: digging into the code, the same API calls are made from the "ShepherdLogin" app (`MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/LoggedIn.java`)
Thanks!
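The lesson discussed in this thread, "Mobile Security Decisions via Untrusted Input", and the maintainer's description of an exported activity that can be called up from `adb shell` both come down to one pattern: an Activity that lets data arriving in an Intent decide something security-relevant. The example below is added here to illustrate that pattern and its fix; it is not Security Shepherd's code, and every name in it (`InsecureKeyActivity`, `HardenedKeyActivity`, `Session`, the `loggedIn` extra, the package name) is a hypothetical placeholder, not something taken from the project.

```java
// Added example, not Security Shepherd code. In a real project each Activity
// lives in its own file; they are shown together here for side-by-side reading.
package com.example.untrustedinput; // hypothetical package name

import android.app.Activity;
import android.os.Bundle;

// VULNERABLE PATTERN: the Activity is exported (manifest: android:exported="true",
// or an <intent-filter> on older targets, which exports it implicitly) and it
// trusts an Intent extra to decide whether the user is logged in. Any other app
// on the device, or an `adb shell am start` invocation, can supply that extra,
// so the "decision" is made on input the app never controlled.
public class InsecureKeyActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Hypothetical extra name; the value is attacker-controlled.
        boolean loggedIn = getIntent().getBooleanExtra("loggedIn", false);
        if (loggedIn) {
            revealKey(); // security decision driven entirely by untrusted input
        }
    }

    private void revealKey() {
        // Placeholder for whatever sensitive action the screen performs.
    }
}

// Hypothetical in-process session holder. Only the app's own login flow, after a
// successful server-side check, calls markAuthenticated(); nothing outside the
// process can set it, unlike an Intent extra.
final class Session {
    private static boolean authenticated = false;

    private Session() {}

    static void markAuthenticated() {
        authenticated = true;
    }

    static boolean isAuthenticated() {
        return authenticated;
    }
}

// HARDENED PATTERN: the Activity is not exported (manifest entry for this class:
// android:exported="false"), so other apps cannot start it at all, and even if it
// is reached, the decision is based on state the app established itself rather
// than on anything carried in the Intent. Intent extras are treated as display
// hints at most, never as proof of authorisation.
public class HardenedKeyActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!Session.isAuthenticated()) {
            // Defence in depth: refuse to run even if the export setting is wrong.
            finish();
            return;
        }
        revealKey();
    }

    private void revealKey() {
        // Same placeholder as above; only reached with an in-process session.
    }
}
```

Two checks follow from this when reviewing an app of this kind: confirm in `AndroidManifest.xml` that every Activity which performs a sensitive action carries `android:exported="false"` (and has no `<intent-filter>` unless it genuinely needs to be launched by others), and grep the code for `getIntent().get…Extra(` calls whose result feeds an `if` that gates something sensitive; each such call is a decision made on untrusted input and should be replaced by in-process state as in `HardenedKeyActivity`.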