Added File Stealing Attacks via Webview and FileProvider

README.md

@@ -10,10 +10,11 @@ Vuldroid is a Vulnerable Android Application made with security issues in order
 
 
 
-In this first realease i have included some common vulns that occur in apps.
 
-## Vulnerabilities Covered:
 
+## Vulnerabilities Covered:
+- Steal Files via Webview using XHR request
+- Steal Files using Fileprovider via Intents
 - Steal Password ResetTokens/MagicLoginLinks
 - Webview Xss via Exported Activity
 - Webview Xss via DeepLink

app/build.gradle

@@ -26,6 +26,7 @@ android {
 dependencies {
     implementation fileTree(dir: "libs", include: ["*.jar"])
     implementation 'androidx.appcompat:appcompat:1.2.0'
+    implementation 'com.karumi:dexter:6.2.2'
     implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
     implementation 'com.google.firebase:firebase-auth:19.3.2'
     testImplementation 'junit:junit:4.12'

app/src/main/AndroidManifest.xml

@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     package="com.vuldroid.application">
+    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
 
     <uses-permission android:name="android.permission.INTERNET" />
 
@@ -10,22 +11,25 @@
         android:label="@string/app_name"
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
+        android:usesCleartextTraffic="true"
+        android:requestLegacyExternalStorage="true"
         android:theme="@style/AppTheme">
-        <activity android:name=".EmailViewer">
+        <activity android:name=".RoutingActivity" android:exported="true"></activity>
+        <activity android:name=".EmailViewer"></activity>
 
-        </activity>
-        <receiver android:name=".MyReceiver"
+        <receiver
+            android:name=".MyReceiver"
             android:enabled="true"
             android:exported="true">
             <intent-filter>
-                <action android:name="com.example.Broadcast" >
-                </action>
+                <action android:name="com.example.Broadcast"></action>
             </intent-filter>
-        </receiver>
-        <!-- register the service-->
+        </receiver> <!-- register the service -->
         <activity android:name=".SendMsgtoApp" />
-        <activity android:name=".notesviewer" android:exported="false" />
-        <activity android:name=".blogsviewer">
+        <activity
+            android:name=".NotesViewer"
+            android:exported="false" />
+        <activity android:name=".BlogsViewer">
             <intent-filter>
                 <action android:name="android.intent.action.VIEW" />
 
@@ -40,16 +44,16 @@
                     android:scheme="https" />
             </intent-filter>
         </activity>
-        <activity android:name=".youtubeviewer">
+        <activity android:name=".YoutubeViewer">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
 
                 <category android:name="android.intent.category.DEFAULT" />
                 <category android:name="android.intent.category.BROWSABLE" />
             </intent-filter>
         </activity>
-        <activity android:name=".requestpassword" />
-        <activity android:name=".forgetpassword">
+        <activity android:name=".RequestPassword" />
+        <activity android:name=".ForgetPassword">
             <intent-filter>
                 <action android:name="android.intent.action.VIEW" />
 
@@ -61,10 +65,12 @@
                     android:scheme="https" />
             </intent-filter>
         </activity>
-        <activity android:name=".Dashboard" android:exported="false" />
-        <activity android:name=".signup" />
-        <activity android:name=".login" />
-        <activity android:name=".userlogin" />
+        <activity
+            android:name=".Dashboard"
+            android:exported="false" />
+        <activity android:name=".Signup" />
+        <activity android:name=".Login" />
+        <activity android:name=".UserLogin" />
         <activity android:name=".SplashScreen">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
@@ -76,6 +82,15 @@
         <meta-data
             android:name="preloaded_fonts"
             android:resource="@array/preloaded_fonts" />
+        <provider
+            android:name="androidx.core.content.FileProvider"
+            android:authorities="${applicationId}.provider"
+            android:exported="false"
+            android:grantUriPermissions="true">
+            <meta-data
+                android:name="android.support.FILE_PROVIDER_PATHS"
+                android:resource="@xml/provider_paths"/>
+        </provider>
     </application>
 
 </manifest>

app/src/main/java/com/vuldroid/application/blogsviewer.java → app/src/main/java/com/vuldroid/application/BlogsViewer.java

@@ -11,7 +11,7 @@
 import android.webkit.WebView;
 import android.webkit.WebViewClient;
 
-public class blogsviewer extends AppCompatActivity {
+public class BlogsViewer extends AppCompatActivity {
     String gettoken;
 
 
@@ -24,6 +24,7 @@ protected void onCreate(Bundle savedInstanceState) {
              WebView vulnerable =(WebView) findViewById(R.id.loads);
             WebSettings webSettings = vulnerable.getSettings();
             webSettings.setJavaScriptEnabled(true);
+            webSettings.setAllowFileAccessFromFileURLs(true);
             vulnerable.setWebChromeClient(new WebChromeClient());
             WebViewClientImpl webViewClient = new WebViewClientImpl(this);
             vulnerable.setWebViewClient(webViewClient);
@@ -33,6 +34,9 @@ protected void onCreate(Bundle savedInstanceState) {
             WebView vulnerable =(WebView) findViewById(R.id.loads);
             WebSettings webSettings = vulnerable.getSettings();
             webSettings.setJavaScriptEnabled(true);
+            webSettings.setAllowFileAccess(true);
+            webSettings.setAllowFileAccessFromFileURLs(true);
+            webSettings.setAllowUniversalAccessFromFileURLs(true);
             vulnerable.setWebChromeClient(new WebChromeClient());
             WebViewClientImpl webViewClient = new WebViewClientImpl(this);
             vulnerable.setWebViewClient(webViewClient);

app/src/main/java/com/vuldroid/application/Dashboard.java

@@ -12,17 +12,17 @@
 public class Dashboard extends AppCompatActivity {
 
     public void youtubeview(View view){
-        Intent intent =new Intent(getApplicationContext(),youtubeviewer.class);
+        Intent intent =new Intent(getApplicationContext(), YoutubeViewer.class);
         startActivity(intent);
     }
 
     public void blogsview(View view){
-        Intent intent =new Intent(getApplicationContext(),blogsviewer.class);
+        Intent intent =new Intent(getApplicationContext(), BlogsViewer.class);
         startActivity(intent);
     }
 
     public void notesview(View view){
-        Intent intent =new Intent(getApplicationContext(),notesviewer.class);
+        Intent intent =new Intent(getApplicationContext(), NotesViewer.class);
         startActivity(intent);
     }
     public void sendmsgtoapp(View view){
@@ -38,7 +38,7 @@ public  void emailview(View v){
 public void logout(View view){
     FirebaseAuth.getInstance().signOut();
     finish();
-    startActivity(new Intent(getApplicationContext(), userlogin.class));
+    startActivity(new Intent(getApplicationContext(), UserLogin.class));
 }
 
 

app/src/main/java/com/vuldroid/application/forgetpassword.java → app/src/main/java/com/vuldroid/application/ForgetPassword.java

@@ -9,7 +9,7 @@
 import android.webkit.WebSettings;
 import android.webkit.WebView;
 
-public class forgetpassword extends AppCompatActivity {
+public class ForgetPassword extends AppCompatActivity {
 
     @Override
     protected void onCreate(Bundle savedInstanceState) {

app/src/main/java/com/vuldroid/application/login.java → app/src/main/java/com/vuldroid/application/Login.java

@@ -3,12 +3,10 @@
 import androidx.annotation.NonNull;
 import androidx.appcompat.app.AppCompatActivity;
 
-import android.app.ProgressDialog;
 import android.content.Intent;
 import android.os.Bundle;
 import android.text.TextUtils;
 import android.view.View;
-import android.widget.Button;
 import android.widget.EditText;
 import android.widget.ProgressBar;
 import android.widget.RelativeLayout;
@@ -19,17 +17,17 @@
 import com.google.firebase.auth.AuthResult;
 import com.google.firebase.auth.FirebaseAuth;
 
-public class login extends AppCompatActivity {
+public class Login extends AppCompatActivity {
     FirebaseAuth mauth;
     private ProgressBar spinner;
     private RelativeLayout priv;
     public void backtomain(View view){
-        Intent into =new Intent(login.this,userlogin.class);
+        Intent into =new Intent(Login.this, UserLogin.class);
         startActivity(into);
     }
 
     public void forgets(View view){
-        Intent into =new Intent(login.this,requestpassword.class);
+        Intent into =new Intent(Login.this, RequestPassword.class);
         startActivity(into);
     }
     public void firebaselogin(View view)
@@ -63,11 +61,11 @@ public void firebaselogin(View view)
             public void onComplete(@NonNull Task<AuthResult> task) {
                 if(task.isSuccessful())
                 {
-                    Intent intent=new Intent(login.this,Dashboard.class);
+                    Intent intent=new Intent(Login.this,Dashboard.class);
                     startActivity(intent);
                 }
                 else{
-                    Toast.makeText(login.this, "INVALID CREDENTIALS", Toast.LENGTH_SHORT).show();
+                    Toast.makeText(Login.this, "INVALID CREDENTIALS", Toast.LENGTH_SHORT).show();
                 }
             }
         });

app/src/main/java/com/vuldroid/application/notesviewer.java → app/src/main/java/com/vuldroid/application/NotesViewer.java

@@ -3,19 +3,26 @@
 import androidx.appcompat.app.AppCompatActivity;
 
 import android.annotation.SuppressLint;
+import android.graphics.Canvas;
+import android.graphics.Color;
+import android.graphics.Paint;
+import android.graphics.pdf.PdfDocument;
 import android.os.Bundle;
+import android.os.Environment;
+import android.util.Log;
 import android.view.View;
 import android.widget.EditText;
 import android.widget.Toast;
 
 import java.io.BufferedReader;
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;
 
-public class notesviewer extends AppCompatActivity {
+public class NotesViewer extends AppCompatActivity {
 
     private static final String FILE_NAME = "example.txt";
     EditText mEditText;
@@ -79,4 +86,49 @@ public void load(View v) {
             }
         }
     }
+
+
+
+
+
+
+    public void createPdf(View v){
+        EditText mEditText;
+        mEditText=findViewById(R.id.notesview);
+        String aksh=mEditText.getText().toString();
+        PdfDocument document = new PdfDocument();
+        PdfDocument.PageInfo pageInfo = new PdfDocument.PageInfo.Builder(300, 600, 1).create();
+        PdfDocument.Page page = document.startPage(pageInfo);
+        Canvas canvas = page.getCanvas();
+        Paint paint = new Paint();
+        paint.setColor(Color.RED);
+        canvas.drawCircle(50, 50, 30, paint);
+        paint.setColor(Color.BLACK);
+        canvas.drawText(aksh, 80, 50, paint);
+        document.finishPage(page);
+        pageInfo = new PdfDocument.PageInfo.Builder(300, 600, 2).create();
+        page = document.startPage(pageInfo);
+        canvas = page.getCanvas();
+        paint = new Paint();
+        paint.setColor(Color.BLUE);
+        canvas.drawCircle(100, 100, 100, paint);
+        document.finishPage(page);
+        // write the document content
+        String directory_path = getFilesDir().getPath() + "/mypdf/";
+        File file = new File(directory_path);
+        if (!file.exists()) {
+            file.mkdirs();
+        }
+        String targetPdf = directory_path+"test-2.pdf";
+        File filePath = new File(targetPdf);
+        try {
+            document.writeTo(new FileOutputStream(filePath));
+            Toast.makeText(this, "Done", Toast.LENGTH_LONG).show();
+        } catch (IOException e) {
+            Log.e("main", "error "+e.toString());
+            Toast.makeText(this, "Something wrong: " + e.toString(),  Toast.LENGTH_LONG).show();
+        }
+        // close the document
+        document.close();
+    }
 }

app/src/main/java/com/vuldroid/application/requestpassword.java → app/src/main/java/com/vuldroid/application/RequestPassword.java

@@ -14,7 +14,7 @@
 import com.google.android.gms.tasks.Task;
 import com.google.firebase.auth.FirebaseAuth;
 
-public class requestpassword extends AppCompatActivity {
+public class RequestPassword extends AppCompatActivity {
 FirebaseAuth firebaseAuth;
     EditText useremail;
     Button passreset;
@@ -24,8 +24,8 @@ public void forgets(View view){
             @Override
             public void onComplete(@NonNull Task<Void> task) {
                 if (task.isSuccessful()) {
-                    Toast.makeText(requestpassword.this,"Email sent, Open email app",Toast.LENGTH_LONG).show();
-                    Intent intent=new Intent(requestpassword.this,userlogin.class);
+                    Toast.makeText(RequestPassword.this,"Email sent, Open email app",Toast.LENGTH_LONG).show();
+                    Intent intent=new Intent(RequestPassword.this, UserLogin.class);
                     startActivity(intent);
                 }
             }

app/src/main/java/com/vuldroid/application/RoutingActivity.java

@@ -0,0 +1,29 @@
+package com.vuldroid.application;
+
+import androidx.appcompat.app.AppCompatActivity;
+
+import android.content.ComponentName;
+import android.content.Intent;
+import android.os.Bundle;
+
+public class RoutingActivity extends AppCompatActivity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_arbifile);
+    }
+
+    @Override
+    protected void onResume() {
+        super.onResume();
+
+        handleIntentExtras(getIntent()); // anything can be passed to getIntent() here
+    }
+
+    private void handleIntentExtras(Intent intent) {
+
+        Intent routerintent = intent.getParcelableExtra("router_component");
+        startActivity(routerintent);
+    }
+}

app/src/main/java/com/vuldroid/application/signup.java → app/src/main/java/com/vuldroid/application/Signup.java

@@ -15,11 +15,11 @@
 import com.google.firebase.auth.AuthResult;
 import com.google.firebase.auth.FirebaseAuth;
 
-public class signup extends AppCompatActivity {
+public class Signup extends AppCompatActivity {
 FirebaseAuth auth;
 
     public void backtomain(View view){
-        Intent intent =new Intent(signup.this,userlogin.class);
+        Intent intent =new Intent(Signup.this, UserLogin.class);
         startActivity(intent);
     }
     public void signed(View view)
@@ -48,12 +48,12 @@ public void signed(View view)
         auth.createUserWithEmailAndPassword(email,password).addOnCompleteListener(this, new OnCompleteListener<AuthResult>() {
             @Override
             public void onComplete(@NonNull Task<AuthResult> task) {
-                Toast.makeText(signup.this, "User Created Successfully:" + task.isSuccessful(), Toast.LENGTH_LONG).show();
+                Toast.makeText(Signup.this, "User Created Successfully:" + task.isSuccessful(), Toast.LENGTH_LONG).show();
                 if (!task.isSuccessful()) {
-                    Toast.makeText(signup.this, "Authentication failed." + task.getException(),
+                    Toast.makeText(Signup.this, "Authentication failed." + task.getException(),
                             Toast.LENGTH_SHORT).show();
                 } else {
-                    startActivity(new Intent(signup.this, userlogin.class));
+                    startActivity(new Intent(Signup.this, UserLogin.class));
                     finish();
                 }