Project 5: ExploitMe Mobile Lab 2: Parameter Manipulation (15 points)

What You Need for This Project

Purpose

To use Burp to modify network traffic and steal money. This demonstrates another security flaw in the "FalseSecure Mobile" app.

Setup

You should have Android Studio running, with an emulated phone running the "FalseSecure Mobile" app, as shown below.

You should have the server app running, listening on port 8081, as shown below.

Burp should be running, forwarding traffic from port 8080 to port 8081, as shown below.

In the emulator, click Statement. If you are prompted to log in, log in with a password of P@ssw0rd

In the lower left of the emulator, click the back button.

In the emulator, click on Accounts.

Burp should show intercepted HTTP traffic, as shown below.

Performing a Normal Transfer

In the emulator, click on Transfer.

Note your current balances. When I did it, I had $170 in Debit, and $920 in Credit.

Also notice your account numbers. You have two accounts, one ending in "6789" and one ending in "4321".

Enter an amount of 10 but do NOT click the "Transfer" button yet, as shown below.

In Burp, on the Proxy tab, click the Intercept tab.

Click the "Intercept is off" button.

Now the button says "Intercept is on" as shown below.

In Burp, on the Proxy tab, click the Options tab.

Scroll down to the "Intercept Client Requests" section.

Check the "Intercept responses based on the following rules:" box.

In the list of rules, check only the last item "HTTP method Matches (get|POST)", as shown below.

In the emulator, click the Transfer button.

In Burp, click the Intercept tab. You see the intercepted request. In the center of the Burp window, click the Params tab.

You see the parameters of the request, including "amount", "to_account", and "from_account", as shown below.

In Burp, click the Forward button to allow this request to pass through.

Another request is intercepted within a few seconds.

Click the Forward button again.

The emulator shows a "Transfer complete" message.

In the emulator, return to the Transfers screen.

In Burp, forward the traffic, as required.

The balances have changed: Debit has gone down by $10 and Credit has gone up, as shown below.

Stealing Money

In the emulator, in the Transfer screen, enter an amount of 49.99 and click the Transfer button.

Burp intercepts the POST request.

In Burp, on the "from_account" line, double-click the account number 123456789.

Change that number to 111111111, and press Enter, as shown below.

Note: This is someone else's account. You are stealing that person's money.

Saving a Screen Image

Make sure these items are visible in your Burp window:

Save a full-desktop image. On a Mac, press Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 5a", replacing "YOUR NAME" with your real name.

Completing the Theft

In Burp, click the Forward button to allow this request to pass through.

Another request is intercepted within a few seconds.

Click the Forward button again.

The emulator shows a "Transfer complete" message.

In the emulator, return to the Transfers screen.

In Burp, forward the traffic, as required.

Now your Credit balance ends in 99 cents, as shown below.

Saving a Screen Image

Make sure the Credit balance ends in 99 cents, as shown above.

Save a full-desktop image. On a Mac, press Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 5b", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the images to cnit.128sam@gmail.com with the subject line: Proj 5 from YOUR NAME

Solution

The solution here is the same as it would be in a regular web app: the server must not trust the account numbers sent by the client, and has to validate that both accounts belong to the logged-in user, as shown below:

# validate that both accounts belong to the user who owns the session:
if to_account.user != session.user or from_account.user != session.user:
    return error("E6")
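As an added example (not the lab's or the ExploitMe Mobile project's own code), here is a transfer handler with that ownership check written out in Python, plus a check on the client-supplied amount, which the lab does not cover. The account numbers are the ones from the lab; the user names, balances and the E_AMOUNT error code are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

@dataclass
class Account:
    number: str
    user: str
    balance: Decimal

def make_accounts():
    """Constructed sample data: account numbers are from the lab text,
    owners and balances are assumptions."""
    return {
        "123456789": Account("123456789", "alice", Decimal("170.00")),  # Debit, ends in 6789
        "987654321": Account("987654321", "alice", Decimal("920.00")),  # Credit, ends in 4321
        "111111111": Account("111111111", "bob", Decimal("500.00")),    # someone else's account
    }

def error(code):
    return {"ok": False, "error": code}

def transfer(session_user, params, accounts):
    """Server-side handler for the Transfer POST. session_user comes from the
    server's own login session; params is the parsed form body (amount,
    from_account, to_account) exactly as the client sent it, so every field
    may have been altered in a proxy such as Burp."""
    from_account = accounts.get(params.get("from_account", ""))
    to_account = accounts.get(params.get("to_account", ""))
    if from_account is None or to_account is None:
        return error("E6")
    # The lab's fix: ownership is decided by the server-side session,
    # never by the account numbers the client supplied.
    if to_account.user != session_user or from_account.user != session_user:
        return error("E6")
    # Extra checks not in the lab: the amount is client-controlled too, so
    # reject non-numeric, non-finite, zero/negative values, overdrafts and
    # transfers to the same account. "E_AMOUNT" is a made-up error code.
    try:
        amount = Decimal(params.get("amount", ""))
    except InvalidOperation:
        return error("E_AMOUNT")
    if (not amount.is_finite() or amount <= 0
            or amount > from_account.balance or from_account is to_account):
        return error("E_AMOUNT")
    from_account.balance -= amount
    to_account.balance += amount
    return {"ok": True, "from_balance": str(from_account.balance),
            "to_balance": str(to_account.balance)}
```

With this check in place, the tampered request from the "Stealing Money" section is answered with error E6 and the other user's balance is untouched, while the normal $10 transfer still succeeds.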

Source

ExploitMe Mobile Android Labs: Lab 2 - Parameter Manipulation


Last modified 1-21-15 2:07 pm