Note Box is a Flutter powered mobile app that makes use of remote storage to keep safe users' notes. It is built with a mobile front-end a Golang powered back-end.
Insecure Authentication exploits vulnerable authentication schemes by faking or bypassing authentication. They do so by submitting service requests to the mobile app’s backend server, in order to bypass any direct interaction with the mobile app.
The main goal of this app is to discuss how Insecure Authentication vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.
Before we start, it's important to mention that this app's code is divided into two parts: a back-end server, which can be found in the server folder, and the mobile app's code itself in the mobile folder. In order for the app to run as intended, the back-end server must be up and running, but no need to worry, we'll walk you through it! 😁
To start this intentionally insecure application, you will need Flutter, Docker and Docker Compose. After forking secDevLabs, you'll need to start the server, which can be done through the commands:
cd secDevLabs/owasp-top10-2016-mobile/m4/note-box/servermake installNote: It is important to mention, that you should have an emulator up and running or an available device to run the app in. For instructions on how to set up an emulator, click here.
After properly setting up your editor and emulator/device to run Flutter apps, open the main.dart file with VS Code. You can find it's path here:
secDevLabs/owasp-top10-2016-mobile/m4/note-box/mobile/lib/main.dart
Now, in order to be sure all packages were successfully downloaded, run the following command inside the lib folder:
flutter packages getAfter that, all you need to do is to click Run > Run Without Debugging on VS Code top menu bar and it should begin building the app to launch it in no time!
Then, you should see Note Box's app launch successfully in the emulator/device you're using! 📲
Note: In case an Android licenses errors shows up, you may need to run the following command on your terminal and accept them:
flutter doctor --android-licensesTo properly understand how this application works, you can follow these simple steps:
- Register a new user. 👩💻
- Try writing down some notes so you don't forget them, maybe a groceries list? 🍫
Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually exploit some of the app's flaws to compromise it's users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜
When in the app's login screen, after inputting wrong credentials many times, no warning or extra validation is required to perform another request, as shown by the image below:
This lack of validation allows for an attacker to try and brute force his way into another user's account, which can be seen in the following image:
After successfully login in and using the app, when trying to terminate their session by clicking the back button in the system's UI, the app returns to the log in screen without any messages. This behavior indicates that, maybe, no validation is being made whether or not the user tried to log out.
When trying to perform another log in, the following message is shown:
Without a way to properly end their session, aside being stuck outside, if an attacker came to possession of the user's session token it could be used until it's expiration date.
When registering a new user, it is possible to click the Register button withouth having input anything in the password field, as we can see from the image below:
Without passwords, an attacker could simply type in the username of the user and log in to the account.
How would you mitigate this vulnerability? After your changes, an attacker should not be able to:
- Perform a brute force attack through the app's interface.
- Use user tokens indefinitely, as the logout mechanism should be working.
- Register an user with blank password.
[Spoiler alert 🚨] To understand how this vulnerability can be mitigated, check out these pull requests!
We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉