SlideShare a Scribd company logo

Meet the DIVA - by: Sandeep & Ankit

OWASP Delhi
OWASP Delhi

This Presentation is all about Damn Insecure & Vulnerable App

Internet
1 of 5
Download to read offline
 DIVA (Damn insecure and vulnerable App) is an Android App intentionally designed to be insecure  The vulnerabilities exist from a developer’s perspective  Source: https://github.com/payat u/diva-android  Created by Aseem Jakhar
Current Challenges include: ◦ Insecure Logging ◦ Hardcoding Issues – Part 1 ◦ Insecure Data Storage – Part 1 ◦ Insecure Data Storage – Part 2 ◦ Insecure Data Storage – Part 3 ◦ Insecure Data Storage – Part 4 ◦ Input Validation Issues – Part 1 ◦ Input Validation Issues – Part 2 ◦ Access Control Issues – Part 1 ◦ Access Control Issues – Part 2 ◦ Access Control Issues – Part 3 ◦ Hardcoding Issues – Part 2 ◦ Input Validation Issues – Part 3
For the purpose of the walkthrough of the challenges we need the following tools: ◦ Genymotion or Android Studio AVD ◦ Dex2jar or jadx ◦ JD-GUI ◦ APKTOOL
jadx –d out_folder diva.apk adb devices adb logcat adb shell cd, ls, ls –a, cat sqlite3 database_name select * from table_name;

Recommended

Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa
 
Telecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from homeTelecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from homeSeth Fendley
 
Matki
MatkiMatki
Matkifountaindirect
 
Software Testing
Software TestingSoftware Testing
Software TestingAJEET KUMAR YADAV
 
Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...OWASP Delhi
 
досвід людської особи
досвід людської особидосвід людської особи
досвід людської особиbiblioteka_c
 
HSE-MS Basic
HSE-MS BasicHSE-MS Basic
HSE-MS BasicMeisam J Moghadam
 

Recommended

Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa
 
Telecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from homeTelecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from homeSeth Fendley
 
Matki
MatkiMatki
Matkifountaindirect
 
Software Testing
Software TestingSoftware Testing
Software TestingAJEET KUMAR YADAV
 
Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...OWASP Delhi
 
досвід людської особи
досвід людської особидосвід людської особи
досвід людської особиbiblioteka_c
 
HSE-MS Basic
HSE-MS BasicHSE-MS Basic
HSE-MS BasicMeisam J Moghadam
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...OWASP Delhi
 
Izzuddin
IzzuddinIzzuddin
IzzuddinDinGea
 
Civic sports
Civic sportsCivic sports
Civic sportsJack740
 
перелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійперелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійbiblioteka_c
 
سمینار آشنائی Ims
سمینار آشنائی Ims سمینار آشنائی Ims
سمینار آشنائی Ims Meisam J Moghadam
 
Visualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionVisualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionMhermano
 
謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果Uran Bird
 
Ist110s Library Search Skills
Ist110s Library Search SkillsIst110s Library Search Skills
Ist110s Library Search SkillsISTOnlineLearning
 
Jeremiah Jones Resume SBA
Jeremiah Jones Resume SBAJeremiah Jones Resume SBA
Jeremiah Jones Resume SBAJeremiah "Jay" Jones
 
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNitesh Malviya
 
Code to Cloud Workshop.pptx
Code to Cloud Workshop.pptxCode to Cloud Workshop.pptx
Code to Cloud Workshop.pptxJamie Coleman
 
Code to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftCode to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftJamie Coleman
 
Ii 1300-java essentials for android
Ii 1300-java essentials for androidIi 1300-java essentials for android
Ii 1300-java essentials for androidAdrian Mikeliunas
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Android Attacks
Android AttacksAndroid Attacks
Android AttacksMichael Scovetta
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)Sam Bowne
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Rizal Aditya
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 

More Related Content

Viewers also liked

Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...OWASP Delhi
 
Izzuddin
IzzuddinIzzuddin
IzzuddinDinGea
 
Civic sports
Civic sportsCivic sports
Civic sportsJack740
 
перелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійперелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійbiblioteka_c
 
سمینار آشنائی Ims
سمینار آشنائی Ims سمینار آشنائی Ims
سمینار آشنائی Ims Meisam J Moghadam
 
Visualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionVisualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionMhermano
 
謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果Uran Bird
 
Ist110s Library Search Skills
Ist110s Library Search SkillsIst110s Library Search Skills
Ist110s Library Search SkillsISTOnlineLearning
 

Viewers also liked (9)

Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 
Izzuddin
IzzuddinIzzuddin
Izzuddin
 
Civic sports
Civic sportsCivic sports
Civic sports
 
перелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійперелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсій
 
سمینار آشنائی Ims
سمینار آشنائی Ims سمینار آشنائی Ims
سمینار آشنائی Ims
 
Visualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionVisualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical Reflection
 
謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果
 
Ist110s Library Search Skills
Ist110s Library Search SkillsIst110s Library Search Skills
Ist110s Library Search Skills
 
Jeremiah Jones Resume SBA
Jeremiah Jones Resume SBAJeremiah Jones Resume SBA
Jeremiah Jones Resume SBA
 

Similar to Meet the DIVA - by: Sandeep & Ankit

Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNitesh Malviya
 
Code to Cloud Workshop.pptx
Code to Cloud Workshop.pptxCode to Cloud Workshop.pptx
Code to Cloud Workshop.pptxJamie Coleman
 
Code to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftCode to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftJamie Coleman
 
Ii 1300-java essentials for android
Ii 1300-java essentials for androidIi 1300-java essentials for android
Ii 1300-java essentials for androidAdrian Mikeliunas
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)Sam Bowne
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Rizal Aditya
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisPragati Rai
 
Code to Cloud Workshop
Code to Cloud WorkshopCode to Cloud Workshop
Code to Cloud WorkshopJamie Coleman
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on AndroidPietro F. Maggi
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 

Similar to Meet the DIVA - by: Sandeep & Ankit (20)

Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
 
Code to Cloud Workshop.pptx
Code to Cloud Workshop.pptxCode to Cloud Workshop.pptx
Code to Cloud Workshop.pptx
 
Code to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftCode to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the Left
 
Ii 1300-java essentials for android
Ii 1300-java essentials for androidIi 1300-java essentials for android
Ii 1300-java essentials for android
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security Analysis
 
Code to Cloud Workshop
Code to Cloud WorkshopCode to Cloud Workshop
Code to Cloud Workshop
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 

More from OWASP Delhi

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeoverOWASP Delhi
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report WritingOWASP Delhi
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air GapOWASP Delhi
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container EscapesOWASP Delhi
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using TerraformOWASP Delhi
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat IntelligenceOWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap OWASP Delhi
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriOWASP Delhi
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelOWASP Delhi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraOWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraOWASP Delhi
 

More from OWASP Delhi (20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 

Recently uploaded

TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Recently uploaded (9)

TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 

Meet the DIVA - by: Sandeep & Ankit

  • 1.
  • 2.  DIVA (Damn insecure and vulnerable App) is an Android App intentionally designed to be insecure  The vulnerabilities exist from a developer’s perspective  Source: https://github.com/payat u/diva-android  Created by Aseem Jakhar
  • 3. Current Challenges include: ◦ Insecure Logging ◦ Hardcoding Issues – Part 1 ◦ Insecure Data Storage – Part 1 ◦ Insecure Data Storage – Part 2 ◦ Insecure Data Storage – Part 3 ◦ Insecure Data Storage – Part 4 ◦ Input Validation Issues – Part 1 ◦ Input Validation Issues – Part 2 ◦ Access Control Issues – Part 1 ◦ Access Control Issues – Part 2 ◦ Access Control Issues – Part 3 ◦ Hardcoding Issues – Part 2 ◦ Input Validation Issues – Part 3
  • 4. For the purpose of the walkthrough of the challenges we need the following tools: ◦ Genymotion or Android Studio AVD ◦ Dex2jar or jadx ◦ JD-GUI ◦ APKTOOL
  • 5. jadx –d out_folder diva.apk adb devices adb logcat adb shell cd, ls, ls –a, cat sqlite3 database_name select * from table_name;