PoC frida.re Base Script

demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MASTG-DEMO-0058.md

@@ -0,0 +1,60 @@
+---
+platform: android
+title: Use of Insecure ECB Block Mode in KeyGenParameterSpec
+id: MASTG-DEMO-0058
+code: [kotlin]
+test: MASTG-TEST-0232
+---
+
+### Sample
+
+The code snippet below shows sample code which uses insecure ECB block modes with `KeyGenParameterSpec`.
+
+The method used to configure the block mode is:
+
+```kotlin
+public KeyGenParameterSpec.Builder setBlockModes (String... blockModes)
+```
+
+As the parameter can be variable, the demo sets the ECB block mode in the following ways:
+
+1. ECB as a single parameter
+2. ECB as the second of two parameters
+3. ECB as the first of two parameters
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+1. Make sure a mobile phone is attached to your computer with a @MASTG-TOOL-0031 server running on it.
+1. Run the script `run.sh`.
+1. Run the DEMO on Android while the script is running.
+1. Terminate @MASTG-TOOL-0031 by typing `exit` into its shell.
+
+{{ run.sh # hooks.js }}
+
+### Observation
+
+The script will use @MASTG-TOOL-0031 to intercept the methods defined in `hooks.js`.
+
+It will intercept calls to the methods and capture the stacktrace, the decoded parameters the methods is calls with and its decoded return value.
+
+All information will be written as JSON to `output.txt`.
+
+{{ output.txt }}
+
+### Evaluation
+
+The method `setBlockModes` has now been called three times with ECB as one of the block modes.
+
+You can also evaluate the output automatically using tools like `jq`:
+
+```bash
+➜  MASTG-DEMO-0058 git:(DEMO-KeyGenParamSpec) ✗ jq  -s '.[0]|(.class == "android.security.keystore.KeyGenParameterSpec$Builder" and .method == "setBlockModes" and (.inputParameters[0].value | contains(["ECB"])))' output.txt
+
+true
+```
+
+The test fails, as key used with these `KeyGenParameterSpec` can now be used used to insecurely encrypt data.
+
+See @MASTG-TEST-0232 for more information.

demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MastgTest.kt

@@ -0,0 +1,34 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+
+class MastgTest (private val context: Context){
+
+    fun mastgTest(): String {
+//        val r = DemoResults("0058")
+
+        try {
+            val b = KeyGenParameterSpec.Builder(
+                "testKeyGenParameter",
+                KeyProperties.PURPOSE_ENCRYPT
+            )
+            b.setBlockModes(KeyProperties.BLOCK_MODE_ECB)
+//            r.add(Status.FAIL, "The associated key can only use the insecure symmetric encryption block mode ECB.")
+
+            b.setBlockModes(KeyProperties.BLOCK_MODE_ECB, KeyProperties.BLOCK_MODE_CBC)
+//            r.add(Status.FAIL, "The associated key may use the insecure symmetric encryption block mode ECB.")
+
+            b.setBlockModes(KeyProperties.BLOCK_MODE_CBC, KeyProperties.BLOCK_MODE_ECB)
+//            r.add(Status.FAIL, "The associated key may use the insecure symmetric encryption block mode ECB.")
+
+        }
+        catch (e: Exception){
+//            r.add(Status.ERROR, e.toString())
+        }
+//        return r.toJson()\
+        return "The associated key can use the insecure symmetric encryption block mode ECB."
+    }
+
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MastgTest_reversed.java

@@ -0,0 +1,31 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.security.keystore.KeyGenParameterSpec;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\u0006\u001a\u00020\u0007R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\b"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "<init>", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48)
+/* loaded from: classes3.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+    }
+
+    public final String mastgTest() {
+        try {
+            KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder("testKeyGenParameter", 1);
+            b.setBlockModes("ECB");
+            b.setBlockModes("ECB", "CBC");
+            b.setBlockModes("CBC", "ECB");
+            return "The associated key can use the insecure symmetric encryption block mode ECB.";
+        } catch (Exception e) {
+            return "The associated key can use the insecure symmetric encryption block mode ECB.";
+        }
+    }
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/hooks.js

@@ -0,0 +1,12 @@
+var target = {
+    category: "CRYPTO",
+    demo: "0058",
+    hooks: [
+    {
+      class: "android.security.keystore.KeyGenParameterSpec$Builder",
+      methods: [
+        "setBlockModes"
+      ]
+    }
+  ]
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/output.json

@@ -0,0 +1,89 @@
+{
+  "id": "95627692-17be-430b-960d-83d0b90fbf37",
+  "category": "CRYPTO",
+  "time": "2025-07-01T06:12:55.558Z",
+  "class": "android.security.keystore.KeyGenParameterSpec$Builder",
+  "method": "setBlockModes",
+  "stackTrace": [
+    "android.security.keystore.KeyGenParameterSpec$Builder.setBlockModes(Native Method)",
+    "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:17)",
+    "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$9$lambda$8(MainActivity.kt:53)",
+    "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PhzGLzmkS_ibruOfiTT32AhzWl4(Unknown Source:0)",
+    "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda0.run(D8$$SyntheticClass:0)",
+    "java.lang.Thread.run(Thread.java:1012)"
+  ],
+  "inputParameters": [
+    {
+      "type": "[Ljava.lang.String;",
+      "value": [
+        "ECB"
+      ]
+    }
+  ],
+  "returnValue": [
+    {
+      "type": "android.security.keystore.KeyGenParameterSpec$Builder",
+      "value": "<instance: android.security.keystore.KeyGenParameterSpec$Builder>"
+    }
+  ]
+}
+{
+  "id": "ba434f74-ac8f-4e0c-a83f-bba8309bf0ba",
+  "category": "CRYPTO",
+  "time": "2025-07-01T06:12:55.560Z",
+  "class": "android.security.keystore.KeyGenParameterSpec$Builder",
+  "method": "setBlockModes",
+  "stackTrace": [
+    "android.security.keystore.KeyGenParameterSpec$Builder.setBlockModes(Native Method)",
+    "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:20)",
+    "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$9$lambda$8(MainActivity.kt:53)",
+    "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PhzGLzmkS_ibruOfiTT32AhzWl4(Unknown Source:0)",
+    "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda0.run(D8$$SyntheticClass:0)",
+    "java.lang.Thread.run(Thread.java:1012)"
+  ],
+  "inputParameters": [
+    {
+      "type": "[Ljava.lang.String;",
+      "value": [
+        "ECB",
+        "CBC"
+      ]
+    }
+  ],
+  "returnValue": [
+    {
+      "type": "android.security.keystore.KeyGenParameterSpec$Builder",
+      "value": "<instance: android.security.keystore.KeyGenParameterSpec$Builder>"
+    }
+  ]
+}
+{
+  "id": "0e47dbdb-968e-4ced-8826-db7cee8bc26a",
+  "category": "CRYPTO",
+  "time": "2025-07-01T06:12:55.563Z",
+  "class": "android.security.keystore.KeyGenParameterSpec$Builder",
+  "method": "setBlockModes",
+  "stackTrace": [
+    "android.security.keystore.KeyGenParameterSpec$Builder.setBlockModes(Native Method)",
+    "org.owasp.mastestapp.MastgTest.mastgTest(MastgTest.kt:23)",
+    "org.owasp.mastestapp.MainActivityKt.MainScreen$lambda$9$lambda$8(MainActivity.kt:53)",
+    "org.owasp.mastestapp.MainActivityKt.$r8$lambda$PhzGLzmkS_ibruOfiTT32AhzWl4(Unknown Source:0)",
+    "org.owasp.mastestapp.MainActivityKt$$ExternalSyntheticLambda0.run(D8$$SyntheticClass:0)",
+    "java.lang.Thread.run(Thread.java:1012)"
+  ],
+  "inputParameters": [
+    {
+      "type": "[Ljava.lang.String;",
+      "value": [
+        "CBC",
+        "ECB"
+      ]
+    }
+  ],
+  "returnValue": [
+    {
+      "type": "android.security.keystore.KeyGenParameterSpec$Builder",
+      "value": "<instance: android.security.keystore.KeyGenParameterSpec$Builder>"
+    }
+  ]
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0058/run.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+../../../../frida/android/run.sh ./hooks.js

demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MASTG-DEMO-0059.md

@@ -0,0 +1,40 @@
+---
+platform: android
+title: App Writing Sensitive Data to Sandbox using SharedPreferences
+id: MASTG-DEMO-0059
+code: [kotlin]
+test: MASTG-TEST-0207
+---
+
+### Sample
+
+The code snippet below shows sample code which stores sensitive data using `SharedPreferences`. It stores sensitive data using `String` and `StringSet`.
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+1. Make sure a mobile phone is attached to your computer with a @MASTG-TOOL-0031 server running on it.
+1. Run the script `run.sh`.
+1. Run the DEMO on Android while the script is running.
+1. Terminate @MASTG-TOOL-0031 by typing `exit` into its shell.
+
+{{ run.sh # hooks.js }}
+
+### Observation
+
+The script will use @MASTG-TOOL-0031 to intercept the methods defined in `hooks.js`.
+
+It will intercept calls to the methods and capture the stacktrace, the decoded parameters the methods is calls with and its decoded return value.
+
+All information will be written as JSON to `output.txt`.
+
+{{ output.txt }}
+
+### Evaluation
+
+The `SharedPreference` `Editor` was used to write a String and a StringSet unencrypted into the local sandbox.
+
+The test fails, as the data can be potentially extracted from the sandbox using backups or root access on a compromised phone for example.
+
+See @MASTG-TEST-0207 for more information.

demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MastgTest.kt

@@ -0,0 +1,70 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import android.content.SharedPreferences
+import java.util.HashSet
+
+class MastgTest(private val context: Context) {
+    private val sensitiveData: String = """These are some strings which are considered sensitive data. They should not be stored insecurely: 
+Artifactory: AKCp73pL4kpx91TSG1v2J5sLz6rHbHCVF5S3A
+AWSKey: AKIAIOSFODNN7EXAMPLE
+AzureStorageKey: Eby8vdM02xNO+G6CZDtl/JlEt2k='ExAmPlEkEy
+BasicAuth: dXNlcm5hbWU6cGFzc3dvcmQ=
+Cloudant: 4c9d0a20f5-2f52-4be1-9a27-19e40bd2ac83-bluemix
+DiscordBotToken: ODkxMjI2OTg0ODIxNzcyMDY4.YfP-cw.k5FVSFOjVC0GZ6qHwWr2hsU-34U
+GitHubToken: ghp_1234567890abcdefghijklmnOPQRSTUV
+GitLabToken: glpat-12abc34XYZ5efGHIJKL67mnOpQrSt
+Base64HighEntropyString: QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+HexHighEntropyString: 4a1d2c1f9f835c82d15694e445f7cd9f1db7f6a7
+IbmCloudIam: eyJraWQiOiI2Nzg5eCIsImFsZyI6IkhTMjU2In0
+IbmCosHmac: OUnS6XcBYLArEtyHPtH8/Sdgr7EjIUhe7gZtnrZj
+IPPrivate: 192.168.1.1
+IPPrivate: 172.16.4.5.0
+IPPrivate: 10.0.2.5
+IPLocalHost: 127.0.0.1
+JwtToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSIsImlhdCI6MTYxNzA1NjgwMCwiZXhwIjoxNjE3MDU3MDAwfQ.sJgFhsr5d2JG1hKOnwzzd8qzNx56Z76pRVKkJVGmPAI
+Mailchimp: 9d7c1b4fd8bbddad8ecf841d-us20
+Npm: npm_AZ4D3XFUGYD2HC3YBWLNLFIE
+OpenAI: sk-2t1HcLdKzRrn0pOI5GwIaRn8Z2Xgf9
+PrivateKey: MIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=
+PypiToken: pypi-AgENdGVzdC10b2tlbi0xMjM0
+SendGrid: SG.dummykey12345Uwv5ecA7QG-3W4dUMG
+Slack: xoxb-123456789012-1234567890123-ABCDEFG12345678
+Softlayer: abcdefghijklmnopqrstuvwxyz1234567890abcdef1234567890abcdef1234567890abcdef
+SquareOAuth: sq0atp-1rLNX1q4TaLRcS1Xr1kWlA
+Stripe: sk_test_4eC39HqLyjWDarjtT1zdp7dc
+TelegramBotToken: 123456789:AAHojBo45KxlmdmpI3XlVu3iTDnjFPlwd
+TwilioKey: SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+PrivateKey: MIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=
+PrivateKey: -----BEGIN RSA PRIVATE KEY-----
+PrivateKey: -----BEGIN RSA PRIVATE KEY-----
+PrivateKey: -----BEGIN DSA PRIVATE KEY-----
+PrivateKey: -----BEGIN DSA PUBLIC KEY-----
+PrivateKey: -----BEGIN EC PRIVATE KEY-----
+PrivateKey: -----BEGIN EC PUBLIC KEY-----
+PrivateKey: -----BEGIN DH PARAMETERS-----
+PrivateKey: -----BEGIN PRIVATE KEY-----
+PrivateKey: -----BEGIN EC PRIVATE KEY-----
+PrivateKey: -----BEGIN ENCRYPTED PRIVATE KEY-----
+PrivateKey: -----END RSA PRIVATE KEY-----
+PrivateKey: -----END EC PRIVATE KEY-----
+PrivateKey: Proc-Type: 4,ENCRYPTED"""
+
+    fun mastgTest(): String {
+        try {
+            val sharedPref = context.getSharedPreferences("MasSharedPref_Sensitive_Data", Context.MODE_PRIVATE)
+            val editor = sharedPref.edit()
+            editor.putString("SensitiveData", sensitiveData)
+            editor.apply()
+
+            val stringSet = HashSet<String>()
+            stringSet.add(sensitiveData)
+            editor.putStringSet("SensitiveDataStringSet", stringSet)
+            editor.apply()
+
+            return "Sensitive data has been written to the sandbox."
+        } catch (e: Exception) {
+            return "Sensitive data has been written to the sandbox."
+        }
+    }
+}

demos/android/MASVS-STORAGE/MASTG-DEMO-0059/MastgTest_reversed.java

@@ -0,0 +1,39 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.content.SharedPreferences;
+import java.util.HashSet;
+import java.util.Set;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u001a\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0002\b\u0002\b\u0007\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\b\u001a\u00020\u0007R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\t"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "<init>", "(Landroid/content/Context;)V", "sensitiveData", "", "mastgTest", "app_debug"}, k = 1, mv = {2, 0, 0}, xi = 48)
+/* loaded from: classes3.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+    private final String sensitiveData;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+        this.sensitiveData = "These are some strings which are considered sensitive data. They should not be stored insecurely: \nArtifactory: AKCp73pL4kpx91TSG1v2J5sLz6rHbHCVF5S3A\nAWSKey: AKIAIOSFODNN7EXAMPLE\nAzureStorageKey: Eby8vdM02xNO+G6CZDtl/JlEt2k='ExAmPlEkEy\nBasicAuth: dXNlcm5hbWU6cGFzc3dvcmQ=\nCloudant: 4c9d0a20f5-2f52-4be1-9a27-19e40bd2ac83-bluemix\nDiscordBotToken: ODkxMjI2OTg0ODIxNzcyMDY4.YfP-cw.k5FVSFOjVC0GZ6qHwWr2hsU-34U\nGitHubToken: ghp_1234567890abcdefghijklmnOPQRSTUV\nGitLabToken: glpat-12abc34XYZ5efGHIJKL67mnOpQrSt\nBase64HighEntropyString: QWxhZGRpbjpvcGVuIHNlc2FtZQ==\nHexHighEntropyString: 4a1d2c1f9f835c82d15694e445f7cd9f1db7f6a7\nIbmCloudIam: eyJraWQiOiI2Nzg5eCIsImFsZyI6IkhTMjU2In0\nIbmCosHmac: OUnS6XcBYLArEtyHPtH8/Sdgr7EjIUhe7gZtnrZj\nIPPrivate: 192.168.1.1\nIPPrivate: 172.16.4.5.0\nIPPrivate: 10.0.2.5\nIPLocalHost: 127.0.0.1\nJwtToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSIsImlhdCI6MTYxNzA1NjgwMCwiZXhwIjoxNjE3MDU3MDAwfQ.sJgFhsr5d2JG1hKOnwzzd8qzNx56Z76pRVKkJVGmPAI\nMailchimp: 9d7c1b4fd8bbddad8ecf841d-us20\nNpm: npm_AZ4D3XFUGYD2HC3YBWLNLFIE\nOpenAI: sk-2t1HcLdKzRrn0pOI5GwIaRn8Z2Xgf9\nPrivateKey: MIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=\nPypiToken: pypi-AgENdGVzdC10b2tlbi0xMjM0\nSendGrid: SG.dummykey12345Uwv5ecA7QG-3W4dUMG\nSlack: xoxb-123456789012-1234567890123-ABCDEFG12345678\nSoftlayer: abcdefghijklmnopqrstuvwxyz1234567890abcdef1234567890abcdef1234567890abcdef\nSquareOAuth: sq0atp-1rLNX1q4TaLRcS1Xr1kWlA\nStripe: sk_test_4eC39HqLyjWDarjtT1zdp7dc\nTelegramBotToken: 123456789:AAHojBo45KxlmdmpI3XlVu3iTDnjFPlwd\nTwilioKey: SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\nPrivateKey: MIIEvAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALfX7kbfFv3pc3JjOHQ=\nPrivateKey: -----BEGIN RSA PRIVATE KEY-----\nPrivateKey: -----BEGIN RSA PRIVATE KEY-----\nPrivateKey: -----BEGIN DSA PRIVATE KEY-----\nPrivateKey: -----BEGIN DSA PUBLIC KEY-----\nPrivateKey: -----BEGIN EC PRIVATE KEY-----\nPrivateKey: -----BEGIN EC PUBLIC KEY-----\nPrivateKey: -----BEGIN DH PARAMETERS-----\nPrivateKey: -----BEGIN PRIVATE KEY-----\nPrivateKey: -----BEGIN EC PRIVATE KEY-----\nPrivateKey: -----BEGIN ENCRYPTED PRIVATE KEY-----\nPrivateKey: -----END RSA PRIVATE KEY-----\nPrivateKey: -----END EC PRIVATE KEY-----\nPrivateKey: Proc-Type: 4,ENCRYPTED\n";
+    }
+
+    public final String mastgTest() {
+        try {
+            SharedPreferences sharedPref = this.context.getSharedPreferences("MasSharedPref_Sensitive_Data", 0);
+            SharedPreferences.Editor editor = sharedPref.edit();
+            editor.putString("SensitiveData", this.sensitiveData);
+            editor.apply();
+            Set stringSet = new HashSet();
+            stringSet.add(this.sensitiveData);
+            editor.putStringSet("SensitiveDataStringSet", stringSet);
+            editor.apply();
+            return "Sensitive data has been written to the sandbox.";
+        } catch (Exception e) {
+            return "Sensitive data has been written to the sandbox.";
+        }
+    }
+}