Skip to content

iOS iBugBazaar: Your mobile appsec playground to Explore, Exploit, Excel

Notifications You must be signed in to change notification settings

payatu/iBugBazaar

Repository files navigation

iBugBazaar: Your mobile appsec playground to Explore, Exploit, Excel

Welcome to iBugBazaar, your gateway to mastering Mobile penetration testing on iOS platform!

📱What is it?

iBugBazaar is a comprehensive mobile application intentionally designed to be vulnerable, featuring over 20+ vulnerabilities. Developed to emulate real-world scenarios, it includes more than 10 modules and features, each replicating real-world functions and the vulnerabilities surrounding them.

🔍Why?

We've bundled 20+ vulnerabilities into a single application, saving you from downloading multiple apps to learn about mobile application pentesting. We've packed a lot into one.

meme

🎯For whom?

Whether you're a security enthusiast, developer, beginner exploring the mobile pentesting arena, or a professional looking to hone your skills, iBugBazaar has something for everyone on the mobile pentesting learning curve.  

🤔What's in for me?

iBugBazaar offers a wide range of vulnerabilities, from  Arbitrary webview exploitation, authentication bypass, Patching the app binary and limit bypass, Runtime Manipulation — we've got a lot of things covered.  

🤓Never-Ending Learning

What's more exciting? Stay in sync with the evolving landscape! BugBazaar regularly updates with fresh vulnerabilities and captivating challenges. Stay vigilant, stay ahead! Get Started Today!

📷Screenshots

Untitled (1715 x 1080 px) (1)

⚠️Vulnerabilities

  1. API Key Storage: Storing API keys in Plist files.
  2. Sensitive Data Storage: Saving information in NSUserDefaults.
  3. Shopping Cart Bypass: Attempting to surpass product limits by modifying the app binary.
  4. Clipboard Data Exposure: Potential data exposure through copy-paste buffer caching.
  5. Insecure Logging during Card Addition: Logging sensitive information insecurely during card addition.
  6. Local Card Data Storage: Saving card data locally.
  7. Authentication Token Exposure: Allowing users to locally store authentication tokens after logout.
  8. Hardcoded Login Credentials: Embedding username and password in code during login.
  9. Login Rate Limiting: Potential vulnerability to rate limiting during login.
  10. Insecure Login Logging: Logging sensitive information insecurely during login.
  11. Hardcoded One-Time Password (OTP): Embedding OTP values directly in the code.
  12. Runtime Balance Tampering: Attempting to tamper with the balance during runtime.
  13. Background Screenshots: Unauthorised capture of screenshots in the background.
  14. WebView Redirection: Unauthorised redirection in web views.
  15. HTML Injection and XSS: Vulnerabilities related to HTML injection and cross-site scripting.
  16. Link File Theft via Schema: Unauthorised access to files through schema links.
  17. HiddenLabelView: Potential security risks associated with the HiddenLabelView.
  18. Insecure HTTP Requests: Performing HTTP requests without proper security measures.
  19. Vulnerable Functions: Presence of functions with potential security vulnerabilities.
  20. Allowing All URL Redirections: Lack of restriction on URL redirections.
  21. Jailbreak Detection Bypass: Potential methods to bypass jailbreak detection.
  22. Application Debuggable: Enabled for debugging, exposing potential security risks.
  23. Improper Input Validation: Lack of proper validation for user inputs, posing security vulnerabilities.

🔒Security Controls

Implemented security Controls including jailbreak detection and hooking detection with difficulty levels. Users can test their skills according to the selected security control level

  • EASY
  • MEDIUM
  • ADVANCED

Core Team

Kapil Gurav Security Consultant at Payatu- Mobile GitHub Twitter LinkedIn
Amit Kumar Prajapat Lead Security Consultant at Payatu- Mobile GitHub LinkedIn Twitter