
IBugBazaar

iOS iBugBazaar: Your mobile appsec playground to Explore, Exploit, Excel

Install / Use

/learn @payatu/IBugBazaar

README

iBugBazaar: Your mobile appsec playground to Explore, Exploit, Excel

Welcome to iBugBazaar, your gateway to mastering mobile penetration testing on the iOS platform!

📱What is it?

iBugBazaar is a comprehensive mobile application that is intentionally vulnerable, featuring more than 20 vulnerabilities. Developed to emulate real-world scenarios, it includes more than 10 modules and features, each replicating a real-world function together with the vulnerabilities that surround it.

🔍Why?

We've bundled 20+ vulnerabilities into a single application, so you don't have to download multiple apps to learn mobile application pentesting. We've packed a lot into one.


🎯For whom?

Whether you're a security enthusiast, a developer, a beginner exploring the mobile pentesting arena, or a professional looking to hone your skills, iBugBazaar has something for everyone on the mobile pentesting learning curve.

🤔What's in for me?

iBugBazaar covers a wide range of vulnerabilities: arbitrary WebView exploitation, authentication bypass, patching the app binary to bypass limits, runtime manipulation, and more.

🤓Never-Ending Learning

What's more exciting? Stay in sync with the evolving landscape! iBugBazaar is regularly updated with fresh vulnerabilities and new challenges. Stay vigilant, stay ahead! Get started today!

📷Screenshots

(App screenshot image)

⚠️Vulnerabilities

  1. API key storage: API keys stored in plist files.
  2. Sensitive data storage: sensitive information saved in NSUserDefaults.
  3. Shopping cart bypass: per-product purchase limits bypassed by patching the app binary.
  4. Clipboard data exposure: sensitive data exposed through the copy-paste buffer (pasteboard).
  5. Insecure logging during card addition: sensitive card details written to the log when a card is added.
  6. Local card data storage: card data saved locally on the device.
  7. Authentication token exposure: authentication tokens remain stored locally after logout.
  8. Hardcoded login credentials: username and password embedded in the login code.
  9. Missing login rate limiting: no throttling of login attempts, allowing brute force.
  10. Insecure login logging: sensitive information written to the log during login.
  11. Hardcoded one-time password (OTP): OTP values embedded directly in the code.
  12. Runtime balance tampering: the account balance can be modified at runtime.
  13. Background screenshots: sensitive screen content captured in the snapshot iOS takes when the app is backgrounded.
  14. WebView redirection: unauthorised redirection inside WebViews.
  15. HTML injection and XSS: HTML injection and cross-site scripting in WebView content.
  16. Local file theft via URL scheme: unauthorised access to local files through links using the app's URL scheme.
  17. HiddenLabelView: content kept in a hidden label view, which is still recoverable from the view hierarchy.
  18. Insecure HTTP requests: requests sent over plain HTTP without transport security.
  19. Vulnerable functions: use of functions known to be insecure.
  20. Allowing all URL redirections: no restriction on which URLs may be redirected to.
  21. Jailbreak detection bypass: the jailbreak detection can be bypassed.
  22. Application debuggable: the app is built with debugging enabled, so a debugger can be attached.
  23. Improper input validation: user input is not properly validated.
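As an added example (not code from iBugBazaar), the following Python script shows the check a tester would run against a pulled app container for the storage findings above (items 1, 2, 6, 7 and 18): it parses an Info.plist and an NSUserDefaults plist with the standard `plistlib` module and flags secret-like keys, Luhn-valid card numbers and an App Transport Security exception that permits cleartext HTTP. Both plists are constructed inline with hypothetical key names; they are not taken from the app.

```python
"""Scan iOS app plists for hardcoded secrets, stored tokens, card data and ATS exceptions."""
import plistlib
import re

# Constructed sample Info.plist (hypothetical bundle and key names, not iBugBazaar's).
INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.shop",
    "PaymentGatewayAPIKey": "sk_live_" + "a" * 24,          # hardcoded API key (item 1)
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},  # cleartext HTTP allowed (item 18)
})

# Constructed sample NSUserDefaults store, normally Library/Preferences/<bundle id>.plist.
USER_DEFAULTS_PLIST = plistlib.dumps({
    "username": "alice",
    "auth_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig",  # token kept after logout (item 7)
    "saved_card": {"number": "4111111111111111", "cvv": "123"},      # card data on disk (item 6)
    "theme": "dark",
})

# Key names that usually hold something that should have gone to the Keychain instead.
SECRET_KEY_RE = re.compile(r"(api[_-]?key|token|secret|password|cvv|card)", re.I)
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to tell real card numbers from random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _walk(node, path=""):
    """Yield (dotted path, value) for every leaf in a parsed plist, nested dicts and arrays included."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def scan_plist(data: bytes, source: str) -> list[str]:
    """Return a list of human-readable findings for one plist (XML or binary)."""
    findings = []
    tree = plistlib.loads(data)
    for path, value in _walk(tree):
        if isinstance(value, str) and value and SECRET_KEY_RE.search(path):
            findings.append(f"{source}: secret-like value under '{path}'")
        if isinstance(value, str) and PAN_RE.match(value) and luhn_ok(value):
            findings.append(f"{source}: Luhn-valid card number under '{path}'")
    # Info.plist only: a global ATS exception downgrades every request to plain HTTP.
    ats = tree.get("NSAppTransportSecurity", {}) if isinstance(tree, dict) else {}
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(f"{source}: NSAllowsArbitraryLoads=true permits cleartext HTTP")
    return findings


if __name__ == "__main__":
    for line in scan_plist(INFO_PLIST, "Info.plist") + scan_plist(USER_DEFAULTS_PLIST, "defaults"):
        print(line)
```

On a real target the Info.plist comes from the app bundle and the NSUserDefaults file from the data container's `Library/Preferences/` directory, copied off a jailbroken device over SSH or from a backup; the scanner runs unchanged on either the XML or the binary plist form.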

🔒Security Controls

Security controls, including jailbreak detection and hooking detection, are implemented at several difficulty levels. Users can test their skills against the selected level:

  • EASY
  • MEDIUM
  • ADVANCED

Core Team

| Name | Role | | | |
|---|---|---|---|---|
| Kapil Gurav | Security Consultant at Payatu - Mobile | GitHub | Twitter | LinkedIn |
| Amit Kumar Prajapat | Lead Security Consultant at Payatu - Mobile | GitHub | LinkedIn | Twitter |

View on GitHub: 21 stars, 7 forks, category Development, updated 1 month ago

Languages

Makefile

Security Score

80/100, audited on Feb 16, 2026, no findings