Added Featherweight DVHMA, a version of DVHMA that is designed to be as small and simple as possible while still intersting for security researchers.

2015-05-13 21:11:19 +02:00 · 2015-05-13 21:11:19 +02:00 · 04c3f5f0f2
parent 96e911d395
commit 04c3f5f0f2
9 changed files with 490 additions and 0 deletions
--- a/DVHMA-Featherweight/.gitignore
+++ b/DVHMA-Featherweight/.gitignore
@ -0,0 +1,2 @@
+platforms/
+plugins/
--- a/DVHMA-Featherweight/config.xml
+++ b/DVHMA-Featherweight/config.xml
@ -0,0 +1,11 @@
+<?xml version='1.0' encoding='utf-8'?>
+<widget id="de.zertapps.dvhma.dvhma-featherweight" version="0.0.1" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
+    <name>DVHMA</name>
+    <description>
+        Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities. 
+
+	This version of DVHMA, called Featherweight DVHMA, is designed to be a small as possible (e.g., avoiding large UI libraries such as Open UI5) while still beeing useful for security researchers.
+    </description>
+    <content src="index.html" />
+    <access origin="*" />
+</widget>
--- a/DVHMA-Featherweight/hooks/README.md
+++ b/DVHMA-Featherweight/hooks/README.md
@ -0,0 +1,196 @@
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+-->
+# Cordova Hooks
+
+Cordova Hooks represent special scripts which could be added by application and plugin developers or even by your own build system  to customize cordova commands. Hook scripts could be defined by adding them to the special predefined folder (`/hooks`) or via configuration files (`config.xml` and `plugin.xml`) and run serially in the following order:
+* Application hooks from `/hooks`;
+* Application hooks from `config.xml`;
+* Plugin hooks from `plugins/.../plugin.xml`.
+
+__Remember__: Make your scripts executable.
+
+__Note__: `.cordova/hooks` directory is also supported for backward compatibility, but we don't recommend using it as it is deprecated.
+
+## Supported hook types
+The following hook types are supported:
+
+    after_build/
+    after_compile/
+    after_docs/
+    after_emulate/
+    after_platform_add/
+    after_platform_rm/
+    after_platform_ls/
+    after_plugin_add/
+    after_plugin_ls/
+    after_plugin_rm/
+    after_plugin_search/
+    after_plugin_install/   <-- Plugin hooks defined in plugin.xml are executed exclusively for a plugin being installed
+    after_prepare/
+    after_run/
+    after_serve/
+    before_build/
+    before_compile/
+    before_docs/
+    before_emulate/
+    before_platform_add/
+    before_platform_rm/
+    before_platform_ls/
+    before_plugin_add/
+    before_plugin_ls/
+    before_plugin_rm/
+    before_plugin_search/
+    before_plugin_install/   <-- Plugin hooks defined in plugin.xml are executed exclusively for a plugin being installed
+    before_plugin_uninstall/   <-- Plugin hooks defined in plugin.xml are executed exclusively for a plugin being uninstalled
+    before_prepare/
+    before_run/
+    before_serve/
+    pre_package/ <-- Windows 8 and Windows Phone only.
+
+## Ways to define hooks
+### Via '/hooks' directory
+To execute custom action when corresponding hook type is fired, use hook type as a name for a subfolder inside 'hooks' directory and place you script file here, for example:
+
+    # script file will be automatically executed after each build
+    hooks/after_build/after_build_custom_action.js
+
+
+### Config.xml
+
+Hooks can be defined in project's `config.xml` using `<hook>` elements, for example:
+
+    <hook type="before_build" src="scripts/appBeforeBuild.bat" />
+    <hook type="before_build" src="scripts/appBeforeBuild.js" />
+    <hook type="before_plugin_install" src="scripts/appBeforePluginInstall.js" />
+
+    <platform name="wp8">
+        <hook type="before_build" src="scripts/wp8/appWP8BeforeBuild.bat" />
+        <hook type="before_build" src="scripts/wp8/appWP8BeforeBuild.js" />
+        <hook type="before_plugin_install" src="scripts/wp8/appWP8BeforePluginInstall.js" />
+        ...
+    </platform>
+
+    <platform name="windows8">
+        <hook type="before_build" src="scripts/windows8/appWin8BeforeBuild.bat" />
+        <hook type="before_build" src="scripts/windows8/appWin8BeforeBuild.js" />
+        <hook type="before_plugin_install" src="scripts/windows8/appWin8BeforePluginInstall.js" />
+        ...
+    </platform>
+
+### Plugin hooks (plugin.xml)
+
+As a plugin developer you can define hook scripts using `<hook>` elements in a `plugin.xml` like that:
+
+    <hook type="before_plugin_install" src="scripts/beforeInstall.js" />
+    <hook type="after_build" src="scripts/afterBuild.js" />
+
+    <platform name="wp8">
+        <hook type="before_plugin_install" src="scripts/wp8BeforeInstall.js" />
+        <hook type="before_build" src="scripts/wp8BeforeBuild.js" />
+        ...
+    </platform>
+
+`before_plugin_install`, `after_plugin_install`, `before_plugin_uninstall` plugin hooks will be fired exclusively for the plugin being installed/uninstalled.
+
+## Script Interface
+
+### Javascript
+
+If you are writing hooks in Javascript you should use the following module definition:
+```javascript
+module.exports = function(context) {
+    ...
+}
+```
+
+You can make your scipts async using Q:
+```javascript
+module.exports = function(context) {
+    var Q = context.requireCordovaModule('q');
+    var deferral = new Q.defer();
+
+    setTimeout(function(){
+    	console.log('hook.js>> end');
+		deferral.resolve();
+    }, 1000);
+
+    return deferral.promise;
+}
+```
+
+`context` object contains hook type, executed script full path, hook options, command-line arguments passed to Cordova and top-level "cordova" object:
+```json
+{
+	"hook": "before_plugin_install",
+	"scriptLocation": "c:\\script\\full\\path\\appBeforePluginInstall.js",
+	"cmdLine": "The\\exact\\command\\cordova\\run\\with arguments",
+	"opts": {
+		"projectRoot":"C:\\path\\to\\the\\project",
+		"cordova": {
+			"platforms": ["wp8"],
+			"plugins": ["com.plugin.withhooks"],
+			"version": "0.21.7-dev"
+		},
+		"plugin": {
+			"id": "com.plugin.withhooks",
+			"pluginInfo": {
+				...
+			},
+			"platform": "wp8",
+			"dir": "C:\\path\\to\\the\\project\\plugins\\com.plugin.withhooks"
+		}
+	},
+	"cordova": {...}
+}
+
+```
+`context.opts.plugin` object will only be passed to plugin hooks scripts.
+
+You can also require additional Cordova modules in your script using `context.requireCordovaModule` in the following way:
+```javascript
+var Q = context.requireCordovaModule('q');
+```
+
+__Note__:  new module loader script interface is used for the `.js` files defined via `config.xml` or `plugin.xml` only.
+For compatibility reasons hook files specified via `/hooks` folders are run via Node child_process spawn, see 'Non-javascript' section below.
+
+### Non-javascript
+
+Non-javascript scripts are run via Node child_process spawn from the project's root directory and have the root directory passes as the first argument. All other options are passed to the script using environment variables:
+
+* CORDOVA_VERSION - The version of the Cordova-CLI.
+* CORDOVA_PLATFORMS - Comma separated list of platforms that the command applies to (e.g.: android, ios).
+* CORDOVA_PLUGINS - Comma separated list of plugin IDs that the command applies to (e.g.: org.apache.cordova.file, org.apache.cordova.file-transfer)
+* CORDOVA_HOOK - Path to the hook that is being executed.
+* CORDOVA_CMDLINE - The exact command-line arguments passed to cordova (e.g.: cordova run ios --emulate)
+
+If a script returns a non-zero exit code, then the parent cordova command will be aborted.
+
+## Writing hooks
+
+We highly recommend writing your hooks using Node.js so that they are
+cross-platform. Some good examples are shown here:
+
+[http://devgirl.org/2013/11/12/three-hooks-your-cordovaphonegap-project-needs/](http://devgirl.org/2013/11/12/three-hooks-your-cordovaphonegap-project-needs/)
+
+Also, note that even if you are working on Windows, and in case your hook scripts aren't bat files (which is recommended, if you want your scripts to work in non-Windows operating systems) Cordova CLI will expect a shebang line as the first line for it to know the interpreter it needs to use to launch the script. The shebang line should match the following example:
+
+    #!/usr/bin/env [name_of_interpreter_executable]
--- a/DVHMA-Featherweight/www/css/style.css
+++ b/DVHMA-Featherweight/www/css/style.css
@ -0,0 +1,107 @@
+/* Copyright 2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+
+ *     http://www.apache.org/licenses/LICENSE-2.0
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+button {
+	background: #ECECEC;
+	border-radius: 15px;
+	padding: 5px 10px;
+	font-family: arial;
+	font-weight: bold;
+	color: #7f7f7f;
+	text-decoration: none;
+	text-shadow: 0px 1px 0px #fff;
+	border: 1px solid #a7a7a7;
+	margin: 1px auto;
+	width: 80px;
+	box-shadow: 0px 2px 1px white inset, 0px -2px 8px white, 0px 2px 5px
+		rgba(0, 0, 0, 0.1), 0px 8px 10px rgba(0, 0, 0, 0.1);
+	-webkit-transition: box-shadow 0.5s;
+}
+
+button i {
+	float: right;
+	margin-top: 2px;
+}
+
+button:hover {
+	box-shadow: 0px 2px 1px white inset, 0px -2px 20px white, 0px 2px 5px
+		rgba(0, 0, 0, 0.1), 0px 8px 10px rgba(0, 0, 0, 0.1);
+}
+
+button:active {
+	box-shadow: 0px 1px 2px rgba(0, 0, 0, 0.5) inset, 0px -2px 20px white,
+		0px 1px 5px rgba(0, 0, 0, 0.1), 0px 2px 10px rgba(0, 0, 0, 0.1);
+	background: -webkit-linear-gradient(top, #d1d1d1 0%, #ECECEC 100%);
+}
+
+table thead th {
+	border-bottom: 1px solid #999;
+	padding: 10px;
+}
+
+header {
+	height: 40px;
+	width: calc(100% - 16px);
+	position:fixed;
+}
+
+#items {
+	width: calc(100% - 16px);
+	overflow: auto;
+	position:fixed;
+	bottom: 68px;
+	top: 100px;
+}
+
+footer {
+	height: 60px;
+	position:fixed;
+	bottom: 8px;
+	width: calc(100% - 16px);
+}
+
+.editRemoveButtons {
+	display: table-cell;
+	vertical-align: middle;
+	height: 90px;
+	width: 90px;
+}
+
+p {
+	display: table-cell;
+	vertical-align: middle;
+	text-align: left;
+	word-break: break-all;
+}
+
+.title {
+	display: table;
+	width: 100%;
+}
+
+#newItemButton {
+	width: 100%;
+}
+
+span {
+	display: table-cell;
+	vertical-align: middle;
+	width: 20px;
+	padding: 5px;
+}
+
+img {
+	height: 20px;
+}
--- a/DVHMA-Featherweight/www/img/ic_action_collapse.png
+++ b/DVHMA-Featherweight/www/img/ic_action_collapse.png
--- a/DVHMA-Featherweight/www/img/ic_action_expand.png
+++ b/DVHMA-Featherweight/www/img/ic_action_expand.png
--- a/DVHMA-Featherweight/www/img/logo.png
+++ b/DVHMA-Featherweight/www/img/logo.png
--- a/DVHMA-Featherweight/www/index.html
+++ b/DVHMA-Featherweight/www/index.html
@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<!--
+  Copyright 2015 SAP SE
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<html>
+<head>
+<meta charset="utf-8" />
+<meta name="format-detection" content="telephone=no" />
+<meta name="msapplication-tap-highlight" content="no" />
+<!-- WARNING: for iOS 7, remove the width=device-width and height=device-height attributes. See https://issues.apache.org/jira/browse/CB-4323 -->
+<meta name="viewport"
+	content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height, target-densitydpi=device-dpi" />
+<title>Simple List</title>
+<link rel="stylesheet" type="text/css" href="css/style.css" />
+<script type="text/javascript" src="cordova.js"></script>
+<script type="text/javascript" src="js/index.js"></script>
+</head>
+<body>
+	<header>
+		<h1>Todo List</h1>
+		<hr />
+	</header>
+	<div id="items"></div>
+
+	<footer>
+		<hr />
+		<button id="newItemButton" onclick="onNewItemClick()">New Item</button>
+	</footer>
+</body>
+</html>
--- a/DVHMA-Featherweight/www/js/index.js
+++ b/DVHMA-Featherweight/www/js/index.js
@ -0,0 +1,132 @@
+/*  Copyright 2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+
+ *     http://www.apache.org/licenses/LICENSE-2.0
+
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+function onDeviceReady() {
+	checkForExtraText();
+}
+
+function checkForExtraText() {
+	window.plugins.webintent.hasExtra(window.plugins.webintent.EXTRA_TEXT, function(hasExtra) {
+		if (hasExtra) {
+			window.plugins.webintent.getExtra(window.plugins.webintent.EXTRA_TEXT, function(content) {
+				window.plugins.webintent.hasExtra(window.plugins.webintent.EXTRA_SUBJECT, function(hasSubjectExtra) {
+					if (hasSubjectExtra) {
+						window.plugins.webintent.getExtra(window.plugins.webintent.EXTRA_SUBJECT, function(title) {
+							window.todo.create([{"title" : title, "content" : content}], reloadItems, console.log);
+						}, console.log);
+					} else {
+						window.todo.create([{"title" : "NewTitle", "content" : content}], reloadItems, console.log);
+					}
+				}, console.log);
+			}, console.log);
+		} else {
+			window.todo.get(reloadItems, console.log);
+		}
+	}, console.log);
+}
+
+function onRemoveItem(e) {
+	window.todo.delete([e.target.parentNode.parentNode.dataset.id], reloadItems, console.log);
+}
+
+function onEditItem(e) {
+	var id = e.target.parentNode.parentNode.dataset.id;
+	window.todo.get(function(items) {
+		var oldTitle = items[id]["title"];
+		var oldContent = items[id]["content"];
+		var newTitle = prompt("Enter title", oldTitle);
+		if (newTitle == null) {
+			newTitle = oldTitle;
+		}
+		var newContent = prompt("Enter content", oldContent);
+		if (newContent == null) {
+			newContent = oldContent;
+		}
+		window.todo.edit([id, {"title" : newTitle, "content" : newContent}], reloadItems, console.log);
+	}, alert);
+}
+
+function onLoadContent(e) {
+	var contentDiv = e.target.parentNode.parentNode.parentNode.getElementsByClassName("content")[0];
+	if (contentDiv.dataset.loaded == "true") {
+		contentDiv.innerHTML = '';
+		contentDiv.dataset.loaded = false;
+		contentDiv.parentNode.getElementsByTagName("img")[0].src = "img/ic_action_expand.png";
+	} else {
+		window.todo.get(function(items) {
+			var id = e.target.parentNode.parentNode.dataset.id;
+			contentDiv.parentNode.getElementsByTagName("img")[0].src = "img/ic_action_collapse.png";
+			contentDiv.innerHTML = items[id]["content"];
+			contentDiv.dataset.loaded = true;
+		}, console.log);
+	}
+}
+
+function reloadItems(items) {
+	var itemsDiv = document.getElementById("items");
+	while (itemsDiv.hasChildNodes()) {
+		itemsDiv.removeChild(itemsDiv.firstChild);
+	}
+	
+	for (i = 0; i < items.length; i++) {
+		var entry = items[i]["title"];
+	
+		var div = document.createElement("div");
+		
+		var headDiv = document.createElement("div");
+		headDiv.setAttribute("data-id", i);
+		headDiv.className = "title";
+		
+		var span = document.createElement("span");
+		var img = document.createElement("img");
+		img.src = "img/ic_action_expand.png";
+		img.onclick = onLoadContent;
+		span.appendChild(img);
+		headDiv.appendChild(span);
+		
+		var p = document.createElement("p");
+		p.innerHTML = entry;
+		headDiv.appendChild(p);
+		
+		var buttonDiv = document.createElement("div");
+		buttonDiv.className = "editRemoveButtons";
+		
+		var editButton = document.createElement("button");
+		editButton.innerHTML = "Edit";
+		editButton.onclick = onEditItem;
+		buttonDiv.appendChild(editButton);
+		
+		var removeButton = document.createElement("button");
+		removeButton.innerHTML = "Remove";
+		removeButton.onclick = onRemoveItem;
+		buttonDiv.appendChild(removeButton);
+		headDiv.appendChild(buttonDiv);
+		
+		div.appendChild(headDiv);
+		
+		var contentDiv = document.createElement("div");
+		contentDiv.className = "content";
+		contentDiv.dataset.loaded = false;
+		div.appendChild(contentDiv);
+		
+		itemsDiv.appendChild(div);
+	}
+}
+
+function onNewItemClick() {
+	window.todo.create([{"title" : "NewTitle", "content" : "New Content"}], reloadItems, console.log);
+}
+
+document.addEventListener("deviceready", onDeviceReady);