# API BFLA in Android

In this lab environment, you will get access to a Debian machine, which has all the required tools installed on it for this lab, along with an Android emulator. To start the Android emulator, run the "startemulator.sh" script present at "Desktop."

**Objective:** Identify and exploit a Broken Function Level Authorization (BFLA) vulnerability.

The following Android application can be useful:

* NovaTech.apk: Intentionally vulnerable Android application. (Pre-installed on the emulator).

The following credentials can be useful:

```
Username: alice
Password: pass
```

***

The frist thing we do is exec the android emulator and login with the credentials getting -->

<figure><img src="/files/OGTfr6qS3TXGBX6OCqWq" alt=""><figcaption></figcaption></figure>

We have logged into the user profile of "Alice," where we can view the associated user data and account details.

Click on the "Dashboard" button.

<figure><img src="/files/hpI0Suy5zYRxzkNSWGfW" alt=""><figcaption></figcaption></figure>

We are presented with the user dashboard overview. Here we can see some more user details.

<figure><img src="/files/qwmuNQCzE2UYRfmfpM2h" alt=""><figcaption></figcaption></figure>

Open a new terminal and check the system IP, and set the global HTTP proxy on the Android device to the system IP address.

```
## View us IP
ip addr
## Set Proxy with us IP
adb shell settings put global http_proxy <IP>:8080
```

Now, config the Burp Proxy

<figure><img src="/files/M8uEXjoKk9ownRjbBAWw" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/oyTvleh8GaKxeoBdGtRj" alt=""><figcaption></figcaption></figure>

With it, we can see that the proxy its woking weel. So... Now intercept "Dashboard"peticions -->

<figure><img src="/files/11i7fsaFDLIgHJnWgfUC" alt=""><figcaption></figcaption></figure>

We can manipulate the user\_id, and see information about others user (IDOR)

<figure><img src="/files/Ryyh3NlI8JHIO8M4fpGz" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://eldeim.gitbook.io/brain_fuck/notes/certifications/eastereggs/ine-emapt/android-dynamic-testing/labs-api/api-bfla-in-android.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.