Unprotected Data URIs
The com.insecureshop.WebView2Activity
contains the following code. The code takes untrusted URL in loadUrl
method and passes it to webview.
if (!(dataString == null || kotlin.text.StringsKt.isBlank(dataString))) {
android.content.Intent intent2 = getIntent();
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent2, "intent");
webview.loadUrl(intent2.getDataString());
return;
}
Going an extra mile
Analyze the intent-filter used by this activity carefully. Can you convert this attack into a remote exploitation by utilizing intent scheme URIs?
Reference:
PreviousIntent Redirection (Access to Protected Components)NextTheft of Arbitrary files from LocalStorage
Last updated
Was this helpful?