Unprotected Data URIs

The com.insecureshop.WebView2Activity contains the following code. The code takes untrusted URL in loadUrl method and passes it to webview.

if (!(dataString == null || kotlin.text.StringsKt.isBlank(dataString))) {
            android.content.Intent intent2 = getIntent();
            kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent2, "intent");
            webview.loadUrl(intent2.getDataString());
            return;
}

Going an extra mile

Analyze the intent-filter used by this activity carefully. Can you convert this attack into a remote exploitation by utilizing intent scheme URIs?

Reference:

https://www.mbsd.jp/Whitepaper/IntentScheme.pdf

PreviousIntent Redirection (Access to Protected Components)NextTheft of Arbitrary files from LocalStorage

Last updated 3 years ago