Challenges
Search
K

Weak Host Validation

The class com.insecureshop.WebViewActivity contains the following code. As per the code, the application registers a path webview and a query parameter url. The application implements a URL validation and only allows URLs that ends with insecureshopapp.com to be loaded in Webview.
} else if (kotlin.text.StringsKt.equals$default(uri.getPath(), "/webview", false, 2, (java.lang.Object) null)) {
android.content.Intent intent3 = getIntent();
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent3, "intent");
android.net.Uri data3 = intent3.getData();
if (data3 == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
java.lang.String queryParameter = data3.getQueryParameter("url");
if (queryParameter == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(queryParameter, "intent.data!!.getQueryParameter(\"url\")!!");
if (kotlin.text.StringsKt.endsWith$default(queryParameter, "insecureshopapp.com", false, 2, (java.lang.Object) null)) {
android.content.Intent intent4 = getIntent();
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent4, "intent");
android.net.Uri data4 = intent4.getData();
if (data4 != null) {
str = data4.getQueryParameter("url");
}
data = str;
}
}
Since the application implements a weak host validation, a malicious application can bypass the host validation by loading arbitrary URL owned by attacker that ends with insecureshopapp.com. In such a case something like attackerinsecureshopapp.com would stand valid.