Weak Host Validation

The class com.insecureshop.WebViewActivity contains the following code. According to the code, the application handles the path /webview and reads a query parameter named url. The application validates the URL and only loads it in the WebView if it ends with insecureshopapp.com.

            } else if (kotlin.text.StringsKt.equals$default(uri.getPath(), "/webview", false, 2, (java.lang.Object) null)) {
                android.content.Intent intent3 = getIntent();
                kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent3, "intent");
                android.net.Uri data3 = intent3.getData();
                if (data3 == null) {
                    kotlin.jvm.internal.Intrinsics.throwNpe();
                }
                java.lang.String queryParameter = data3.getQueryParameter("url");
                if (queryParameter == null) {
                    kotlin.jvm.internal.Intrinsics.throwNpe();
                }
                kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(queryParameter, "intent.data!!.getQueryParameter(\"url\")!!");
                if (kotlin.text.StringsKt.endsWith$default(queryParameter, "insecureshopapp.com", false, 2, (java.lang.Object) null)) {
                    android.content.Intent intent4 = getIntent();
                    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent4, "intent");
                    android.net.Uri data4 = intent4.getData();
                    if (data4 != null) {
                        str = data4.getQueryParameter("url");
                    }
                    data = str;
                }
            }

Because the host validation is weak, a malicious application can bypass it by loading an arbitrary attacker-owned URL that ends with insecureshopapp.com. For example, attackerinsecureshopapp.com would pass the check.
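
The check above next to a stricter one, as an added example that is not part of the original page or of the InsecureShop code. It uses java.net.URI so it runs on a plain JVM; the class and method names, the HTTPS-only rule, and the decision to accept subdomains are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class HostValidationDemo {
    // Domain taken from the page; accepting its subdomains is an assumption.
    static final String ALLOWED_DOMAIN = "insecureshopapp.com";

    // Same logic as the decompiled check: suffix match on the raw string.
    static boolean weakCheck(String url) {
        return url.endsWith(ALLOWED_DOMAIN);
    }

    // Hardened check: parse first, then compare the host on a label boundary.
    static boolean strictCheck(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, not guessed at
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false; // assumption: only HTTPS pages may load in the WebView
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            return false; // no host, or credentials embedded in the authority
        }
        host = host.toLowerCase(Locale.ROOT);
        return host.equals(ALLOWED_DOMAIN) || host.endsWith("." + ALLOWED_DOMAIN);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second host is the one named on the page.
        String[] samples = {
            "https://insecureshopapp.com",
            "https://attackerinsecureshopapp.com",
            "https://www.insecureshopapp.com/",
            "https://example.test/?ref=insecureshopapp.com",
        };
        for (String s : samples) {
            System.out.printf("%-48s weak=%-5b strict=%b%n", s, weakCheck(s), strictCheck(s));
        }
    }
}
```

On Android the same comparison would be made on the host returned by the URI parser the app already uses, before the value is handed to the WebView.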
