Weak Host Validation
The class com.insecureshop.WebViewActivity contains the following code. As per the code, the application registers a path /webview and a query parameter url. The application implements URL validation and only allows URLs that end with insecureshopapp.com to be loaded in the WebView.

    } else if (kotlin.text.StringsKt.equals$default(uri.getPath(), "/webview", false, 2, (java.lang.Object) null)) {
        android.content.Intent intent3 = getIntent();
        kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent3, "intent");
        android.net.Uri data3 = intent3.getData();
        if (data3 == null) {
            kotlin.jvm.internal.Intrinsics.throwNpe();
        }
        java.lang.String queryParameter = data3.getQueryParameter("url");
        if (queryParameter == null) {
            kotlin.jvm.internal.Intrinsics.throwNpe();
        }
        kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(queryParameter, "intent.data!!.getQueryParameter(\"url\")!!");
        // Weak validation: suffix match on the whole "url" string, not on its parsed host
        if (kotlin.text.StringsKt.endsWith$default(queryParameter, "insecureshopapp.com", false, 2, (java.lang.Object) null)) {
            android.content.Intent intent4 = getIntent();
            kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent4, "intent");
            android.net.Uri data4 = intent4.getData();
            if (data4 != null) {
                str = data4.getQueryParameter("url");
            }
            data = str;
        }
    }

Since the application implements weak host validation, a malicious application can bypass it by loading an arbitrary attacker-owned URL that ends with insecureshopapp.com. In such a case, something like attackerinsecureshopapp.com would be treated as valid.
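
The weak check described above next to a stricter one, as an added example that is not InsecureShop's own code. It uses java.net.URI so that it runs outside Android; the class and method names, the https requirement, the decision to accept subdomains, and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

public class HostValidationDemo {
    // The host the check on the page is meant to allow.
    static final String TRUSTED_HOST = "insecureshopapp.com";

    // Same logic as the decompiled check: suffix match on the raw URL string.
    static boolean weakCheck(String url) {
        return url.endsWith(TRUSTED_HOST);
    }

    // Stricter check: parse the URL, then compare the parsed host only.
    static boolean strictCheck(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected
        }
        String host = uri.getHost();
        // Assumption: only https pages should be loaded into the WebView.
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        // Exact host, or a subdomain matched on a dot boundary (assumption:
        // subdomains are trusted; drop the second clause if they are not).
        return host.equals(TRUSTED_HOST) || host.endsWith("." + TRUSTED_HOST);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the third is the example host from the text.
        List<String> samples = List.of(
            "https://insecureshopapp.com",
            "https://www.insecureshopapp.com",
            "https://attackerinsecureshopapp.com",
            "https://example.org/insecureshopapp.com");
        for (String s : samples) {
            System.out.printf("%-42s weak=%-5b strict=%b%n", s, weakCheck(s), strictCheck(s));
        }
    }
}
```

Inside the app, the same comparison would be made on the host returned by android.net.Uri, the class the decompiled code already uses to read the url parameter.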