Challenges
Search…
Weak Host Validation
The class com.insecureshop.WebViewActivity contains the following code. As per the code, the application registers a path webview and a query parameter url. The application implements a URL validation and only allows URLs that ends with insecureshopapp.com to be loaded in Webview.
1
} else if (kotlin.text.StringsKt.equals$default(uri.getPath(), "/webview", false, 2, (java.lang.Object) null)) {
2
android.content.Intent intent3 = getIntent();
3
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent3, "intent");
4
android.net.Uri data3 = intent3.getData();
5
if (data3 == null) {
6
kotlin.jvm.internal.Intrinsics.throwNpe();
7
}
8
java.lang.String queryParameter = data3.getQueryParameter("url");
9
if (queryParameter == null) {
10
kotlin.jvm.internal.Intrinsics.throwNpe();
11
}
12
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(queryParameter, "intent.data!!.getQueryParameter(\"url\")!!");
13
if (kotlin.text.StringsKt.endsWith$default(queryParameter, "insecureshopapp.com", false, 2, (java.lang.Object) null)) {
14
android.content.Intent intent4 = getIntent();
15
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(intent4, "intent");
16
android.net.Uri data4 = intent4.getData();
17
if (data4 != null) {
18
str = data4.getQueryParameter("url");
19
}
20
data = str;
21
}
22
}
23
Copied!
Since the application implements a weak host validation, a malicious application can bypass the host validation by loading arbitrary URL owned by attacker that ends with insecureshopapp.com. In such a case something like attackerinsecureshopapp.com would stand valid.
Last modified 6mo ago
Copy link