Vulnerability #5: Insufficient URL Validation

PreviousVulnerability #4: Lack of SSL Certificate Validation NextVulnerability #6: Weak Host Validation

Last updated 1 year ago

Vulnerability #5: Insufficient URL Validation

Building up on vulnerabilities related to com.insecureshop.WebViewActivity, we continue to review the logic on how it handles the urls sent via deeplink. Open up the activity on jadx-gui and focus on lines 31-45.

It gets the data from the intent and stores it into the uri variable, continues to check if the path of the uri is one of the following values: /web or /webview.

If we use the /web path, it takes the query parameter ?url from the uri and stores it into the data variable which is being used in webview.loadUrl on line 45. This code block does not properly validate the URLs that are passed, this is a vulnerability since malicious apps can open up any arbitrary website/content.

POC adb command is the same with Vulnerability #4.

C:\Users\Aniket\Downloads\InsecureShop>adb shell am start -a android.intent.action.VIEW -c android.intent.category.BROWSABLE -d insecureshop://com.insecureshop/web?url=https://google.com
Starting: Intent { act=android.intent.action.VIEW cat=[android.intent.category.BROWSABLE] dat=insecureshop://com.insecureshop/web?url=https://google.com }

PreviousVulnerability #4: Lack of SSL Certificate Validation NextVulnerability #6: Weak Host Validation

Last updated 1 year ago