Hacking the VulnWebView Lab

Lab Link: https://github.com/t4kemyh4nd/vulnwebview

In this blog post, I’ll walk you through how I hacked the VulnWebView lab, an Android application designed to demonstrate common WebView vulnerabilities. By exploiting these vulnerabilities, I was able to achieve Cross-Site Scripting (XSS), token theft, and local file exfiltration. Let’s dive into the details!


1. Reconnaissance

Before diving into exploitation, I started by analyzing the app using the Drozer framework. This helped me understand the attack surface and identify potential vulnerabilities.

Drozer Commands

drozer console connect
dz> run app.package.list -f vulnwebview
Attempting to run shell module
com.tmh.vulnwebview (Vuln Web View)

dz> run app.package.info -a com.tmh.vulnwebview
Attempting to run shell module
Package: com.tmh.vulnwebview
  Application Label: Vuln Web View
  Process Name: com.tmh.vulnwebview
  Version: 1.0
  Data Directory: /data/user/0/com.tmh.vulnwebview
  APK Path: /data/app/~~APm9rOCvrbng9-T3LMK5cg==/com.tmh.vulnwebview-rqHlBHSQpZJBVQmg8fONOA==/base.apk
  UID: 10132
  GID: [3003]
  Shared Libraries: [/system/framework/android.test.base.jar]
  Shared User ID: null
  Uses Permissions:
  - android.permission.INTERNET
  - android.permission.READ_EXTERNAL_STORAGE
  - android.permission.ACCESS_MEDIA_LOCATION
  Defines Permissions:
  - None

dz> run app.package.attacksurface com.tmh.vulnwebview
Attempting to run shell module
Attack Surface:
  3 activities exported
  0 broadcast receivers exported
  0 content providers exported
  0 services exported
    is debuggable

Findings

  • The app has 3 exported activities.

  • It is debuggable, which makes it easier to analyze.

  • It uses WebView components, which are often prone to vulnerabilities.


2. Analyzing the Android Manifest

Next, I decompiled the app using Jadx to inspect the AndroidManifest.xml file. This revealed the exported activities and their configurations.

Exported Activities

Key Observations

  • SupportWebView and RegistrationWebView are exported without intent filters, making them accessible to other apps.

  • MainActivity has an intent filter and is the launcher activity.


3. Inspecting the Source Code

I then analyzed the source code of the exported activities to identify vulnerabilities.

SupportWebView

Vulnerabilities in SupportWebView

  1. JavaScript Enabled:

    • Enabling JavaScript lets any page loaded into the WebView execute script, which is the precondition for XSS and for reaching the JavaScript interface below.

  2. JavaScript Interface:

    • This exposes the WebAppInterface to JavaScript, so any page the WebView loads can call its public Java methods.

  3. Loading URLs from Intent Extras:

    • Because the activity is exported, any app on the device can supply the URL through an intent extra; loading it without validation lets a third-party app choose what the WebView renders.


RegistrationWebView

Vulnerabilities in RegistrationWebView

  1. Universal Access from File URLs:

    • This allows JavaScript running in the context of a file URL to access content from any origin, including other local files, which leads to local file exfiltration.

  2. Loading URLs from Intent Extras:

    • Similar to SupportWebView, this can lead to malicious URL loading.
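As an added defender-side example (not the lab's own code, which is not reproduced here), the following activity closes the four weaknesses listed for SupportWebView and RegistrationWebView: script disabled, no Java bridge, no universal access from file URLs, and allowlist validation of the intent-supplied URL. The class name, the extra name EXTRA_URL and the host support.example.com are assumptions.

```java
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import androidx.appcompat.app.AppCompatActivity;

// Hardened counterpart to the lab's WebView activities (added example, not lab code).
// Also set android:exported="false" on the activity in the manifest unless another
// app genuinely needs to start it.
public class HardenedWebViewActivity extends AppCompatActivity {
    // Assumed extra name and allowed host; the lab's real values are not reproduced.
    static final String EXTRA_URL = "url";
    static final String ALLOWED_HOST = "support.example.com";
    static final String FALLBACK_URL = "https://" + ALLOWED_HOST + "/";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        WebSettings s = webView.getSettings();

        // Lab: setJavaScriptEnabled(true) plus addJavascriptInterface(...).
        // Keep script off unless the page needs it, and expose no Java bridge
        // to content whose origin you do not fully control.
        s.setJavaScriptEnabled(false);

        // Lab: setAllowUniversalAccessFromFileURLs(true).
        // file:// content must not be able to read other origins or other local files.
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);

        // Lab: loadUrl(getIntent().getStringExtra(...)) with no checks.
        // Only load an intent-supplied URL after allowlist validation.
        webView.loadUrl(pickSafeUrl(getIntent()));
    }

    /** Returns the intent's URL only if it is https:// on ALLOWED_HOST, else FALLBACK_URL. */
    static String pickSafeUrl(Intent intent) {
        String raw = intent == null ? null : intent.getStringExtra(EXTRA_URL);
        if (raw == null) return FALLBACK_URL;
        Uri uri = Uri.parse(raw);
        boolean httpsOnly = "https".equalsIgnoreCase(uri.getScheme());
        boolean hostOk = ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
        return httpsOnly && hostOk ? raw : FALLBACK_URL;
    }
}
```

If a page does need JavaScript, enable it only for that allowlisted origin and still omit the JavaScript interface, since the bridge is what turns XSS into token theft here.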


4. Exploitation

Exploit Exported SupportWebView


Exploiting SupportWebView for Token Theft

The WebAppInterface exposes a method (getUserToken) that returns a token. Because the interface is reachable from any page the exported activity loads, an attacker-controlled page can call it from JavaScript and steal the token.

Exploit JavaScript Code:

Steps:

  1. Host the exploit script on a server (e.g., using Ngrok).

  2. Launch the SupportWebView activity with the malicious URL:

  3. The token will be sent to the attacker's server.


Exploiting SupportWebView for Cross-Site Scripting (XSS)

Steps:

  1. Host the exploit script on a server (e.g., using Ngrok).

  2. Launch the SupportWebView activity with the malicious URL:

  3. The token will be sent to the attacker's server.


Exploiting RegistrationWebView for Local File Exfiltration

The setAllowUniversalAccessFromFileURLs(true) setting lets JavaScript loaded from a file URL read other local files and send their contents to a remote server.

Exploit JavaScript Code:

Steps:

  1. Save the exploit script as poc.html and push it to the device:

  2. Launch the RegistrationWebView activity with the malicious file URL:

  3. The contents of MainActivity.xml will be exfiltrated to the attacker's server.

Resources
