0x00 Background
WebView is the Android component that loads and displays web pages; it can be thought of as an embedded browser. Before KitKat (Android 4.4) it rendered pages with the WebKit engine; from KitKat onwards it uses Google's own Chromium engine.
UXSS (Universal Cross-Site Scripting) is an attack type that exploits a flaw in the browser or a browser extension to create the conditions for XSS and execute script. It can reach browser-wide remote command execution, bypass the same-origin policy, steal user data and hijack the user, so the harm is serious.
The same-origin policy is the security policy that browsers and browser extensions all follow: two pages are of the same origin only when domain name, protocol and port all match. See: http://drops.wooyun.org/tips/151
0x01 Incidents
Recently there has been an outbreak of Android UXSS vulnerabilities, affecting Android apps including the mainstream mobile browsers, chat software and so on. Several cases are excerpted below.
Wooyun: Sogou mobile browser cross-domain script execution vulnerability
Wooyun: Mobile QQ for Android, two cross-domain problems
Wooyun: Cheetah/360/Oupeng/Baidu/Maxthon mobile browser Android clients UXSS (affects versions below Android 4.4)
Wooyun: UC Browser for Android, latest version (4.4), cross-domain vulnerability (not limited by system version)
Quoting one vendor's response to this vulnerability:
Thank you very much for your report. This issue belongs to the Android WebKit vulnerability; please try to use the latest version of the Android system.
The root cause is a vulnerability left behind in the WebView component, which used the WebKit engine before KitKat (Android 4.4). Using the latest Android system is certainly safer and smoother, but how many people can actually upgrade to, or are using, a relatively secure version of Android? The figure below is from Google's official statistics of 2014.09.09.
It doesn't look too bad: 24.5% of Android users are on a relatively secure version. But the official data comes from Google Play, which is obviously not representative of the mainland, so for domestic usage it is better to rely on relatively reliable local third-party statistics. The following figure shows Umeng's August statistics.
With less than 8% of users on a relatively secure Android system, the question becomes whether I should change my phone. Forget it, I can't afford a new phone. The only choice left is to use relatively secure applications and try to avoid being attacked. So we collected some high-hit-rate PoCs to verify which apps are more reliable.
https://code.google.com/p/chromium/issues/detail?id=37383
https://code.google.com/p/chromium/issues/detail?id=90222
https://code.google.com/p/chromium/issues/detail?id=98053
https://code.google.com/p/chromium/issues/detail?id=117550
https://code.google.com/p/chromium/issues/detail?id=143437
https://code.google.com/p/chromium/issues/detail?id=143439
CVE-2014-6041
To make it easier for everyone to test other applications, we tried to write an automated script to do the job.
0x02 Test
http://zone.wooyun.org/content/15792
The following image shows the test results for the 360 browser on Android 4.2.2.
The following figure shows the test results for the Sogou browser on Android 4.4.3.
The test code is on GitHub for your reference; experts are welcome to modify it.
Code address: https://github.com/click1/uxss
Online test address: http://uxss.sinaapp.com/index.php
0x03 Comparison
We made a horizontal comparison of the mainstream mobile browsers. The test subjects were: UC Browser, Sogou Browser, Baidu Browser, 360 Secure Browser, Oupeng Browser, Maxthon Cloud Browser and Cheetah Browser. The test results are shown in the figure below.
0x04 Recommendations
For vendors (for reference only):
1. Server side: forbid iframe nesting with X-Frame-Options: DENY. See: http://drops.wooyun.org/papers/104
2. Client side: call setAllowFileAccess(false) to forbid the WebView from accessing the local file domain. See: setAllowFileAccess(boolean)
3. Client side: use the onPageStarted(WebView view, String url, Bitmap favicon) method to perform a cross-domain check before the jump. See: onPageStarted(WebView view, String url, Bitmap favicon)
4. Client side: filter the attributes of iframe and object tags.
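Client-side recommendations 2 and 3 combined in one WebView setup, as an added illustration that is not code from the original post or from the uxss project; the HardenedWebViewClient class, the configure() helper and the example host allowlist are assumptions for this example:

```java
import android.graphics.Bitmap;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical hardened client for a WebKit-based (pre-KitKat) WebView.
public final class HardenedWebViewClient extends WebViewClient {
    // Constructed allowlist: only origins the app really needs to load.
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<>(Arrays.asList("www.example.com", "static.example.com"));

    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        // Recommendation 2: never let the WebView load file:// content;
        // the local file domain is where a UXSS does the most damage.
        s.setAllowFileAccess(false);
        // API 16+: also stop file:// pages from reaching other origins.
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        webView.setWebViewClient(new HardenedWebViewClient());
    }

    // Accept only https to an allowlisted host; rejects file:, javascript:, data: etc.
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        return "https".equals(scheme) && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Returning true cancels the navigation, so anything off-list is blocked.
        return !isAllowed(url);
    }

    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        // Recommendation 3: cross-domain check as the page starts, which also
        // catches server redirects. Note this fires for the main frame only,
        // so iframes still need recommendation 4 (tag/attribute filtering).
        if (!isAllowed(url)) {
            view.stopLoading();
            view.loadUrl("about:blank");
        }
        super.onPageStarted(view, url, favicon);
    }
}
```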
For users:
1. Use less vulnerable apps and update them promptly.
2. Do not casually open inexplicable links.
3. If you have the money, buy a new phone; Android L is about to come out (and can receive security patches pushed through Google Play, hehe).