WebView File same-origin Policy Bypass Vulnerability Analysis

Source: Internet
Author: User

1. WebView File domain same-origin Policy Bypass Vulnerability description

In May October 2013, a file-domain same-origin policy bypass vulnerability was found in Firefox for Android that could leak sensitive information such as cookies; an attacker could exploit it to obtain any file belonging to Firefox. Earlier Android versions of WebView have the same vulnerability: once an application uses WebView with the file domain enabled, the application is exposed to this attack. The root cause is that delayed JavaScript execution can bypass the same-origin check for the file protocol and read any private file of the affected application. A page loaded from the file domain schedules JavaScript to run later, deletes its own HTML file, replaces it with a symbolic link to another file, and then reads the HTML file again through JavaScript; the read now returns the contents of the file the symbolic link points to.
Most applications that use WebView are affected. A malicious application with no special permissions can use this vulnerability to steal any private file of a vulnerable application. Browsers are especially exposed: an attacker can obtain passwords, cookies, bookmarks, and browsing history stored by the browser, resulting in the leakage of sensitive information.

2. WebView File domain same-origin Policy Bypass Vulnerability Impact Scope

Android system

3. WebView File domain same-origin Policy Bypass Vulnerability details

1) Vulnerability location:

WebView

2) Prerequisites for vulnerability triggering:

WebView does not disable the file domain;
WebView has JavaScript enabled;

3) Vulnerability principle:

Using WebView's delayed execution of JavaScript, the attacking page deletes its own HTML file and replaces it with a symbolic link to another file; when JavaScript then reads the HTML file again, it receives the contents of the file the symbolic link points to.

4. Proof of the WebView File domain same-origin Policy Bypass Vulnerability

1) Use WebView's file domain protocol to read any world-readable file or a private file of the affected application. Java code snippet enabling the file domain protocol in WebView:


Run the following command to view the hosts file "/system/etc/hosts":

The result is displayed as follows:

Run the following command to view the private application file "databases/webview.db":

The result is displayed as follows:

2) Use the file protocol to read any readable file or a private file of the affected application and upload it to a remote server (demonstrated here with an alert only).
Java code snippet enabling JavaScript execution in WebView:

Malicious HTML code snippet:

Run the following command to start the application's WebView and load the malicious HTML that steals the file:



3) Use WebView's delayed JavaScript execution to delete the current HTML file and replace it with a symbolic link to another file; when JavaScript reads the HTML file again, it obtains the contents of the file the symbolic link points to, leaking sensitive information such as stored passwords and cookies. The detailed attack steps are described below:


The main Activity of the application or the exported WebView Activity:

Java code snippet enabling JavaScript execution in WebView without disabling the file domain protocol:

Malicious HTML code snippet used to attack WebView [1]:

Code snippet of the affected app WebView:

The attack result shows that the private file databases/webview.db of the affected application is read; it could then be sent to a remote server (demonstrated here with an alert only):

5. WebView File domain same-origin Policy Bypass Vulnerability repair Suggestions

1. Set components that do not need to be exported to not exported [2]

If an application component does not need to be exported, we recommend explicitly setting the android:exported attribute of the registered component to false;

2. If components must be exported, disable the file domain.

If the application needs to export components that contain a WebView, we recommend disabling the file domain protocol:

MyWebView.getSettings().setAllowFileAccess(false);

3. Disable JavaScript for the file protocol.

If the application's WebView must use the file domain protocol, we recommend disabling JavaScript execution for file-domain content:

MyWebView.getSettings().setJavaScriptEnabled(false);
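As an added example that is not part of the original article, the following Java Activity applies repair suggestions 2 and 3 together in an exported WebView Activity: it disables the file domain (including the two file-URL cross-origin switches WebSettings exposes since API 16), keeps JavaScript enabled only for the application's own https content, and refuses to load any URL handed in by the launching Intent that is not https on that host. The class name HardenedWebViewActivity and the host example.com are assumptions.

```java
// Added example (not from the original article): hardened WebView setup applying
// repair suggestions 2 and 3. HardenedWebViewActivity and ALLOWED_HOST are assumptions.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedWebViewActivity extends Activity {
    // Assumption: the only origin this WebView is meant to display.
    private static final String ALLOWED_HOST = "example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        WebSettings s = webView.getSettings();

        // Suggestion 2: an exported Activity never needs file:// content, so disable it,
        // and also close the file-URL cross-origin switches (API 16+).
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        // Suggestion 3: JavaScript stays enabled only because every loaded page is our
        // own https content; a WebView that must show file:// pages would set this false.
        s.setJavaScriptEnabled(true);

        // Block every navigation (link, redirect, location change) that leaves our origin,
        // so a page cannot steer the WebView to a file:// URL.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url); // returning true cancels the navigation
            }
        });

        // The Intent that started this exported Activity may come from any app: only load
        // its URL if it passes the same check, otherwise fall back to our own start page.
        String requested = getIntent().getDataString();
        webView.loadUrl(isAllowed(requested) ? requested : "https://" + ALLOWED_HOST + "/");
        setContentView(webView);
    }

    /** Accepts only https URLs on ALLOWED_HOST; file://, content:// and http:// are rejected. */
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equals(u.getHost());
    }
}
```

Suggestion 1 (android:exported="false") lives in AndroidManifest.xml rather than in Java, so it is not shown here; if the Activity can be made non-exported, the Intent check above becomes defence in depth rather than the first line.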
