Hey guys, today we explore WebView in Android applications and how its misconfiguration leads to cross-site scripting, open redirection and HTML injection in the application.
WHAT IS WebView?
Android WebView is used to display web pages in Android. The web page can be loaded from the same application or from a URL. It is used to display online content in an Android activity. Android WebView uses the WebKit engine to display web pages. The android.webkit.WebView class is a subclass of the AbsoluteLayout class.
WebViews are used in Android applications to load content and HTML pages within the application.
For example:
Improper Implementation of WebView
1. Loading Clear Text content
If a WebView loads a URL over HTTP (clear-text communication), it is open to various forms of attack such as MiTM.
webview.loadUrl("http://hellobbc.com");
2. Improper SSL error handling
Nowadays developers implement SSL pinning in Android applications to prevent proxy tools from capturing the application's requests.
If a proxy tool tries to capture the application traffic, some applications throw an SSL error, and the WebView will not load web content if errors are detected during the SSL/TLS negotiation.
An attacker can extract information from the SSL error, and if a mechanism to bypass SSL errors is implemented, the application is vulnerable to MiTM attacks: an attacker could read or modify the content that is displayed to the user, since any certificate would be accepted by the application.
3. No sanitization of special characters when loading data in WebView
When the data an application loads into a WebView is not sanitized or escaped, this leads to HTML injection or cross-site scripting. Cross-site scripting is possible when JavaScript is enabled.
An attacker can extract information stored locally in the application and can also send a phishing page to the user for further attacks.
For example:
4. Improper URI validation
Nowadays almost all developers implement app links or deep links in their applications. These are basically URLs that navigate users directly to specific content in the application.
In this implementation the developer makes a mistake: they forget to properly verify the URI path. That leaves the application vulnerable to open redirection and cross-site scripting. As said above, cross-site scripting is possible if JavaScript is enabled.
EXPLOITATION:
Check out my video:
REMEDIATION:
- The use of the HTTP protocol should be replaced by HTTPS. Using SSL/TLS requires a properly signed certificate installed on the web server, but it is completely worth implementing.
- If the application loads data that is input by the user, that data should be sanitized before processing.
- The URI path should be properly checked.
- The WebView activity should be set to exported=false.
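The remediation points above, combined in one Activity as an added example (not code from this post or its GitHub repository): HTTPS only, SSL errors cancelled rather than bypassed, an exact host check on the deep-link URI, and escaping of untrusted text. The class name, the `url` query parameter and the host `www.example.com` are assumptions.

```java
import android.app.Activity;
import android.net.Uri;
import android.net.http.SslError;
import android.os.Bundle;
import android.text.TextUtils;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Set;

public class SafeWebViewActivity extends Activity {
    // Assumption: the only host this app is meant to render.
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("www.example.com");

    // Exact scheme and host match; anything else (http, other hosts, null) is rejected.
    static boolean isAllowed(Uri uri) {
        return uri != null && "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOSTS.contains(uri.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(false); // enable only if the page needs it
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError error) {
                handler.cancel(); // handler.proceed() would accept any certificate
            }
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                return !isAllowed(Uri.parse(url)); // true = block this navigation or redirect
            }
        });
        // Deep-link data comes from outside the app, so treat it as untrusted.
        Uri link = getIntent().getData();
        String target = (link != null && link.isHierarchical())
                ? link.getQueryParameter("url") : null; // "url" is a hypothetical parameter name
        if (target != null && isAllowed(Uri.parse(target))) {
            webView.loadUrl(target);
        } else {
            // Show the rejected value escaped, never as raw HTML.
            String safe = TextUtils.htmlEncode(String.valueOf(target));
            webView.loadDataWithBaseURL(null, "<p>Blocked: " + safe + "</p>", "text/html", "UTF-8", null);
        }
    }
}
```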
For hands-on practice, go to my GitHub repo https://github.com/ninza-hacker/webview-Exploitation, download the code and import it into Android Studio.