Hello all, and welcome to the new video of Android Security and Exploitation by Pentester Academy. My name is Aditya and I am your course instructor for this entire training series. This course is being run on http://PentesterAcademy.com and you can also check out the certifications at http://securitytube-training.com.

In this particular video, we are going to have a look at WebView-based vulnerabilities for Android. Now you might be wondering what a WebView is for a mobile application. A WebView is simply browser content being rendered inside a mobile application. It could be a web page which is hosted remotely and is then displayed inside the application as a part of the application itself. What actually happens is that the application is acting like an embedded browser which displays the web content to you. In any scenario, any web application or web component will have several elements inside it: it could be JavaScript, it could be CSS, or it could be any other element. Now, for example, if the web content has a JavaScript element, will the JavaScript element be executed in the mobile application context? The answer is yes. If the application defines a JavaScript bridge in order to execute JavaScript, then the remote JavaScript from the web component will get executed.
Once the JavaScript component gets executed, it can basically interact with any of the Java code inside the application. So it can call remote, or in this case the application's, Java code methods, as well as create new files or add a new application, and all these kinds of things. Anything that the application can do and that is accessible by JavaScript is something which you can also do if you find a WebView vulnerability. When this vulnerability was first discovered, or first became popular, in September 2013, almost 70% of applications used WebView, and this is mostly because most free apps use some kind of advertisement component which displays elements remotely from a website, and that at the end uses WebView. You can check out this particular URL for in-depth detail of the WebView-based vulnerability and what you can do with WebView-based exploitation as well. But for now we will keep things simple and we'll see how to identify and exploit a very basic WebView vulnerability. Also, before moving further: at the time of discovery of the WebView vulnerability, almost eight out of ten popular ad libraries were vulnerable. Around 95% of the entire Android user community was also vulnerable to this attack.
As you can see, this is a pretty critical vulnerability which developers often miss out on while writing applications. I've written a sample application which is a GitHub clone of the VulnWebView repo written by Jay Dough. This is how the application looks. The package name is vulnerable.attify.webviewapp, and it simply defines a WebView element, sets JavaScript to true, and then adds a JavaScript interface element with Vulninterface. The URL it tries to load is one of my local IP URLs, and then it also has a bunch of other methods which are accessible with WebView, or in this case JavaScript. My interface, which is actually this one, has been defined over here.

Let's try to go ahead and run this application and see what happens. Let me just first start up Santoku and start up a local Python server over here. The IP is 192.168.161.139. This will change over here. Let's give it the quote as well. Here we have an index.html file, which just says "Android Webview vulnerability" and then has some body element. Let's go ahead and start up a web server. We have got Genymotion running over here, and at the same time the proxy is also set up. I will just show you over here. The proxy is set up to my local system's port. Let's drop this request and let's go ahead and run this application. Now the application has started and simply says "hack all the phones".
Let's turn the intercept on and refresh this, and we see that request going on over here, and if you forward this, you see that the response is coming back with "hack all the phone". Now let's try to add a particular JavaScript component over here. I will simply do a <script type="text/javascript"> and write a very simple JavaScript which maybe just shows "Webview vulnerability". Closing the script tag and forwarding this. Now if you go back to the application, you see that this has "Webview vulnerability" over here. This is how you can simply inject a very basic JavaScript. But what we are trying to do is see if we can interact with the device and maybe make some system or file system changes on the device. Let's turn the intercept on, and I have a sample JavaScript written over here which simply goes ahead and deletes this file, webviewCookiesChromium. This is something which will happen, so I have declared the path and then written a function execute which takes the command as an argument; first of all, it writes "Webview vulnerability" and then it goes ahead and executes the command, which says system/bin/rm, and removes the file specified in the path. So let's first of all check if the file is present over there. Go to Santoku, adb connect. Disconnect and connect back again. If you go inside adb shell, /data/data/vulnerable.attify.webviewapp. Go inside databases.
Currently I have this webviewCookiesChromium.db, and this is the file which we will try to delete. Deleting is just a very basic example of how you can interact with the file system and make some modifications over there. And if you notice, I have added this "interface", which is the name of my JavaScript interface, this particular interface name. So let's try to go ahead and run the application again. It gets intercepted in Burp, and we wait for the response. Failed to connect. Refresh it. I think something might have gone wrong. Okay, so we don't have the web server running. So let's run it and then try again. We get the request and we have the response over here. Let's just add this JavaScript and see what happens. We'll go to the body tag and write <script type="text/javascript">, add this JavaScript code, and close the script tags. Everything looks good over here so far, sweet. It got rendered and this particular JavaScript got executed, which was a document.write. And now if I check the databases, you see that we don't have webviewCookiesChromium.db, because we just now deleted it using the WebView vulnerability. This is a very basic exploitation of what you can do with WebView-based vulnerabilities.
So in the 85 00:10:15,550 --> 00:10:20,280 next video, we'll have a more in-depth look of Webview based vulnerabilities and 86 00:10:20,280 --> 00:10:24,920 seeing some alternative ways of identifying and exploiting Webview 87 00:10:24,920 --> 00:10:31,530 vulnerabilities. Thanks for watching the video and I hope you like it. If you have 88 00:10:31,530 --> 00:10:37,840 any further feedback or queries, feel free to reach out to me at adi@attify.com or 89 00:10:37,840 --> 00:10:42,000 you can tweet out to me at adi1391. Thank you.