HACKING ANDROID WebViews (Static analysis - Part 2)
Mar 26, 2021 · 20,150 views · 691 likes
Hi! I'm a pentester and a bug bounty hunter who's learning every day and sharing useful resources as I move along. Subscribe to my channel because I'll be sharing my knowledge in new videos regularly.

SCAN AN ANDROID APP USING OVERSECURED'S SCANNER: https://oversecured.com/
OVERSECURED BLOG: https://blog.oversecured.com/
BUY ME A COFFEE: https://www.buymeacoffee.com/farahhawa

SOCIAL MEDIA:
Follow me on Twitter: / farah_hawaa
Follow me on Instagram: / farah_hawaa
Connect with me on LinkedIn: / farah-hawa-a012b8162

TIME STAMPS:
00:00 Introduction
00:29 A message from Oversecured
00:46 Pre-requisites for the attack
01:37 What is a WebView?
03:09 How to look for a vulnerable WebView in the app's code?
05:03 Spotting the vulnerability
05:35 Exploitation
07:50 setAllowUniversalAccessFromFileURLs enabled for a WebView
08:33 Exploitation: setAllowUniversalAccessFromFileURLs enabled for a WebView
12:38 JavaScript enabled for a WebView
13:16 Exploitation: JavaScript enabled for a WebView
16:33 Using Oversecured's vulnerability scanner

DOWNLOAD ADB: https://developer.android.com/studio/...
DOWNLOAD JADX: https://github.com/skylot/jadx
DOWNLOAD ANDROID STUDIO: https://developer.android.com/studio
GITHUB REPOSITORY FOR THE VULNERABLE APP: https://github.com/t4kemyh4nd/vulnweb...

RESOURCES FOR ATTACKING VULNERABLE WebViews:
https://labs.integrity.pt/articles/re...
https://blog.mzfr.me/posts/2020-11-07...
https://github.com/B3nac/Android-Repo...
https://hackerone.com/reports/328486
https://hackerone.com/reports/499348

Channel: Farah Hawa (57.1K subscribers)