WEBVTT

00:00.670 --> 00:08.020
The WebView class is an extension of Android's View class that allows you to display web pages as part

00:08.020 --> 00:09.600
of your activity layout.

00:10.330 --> 00:17.740
So when developing an Android app, we can load a remote URL or display HTML pages stored in our application

00:17.740 --> 00:18.910
within an activity.

00:18.910 --> 00:21.850
Using WebView, right? Sounds very useful.

00:23.140 --> 00:29.770
So in this lecture, we're going to see the insecure implementation of WebView. So this application,

00:29.770 --> 00:36.760
InsecureBank, allows the user to view statements after they have transferred funds from one account

00:36.760 --> 00:37.330
to another.

00:38.480 --> 00:39.540
So let's get started.

00:41.320 --> 00:46.630
Now, as always, we'll make sure that the Android emulator and the application server are running.

00:48.680 --> 00:52.820
And we can look at the view statements activity in the source code.

00:54.770 --> 01:03.010
And we can see that the activity is using a WebView to load an HTML file stored in external storage,

01:03.410 --> 01:07.580
the name of which begins with statements underscore.

01:09.380 --> 01:16.700
Now, we can also see that the developers enabled JavaScript in WebView with setJavaScriptEnabled

01:16.790 --> 01:17.330
true.

01:17.780 --> 01:19.280
Which is a method.

01:20.900 --> 01:28.820
Now we can use pidcat to identify the name of the file and its storage location due to the code

01:28.820 --> 01:35.570
System.out.print, so it prints the file's location into standard output.

01:36.320 --> 01:39.170
So run pidcat and the package name of the app.

01:42.690 --> 01:44.520
And here we'll log into the app.

01:48.950 --> 01:51.260
And let's open the view statements activity.

01:53.380 --> 01:56.830
And as you can see, this is the location of the file.

01:58.590 --> 02:04.950
Now, since the file is loaded from external storage, the file is readable and writable by

02:05.910 --> 02:09.510
everyone. Do you see that with me?

02:10.670 --> 02:15.030
So we can replace this file with a new one which contains some JavaScript.

02:15.710 --> 02:19.670
So this JavaScript will then be executed when the HTML pages are loaded.

02:21.510 --> 02:23.850
And we'll exit with Control-C.

02:25.620 --> 02:28.470
Now create a new HTML file with the same name.

02:32.110 --> 02:37.660
And we'll write a very basic JavaScript code just to see an alert.

02:39.030 --> 02:40.710
So we'll save it and exit.

02:42.400 --> 02:45.820
So now let's try and replace this new file with the old one.

02:47.110 --> 02:50.950
Run adb push and the HTML file.

02:52.180 --> 02:54.310
And the location of the file to the end.

02:56.540 --> 03:02.840
OK, so that loads the file, let's log into the app and see the changes.

03:07.270 --> 03:09.610
So click on View Statements.

03:10.890 --> 03:16.900
And look at that, we've uploaded the new HTML file and executed my JavaScript code.

03:17.310 --> 03:18.960
How's that for a vulnerability?

03:19.880 --> 03:25.550
The attackers can run malicious JavaScript code using this vulnerability right here in WebView.
