Category Archives: Uncategorized

Understanding Fragment Injection

June 18, 2014

A colleague asked me about an Android vulnerability called fragment injection because of an article he read [1], and I think it's worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) [2]. As in, untrusted data from an Intent is used to…

Cordova InAppBrowser Remote Privilege Escalation

April 14, 2014

Earlier this year, I identified an interesting vulnerability (CVE-2014-0073) in one of Apache Cordova's core plug-ins (InAppBrowser). Cordova, also sometimes referred to as PhoneGap, is a popular cross-platform mobile framework that allows developers to write mobile applications in JavaScript and HTML. The JavaScript and HTML code executes within the Cordova WebView and has access to…

Abusing WebView JavaScript Bridges

December 21, 2012

Android applications often use the WebView class to embed a browser component within an Activity in order to display online content. For example, the following code will show the Google homepage within an Activity.

    // Look up the WebView declared in the Activity's layout and enable JavaScript
    WebView webView = (WebView) findViewById(R.id.webView1);
    webView.getSettings().setJavaScriptEnabled(true);
    webView.loadUrl("http://www.google.com");

An application can inject Java objects into a WebView via the addJavascriptInterface function. …

Content-Type Blues

February 29, 2012

Assuming an attacker can control the start of a CSV file served up by a web application, what damage could be done? The example PHP code below serves up a basic CSV file, but allows the user to control the column names. Note that the Content-Type header is at least set properly.

    <?php header('Content-Type: text/csv'); …