def show_wv_vulns(s_list,i,results):
"""
Shows all identified web view vulnerabilities
"""
#BUG - This sometimes prints twice, successively which shouldn't happen
#print "#"*100
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData("WebView: " +str(i[0]))
results.append(issue)
#logger.info("WebView: " +str(i[0]))
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData("File: " + str(i[1]) +"\n")
results.append(issue)
#logger.info("File: " + str(i[1]) +"\n")
if len(s_list)==0:
default_wv_config(i[0], i[1], int(common.minSdkVersion), results)
return
for f in s_list:
sl=re.sub(r'WebSettings\s*','',f)
sl=re.sub(r'\s*[;=].*$','',sl)
sl=re.sub(r'final\s','',sl)
#strip string whitespace out
sl=re.sub(r'^\W+','',sl)
sl=re.sub(r'\.\w+\(\w+\)$','',sl)
sl=sl.rstrip()
#Regex to look for javascript being enabled
#BUG I can reduce the number of files checked to only those that have the name / import WebViews
#Probably need to check for alternative true/false value representations
wv_js_check=sl +'.setJavaScriptEnabled(true)'
wv_js_check=re.escape(wv_js_check)
#check if webview JS in enabled
#BUG - THis can run twice, perhaps it is an artifact of an empty first element?
if wv_config(i[1],wv_js_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'JS_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_JS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_JS_WARNING') +" "+str(i[0]) +" "+common.config.get('qarkhelper', 'TERMINAL_JS_WARNING1') + " To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/JS_WARNING.html" + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/JS_WARNING.html\n")
results.append(issue)
else:
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'JS_OK') + " "+str(i[0]) + str(i[1]))
results.append(issue)
#BUG - this is actually set on WebView
#Check whether webview sets arbitrary BaseURL
wv_burl_check=re.escape(sl +'.loadDataWithBaseURL')
if wv_config(i[1],wv_burl_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'BURL_WARNING1'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_BASE_URL_DEFINED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_BURL_WARNING1') + " "+str(i[0]) +" "+common.config.get('qarkhelper', 'TERMINAL_BURL_WARNING2') + "To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/BURL_WARNING.html " + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/BURL_WARNING.html\n")
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'BURL_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_BASE_URL_DEFINED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'BURL_OK'))
results.append(issue)
#Checks whether file URI can access filesystem
#true by default, so the check is inverted
wv_file_check=re.escape(sl+'.setAllowFileAccess(false)')
if wv_config(i[1],wv_file_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'FILE_SYS_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'FILE_SYS_OK') + str(i[0]))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'FILE_SYS_WARN1'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_FILE_SYS_WARN1') + str(i[0]) +" "+ common.config.get('qarkhelper', 'TERMINAL_FILE_SYS_WARN2') + " To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/FILE_SYS_WARN.html " + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/FILE_SYS_WARN.html\n")
results.append(issue)
#Regex to determine if WebViews have Content Provider access (default = true)
#Checks whether WebView can access Content Providers
#true by default, so the check is inverted
#BUG - This can run twice, perhaps due to an empty element
wv_cpa_check=re.escape(sl+'.setAllowContentAccess(false)')
if wv_config(i[1],wv_cpa_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'WV_CPA_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_CP_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'WV_CPA_OK') + str(i[0]))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'WV_CPA_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_CP_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_WV_CPA_WARNING') + str(i[0]) + "To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/WV_CPA_WARNING.html " + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/WV_CPA_WARNING.html\n")
results.append(issue)
#check for JS access from file URL can access content from any origin
#minSdk <= 15 default is true; minSdk > 16 default is false
#BUG - This check is wrong on the second if; If set to false and not found, it prints OK
if int(common.minSdkVersion) <16:
wv_univ_file_access=re.escape(sl+'.setAllowUniversalAccessFromFileURLs(false)')
if not wv_config(i[1],wv_univ_file_access):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'UNIV_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_UNIV_FILE_WARNING') +str(i[0]) + " To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/UNIV_FILE_WARNING.html " + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/UNIV_FILE_WARNING.html\n")
results.append(issue)
skip_next=True
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'UNIV_FILE_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_FILE_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'UNIV_FILE_OK') + str(i[0]))
results.append(issue)
skip_next=False
#checking previous value above, as this is ignored if the above is true
#could I just put pass above?
if skip_next:
pass
else:
#minSdk <= 15 default is true; minSdk > 16 default is false
wv_allow_file_access_furls=re.escape(sl+'.setAllowFileAccessFromFileURLs(false)')
if wv_config(i[1],wv_allow_file_access_furls):
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData("This WebView does not have access to File URLs - setAllowFileAccessFromFileURLs(false)" + str(i[0]))
results.append(issue)
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails("This WebView does not have access to File URLs - setAllowFileAccessFromFileURLs(false)")
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, False)
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'UNIV_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, True)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_UNIV_FILE_WARNING') + str(i[0]) + "To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/UNIV_FILE_WARNING2.html "+ "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/UNIV_FILE_WARNING2.html\n")
results.append(issue)
else:
wv_univ_file_access=re.escape(sl+'.setAllowUniversalAccessFromFileURLs(true)')
if wv_config(i[1],wv_univ_file_access):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'UNIV_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_UNIV_FILE_WARNING') + '1 '+str(i[0]) + " To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/UNIV_FILE_WARNING.html " + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/UNIV_FILE_WARNING.html\n")
results.append(issue)
skip_next=True
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'UNIV_FILE_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'UNIV_FILE_OK') + str(i[0]))
results.append(issue)
skip_next=False
#checking previous value above, as this is ignored if the above is true
if skip_next:
pass
else:
#minSdk <= 15 default is true; minSdk > 16 default is false
wv_allow_file_access_furls=re.escape(sl+'.setAllowFileAccessFromFileURLs(true)')
if wv_config(i[1],wv_allow_file_access_furls):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'FURL_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_FURL_FILE_WARNING') + str(i[0]) + "To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/FURL_FILE_WARNING.html " + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/FURL_FILE_WARNING.html\n")
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'FURL_FILE_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'FURL_FILE_OK') + str(i[0]))
results.append(issue)
#Checking whether plugins are enabled for WebViews
#setPluginsEnabled deprecated in API 9, removed in API 18
#setPluginState added in API 8, deprecated in API 18
wv_plugsinenabled=re.escape(sl+'.setPluginsEnabled(true)')
wv_pluginstate=re.escape(sl+'.setPluginState(WebSettings.PluginState.ON*')
if wv_config(i[1],wv_plugsinenabled):
if int(common.minSdkVersion) < 18:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'DEPRECATED_SINCE_9') +str(i[0]) + "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'DEPRECATED_SINCE_9') +str(i[0]))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'REMOVED_IN_18')+str(i[0]) + "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'REMOVED_IN_18')+str(i[0]))
results.append(issue)
logger.info(common.config.get('qarkhelper', 'REMOVED_IN_18')+str(i[0]))
if wv_config(i[1],wv_pluginstate):
if int(common.minSdkVersion) < 8:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'ADDED_IN_8')+str(i[0]) + "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'ADDED_IN_8')+str(i[0]))
results.append(issue)
logger.info(common.config.get('qarkhelper', 'ADDED_IN_8')+str(i[0]))
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'DEPRECATED_IN_18')+str(i[0])
+ "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'DEPRECATED_IN_18')+str(i[0]))
results.append(issue)
#Check if addJavascriptInterface is used in WebView
#BUG - this is actually on WebView, not settings
wv_ajs=re.escape(sl+'.addJavascriptInterface')
if wv_config(i[1],wv_ajs):
if int(common.minSdkVersion)<17:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'BAD_JS_INT'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(common.config.get('qarkhelper', 'TERMINAL_BAD_JS_INT') + " "+str(i[0]) + " To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/BAD_JS_INT.html " + "Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/BAD_JS_INT.html" +"\n")
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'OK_JS_INT') + str(i[0])
+ "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'OK_JS_INT'))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'NO_JS_INT')
+ "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'NO_JS_INT') + str(i[0]))
results.append(issue)
#Check if WebView has DOMStorage enabled
wv_setdom=re.escape(sl+'.setDomStorageEnabled(true)')
if wv_config(i[1],wv_setdom):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'DOM_STORAGE_EN') + str(i[0])
+ "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_DOM_STORAGE_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'DOM_STORAGE_EN'))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'DOM_STORAGE_DIS')
+ "<br>FILE: " +str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_DOM_STORAGE_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'DOM_STORAGE_DIS') + str(i[0]))
results.append(issue)
return
def show_wv_vulns(s_list, i, results):
"""
Shows all identified web view vulnerabilities
"""
#BUG - This sometimes prints twice, successively which shouldn't happen
#print "#"*100
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData("WebView: " + str(i[0]))
results.append(issue)
#logger.info("WebView: " +str(i[0]))
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData("File: " + str(i[1]) + "\n")
results.append(issue)
#logger.info("File: " + str(i[1]) +"\n")
if len(s_list) == 0:
default_wv_config(i[0], i[1], int(common.minSdkVersion), results)
return
for f in s_list:
sl = re.sub(r'WebSettings\s*', '', f)
sl = re.sub(r'\s*[;=].*$', '', sl)
sl = re.sub(r'final\s', '', sl)
#strip string whitespace out
sl = re.sub(r'^\W+', '', sl)
sl = re.sub(r'\.\w+\(\w+\)$', '', sl)
sl = sl.rstrip()
#Regex to look for javascript being enabled
#BUG I can reduce the number of files checked to only those that have the name / import WebViews
#Probably need to check for alternative true/false value representations
wv_js_check = sl + '.setJavaScriptEnabled(true)'
wv_js_check = re.escape(wv_js_check)
#check if webview JS in enabled
#BUG - THis can run twice, perhaps it is an artifact of an empty first element?
if wv_config(i[1], wv_js_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'JS_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_JS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper', 'TERMINAL_JS_WARNING') + " " +
str(i[0]) + " " +
common.config.get('qarkhelper', 'TERMINAL_JS_WARNING1') +
" To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/JS_WARNING.html"
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/JS_WARNING.html\n"
)
results.append(issue)
else:
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'JS_OK') + " " + str(i[0]) +
str(i[1]))
results.append(issue)
#BUG - this is actually set on WebView
#Check whether webview sets arbitrary BaseURL
wv_burl_check = re.escape(sl + '.loadDataWithBaseURL')
if wv_config(i[1], wv_burl_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'BURL_WARNING1'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_BASE_URL_DEFINED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper', 'TERMINAL_BURL_WARNING1') +
" " + str(i[0]) + " " +
common.config.get('qarkhelper', 'TERMINAL_BURL_WARNING2') +
"To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/BURL_WARNING.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/BURL_WARNING.html\n"
)
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'BURL_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_BASE_URL_DEFINED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'BURL_OK'))
results.append(issue)
#Checks whether file URI can access filesystem
#true by default, so the check is inverted
wv_file_check = re.escape(sl + '.setAllowFileAccess(false)')
if wv_config(i[1], wv_file_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'FILE_SYS_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'FILE_SYS_OK') + str(i[0]))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'FILE_SYS_WARN1'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper', 'TERMINAL_FILE_SYS_WARN1') +
str(i[0]) + " " +
common.config.get('qarkhelper', 'TERMINAL_FILE_SYS_WARN2') +
" To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/FILE_SYS_WARN.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/FILE_SYS_WARN.html\n"
)
results.append(issue)
#Regex to determine if WebViews have Content Provider access (default = true)
#Checks whether WebView can access Content Providers
#true by default, so the check is inverted
#BUG - This can run twice, perhaps due to an empty element
wv_cpa_check = re.escape(sl + '.setAllowContentAccess(false)')
if wv_config(i[1], wv_cpa_check):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'WV_CPA_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_CP_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'WV_CPA_OK') + str(i[0]))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'WV_CPA_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_CP_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper', 'TERMINAL_WV_CPA_WARNING') +
str(i[0]) +
"To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/WV_CPA_WARNING.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/WV_CPA_WARNING.html\n"
)
results.append(issue)
#check for JS access from file URL can access content from any origin
#minSdk <= 15 default is true; minSdk > 16 default is false
#BUG - This check is wrong on the second if; If set to false and not found, it prints OK
if int(common.minSdkVersion) < 16:
wv_univ_file_access = re.escape(
sl + '.setAllowUniversalAccessFromFileURLs(false)')
if not wv_config(i[1], wv_univ_file_access):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'UNIV_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper',
'TERMINAL_UNIV_FILE_WARNING') +
str(i[0]) +
" To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/UNIV_FILE_WARNING.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/UNIV_FILE_WARNING.html\n"
)
results.append(issue)
skip_next = True
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'UNIV_FILE_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_FILE_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'UNIV_FILE_OK') +
str(i[0]))
results.append(issue)
skip_next = False
#checking previous value above, as this is ignored if the above is true
#could I just put pass above?
if skip_next:
pass
else:
#minSdk <= 15 default is true; minSdk > 16 default is false
wv_allow_file_access_furls = re.escape(
sl + '.setAllowFileAccessFromFileURLs(false)')
if wv_config(i[1], wv_allow_file_access_furls):
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
"This WebView does not have access to File URLs - setAllowFileAccessFromFileURLs(false)"
+ str(i[0]))
results.append(issue)
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
"This WebView does not have access to File URLs - setAllowFileAccessFromFileURLs(false)"
)
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, False)
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'UNIV_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setExtras(IS_FILE_ACCESS_ENABLED, True)
issue.setData(
common.config.get('qarkhelper',
'TERMINAL_UNIV_FILE_WARNING') +
str(i[0]) +
"To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/UNIV_FILE_WARNING2.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/UNIV_FILE_WARNING2.html\n"
)
results.append(issue)
else:
wv_univ_file_access = re.escape(
sl + '.setAllowUniversalAccessFromFileURLs(true)')
if wv_config(i[1], wv_univ_file_access):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'UNIV_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper',
'TERMINAL_UNIV_FILE_WARNING') + '1 ' +
str(i[0]) +
" To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/UNIV_FILE_WARNING.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/UNIV_FILE_WARNING.html\n"
)
results.append(issue)
skip_next = True
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'UNIV_FILE_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'UNIV_FILE_OK') +
str(i[0]))
results.append(issue)
skip_next = False
#checking previous value above, as this is ignored if the above is true
if skip_next:
pass
else:
#minSdk <= 15 default is true; minSdk > 16 default is false
wv_allow_file_access_furls = re.escape(
sl + '.setAllowFileAccessFromFileURLs(true)')
if wv_config(i[1], wv_allow_file_access_furls):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper',
'FURL_FILE_WARNING'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper',
'TERMINAL_FURL_FILE_WARNING') +
str(i[0]) +
"To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/FURL_FILE_WARNING.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/FURL_FILE_WARNING.html\n"
)
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'FURL_FILE_OK'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_UNIVERSAL_FILE_ACCESS_ENABLED,
False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'FURL_FILE_OK') +
str(i[0]))
results.append(issue)
#Checking whether plugins are enabled for WebViews
#setPluginsEnabled deprecated in API 9, removed in API 18
#setPluginState added in API 8, deprecated in API 18
wv_plugsinenabled = re.escape(sl + '.setPluginsEnabled(true)')
wv_pluginstate = re.escape(
sl + '.setPluginState(WebSettings.PluginState.ON*')
if wv_config(i[1], wv_plugsinenabled):
if int(common.minSdkVersion) < 18:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'DEPRECATED_SINCE_9') +
str(i[0]) + "<br>FILE: " + str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'DEPRECATED_SINCE_9') +
str(i[0]))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'REMOVED_IN_18') +
str(i[0]) + "<br>FILE: " + str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'REMOVED_IN_18') +
str(i[0]))
results.append(issue)
logger.info(
common.config.get('qarkhelper', 'REMOVED_IN_18') +
str(i[0]))
if wv_config(i[1], wv_pluginstate):
if int(common.minSdkVersion) < 8:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'ADDED_IN_8') + str(i[0]) +
"<br>FILE: " + str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'ADDED_IN_8') + str(i[0]))
results.append(issue)
logger.info(
common.config.get('qarkhelper', 'ADDED_IN_8') + str(i[0]))
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'DEPRECATED_IN_18') +
str(i[0]) + "<br>FILE: " + str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'DEPRECATED_IN_18') +
str(i[0]))
results.append(issue)
#Check if addJavascriptInterface is used in WebView
#BUG - this is actually on WebView, not settings
wv_ajs = re.escape(sl + '.addJavascriptInterface')
if wv_config(i[1], wv_ajs):
if int(common.minSdkVersion) < 17:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(common.config.get('qarkhelper', 'BAD_JS_INT'))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.WARNING)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.WARNING)
issue.setData(
common.config.get('qarkhelper', 'TERMINAL_BAD_JS_INT') +
" " + str(i[0]) +
" To validate this vulnerability, load the following url in this WebView: http://www.secbro.com/poc/html/BAD_JS_INT.html "
+
"Note: A local copy of this html file can also be found at <install_dir>/quark/poc/html/BAD_JS_INT.html"
+ "\n")
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'OK_JS_INT') + str(i[0]) +
"<br>FILE: " + str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'OK_JS_INT'))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'NO_JS_INT') + "<br>FILE: " +
str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'NO_JS_INT') + str(i[0]))
results.append(issue)
#Check if WebView has DOMStorage enabled
wv_setdom = re.escape(sl + '.setDomStorageEnabled(true)')
if wv_config(i[1], wv_setdom):
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'DOM_STORAGE_EN') + str(i[0]) +
"<br>FILE: " + str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_DOM_STORAGE_ENABLED, True)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(common.config.get('qarkhelper', 'DOM_STORAGE_EN'))
results.append(issue)
else:
issue = ReportIssue()
issue.setCategory(ExploitType.WEBVIEW)
issue.setDetails(
common.config.get('qarkhelper', 'DOM_STORAGE_DIS') +
"<br>FILE: " + str(i[1]))
issue.setFile(str(i[1]))
issue.setSeverity(Severity.INFO)
issue.setExtras(IS_DOM_STORAGE_ENABLED, False)
results.append(issue)
issue = terminalPrint()
issue.setLevel(Severity.INFO)
issue.setData(
common.config.get('qarkhelper', 'DOM_STORAGE_DIS') + str(i[0]))
results.append(issue)
return
