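def show_wv_vulns(s_list, i, results):
    """
    Shows all identified web view vulnerabilities

    For each entry of ``s_list`` the settings identifier is recovered with the
    regexes below, the file ``i[1]`` is searched (via ``wv_config``) for
    security-relevant calls on that identifier, and one ``ReportIssue`` and/or
    ``terminalPrint`` is appended to ``results`` per check.

    :param s_list: strings from which the settings variable name is extracted
        (presumably Java ``WebSettings`` declaration lines -- confirm against
        the caller).  When empty, ``default_wv_config`` is used instead.
    :param i: indexable pair; ``i[0]`` is printed as the WebView, ``i[1]`` is
        the file that is searched and named in every finding.
    :param results: list that receives the findings (mutated in place).

    Detection limits worth knowing when reading the output: only the literal
    spellings ``(true)`` / ``(false)`` are matched, so a setting passed as a
    variable or constant is not seen, and an "OK" line then only means the
    literal call was not found.
    """
    wv_name = str(i[0])
    src_file = str(i[1])

    def msg(key):
        # All user-facing text comes from the 'qarkhelper' config section.
        return common.config.get('qarkhelper', key)

    def terminal(level, data):
        # Queue one console line.
        entry = terminalPrint()
        entry.setLevel(level)
        entry.setData(data)
        results.append(entry)

    def report(details, severity, extras_key=None, extras_value=None):
        # Queue one report entry for the file under review.
        # NOTE(review): some callers pass details containing "<br>" plus the
        # WebView name and file path, both taken from the scanned app; confirm
        # the report writer escapes them before they reach an HTML page.
        entry = ReportIssue()
        entry.setCategory(ExploitType.WEBVIEW)
        entry.setDetails(details)
        entry.setFile(src_file)
        entry.setSeverity(severity)
        if extras_key is not None:
            entry.setExtras(extras_key, extras_value)
        results.append(entry)

    def poc_hint(page):
        # Validation hint shared by every warning.  The hosted page and the
        # "Note:" sentence are separated by a space so the URL stays usable.
        # NOTE(review): the hosted copy is plain http on a host outside this
        # project's control; the local copy is the safer one to load.
        return ("To validate this vulnerability, load the following url in this WebView: "
                + "http://www.secbro.com/poc/html/" + page + ".html "
                + "Note: A local copy of this html file can also be found at "
                + "<install_dir>/quark/poc/html/" + page + ".html\n")

    def calls(settings, call):
        # True when wv_config finds the literal text settings+call in the file.
        return wv_config(i[1], re.escape(settings + call))

    #BUG - This sometimes prints twice, successively which shouldn't happen
    terminal(Severity.INFO, "WebView: " + wv_name)
    terminal(Severity.INFO, "File: " + src_file + "\n")

    min_sdk = int(common.minSdkVersion)

    if len(s_list) == 0:
        default_wv_config(i[0], i[1], min_sdk, results)
        return

    for f in s_list:
        # Strip type, modifiers, assignment and trailing call so that only the
        # settings identifier is left.
        sl = re.sub(r'WebSettings\s*', '', f)
        sl = re.sub(r'\s*[;=].*$', '', sl)
        sl = re.sub(r'final\s', '', sl)
        sl = re.sub(r'^\W+', '', sl)
        sl = re.sub(r'\.\w+\(\w+\)$', '', sl)
        sl = sl.rstrip()

        # JavaScript enabled?
        #BUG I can reduce the number of files checked to only those that have the name / import WebViews
        #BUG - This can run twice, perhaps it is an artifact of an empty first element?
        if calls(sl, '.setJavaScriptEnabled(true)'):
            report(msg('JS_WARNING'), Severity.WARNING, IS_JS_ENABLED, True)
            terminal(Severity.WARNING,
                     msg('TERMINAL_JS_WARNING') + " " + wv_name + " "
                     + msg('TERMINAL_JS_WARNING1') + " " + poc_hint('JS_WARNING'))
        else:
            # Name and path are separated so the line stays readable.
            terminal(Severity.INFO, msg('JS_OK') + " " + wv_name + " " + src_file)

        # Arbitrary base URL?
        #BUG - this is actually set on WebView
        # NOTE(review): IS_BASE_URL_DEFINED is False when the call IS found;
        # that looks inverted -- confirm against whatever reads the extras.
        if calls(sl, '.loadDataWithBaseURL'):
            report(msg('BURL_WARNING1'), Severity.WARNING, IS_BASE_URL_DEFINED, False)
            terminal(Severity.WARNING,
                     msg('TERMINAL_BURL_WARNING1') + " " + wv_name + " "
                     + msg('TERMINAL_BURL_WARNING2') + poc_hint('BURL_WARNING'))
        else:
            report(msg('BURL_OK'), Severity.INFO, IS_BASE_URL_DEFINED, True)
            terminal(Severity.INFO, msg('BURL_OK'))

        # File-system access from the WebView: true by default, so the check
        # looks for the explicit opt-out.
        if calls(sl, '.setAllowFileAccess(false)'):
            # INFO, not WARNING: this is the hardened setting, and the
            # matching console line is INFO as well.
            report(msg('FILE_SYS_OK'), Severity.INFO, IS_FILE_ACCESS_ENABLED, False)
            terminal(Severity.INFO, msg('FILE_SYS_OK') + wv_name)
        else:
            report(msg('FILE_SYS_WARN1'), Severity.WARNING, IS_FILE_ACCESS_ENABLED, True)
            terminal(Severity.WARNING,
                     msg('TERMINAL_FILE_SYS_WARN1') + wv_name + " "
                     + msg('TERMINAL_FILE_SYS_WARN2') + " " + poc_hint('FILE_SYS_WARN'))

        # Content Provider access: true by default, so the check is inverted.
        #BUG - This can run twice, perhaps due to an empty element
        if calls(sl, '.setAllowContentAccess(false)'):
            report(msg('WV_CPA_OK'), Severity.INFO, IS_CP_ACCESS_ENABLED, False)
            terminal(Severity.INFO, msg('WV_CPA_OK') + wv_name)
        else:
            report(msg('WV_CPA_WARNING'), Severity.WARNING, IS_CP_ACCESS_ENABLED, True)
            terminal(Severity.WARNING,
                     msg('TERMINAL_WV_CPA_WARNING') + wv_name + " "
                     + poc_hint('WV_CPA_WARNING'))

        # JS loaded from a file URL reaching other origins / other files.
        #minSdk <= 15 default is true; minSdk > 16 default is false
        #BUG - This check is wrong on the second if; If set to false and not found, it prints OK
        if min_sdk < 16:
            # NOTE(review): this branch records the universal-access result
            # under IS_FILE_ACCESS_ENABLED, the key also used for
            # setAllowFileAccess; the other branch uses
            # IS_UNIVERSAL_FILE_ACCESS_ENABLED -- confirm which is intended.
            if not calls(sl, '.setAllowUniversalAccessFromFileURLs(false)'):
                report(msg('UNIV_FILE_WARNING'), Severity.WARNING, IS_FILE_ACCESS_ENABLED, True)
                terminal(Severity.WARNING,
                         msg('TERMINAL_UNIV_FILE_WARNING') + wv_name + " "
                         + poc_hint('UNIV_FILE_WARNING'))
            else:
                report(msg('UNIV_FILE_OK'), Severity.INFO, IS_FILE_ACCESS_ENABLED, False)
                terminal(Severity.INFO, msg('UNIV_FILE_OK') + wv_name)
                # The narrower setting is only looked at when universal access
                # is off.
                no_file_urls = "This WebView does not have access to File URLs - setAllowFileAccessFromFileURLs(false)"
                if calls(sl, '.setAllowFileAccessFromFileURLs(false)'):
                    terminal(Severity.INFO, no_file_urls + wv_name)
                    # INFO: the opt-out is present, nothing to warn about.
                    report(no_file_urls, Severity.INFO, IS_FILE_ACCESS_ENABLED, False)
                else:
                    # The extras flag goes on the report entry, as in every
                    # other branch, not on the console line.
                    report(msg('UNIV_FILE_WARNING'), Severity.WARNING, IS_FILE_ACCESS_ENABLED, True)
                    terminal(Severity.WARNING,
                             msg('TERMINAL_UNIV_FILE_WARNING') + wv_name + " "
                             + poc_hint('UNIV_FILE_WARNING2'))
        else:
            if calls(sl, '.setAllowUniversalAccessFromFileURLs(true)'):
                report(msg('UNIV_FILE_WARNING'), Severity.WARNING,
                       IS_UNIVERSAL_FILE_ACCESS_ENABLED, True)
                terminal(Severity.WARNING,
                         msg('TERMINAL_UNIV_FILE_WARNING') + '1 ' + wv_name + " "
                         + poc_hint('UNIV_FILE_WARNING'))
            else:
                report(msg('UNIV_FILE_OK'), Severity.INFO,
                       IS_UNIVERSAL_FILE_ACCESS_ENABLED, False)
                terminal(Severity.INFO, msg('UNIV_FILE_OK') + wv_name)
                if calls(sl, '.setAllowFileAccessFromFileURLs(true)'):
                    report(msg('FURL_FILE_WARNING'), Severity.WARNING,
                           IS_UNIVERSAL_FILE_ACCESS_ENABLED, True)
                    terminal(Severity.WARNING,
                             msg('TERMINAL_FURL_FILE_WARNING') + wv_name + " "
                             + poc_hint('FURL_FILE_WARNING'))
                else:
                    report(msg('FURL_FILE_OK'), Severity.INFO,
                           IS_UNIVERSAL_FILE_ACCESS_ENABLED, False)
                    terminal(Severity.INFO, msg('FURL_FILE_OK') + wv_name)

        # Plugins.
        #setPluginsEnabled deprecated in API 9, removed in API 18
        #setPluginState added in API 8, deprecated in API 18
        if calls(sl, '.setPluginsEnabled(true)'):
            if min_sdk < 18:
                report(msg('DEPRECATED_SINCE_9') + wv_name + "<br>FILE: " + src_file,
                       Severity.INFO)
                terminal(Severity.INFO, msg('DEPRECATED_SINCE_9') + wv_name)
            else:
                report(msg('REMOVED_IN_18') + wv_name + "<br>FILE: " + src_file,
                       Severity.INFO)
                terminal(Severity.INFO, msg('REMOVED_IN_18') + wv_name)
                logger.info(msg('REMOVED_IN_18') + wv_name)
        # The pattern stops at "ON" so it covers ON and ON_DEMAND.  A trailing
        # "*" would be escaped by re.escape into a literal asterisk, which no
        # source line contains (assumes wv_config treats the pattern as a
        # regular expression -- confirm).
        if calls(sl, '.setPluginState(WebSettings.PluginState.ON'):
            if min_sdk < 8:
                report(msg('ADDED_IN_8') + wv_name + "<br>FILE: " + src_file,
                       Severity.INFO)
                terminal(Severity.INFO, msg('ADDED_IN_8') + wv_name)
                logger.info(msg('ADDED_IN_8') + wv_name)
            else:
                report(msg('DEPRECATED_IN_18') + wv_name + "<br>FILE: " + src_file,
                       Severity.INFO)
                terminal(Severity.INFO, msg('DEPRECATED_IN_18') + wv_name)

        # addJavascriptInterface: warned about only when minSdk is below 17.
        #BUG - this is actually on WebView, not settings
        if calls(sl, '.addJavascriptInterface'):
            if min_sdk < 17:
                report(msg('BAD_JS_INT'), Severity.WARNING)
                terminal(Severity.WARNING,
                         msg('TERMINAL_BAD_JS_INT') + " " + wv_name + " "
                         + poc_hint('BAD_JS_INT'))
            else:
                report(msg('OK_JS_INT') + wv_name + "<br>FILE: " + src_file,
                       Severity.INFO)
                terminal(Severity.INFO, msg('OK_JS_INT'))
        else:
            report(msg('NO_JS_INT') + "<br>FILE: " + src_file, Severity.INFO)
            terminal(Severity.INFO, msg('NO_JS_INT') + wv_name)

        # DOM storage.
        if calls(sl, '.setDomStorageEnabled(true)'):
            report(msg('DOM_STORAGE_EN') + wv_name + "<br>FILE: " + src_file,
                   Severity.INFO, IS_DOM_STORAGE_ENABLED, True)
            terminal(Severity.INFO, msg('DOM_STORAGE_EN'))
        else:
            report(msg('DOM_STORAGE_DIS') + "<br>FILE: " + src_file,
                   Severity.INFO, IS_DOM_STORAGE_ENABLED, False)
            terminal(Severity.INFO, msg('DOM_STORAGE_DIS') + wv_name)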
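def _wv_text(key):
    """Return the 'qarkhelper' config string stored under ``key``."""
    return common.config.get('qarkhelper', key)


def _wv_terminal(results, level, data):
    """Append one console line (a ``terminalPrint``) to ``results``."""
    line = terminalPrint()
    line.setLevel(level)
    line.setData(data)
    results.append(line)


def _wv_report(results, path, details, severity, extras=None):
    """Append one ``ReportIssue`` in the WEBVIEW category to ``results``.

    ``extras`` is an optional ``(key, value)`` pair passed to ``setExtras``.
    """
    # NOTE(review): details may carry "<br>" together with a WebView name and
    # file path that come from the app being scanned; confirm the code that
    # renders the report escapes them.
    finding = ReportIssue()
    finding.setCategory(ExploitType.WEBVIEW)
    finding.setDetails(details)
    finding.setFile(path)
    finding.setSeverity(severity)
    if extras is not None:
        finding.setExtras(extras[0], extras[1])
    results.append(finding)


def _wv_poc_hint(page):
    """Return the "how to validate" sentence for PoC page ``page``.

    The URL and the "Note:" sentence are always separated by a space.
    """
    # NOTE(review): the hosted page is served over plain http from a host
    # this project does not control; prefer the local copy when validating.
    return ("To validate this vulnerability, load the following url in this WebView: "
            + "http://www.secbro.com/poc/html/" + page + ".html "
            + "Note: A local copy of this html file can also be found at "
            + "<install_dir>/quark/poc/html/" + page + ".html\n")


def show_wv_vulns(s_list, i, results):
    """
    Shows all identified web view vulnerabilities

    Appends console lines and report entries to ``results`` for the WebView
    ``i[0]`` found in file ``i[1]``.  With an empty ``s_list`` the work is
    handed to ``default_wv_config``; otherwise every entry of ``s_list`` is
    reduced to an identifier and the file is searched for calls on it.

    Matching is on literal text such as ``.setJavaScriptEnabled(true)``; a
    value supplied through a variable is not recognised, so the absence of a
    warning is not proof that a setting is off.
    """
    name = str(i[0])
    path = str(i[1])
    info = Severity.INFO
    warn = Severity.WARNING

    def found(settings, call):
        # Ask wv_config whether the escaped text settings+call is in the file.
        return wv_config(i[1], re.escape(settings + call))

    #BUG - This sometimes prints twice, successively which shouldn't happen
    _wv_terminal(results, info, "WebView: " + name)
    _wv_terminal(results, info, "File: " + path + "\n")

    sdk = int(common.minSdkVersion)

    if len(s_list) == 0:
        default_wv_config(i[0], i[1], sdk, results)
        return

    for f in s_list:
        # Peel the declaration down to the settings variable name.
        sl = re.sub(r'WebSettings\s*', '', f)
        sl = re.sub(r'\s*[;=].*$', '', sl)
        sl = re.sub(r'final\s', '', sl)
        sl = re.sub(r'^\W+', '', sl)
        sl = re.sub(r'\.\w+\(\w+\)$', '', sl)
        sl = sl.rstrip()

        # --- JavaScript -----------------------------------------------------
        #BUG I can reduce the number of files checked to only those that have the name / import WebViews
        #Probably need to check for alternative true/false value representations
        #BUG - THis can run twice, perhaps it is an artifact of an empty first element?
        if found(sl, '.setJavaScriptEnabled(true)'):
            _wv_report(results, path, _wv_text('JS_WARNING'), warn,
                       (IS_JS_ENABLED, True))
            _wv_terminal(results, warn,
                         _wv_text('TERMINAL_JS_WARNING') + " " + name + " "
                         + _wv_text('TERMINAL_JS_WARNING1') + " "
                         + _wv_poc_hint('JS_WARNING'))
        else:
            # A space keeps the WebView name and the file path apart.
            _wv_terminal(results, info,
                         _wv_text('JS_OK') + " " + name + " " + path)

        # --- loadDataWithBaseURL --------------------------------------------
        #BUG - this is actually set on WebView
        # NOTE(review): the extras value is False when the call is present and
        # True when it is absent, which reads as inverted -- confirm.
        if found(sl, '.loadDataWithBaseURL'):
            _wv_report(results, path, _wv_text('BURL_WARNING1'), warn,
                       (IS_BASE_URL_DEFINED, False))
            _wv_terminal(results, warn,
                         _wv_text('TERMINAL_BURL_WARNING1') + " " + name + " "
                         + _wv_text('TERMINAL_BURL_WARNING2')
                         + _wv_poc_hint('BURL_WARNING'))
        else:
            _wv_report(results, path, _wv_text('BURL_OK'), info,
                       (IS_BASE_URL_DEFINED, True))
            _wv_terminal(results, info, _wv_text('BURL_OK'))

        # --- setAllowFileAccess (true by default, so look for the opt-out) ---
        if found(sl, '.setAllowFileAccess(false)'):
            # Reported at INFO: the opt-out is the safe state, and the console
            # line for the same finding is INFO too.
            _wv_report(results, path, _wv_text('FILE_SYS_OK'), info,
                       (IS_FILE_ACCESS_ENABLED, False))
            _wv_terminal(results, info, _wv_text('FILE_SYS_OK') + name)
        else:
            _wv_report(results, path, _wv_text('FILE_SYS_WARN1'), warn,
                       (IS_FILE_ACCESS_ENABLED, True))
            _wv_terminal(results, warn,
                         _wv_text('TERMINAL_FILE_SYS_WARN1') + name + " "
                         + _wv_text('TERMINAL_FILE_SYS_WARN2') + " "
                         + _wv_poc_hint('FILE_SYS_WARN'))

        # --- setAllowContentAccess (true by default) -------------------------
        #BUG - This can run twice, perhaps due to an empty element
        if found(sl, '.setAllowContentAccess(false)'):
            _wv_report(results, path, _wv_text('WV_CPA_OK'), info,
                       (IS_CP_ACCESS_ENABLED, False))
            _wv_terminal(results, info, _wv_text('WV_CPA_OK') + name)
        else:
            _wv_report(results, path, _wv_text('WV_CPA_WARNING'), warn,
                       (IS_CP_ACCESS_ENABLED, True))
            _wv_terminal(results, warn,
                         _wv_text('TERMINAL_WV_CPA_WARNING') + name + " "
                         + _wv_poc_hint('WV_CPA_WARNING'))

        # --- access from file URLs -------------------------------------------
        #minSdk <= 15 default is true; minSdk > 16 default is false
        #BUG - This check is wrong on the second if; If set to false and not found, it prints OK
        if sdk < 16:
            # Default is on here, so a missing explicit "false" is the finding.
            # NOTE(review): results in this branch are stored under
            # IS_FILE_ACCESS_ENABLED, while the branch for newer SDKs uses
            # IS_UNIVERSAL_FILE_ACCESS_ENABLED -- confirm the intended key.
            if not found(sl, '.setAllowUniversalAccessFromFileURLs(false)'):
                _wv_report(results, path, _wv_text('UNIV_FILE_WARNING'), warn,
                           (IS_FILE_ACCESS_ENABLED, True))
                _wv_terminal(results, warn,
                             _wv_text('TERMINAL_UNIV_FILE_WARNING') + name + " "
                             + _wv_poc_hint('UNIV_FILE_WARNING'))
            else:
                _wv_report(results, path, _wv_text('UNIV_FILE_OK'), info,
                           (IS_FILE_ACCESS_ENABLED, False))
                _wv_terminal(results, info, _wv_text('UNIV_FILE_OK') + name)
                # Only checked when universal access was switched off above.
                blocked = "This WebView does not have access to File URLs - setAllowFileAccessFromFileURLs(false)"
                if found(sl, '.setAllowFileAccessFromFileURLs(false)'):
                    _wv_terminal(results, info, blocked + name)
                    # INFO rather than WARNING: access is explicitly disabled.
                    _wv_report(results, path, blocked, info,
                               (IS_FILE_ACCESS_ENABLED, False))
                else:
                    # The flag is attached to the report entry, matching all
                    # other findings, instead of to the console line.
                    _wv_report(results, path, _wv_text('UNIV_FILE_WARNING'),
                               warn, (IS_FILE_ACCESS_ENABLED, True))
                    _wv_terminal(results, warn,
                                 _wv_text('TERMINAL_UNIV_FILE_WARNING') + name
                                 + " " + _wv_poc_hint('UNIV_FILE_WARNING2'))
        else:
            # Default is off here, so only an explicit "true" is a finding.
            if found(sl, '.setAllowUniversalAccessFromFileURLs(true)'):
                _wv_report(results, path, _wv_text('UNIV_FILE_WARNING'), warn,
                           (IS_UNIVERSAL_FILE_ACCESS_ENABLED, True))
                _wv_terminal(results, warn,
                             _wv_text('TERMINAL_UNIV_FILE_WARNING') + '1 '
                             + name + " " + _wv_poc_hint('UNIV_FILE_WARNING'))
            else:
                _wv_report(results, path, _wv_text('UNIV_FILE_OK'), info,
                           (IS_UNIVERSAL_FILE_ACCESS_ENABLED, False))
                _wv_terminal(results, info, _wv_text('UNIV_FILE_OK') + name)
                if found(sl, '.setAllowFileAccessFromFileURLs(true)'):
                    _wv_report(results, path, _wv_text('FURL_FILE_WARNING'),
                               warn, (IS_UNIVERSAL_FILE_ACCESS_ENABLED, True))
                    _wv_terminal(results, warn,
                                 _wv_text('TERMINAL_FURL_FILE_WARNING') + name
                                 + " " + _wv_poc_hint('FURL_FILE_WARNING'))
                else:
                    _wv_report(results, path, _wv_text('FURL_FILE_OK'), info,
                               (IS_UNIVERSAL_FILE_ACCESS_ENABLED, False))
                    _wv_terminal(results, info,
                                 _wv_text('FURL_FILE_OK') + name)

        # --- plugins ----------------------------------------------------------
        #setPluginsEnabled deprecated in API 9, removed in API 18
        #setPluginState added in API 8, deprecated in API 18
        if found(sl, '.setPluginsEnabled(true)'):
            key = 'DEPRECATED_SINCE_9' if sdk < 18 else 'REMOVED_IN_18'
            _wv_report(results, path,
                       _wv_text(key) + name + "<br>FILE: " + path, info)
            _wv_terminal(results, info, _wv_text(key) + name)
            if sdk >= 18:
                logger.info(_wv_text(key) + name)
        # Searched up to "ON" so both ON and ON_DEMAND are caught; re.escape
        # would turn a trailing "*" into a literal asterisk that never occurs
        # in source (assuming wv_config does a regex search -- confirm).
        if found(sl, '.setPluginState(WebSettings.PluginState.ON'):
            key = 'ADDED_IN_8' if sdk < 8 else 'DEPRECATED_IN_18'
            _wv_report(results, path,
                       _wv_text(key) + name + "<br>FILE: " + path, info)
            _wv_terminal(results, info, _wv_text(key) + name)
            if sdk < 8:
                logger.info(_wv_text(key) + name)

        # --- addJavascriptInterface -------------------------------------------
        #BUG - this is actually on WebView, not settings
        if not found(sl, '.addJavascriptInterface'):
            _wv_report(results, path,
                       _wv_text('NO_JS_INT') + "<br>FILE: " + path, info)
            _wv_terminal(results, info, _wv_text('NO_JS_INT') + name)
        elif sdk < 17:
            # Only a minSdk below 17 is treated as a warning.
            _wv_report(results, path, _wv_text('BAD_JS_INT'), warn)
            _wv_terminal(results, warn,
                         _wv_text('TERMINAL_BAD_JS_INT') + " " + name + " "
                         + _wv_poc_hint('BAD_JS_INT'))
        else:
            _wv_report(results, path,
                       _wv_text('OK_JS_INT') + name + "<br>FILE: " + path,
                       info)
            _wv_terminal(results, info, _wv_text('OK_JS_INT'))

        # --- DOM storage ------------------------------------------------------
        if found(sl, '.setDomStorageEnabled(true)'):
            _wv_report(results, path,
                       _wv_text('DOM_STORAGE_EN') + name + "<br>FILE: " + path,
                       info, (IS_DOM_STORAGE_ENABLED, True))
            _wv_terminal(results, info, _wv_text('DOM_STORAGE_EN'))
        else:
            _wv_report(results, path,
                       _wv_text('DOM_STORAGE_DIS') + "<br>FILE: " + path,
                       info, (IS_DOM_STORAGE_ENABLED, False))
            _wv_terminal(results, info, _wv_text('DOM_STORAGE_DIS') + name)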