Fragile Data visibility & Performing actions with respect to the target

Fragile Data visibility & Performing actions with respect to the target

As much as this aspect, we’re able to launch the OkCupid mobile application utilizing a deep website website website link, containing a malicious JavaScript rule into the area parameter. The after screenshot shows the ultimate XSS payload which loads jQuery and then lots JavaScript rule through the attacker’s server: (please be aware top of the part offers the XSS payload plus the base section is the identical payload encoded with URL encoding):

The screenshot that is following an HTTP GET demand containing the ultimate XSS payload (part parameter):

The host replicates the payload sent earlier into the day in the area parameter as well as the injected JavaScript code is performed when you look at the context of this WebView.

As previously mentioned before, the last XSS payload lots a script file through the attacker’s host. (more…)

Continue Reading Fragile Data visibility & Performing actions with respect to the target