module

Android Open Source Platform (AOSP) Browser UXSS

Try Surface Command
Back to search
Disclosed
Oct 4, 2014
Created
May 30, 2018

Description

This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
all versions of Android's open source stock browser before 4.4, and Android apps running
on to scrape both cookie data and page contents from a vulnerable browser window.

Target URLs that use X-Frame-Options can not be exploited with this vulnerability.

Some sample UXSS scripts are provided in data/exploits/uxss.

Authors

Rafay Baloch
joev [email protected]

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use auxiliary/gather/android_object_tag_webview_uxss
    msf auxiliary(android_object_tag_webview_uxss) > show actions
        ...actions...
    msf auxiliary(android_object_tag_webview_uxss) > set ACTION < action-name >
    msf auxiliary(android_object_tag_webview_uxss) > show options
        ...show and set options...
    msf auxiliary(android_object_tag_webview_uxss) > run
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today