# LAB - XSS in Android

In this lab environment, you will get access to a Debian machine, which has all the required tools installed on it for this lab, along with an Android emulator. To start the Android emulator, run the "startemulator.sh" script present at "/root/Desktop."

**Objective:** Find and exploit the XSS vulnerability in the vulnerable APK.

The following Android application can be useful:

* allsafe.apk: Intentionally vulnerable Android application. (Pre-installed on the emulator).

### Tools

* **adb:** Android Debug Bridge is a versatile command-line tool that allows developers and users to interact with Android devices and emulators. It's part of the Android SDK Platform-Tools package and provides a range of functionalities for debugging, testing, and managing Android devices.
* **Jadx:** Jadx is a popular open-source tool used for decompiling and analyzing Android application packages (APKs). It allows developers and security researchers to reverse-engineer APK files to understand their inner workings, extract resources such as source code, images, and other assets, and analyze the app's behavior.

***

First, start the Android emulator with `./startemulator.sh`

<figure><img src="/files/yUd4rLdk8ac98k9U3fDz" alt=""><figcaption></figcaption></figure>

## Get APK

Now, while the emulator is running, we extract the "Allsafe" app from it so we can analyse it offline. Start by listing every installed package together with the path of its APK:

```bash
# List all installed packages with the path of their APK (-f)
adb shell pm list packages -f
```

<figure><img src="/files/PmZLFxypn6a7Be8ERSQy" alt=""><figcaption></figcaption></figure>

> We have a list of all the packages

Let's narrow this list down to the package of the "Allsafe" app:

```bash
# Filter the package list to entries matching "allsafe"
adb shell pm list packages -f "allsafe"
```

<figure><img src="/files/8aKXHWUd7G5SgmsZtG92" alt=""><figcaption></figcaption></figure>

Now, let's pull this package from the emulator to obtain the APK file (the path is the one printed by the previous command):

```bash
adb pull /data/app/~~oZ0lNhDdkIp2NaWMhGczgw==/infosecadventures.allsafe-ttByxQb49HI7GiOb62XhPQ==/base.apk /root/Desktop/
```

<figure><img src="/files/KXrlSnzlesjG4Pf0xd8O" alt=""><figcaption></figcaption></figure>

## Jadx Tool Inspect

With the APK file obtained, we can use jadx-gui to decompile it and read the source:

```bash
jadx-gui base.apk
```

### XSS Identification

Now examine the code: click the search icon, search for the text "`setJavaScriptEnabled`", select the matching node and click "Open".

<figure><img src="/files/WiJPeB0g6uuSK5bxMfbB" alt=""><figcaption></figcaption></figure>

Here we can see that the code is vulnerable to XSS, because:

* JavaScript is enabled via: `settings.setJavaScriptEnabled(true);`
* User input is loaded directly into the WebView as HTML with: `webView.loadData(payload.getText().toString(), "text/html", "UTF-8");`
* There is no sanitization or validation of the `payload` input, so script tags are rendered and executed.
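To make the defect concrete, the following is an added example (it is not Allsafe's own code, only a reconstruction of the pattern the three points above describe) that places the vulnerable WebView setup next to a hardened version. The class name `PayloadActivity`, the field names and the resource ids `R.id.web_view` / `R.id.payload` are assumptions.

```java
// Added example: the vulnerable WebView pattern described above beside a hardened one.
// Class, field and resource names are assumptions, not identifiers from the Allsafe app.
import android.os.Bundle;
import android.text.TextUtils;
import android.util.Base64;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.widget.EditText;
import androidx.appcompat.app.AppCompatActivity;
import java.nio.charset.StandardCharsets;

public class PayloadActivity extends AppCompatActivity {
    private WebView webView;
    private EditText payload; // user-controlled text, as on the lab screen

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_payload); // assumed layout
        webView = findViewById(R.id.web_view);     // assumed id
        payload = findViewById(R.id.payload);      // assumed id
    }

    // Vulnerable pattern: JavaScript enabled and the raw input rendered as HTML,
    // so a <script> element typed by the user is executed by the WebView.
    void renderUnsafe() {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        webView.loadData(payload.getText().toString(), "text/html", "UTF-8");
    }

    // Hardened pattern: JavaScript stays off (this screen does not need it) and the
    // input is HTML-escaped, so "<script>" is shown as text instead of being parsed.
    void renderSafe() {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);   // no file:// reads from the page either
        String escaped = TextUtils.htmlEncode(payload.getText().toString());
        String body = "<html><body><pre>" + escaped + "</pre></body></html>";
        // loadData() treats the string as the body of a data: URL, where '#' and '%'
        // have special meaning; passing it base64-encoded sidesteps that handling.
        String b64 = Base64.encodeToString(body.getBytes(StandardCharsets.UTF_8), Base64.NO_WRAP);
        webView.loadData(b64, "text/html", "base64");
    }
}
```

`renderUnsafe()` reproduces the three conditions listed above; `renderSafe()` removes two of them (script execution and unescaped markup). In a real app the question to ask first is whether a WebView is needed at all for displaying user text, since a `TextView` cannot execute script.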

<figure><img src="/files/Oxc5NOD9LZkRiCFh22Ga" alt=""><figcaption></figcaption></figure>

### XSS Execution

Knowing this, we can run the app and try a basic HTML injection and then a basic XSS payload in the input field:

<figure><img src="/files/OSTsl8cG4IDmnyw4cZPY" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mwv9IMlbOVDLvdzSw7ez" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tjkzCCuem7UgoM9aPlZb" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xUXzyQLY1vCSG5JuLN9Z" alt=""><figcaption></figcaption></figure>
