CVE-2021–21136: Insufficient policy enforcement in WebView

The tale of identifying a vulnerability in the Android Webview component and obtaining CVE-2021–21136

Some time back, while analyzing a security issue, I thought of learning the behavior of a few WebView APIs. During the research, I discovered that in a specific scenario Android WebViews may leak sensitive data such as a user’s auth tokens, API secrets, etc. to a third party. This Medium blog captures the technical details of the identified security issue.

I would start this story by brushing up on some fundamentals so that people new to the Android world can understand the issue. Folks familiar with Android WebViews can skip the next section.

Android Webviews


The behaviour of retaining Auth headers by OkHttp during redirection

Are you an Android developer who is inclined towards security, or an application security person who is keen to connect multiple dots to identify a cool security bug? Were you unaware that OkHttp, the friend of Android developers, retains auth headers during redirection? If yes, then this story would be interesting for you. It talks about the behaviour of OkHttp retaining auth headers during redirection to third-party domains.

To better understand this, let us first brush up on some fundamentals around the issue. …


The Secrets of Avoiding Hardcoded Secrets

I remember the early days of my application security journey, when we used to identify hardcoded secrets in the backend code in almost every source code review engagement. At that time I used to struggle a lot to come up with the best remediation, considering the cost and the overall architecture.

Based on a little experience of learning and unlearning things around this very common issue of hardcoded secrets, I thought of writing something on this. In this story, I would be discussing the issue of hardcoded secrets and the ways in which we can effectively resolve it.


A Simple Python Utility To Perform Passive Enumeration On Android Binaries

Reconnaissance is indeed the most critical and time-consuming phase of a penetration test. In this phase, we collect as much information as possible about the target. The more information we have, the greater the chances of successful exploitation.

Over the past few years, I have had multiple experiences where the mobile front of an application is missing fundamental security practices whereas the corresponding web application is far more robust. This is definitely an area of opportunity for red teamers, penetration testers and bug bounty hunters, wherein they could identify some cool security issues.

With all that in mind and COVID-19…


Utilities That Might Help You Earn/Save Few Hundred Thousand Dollars! 🤑

AWS is indeed a leading cloud platform and is widely used for various types of cloud services by tech giants such as Netflix, Airbnb, Lyft, Deliveroo, etc. In this story, I would be talking about the automated detection of AWS NS Takeover, a security issue related to a misconfiguration in the AWS Route 53 service. The tool can be used by Infrastructure Security Engineers, DevSecOps Engineers, Penetration Testers and Bug Bounty Hunters (🤑) for automated detection of NS Takeover.

If you are unaware of AWS NS Takeover, I strongly recommend that you first go through the following story to better understand the…


Ever wondered whether the deep links in your application are one of the doors for an attacker to crack your application?

In the current era of hybrid mobile architecture, WebViews and Deep Links are extensively used hand in hand. The former is used to deliver dynamic web content, while the latter is used to make applications more interactive.

In this story, we would be discussing the common security misconfiguration pertaining to the mingling of WebViews and Deep Links. We would mainly be discussing the amazing security research performed by Bagipro on Insufficient URL Validation, and we would end with some recommendations to mitigate this issue.

The story is also meant for the security evangelists…


For the people who say we are on the cloud and it is implicitly secure :P

From 101 to Detection and Exploitation!

I hope you have heard of the conventional subdomain takeover caused by a dangling CNAME entry. Recently, while going through these amazing blogs (Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean, and Subdomain Takeover: Going beyond CNAME), I got to know about this cool, non-conventional domain takeover which allows an adversary to have complete control over a vulnerable domain.

Prerequisite

Before we go ahead and get our hands dirty you need to have a fair understanding of the following concepts:

  1. DNS (Domain Name Service)
  2. Fundamentals of AWS (especially the Route 53 service)

The Misconfiguration


Are you still unsure regarding the security of your user’s device?

Friend of Security Engineers and Architects!

Android Leading Market Share

Android is leading the current era of mobility with more than 75% of the market share. Nowadays, mobile applications are not only used for leisure purposes but also for business-critical operations wherein there is a huge flow of sensitive data.

Although Android supports the beautiful concept of sandboxing, which disallows an application from accessing the data of any other application in the normal scenario, it is still suggested that applications dealing with sensitive data consider the edge cases in order to handle that data securely.

Android Keystore released in API level 18 came out to be as…

Shiv Sahni

Security Engineer |Security Consultant |Infosec Trainer | Author | Lecturer | Open Source Contributor | Learner https://www.linkedin.com/in/shivsahni/
