The UDF contains all passwords, sessions, bookmarks etc. WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one.
WebView2 can be used to steal all available cookies for the current user. Upon decoding the base64 blob, the cookies are revealed. The image below shows how cookies are extracted in base64 format after the user traverses to. This technique removes the need of having to spin up Evilginx2 or Modlishka but the obvious trade-off is that the user must execute the binary and authenticate. This allows an attacker to extract cookies after the user authenticates into the legitimate website. WebView2 also provides built-in functionality to extract cookies. The image below shows the keylogger successfully fetching the keystrokes. In the example below I use a custom-built WebView2 application that loads with an injected JavaScript keylogger. This means you can load up a target website and inject malicious JavaScript (e.g. Using a built-in WebView2 function, JavaScript can be easily injected into any website. The research was difficult and time consuming as I had to read a lot of documentation and do a lot of debugging to understand the internal workings of WebView2. My code uses a modified version of Microsoft’s WebView2 Samples repository. In this post I discuss and show how attackers can create WebView2 applications and use them for several purposes.
The main advantage of using WebView2 for attackers is the rich functionality it provides when phishing for credentials and sessions. The image below is an example of WebView2 being used in a legitimate Microsoft Office application. This is meant to improve desktop applications and provide them with additional capabilities for interaction with web applications. Essentially, WebView2 technology can be used to create an executable that can communicate with web applications similarly to a browser. IntroductionĪccording to Microsoft, “Microsoft Edge WebView2 control allows you to embed web technologies (HTML, CSS, and JavaScript) in your native apps”. Exploring WebView2 applications and how they can be used for credential and cookie theft.
0 kommentar(er)
