Locked WebView2 Cookie Stealer: Attacking With WebView2 Applications


itsMe

The main advantage of using WebView2 for attackers is the rich functionality it provides when phishing for credentials and sessions.

Stealing Chrome Cookies

WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one. The UDF contains all passwords, sessions, bookmarks, etc. Chrome’s UDF is located at C:\Users\<username>\AppData\Local\Google\Chrome\User Data. We can simply tell WebView2 to start the instance using this profile and upon launch extract all cookies and transfer them to the attacker’s server.

The only catch is that WebView2 looks for a folder called EBWebView instead of User Data (not sure why). Copy the User Data folder and rename it to EBWebView.

Important Functions

If you’d like to make modifications to the binary you’ll find information about the important functions below.

    AppStartPage.cpp – GetUri() function has the URL that is loaded upon binary execution.
    ScenarioCookieManagement.cpp – SendCookies() function contains the IP address and port where the cookies are sent.
    AppWindow.cpp – CallCookieFunction() function waits until the URL starts with https://www.office.com/?auth= and calls ScenarioCookieManagement::GetCookiesHelper(L"https://login.microsoftonline.com")
    WebView2APISample.rc – Cosmetic changes
        Remove the menu bar by setting all POPUP values to "".
        Change IDS_APP_TITLE and IDC_WEBVIEW2APISAMPLE. This is the name of the application in the title bar.
        Change IDI_WEBVIEW2APISAMPLE and IDI_WEBVIEW2APISAMPLE_INPRIVATE and IDI_SMALL. These point to a .ico file which is the icon for this application.
    Toolbar.cpp – itemHeight must be set to 0 to remove the top menu. This is already taken care of in this code.
    AppWindow.cpp – LoadImage() should be commented out. This hides the blue splash image. This is already taken care of in this code.
    App.cpp – new AppWindow(creationModeId, WebViewCreateOption(), initialUri, userDataFolder, false); change the last param value to true. This hides the toolbar. This is already taken care of in this code.
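
For defenders, the profile reuse described under "Stealing Chrome Cookies" leaves two observable signals: a process other than Chrome touching Chrome's User Data Folder, and the WebView2 runtime starting for an unexpected host application with a folder named EBWebView. The following detection sketch is an added example, not part of the original post or the tool; the event field names, the allowlist, and the sample events are constructed, and the `--webview-exe-name` and `--user-data-dir` arguments are assumed to appear on the `msedgewebview2.exe` command line as they normally do.

```python
import re
from pathlib import PureWindowsPath

# Chrome's profile path as given in the post, lowercased for matching.
CHROME_UDF = r"\appdata\local\google\chrome\user data"
# Assumption: hypothetical allowlist of apps expected to host WebView2 here.
ALLOWED_HOSTS = {"msteams.exe", "outlook.exe"}
ARG = re.compile(r'--(user-data-dir|webview-exe-name)=(?:"([^"]*)"|(\S+))')

def parse_webview_args(command_line):
    """Extract host executable name and user data folder from a command line."""
    return {name: quoted or bare for name, quoted, bare in ARG.findall(command_line)}

def review(events, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, event) pairs for events matching either signal."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if ev["type"] == "file_access":
            # Signal 1: something other than Chrome reads Chrome's UDF.
            if CHROME_UDF in ev["target"].lower() and image != "chrome.exe":
                findings.append(("non-chrome access to Chrome UDF", ev))
        elif ev["type"] == "process_create" and image == "msedgewebview2.exe":
            args = parse_webview_args(ev["command_line"])
            host = args.get("webview-exe-name", "").lower()
            udf = PureWindowsPath(args.get("user-data-dir", ""))
            # Signal 2: runtime started for an unexpected host with an EBWebView folder.
            if udf.name.lower() == "ebwebview" and host not in allowed_hosts:
                findings.append(("unexpected WebView2 host", ev))
    return findings

SAMPLE_EVENTS = [  # constructed for illustration
    {"type": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Preferences"},
    {"type": "file_access", "image": r"C:\Windows\System32\xcopy.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "process_create", "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "command_line": r'msedgewebview2.exe --embedded-browser-webview=1 --webview-exe-name=Updater.exe --user-data-dir="C:\Users\alice\Downloads\EBWebView"'},
    {"type": "process_create", "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "command_line": r'msedgewebview2.exe --embedded-browser-webview=1 --webview-exe-name=msteams.exe --user-data-dir="C:\Users\alice\AppData\Local\Packages\MSTeams\EBWebView"'},
]

if __name__ == "__main__":
    for reason, ev in review(SAMPLE_EVENTS):
        print(reason, "|", ev["image"])
```

Backup and endpoint-protection software also read browser profiles, so the first signal needs its own exclusions before it is used for alerting.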
