MobSF Stored Cross-Site Scripting Vulnerability in Android Manifest Analysis
Vulnerability
A stored cross-site scripting vulnerability has been identified in MobSF versions prior to 4.4.5. It allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The vulnerability arises because the 'android:host' attribute of '<data android:scheme="android_secret_code">' elements in the manifest is rendered into the HTML report without sanitization, so markup placed in that attribute is interpreted by the browser instead of being shown as text. This can lead to session hijacking and account takeover.
Impact
Successful exploitation results in stored cross-site scripting: the injected JavaScript runs in the browser session of any user who views the affected report.
Reproduction
To reproduce this vulnerability, upload an APK containing a malicious 'AndroidManifest.xml' file with a 'data' element that includes an 'android:host' attribute with a JavaScript payload. Once the APK is analyzed by MobSF, the payload will be executed when the report is viewed in a browser.
Remediation
Users can update to MobSF version 4.4.5, which addresses this vulnerability by sanitizing the 'android:host' attribute before it is rendered in the HTML report.
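The following is an added illustration, not MobSF's own code: it extracts 'android:host' values from a constructed manifest, contrasts the unescaped rendering pattern behind the bug with an escaped one, and adds a plausibility check on the host value (secret codes are dialled as *#*#<code>#*#*, so the host is expected to be the numeric code). The manifest, element names and helper functions are assumptions for the example.

```python
"""Added example (not MobSF's own code): parse android_secret_code hosts
from a constructed AndroidManifest.xml and render them into an HTML report
fragment with escaping, alongside the unsafe interpolation pattern."""
import html
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HOST_ATTR = f"{{{ANDROID_NS}}}host"
SCHEME_ATTR = f"{{{ANDROID_NS}}}scheme"
# A legitimate secret-code host is the dialable code itself; anything that
# contains other characters is worth flagging in the report.
SECRET_CODE_RE = re.compile(r"[0-9*#]+")

# Constructed manifest: one legitimate code and one host carrying markup,
# standing in for the kind of value the advisory describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <receiver android:name=".SecretCodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="1234"/>
        <data android:scheme="android_secret_code"
              android:host="&lt;b&gt;not a code&lt;/b&gt;"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def secret_code_hosts(manifest_xml: str) -> list[str]:
    """Return every android:host declared on an android_secret_code data element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(HOST_ATTR, "") for el in root.iter("data")
            if el.get(SCHEME_ATTR) == "android_secret_code"]


def render_unsafe(hosts: list[str]) -> str:
    """The pattern behind the bug: the attribute value is interpolated as-is."""
    return "".join(f"<li>{h}</li>" for h in hosts)


def render_safe(hosts: list[str]) -> str:
    """Hardened rendering: escape each host so markup is shown as text."""
    return "".join(f"<li>{html.escape(h, quote=True)}</li>" for h in hosts)


def suspicious_hosts(hosts: list[str]) -> list[str]:
    """Defensive check: hosts that do not look like a dialable secret code."""
    return [h for h in hosts if not SECRET_CODE_RE.fullmatch(h)]
```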
