Описание
MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
Summary
A Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from <data android:scheme="android_secret_code"> elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover.
Details
When MobSF analyzes an Android APK containing a <data> element with android:scheme="android_secret_code", it extracts the android:host attribute and inserts it directly into the analysis report without HTML escaping.
Vulnerable Code Path
1. Data Extraction - mobsf/StaticAnalyzer/views/android/manifest_analysis.py (line 776):
2. Template String Formatting - mobsf/StaticAnalyzer/views/android/manifest_analysis.py (line 806):
3. Template Definition - mobsf/StaticAnalyzer/views/android/kb/android_manifest_desc.py (line 200):
4. Unsafe Rendering - mobsf/templates/static_analysis/android_binary_analysis.html (line 1143):
The |safe Django template filter bypasses auto-escaping, allowing the unescaped android:host value to be rendered as raw HTML.
PoC
Step 1: Create Malicious APK
Create an APK with the following AndroidManifest.xml:
Step 2: Build the APK
Use apktool or Android build tools to create a valid APK with this manifest.
Step 3: Upload to MobSF
Upload the malicious APK to MobSF for static analysis.
Step 4: Trigger XSS
View the static analysis report in a browser. The JavaScript payload executes automatically.
Confirmed HTML Output
PoC APK Details
| Field | Value |
|---|---|
| Filename | POC_XSS_APK.apk |
| MD5 Hash | 647258656ed03a7e6a0f2acce4ec6a5b |
| Location | https://github.com/smaranchand/poc/raw/refs/heads/main/POC_XSS_APK.apk |
Impact
This is a Stored Cross-site Scripting (XSS) vulnerability affecting all MobSF users who analyze the results of the malicious APK file.
Attack Scenario
- Attacker crafts a malicious APK with XSS payload in the manifest
- Attacker submits APK to a shared MobSF instance or private mobsf instance.
- When any user views the analysis report, the XSS payload executes in their browser
Tested in MobSF Public Instance as well. https://mobsf.live/static_analyzer/647258656ed03a7e6a0f2acce4ec6a5b/
Ссылки
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj
- https://nvd.nist.gov/vuln/detail/CVE-2026-24490
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5
Пакеты
mobsf
< 4.4.5
4.4.5
Связанные уязвимости
MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue.