Lab - TokenBleed

This challenge is centered around a fictitious crypto exchange app and highlights a critical security flaw: an insecure WebView implementation that can lead to exfiltration of sensitive data and 1-click account takeover.

Outline
In this lab, you will abuse a misconfigured WebView to steal an authentication token just by sharing a link.

Objectives
Exfiltrate the JWT of another user remotely by leveraging a misconfigured WebView and JavaScript bridge.

Skills Required
  • Understanding of Android app development, especially WebView implementations.
  • Reverse engineering of Android apps.
  • Understanding of JavaScript-to-native bridges to exploit the issue.

Course Lessons