uxss vulnerability of browser provided by android wechat and qq

Posted by tzul at 2020-03-19

Note: download link of original PDF Report

Author: [email protected]

Date: 2016-02-29

1、 Vulnerability description

The X5 kernel of QQ browser, which is used by wechat and QQ browser on Android platform, has logical defects in handling IP and domain name hostnames, thus bypassing the browser policy and leading to uxss vulnerability.

2、 POC code and simple analysis

The code for poc.htm is as follows:

<iframe src=‘'><iframe>

When Android mobile users use wechat or QQ to access poc.htm, the code of /. page is as follows:



document.domain ='';



That is to say, when the URL of the IP address + ". + root domain is encountered, the URL will be automatically divided according to the IP address structure and accessed, while the JavaScript code parsed by the browser will be processed according to the current document.url, and the current document.domain will be considered as the sub domain of the root domain.

3、 Vulnerability demonstration

Test poc.htm wechat, QQ scan or click to visit URL

Note: wechat version No. is 6.3.8, QQ version No. is v6.1.0.2635

4、 Ideas of vulnerability utilization

5、 Possible influence surface and repair suggestions

When I first found this vulnerability, testing Android QQ browser was affected (later testing failed), so this vulnerability may affect other product lines that call QQ browser kernel, so it is recommended to fix and deal with this vulnerability on the core of QQ browser X5. The specific repair can judge and handle the IP structure symbol ".

6、 Vulnerability timeline