The main advantage of using WebView2 for attackers is the rich functionality it provides when phishing for credentials and sessions. In this post I discuss and show how attackers can create WebView2 applications and use them for several purposes. My code uses a modified version of Microsoft’s WebView2 Samples repository. The research was difficult and time consuming as I had to read a lot of documentation and do a lot of debugging to understand the internal workings of WebView2.
In the example below I use a custom-built WebView2 application that loads
WebView2 also provides built-in functionality to extract cookies. This allows an attacker to extract cookies after the user authenticates into the legitimate website. This technique removes the need of having to spin up Evilginx2 or Modlishka but the obvious trade-off is that the user must execute the binary and authenticate.
Exfiltrating Cookies Example
The image below shows how cookies are extracted in base64 format after the user traverses to
Stealing Chrome Cookies
WebView2 can be used to steal all available cookies for the current user. This was successfully tested on Chrome.
WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one. The UDF contains all passwords, sessions, bookmarks etc. Chrome’s UDF is located at
C:\Users\<username>\AppData\Local\Google\Chrome\User Data. We can simply tell WebView2 to start the instance using this profile and upon launch extract all cookies and transfer them to the attacker’s server.
The only catch is that WebView2 looks for a folder called
EBWebView instead of
User Data (not sure why). Make a copy of the
User Data folder and rename it to
Extracting All Cookies
The image below shows how I was able to load my Chrome UDF and extract all cookies. This functionality is not implemented in the code uploaded to my GitHub repo but it is trivial to implement and the GitHub README explains what needs to be modified in order to get this functionality working.
I uploaded the code for an O365 WebView2 application which loads
www.office.com/login on execution and upon the user successfully authenticating, the base64 encoded cookies of
www.office.com are sent to the attacker via an HTTP GET request.
The code has been uploaded onto my Github. Feel free to use it in your future engagements or modify it as required. The README explains everything in case you’d like to modify it for a different use case.
You can extend the functionality to the existing WebView2 application to also gain remote access. But currently the binary only utilizes legitimate functionality provided by Microsoft. This will probably make it more difficult to be flagged by security solutions.