The Hole in Sandbox: Escape Modern Web-Based App Sandbox From Site-Isolation Perspective
How attackers escape the sandbox of web-based apps through site-isolation gaps, universal XSS, deep links and privileged-interface abuse, with the attack chains that result and the defensive practices that break them.
- Modern web-based applications often embed Chromium-based browser components such as CEF (Chromium Embedded Framework) and Android WebView; these inherit the engine's bugs and, despite the renderer sandbox, can expose the host application
- Site Isolation is a critical security feature that assigns separate render processes to different sites (scheme plus registrable domain), so a compromised renderer cannot read another site's data; many web-based apps, especially on Android, do not enable it fully
- Universal Cross-Site Scripting (UXSS) vulnerabilities remain a persistent threat: a bug in the browser engine itself lets an attacker run JavaScript in the context of any origin, with no flaw required in the target site's own server-side code
- Key attack vectors include:
  - Render process RCE (remote code execution inside the sandboxed renderer)
  - Bypassing Same-Origin Policy (SOP) checks
  - Exploiting privileged application interfaces (native bridges exposed to page JavaScript)
  - Using deep links to launch malicious activities
- Common weaknesses in web-based apps:
  - Reuse of render processes, so attacker-controlled content and privileged content share one process
  - SOP checks implemented in the render process instead of the browser process, so a compromised renderer can simply skip them
  - Insufficient domain restrictions on privileged interfaces (missing or loosely matched allowlists of the origins permitted to call them)
  - Lack of strict site isolation on mobile platforms
- Security recommendations:
  - Make site isolation configurable so that privileged domains always get a render process of their own
  - Keep high-risk operations in immutable code, out of reach of a compromised render process
  - Restrict the privileges of JavaScript interfaces and the origins allowed to call them
  - Properly isolate web content loaded by different activities
  - Patch supply-chain vulnerabilities in the embedded browser component promptly
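The following is an added example, not code from the talk or from any vendor's app. It models in plain JavaScript three of the weaknesses listed above, and the two recommendations that address them, so their effect can be checked on realistic URLs: a loosely matched host allowlist on a privileged bridge, a bridge that trusts the origin string the renderer reports, and render-process reuse that lets a compromised renderer act on behalf of a privileged frame. Every name here (PRIVILEGED_HOSTS, the *.example URLs, BrowserProcess, the pid numbering) is an assumption made for the illustration, and the site computation is a deliberate simplification of what real Site Isolation does.

```javascript
// Added example (not from the talk or any vendor's code): a toy model of a
// browser process hosting a privileged JavaScript bridge. All names and URLs
// below are constructed for illustration.

// Hosts allowed to call the privileged native bridge (constructed allowlist).
const PRIVILEGED_HOSTS = new Set(["store.vendor.example", "account.vendor.example"]);

// Weak host restriction: substring match. Accepts lookalike hosts such as
// vendor.example.evil.example and any URL carrying the string in its query.
function weakHostCheck(url) {
  return url.includes("vendor.example");
}

// Strict host restriction: parse the URL, require https and an exact hostname.
function strictHostCheck(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false; // unparsable input never gets privilege
  }
  return u.protocol === "https:" && PRIVILEGED_HOSTS.has(u.hostname);
}

// Site key used for process assignment: scheme plus registrable domain.
// Simplification: takes the last two hostname labels instead of consulting
// the public suffix list that real Site Isolation uses.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

// Minimal model of the browser process: it records committed navigations,
// assigns frames to render processes, and hosts the privileged bridge.
class BrowserProcess {
  constructor({ siteIsolation }) {
    this.siteIsolation = siteIsolation;
    this.frames = new Map(); // frameId -> { url, pid }
    this.processBySite = new Map(); // site -> pid
    this.nextPid = 1;
  }

  // Commit a navigation and return the pid of the renderer hosting the frame.
  navigate(frameId, url) {
    let pid = 1; // process reuse: every frame shares one renderer
    if (this.siteIsolation) {
      const site = siteOf(url);
      if (!this.processBySite.has(site)) this.processBySite.set(site, this.nextPid++);
      pid = this.processBySite.get(site);
    }
    this.frames.set(frameId, { url, pid });
    return pid;
  }

  // Weak bridge: the origin check runs on a URL string the renderer supplies,
  // which a compromised renderer can set to anything (callerPid is ignored).
  bridgeTrustingRenderer(callerPid, claimedUrl) {
    return strictHostCheck(claimedUrl);
  }

  // Better bridge: the browser process looks up the frame it committed itself
  // and verifies that the calling process actually hosts that frame.
  bridgeTrustingBrowser(callerPid, frameId) {
    const frame = this.frames.get(frameId);
    if (!frame || frame.pid !== callerPid) return false;
    return strictHostCheck(frame.url);
  }
}

// Scenario: a renderer compromised through attacker content (render-process
// RCE or UXSS) tries to reach the bridge while a privileged page is also open.
function attackOutcomes({ siteIsolation }) {
  const bp = new BrowserProcess({ siteIsolation });
  const attackerPid = bp.navigate("tab-attacker", "https://evil.example/landing");
  bp.navigate("tab-store", "https://store.vendor.example/app");
  return {
    lookalikePassesWeakCheck: weakHostCheck("https://vendor.example.evil.example/"),
    lookalikePassesStrictCheck: strictHostCheck("https://vendor.example.evil.example/"),
    claimedOriginAccepted: bp.bridgeTrustingRenderer(attackerPid, "https://store.vendor.example/app"),
    // With process reuse the attacker's pid also hosts the store frame, so even
    // the browser-side check cannot tell the two apart; site isolation fixes it.
    storeFrameReachable: bp.bridgeTrustingBrowser(attackerPid, "tab-store"),
  };
}

console.log("process reuse:  ", attackOutcomes({ siteIsolation: false }));
console.log("site isolation: ", attackOutcomes({ siteIsolation: true }));
```

Run it with `node` and compare the two printouts: the lookalike host and the renderer-claimed origin pass regardless of isolation mode, which is why the host check must parse the URL and why the bridge must never take the caller's origin from the renderer. The privileged store frame stays reachable from the compromised process only in the process-reuse configuration, which is the case for a configurable, always-on site isolation for privileged domains.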
- Attack chains often combine multiple techniques:
  - Browser component vulnerabilities
  - Universal XSS
  - Deep link manipulation
  - Silent app installation/execution
  - Privileged interface abuse
- Pre-installed vendor apps and app stores are particularly attractive targets because they run with elevated privileges (silent installation among them) and expose large, complex functionality to web content