Update descriptions to mention Webview bugginess.

jvennix-r7 · jvennix-r7 · commit 6dc13f90cdbe · 2014-10-30T10:55:56.000-05:00
diff --git a/modules/auxiliary/gather/android_object_tag_webview_uxss.rb b/modules/auxiliary/gather/android_object_tag_webview_uxss.rb
@@ -16,11 +16,13 @@ def initialize(info = {})
       'Name'           => 'Android Open Source Platform (AOSP) Browser UXSS',
       'Description'    => %q{
         This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
-        all versions of Android's open source stock browser before Android 4.4. If successful,
-        an attacker can leverage this bug to scrape both cookie data and page contents from a
-        vulnerable browser window.
+        all versions of Android's open source stock browser before 4.4, and Android apps running
+        on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
+        to scrape both cookie data and page contents from a vulnerable browser window.
 
         Target URLs that use X-Frame-Options can not be exploited with this vulnerability.
+
+        Some sample UXSS scripts are provided in data/exploits/uxss.
       },
       'Author'         => [
         'Rafay Baloch', # Original discovery, disclosure
diff --git a/modules/auxiliary/gather/android_stock_browser_uxss.rb b/modules/auxiliary/gather/android_stock_browser_uxss.rb
@@ -15,9 +15,9 @@ def initialize(info = {})
       'Name'           => 'Android Open Source Platform (AOSP) Browser UXSS',
       'Description'    => %q{
         This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
-        all versions of Android's open source stock browser before Android 4.4. If successful,
-        an attacker can leverage this bug to scrape both cookie data and page contents from a
-        vulnerable browser window.
+        all versions of Android's open source stock browser before 4.4, and Android apps running
+        on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
+        to scrape both cookie data and page contents from a vulnerable browser window.
 
         If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
         which will cause a popup window to be used. This requires a click from the user
