GET /.well-known/assetlinks.json

Android App Links manifest. Android verifies app links by checking SHA-256 fingerprints, package_name, and relation strings against a strict schema. These modes break each of those.

mode wrong-fingerprint-format (default; fingerprint without colon delimiters), package-mismatch (fictional package_name), unknown-relation (invented permission relation string), malformed-json (truncated JSON array).

build a request:

assetlinks flaw

expect: 200 OK with Content-Type: application/json. wrong-fingerprint-format omits the colon delimiters Android expects; package-mismatch uses a fictional package_name; unknown-relation invents a permission string; malformed-json truncates the response. X-Chaos-Assetlinks-Mode reflects the selection.

bash

curl -i 'https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format'

import urllib.request
resp = urllib.request.urlopen("https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format")
print(resp.status, resp.headers["X-Chaos-Assetlinks-Mode"])
print(resp.read().decode())

const res = await fetch("https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format");
console.log(res.status, res.headers.get("x-chaos-assetlinks-mode"));
console.log(await res.text());

package main

import (
    "fmt"
    "io"
    "net/http"
)

func main() {
    resp, _ := http.Get("https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format")
    defer resp.Body.Close()
    body, _ := io.ReadAll(resp.Body)
    fmt.Println(resp.StatusCode, resp.Header.Get("X-Chaos-Assetlinks-Mode"))
    fmt.Println(string(body))
}

fn main() -> Result<(), Box> {
    let resp = reqwest::blocking::get("https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format")?;
    println!("{} {:?}", resp.status(), resp.headers().get("x-chaos-assetlinks-mode"));
    println!("{}", resp.text()?);
    Ok(())
}

import java.net.URI;
import java.net.http.*;

public class BotsAssetlinks {
    public static void main(String[] args) throws Exception {
        var client = HttpClient.newHttpClient();
        var req = HttpRequest.newBuilder(URI.create("https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format")).build();
        var resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode() + " " +
            resp.headers().firstValue("X-Chaos-Assetlinks-Mode").orElse(""));
        System.out.println(resp.body());
    }
}

using var client = new HttpClient();
var resp = await client.GetAsync("https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format");
resp.Headers.TryGetValues("X-Chaos-Assetlinks-Mode", out var mode);
Console.WriteLine($"{(int)resp.StatusCode} {mode?.FirstOrDefault()}");
Console.WriteLine(await resp.Content.ReadAsStringAsync());

require "net/http"
res = Net::HTTP.get_response(URI("https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format"))
puts "#{res.code} #{res['X-Chaos-Assetlinks-Mode']}"
puts res.body

$r = Invoke-WebRequest -Uri 'https://bots.catastrophic.io/.well-known/assetlinks.json?mode=wrong-fingerprint-format'
$r.Headers['X-Chaos-Assetlinks-Mode']
$r.Content