CAPEC-503 Detail

WebView Exposure

Standard Software

Parents: 122

Threats: T72 T280 T293 T386 T399

Description

An adversary, through a malicious web page, accesses application-specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to a WebView through addJavascriptInterface, it becomes global, and every page loaded in that WebView can call it.

| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-503 | capec | https://capec.mitre.org/data/definitions/503.html | |
| CWE-284 | cwe | http://cwe.mitre.org/data/definitions/284.html | |
| REF-430 | reference_from_CAPEC | http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf | Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin, Attacks on WebView in the Android System, 2011, Annual Computer Security Applications Conference (ACSAC) |

  1. This type of attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page will have the same permissions as the target application and will have access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed.
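
The exposure described above, next to a restricted registration, as an added example that is not part of the CAPEC entry. `BridgeSetup`, `AppBridge`, the `bridge` name and `TRUSTED_HOST` are hypothetical, and the sample return value is constructed.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class BridgeSetup {
    private static final String TRUSTED_HOST = "app.example.com"; // assumed first-party host

    /** Object exposed to page JavaScript; only annotated methods are callable (API 17+). */
    public static final class AppBridge {
        @JavascriptInterface
        public String getDisplayName() { return "constructed-sample-user"; }
    }

    /** True only for HTTPS URLs on the trusted host. */
    static boolean isTrusted(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    // Exposed pattern: the bridge is registered, then an arbitrary URL is loaded.
    static void configureExposed(WebView webView, String anyUrl) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "bridge");
        webView.loadUrl(anyUrl); // every page loaded here can call bridge.*
    }

    // Restricted pattern: the bridge exists only in a WebView kept on the trusted origin.
    static void configureRestricted(WebView webView, String requestedUrl) {
        Uri start = Uri.parse(requestedUrl);
        if (!isTrusted(start)) {
            return; // refuse untrusted start pages in this WebView
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true cancels the navigation
            }
        });
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "bridge");
        webView.loadUrl(start.toString());
    }
}
```

The registered object is injected into every frame of the page, so the trusted origin must not embed untrusted content in iframes. The `WebResourceRequest` overload of `shouldOverrideUrlLoading` requires API 24 or later.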
