Home > CAPEC List > CAPEC-500: WebView Injection (Version 2.11)  

CAPEC-500: WebView Injection

WebView Injection
Definition in a New Window Definition in a New Window
Attack Pattern ID: 500
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.

+ Attack Prerequisites
  • An adversary must be able install a purpose built malicious application onto the device and convince the user to execute it. The malicious application is designed to target a specific web application and is used to load the target web pages via the WebView component. For example, an adversary may develop an application that interacts with Facebook via WebView and adds a new feature that a user desires. The user would install this 3rd party app instead of the Facebook app.

+ Solutions and Mitigations

The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed.

+ References
[REF-52] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang and Heng Yin. "Attacks on WebView in the Android System". Annual Computer Security Applications Conference (ACSAC). 2011. <http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017