CAPEC-503: WebView Exposure (Version 2.11)

Attack Pattern ID: 503
Abstraction: Standard
Status: Draft
Completeness: Stub
+ Summary

An adversary, through a malicious web page, accesses application-specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to a WebView through addJavascriptInterface, it becomes global, and every page loaded in that WebView can call it.

+ Attack Prerequisites
  • This type of attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page has the same permissions as the target application and has access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed.

+ Solutions and Mitigations

To mitigate this type of attack, an application should limit its permissions to only those it requires and should verify the origin of all web content it loads.
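One way to apply the origin check on Android, as an added example that is not part of the CAPEC entry: the WebView that holds the registered interface only navigates to an allowlisted HTTPS host. The class name `TrustedWebViewSetup`, the bridge `AppBridge`, and the host `app.example.com` are assumptions made for illustration.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

// Added example; class, bridge and host names are hypothetical.
public final class TrustedWebViewSetup {
    // Constructed allowlist: exact host match, HTTPS only.
    private static final Set<String> TRUSTED_HOSTS =
            Collections.singleton("app.example.com");

    static boolean isTrusted(Uri uri) {
        if (uri == null || uri.getHost() == null) return false;
        return "https".equalsIgnoreCase(uri.getScheme())
                && TRUSTED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    // Keep the bridge narrow: expose only what trusted pages need.
    // Only public methods annotated @JavascriptInterface are callable from page script.
    static final class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    public static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation, keeping untrusted
                // pages out of the WebView that holds the bridge.
                return !isTrusted(request.getUrl());
            }
        });
        // The object is injected into every frame of the loaded page,
        // including iframes, so trusted pages must not embed untrusted content.
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
    }

    // Apply the same check to URLs the app itself loads (e.g. from an Intent).
    public static void load(WebView webView, String url) {
        if (url != null && isTrusted(Uri.parse(url))) {
            webView.loadUrl(url);
        }
    }
}
```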

+ References
[REF-52] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang and Heng Yin. "Attacks on WebView in the Android System". Annual Computer Security Applications Conference (ACSAC). 2011. <http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf>.
+ Content History
Submission: CAPEC Content Team, The MITRE Corporation, 2014-06-23, Internal_CAPEC_Team

Page Last Updated or Reviewed: August 04, 2017