New to CAPEC? Start Here
Home > CAPEC List > CAPEC-500: WebView Injection (Version 3.9)  

CAPEC-500: WebView Injection

Attack Pattern ID: 500
Abstraction: Detailed
View customized information:
+ Description
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.
+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.253Remote Code Inclusion
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Determine target web application: An adversary first needs to determine what web application they wish to target.

    Target web applications that require users to enter sensitive information.
    Target web applications that an adversary wishes to operate on behalf of a logged in user.
  1. Create malicious application: An adversary creates an application, often mobile, that incorporates a WebView component to display the targeted web application. This malicious application needs to downloaded by a user, so adversaries will make this application useful in some way.

    Create a 3rd party application that adds useful functionality to the targeted web application. Victims will download the application as a means of using the targeted web application.
    Create a fun game that at some point directs a user to the targeted web application. For example, prompt the user to buy in game currency by directing them to PayPal.
  2. Get the victim to download and run the application: An adversary needs to get the victim to willingly download and run the application.

    Pay for App Store advertisements
    Promote the application on social media, either through accounts made by the adversary or by paying for other accounts to advertise.
  1. Inject malicious code: Once the victim runs the malicious application and views the targeted web page in the WebView component, the malicious application will inject malicious JavaScript code into the web application. This is done by using WebView's loadURL() API, which can inject arbitrary JavaScript code into pages loaded by the WebView component with the same privileges. This is often done by adding a script tag to the document body with a src destination to a remote location that serves malicious JavaScript code.

    Execute operations on the targeted web page on behalf of an authenticated user.
    Steal cookie information from the victim.
    Add in extra fields to the DOM in an attempt to get a user to divulge sensitive information.
+ Prerequisites
An adversary must be able install a purpose built malicious application onto the device and convince the user to execute it. The malicious application is designed to target a specific web application and is used to load the target web pages via the WebView component. For example, an adversary may develop an application that interacts with Facebook via WebView and adds a new feature that a user desires. The user would install this 3rd party app instead of the Facebook app.
+ Mitigations
The only known mitigation to this type of attack is to keep the malicious application off the system. There is nothing that can be done to the target application to protect itself from a malicious application that has been installed and executed.
+ References
[REF-430] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang and Heng Yin. "Attacks on WebView in the Android System". Annual Computer Security Applications Conference (ACSAC). 2011. <>.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
(Version 3.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018