AttackFlow Findings Dictionary


Insecure Web View Settings

A malicious web site loaded in the WebView can access the application's local storage and execute arbitrary JavaScript in the context of the application.

Severity

High

Fix Cost

Medium

Trust Level

Medium

Android provides the WebView component, an embedded browser used to load external web sites inside an Activity's interface. Some WebView settings can leave the application vulnerable to authorization and injection problems, such as loading local application files or cross-site scripting.

The code below enables JavaScript execution for whatever content is loaded into the WebView. If the supplied URL is not trusted, malicious JavaScript can run. Combined with access to local file resources through the file: scheme and sufficient permissions, this can lead to theft of sensitive data.

// Vulnerable pattern flagged by this finding: JavaScript is enabled for
// any content the WebView loads.
WebSettings settings = webView.getSettings();
settings.setJavaScriptEnabled(true);

// The "URL" extra can be set by any component able to send this Intent;
// it is loaded without any scheme or host validation.
String extURL = getIntent().getStringExtra("URL");
webView.loadUrl(extURL);
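The hardened counterpart of the snippet above, written here as an added example rather than code from AttackFlow or from the finding: JavaScript stays off, file: and content: access is disabled, the Intent-supplied URL is checked against an https host allow-list before loading, and the same allow-list is enforced on every later navigation through a WebViewClient. The host names are constructed placeholders, and the WebResourceRequest overload of shouldOverrideUrlLoading assumes minSdkVersion 24 or higher.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {

    // Hosts the embedded browser may render. Placeholder values constructed
    // for this example; replace with the hosts the application really needs.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "help.example.com"));

    // Known-good page used when the Intent does not carry an acceptable URL.
    private static final String DEFAULT_URL = "https://app.example.com/";

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Keep JavaScript disabled unless a specific allow-listed page needs it.
        settings.setJavaScriptEnabled(false);
        // Refuse file:// and content:// loads so a page cannot read app-private files.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        // Deny cross-origin access from file:// pages (deprecated since API 30,
        // still relevant for older targets).
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Enforce the allow-list on every navigation, not only the first load.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isAllowed(request.getUrl());
            }
        });

        // The Intent extra is externally controllable: validate before loading.
        String extURL = getIntent().getStringExtra("URL");
        Uri target = (extURL == null) ? null : Uri.parse(extURL);
        webView.loadUrl(isAllowed(target) ? target.toString() : DEFAULT_URL);
    }

    /** Accepts only https URLs whose host is on the allow-list. */
    static boolean isAllowed(Uri uri) {
        if (uri == null) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // javascript:, file:, content: and http: inputs all fail the scheme check;
        // an https URL for an unknown host fails the host check.
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

Checking both the initial load and each subsequent navigation matters: an allow-listed page can still redirect or link elsewhere, and the WebViewClient is the only place that sees those later requests.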
