Port MASTG-TEST-0033: Native code Exposed Through WebViews #3494
…text traffic and JavaScript bridges
…test failure conditions
…d enhance MASTG-BEST-0012 documentation
…d enhance MASTG-BEST-0012 documentation Base on discussion OWASP#2425
…improve HTML structure
… regarding WebView security risks
…dditional findings
| - pattern: $WEBVIEW.addJavascriptInterface($BRIDGE, $NAME) | ||
| - pattern: "@JavascriptInterface $RETURN_TYPE $FUNCTION (...){...}" No newline at end of file |
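Review bot: the two `pattern:` entries shown here match different constructs (a call to `addJavascriptInterface` and an annotated method declaration), so they can never both match the same code range. Make sure they sit under `pattern-either:` rather than `patterns:`, otherwise the rule will report nothing. The file also ends without a trailing newline (the `No newline at end of file` marker on the last line); add one.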
I tried to match the whole Bridge class with a pattern like the following, but without much success
```yaml
patterns:
  - pattern: $_.addJavascriptInterface(new $BRIDGE (...), $_)
  - pattern: class $BRIDGE { ... }
```
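The correlation the comment above is after (tie the class passed to `addJavascriptInterface` to the `@JavascriptInterface` methods it declares), done outside Semgrep as an added example that is not part of this PR or the MASTG rule. The sample Java source, its class names, and the helper names `class_bodies` and `exposed_methods` are constructed for illustration; it assumes the bridge is instantiated inline with `new` and the JavaScript name is a string literal.

```python
import re

# Constructed sample source (not from the PR): one registered bridge, one unregistered class.
SAMPLE_JAVA = '''
class MainActivity {
    void setup(WebView webView) {
        webView.addJavascriptInterface(new TokenBridge(this), "Android");
    }
}
class TokenBridge {
    @JavascriptInterface
    public String getToken() { return "t"; }
    public void internalOnly() {}
}
class Unused {
    @JavascriptInterface
    public void ping() {}
}
'''

# Registration of an inline-constructed bridge: captures (class name, JavaScript object name).
REGISTER = re.compile(r'\.addJavascriptInterface\(\s*new\s+(\w+)\s*\(.*?\)\s*,\s*"([^"]*)"\s*\)')
CLASS = re.compile(r'\bclass\s+(\w+)[^{]*\{')
# Annotated method: skips modifiers and return type, captures the method name.
METHOD = re.compile(r'@JavascriptInterface\s+(?:[\w<>\[\],.]+\s+)+?(\w+)\s*\(')

def class_bodies(src):
    """Map class name -> body text via brace counting (ignores braces in strings/comments)."""
    bodies = {}
    for m in CLASS.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = src[m.end():i - 1]
    return bodies

def exposed_methods(src):
    """Return {js_name: (bridge_class, [methods callable from JavaScript])}."""
    bodies = class_bodies(src)
    return {js: (cls, METHOD.findall(bodies.get(cls, "")))
            for cls, js in REGISTER.findall(src)}

if __name__ == "__main__":
    for js_name, (cls, methods) in exposed_methods(SAMPLE_JAVA).items():
        print(f"window.{js_name} -> {cls}: {methods}")
```

Only `getToken` is reported: `internalOnly` lacks the annotation, and `Unused.ping` is annotated but its class is never registered on a WebView.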
@cpholguera @sushi2k Can you please assign the review to me.
| ## Steps | ||
|
|
||
| 1. Use a tool like @MASTG-TOOL-0110 to search for references to: | ||
| - `usesCleartextTraffic` option in the AndroidManifest.xml file |
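Review bot: the first bullet of step 1 calls `usesCleartextTraffic` an "option" in AndroidManifest.xml without saying where it lives; name it as the `android:usesCleartextTraffic` attribute of the `<application>` element so the search term is unambiguous. The step also does not say how to treat a manifest where the attribute is absent, so state the expected handling for that case or drop the bullet if cleartext traffic is out of scope for this test.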
Shouldn't this be irrelevant for the specific purpose of this test?
Reasoning is at L15
The weakness could become a vulnerability if the WebView allows unencrypted (non-TLS) traffic (i.e., HTTPS) in combination with an XSS attack.
We could narrow the scope to "focus only on the bridges" and point to MASTG-TEST-0235 for confidentiality
That'd be better, I think. Data can be exfiltrated even through secure connections.
…nd clarify observation steps
@ScreaMy7 we will once it's ready for review. For now it's still in DRAFT. Thank you!
This PR closes #2977
Description
Migration to v2.
TODOS
@JavascriptInterface to add in the rule