CAPEC-503
Alert dla konkretnego CAPEC
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CAPEC.
Opisy CAPEC
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.
Informacje CAPEC
Wymagania wstępne
This type of an attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page will have the same permissions as the target application and will have access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed.Łagodzenie
To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.Powiązane słabości
| Nazwa słabości | |
|---|---|
CWE-284 |
Improper Access Control The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Odniesienia
REF-430
Attacks on WebView in the Android SystemTongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, Heng Yin.
http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf
Zgłoszenie
| Nazwa | Organizacja | Data | Data wydania |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation |
Modyfikacje
| Nazwa | Organizacja | Data | Komentarz |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
| CAPEC Content Team | The MITRE Corporation | Updated Related_Attack_Patterns |
