cordova-plugin-ionic-webview
Webview vulnerability
Where did I find it? The WebView is located at bolts/WebViewAppLinkResolver.java. We can view it by decompiling the APK file, as the mentioned file is only created after the APK build in an Ionic app.

Here you can see that: `webView.getSettings().setJavaScriptEnabled(true);`

The WebView object has been activated to parse JavaScript inside it. However, when we create a WebView object, JavaScript is disabled by default until and unless it is explicitly declared by the developer. The untrusted JavaScript code can call into the Java Reflection APIs exposed by the interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE.

Mitigation: If you turn off setJavaScriptEnabled as follows, adversaries will not be able to run any JavaScript in order to perform XSS: `webView.getSettings().setJavaScriptEnabled(false);`

SEVERITY: High

It is not just limited to XSS because of JavaScript! In fact, using this, an attacker can even use JavaScript to invoke certain methods on the phone, such as sending an SMS to another number, making a call, or even getting a remote shell using tools such as Drozer. I highly recommend an article on GitHub for the mitigation and understanding of the attack:
https://github.com/vjex/WriteUp/blob/master/WebviewVuln.md
More References:

- http://www.cvedetails.com/cve/CVE-2013-4710/
- https://hackerone.com/reports/87835
- https://hackerone.com/reports/499348
- https://hackerone.com/reports/906433
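
As an added example (not part of the original report, the plugin, or the Bolts code): a small Python triage script for decompiled Java sources that flags the two calls the report names, `setJavaScriptEnabled(true)` and `addJavascriptInterface`, and ranks files where both appear. The sample source, its bridge name, and the rank labels are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# The two calls named in the report above.
JS_ENABLED = re.compile(r"\.setJavaScriptEnabled\(\s*true\s*\)")
JS_BRIDGE = re.compile(r"\.addJavascriptInterface\(")

# Constructed sample standing in for part of one decompiled file (not Bolts code).
SAMPLE = """\
void load(WebView webView, Object bridge) {
    // webView.getSettings().setJavaScriptEnabled(true);  old call, commented out
    webView.getSettings().setJavaScriptEnabled( true );
    webView.addJavascriptInterface(bridge, "exampleBridge");
}
"""

def scan_source(text):
    """Return (line_no, kind, code) for each matching call in one Java source."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0].strip()  # crude: drop trailing line comments
        if JS_ENABLED.search(code):
            findings.append((no, "js-enabled", code))
        if JS_BRIDGE.search(code):
            findings.append((no, "js-bridge", code))
    return findings

def classify(findings):
    """Rank a file: script enabled plus an exposed Java object comes first."""
    kinds = {kind for _, kind, _ in findings}
    if kinds == {"js-enabled", "js-bridge"}:
        return "review-first"
    if "js-bridge" in kinds:
        return "bridge-only"
    return "js-only" if "js-enabled" in kinds else "clean"

def scan_tree(root):
    """Scan every .java file under a decompiler output directory."""
    report = {}
    for path in sorted(Path(root).rglob("*.java")):
        findings = scan_source(path.read_text(errors="replace"))
        if findings:
            report[str(path)] = (classify(findings), findings)
    return report

if __name__ == "__main__":
    for name, (rank, hits) in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(rank, name, [(no, kind) for no, kind, _ in hits])
```

Run it with the decompiler's output directory as the only argument. A textual match only tells you where to look: what content the WebView loads and what the bridged object exposes still needs manual review.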
I think this should have been reported to https://github.com/BoltsFramework/Bolts-Android ? The code you are referring to is not in this repository.
@oddcb the repo you mentioned is archived by its owner, so I can't report this issue there, and the reason I posted this issue here is that I am using the WebView plugin in my Ionic app and the file I mentioned is automatically generated inside the app after I created the build. I got this file after decompiling my app.
Can you suggest where I can get help?