Cross-site Scripting Attacks on Android WebView
A B Bhavani
TL;DR
This paper discusses the vulnerabilities of Android WebView to cross-site scripting (XSS) attacks, highlighting how malicious code can bypass security policies to steal user credentials.
Contribution
It provides an analysis of XSS vulnerabilities specific to Android WebView and explains how attackers exploit HttpClient APIs to bypass access controls.
Findings
XSS attacks can be executed via Android WebView using HttpClient APIs
Attackers can steal credentials like cookies through XSS exploits
The same origin policy can be bypassed in WebView environments
Abstract
WebView is an essential component in Android and iOS. It enables applications to display content from on-line resources. It simplifies task of performing a network request, parsing the data and rendering it. WebView uses a number of APIs which can interact with the web contents inside WebView. In the current paper, Cross-site scripting attacks or XSS attacks specific to Android WebView are discussed. Cross site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to run malicious code into victim's WebView,through HttpClient APIs. Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (that is,the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Malware Detection Techniques · Web Application Security Vulnerabilities · Security and Verification in Computing