
MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews

Overview

This test is the dynamic counterpart to References to Local File Access in WebViews.

Steps

  1. Run a dynamic analysis tool like Frida (Android) and either:
    • enumerate instances of WebView in the app and list their configuration values
    • or explicitly hook the setters of the WebView settings, including:
      • setJavaScriptEnabled
      • setAllowFileAccess
      • setAllowFileAccessFromFileURLs
      • setAllowUniversalAccessFromFileURLs

Observation

The output should contain a list of WebView instances and corresponding settings.

Evaluation

The test case fails if all of the following apply (the inherited defaults depend on the Android API level):

  • setJavaScriptEnabled is explicitly set to true.
  • setAllowFileAccess is explicitly set to true (or not used at all when minSdkVersion < 30, inheriting the default value, true).
  • Either setAllowFileAccessFromFileURLs or setAllowUniversalAccessFromFileURLs is explicitly set to true (or not used at all when minSdkVersion < 16, inheriting the default value, true).
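The Frida script below is an added example (it is not the MASTG demo script nor part of this page): it hooks the four WebSettings setters named in the Steps on the concrete settings class the WebView provider returns, records the last value passed per instance, and applies the three Evaluation conditions, including the inherited defaults, in an `evaluate()` function that also runs offline under Node for testing. The `MIN_SDK` value and the script file name are assumptions; the tester reads the real `minSdkVersion` from the app's manifest.

```javascript
// Added example, not the MASTG demo script. Assumed usage on a device:
//   frida -U -f <package> -l webview_settings.js
// then call report() from the Frida REPL. MIN_SDK is an assumed value; take the
// real minSdkVersion from the app's manifest.
const MIN_SDK = 29;

// Default each setter inherits when the app never calls it (per the Evaluation
// section): AllowFileAccess is true below API 30, the two file-URL settings are
// true below API 16, and JavaScript is always disabled unless enabled explicitly.
const SETTER_DEFAULTS = {
  setJavaScriptEnabled: () => false,
  setAllowFileAccess: (minSdk) => minSdk < 30,
  setAllowFileAccessFromFileURLs: (minSdk) => minSdk < 16,
  setAllowUniversalAccessFromFileURLs: (minSdk) => minSdk < 16,
};

// `calls` maps a setter name to the last boolean the app passed to it; a setter
// absent from `calls` was never invoked and takes the default for `minSdk`.
function effectiveSettings(calls, minSdk) {
  const out = {};
  for (const [name, dflt] of Object.entries(SETTER_DEFAULTS)) {
    out[name] = Object.prototype.hasOwnProperty.call(calls, name)
      ? calls[name] === true
      : dflt(minSdk);
  }
  return out;
}

// The test fails only when all three Evaluation conditions hold at once.
function evaluate(calls, minSdk) {
  const s = effectiveSettings(calls, minSdk);
  const fileUrls = s.setAllowFileAccessFromFileURLs || s.setAllowUniversalAccessFromFileURLs;
  return {
    fails: s.setJavaScriptEnabled && s.setAllowFileAccess && fileUrls,
    effective: s,
  };
}

// Evaluate every captured instance; `records` maps an instance id to its calls.
function evaluateAll(records, minSdk) {
  return Object.entries(records).map(([id, calls]) => ({ id, ...evaluate(calls, minSdk) }));
}

// Constructed sample of what the hooks below would capture (not real app data).
const SAMPLE_RECORDS = {
  'ContentSettingsAdapter@1a2b': { setJavaScriptEnabled: true, setAllowFileAccess: true },
  'ContentSettingsAdapter@3c4d': { setJavaScriptEnabled: true, setAllowUniversalAccessFromFileURLs: true },
};

// Frida part: runs only inside the Frida Java runtime, skipped under plain Node.
const records = {};
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    const hookedClasses = new Set();

    // android.webkit.WebSettings is abstract, so hook the concrete class that
    // getSettings() returns, resolved through its own class loader because the
    // WebView provider is loaded separately from the app.
    function hookSetters(settings) {
      const className = settings.$className;
      if (hookedClasses.has(className)) return;
      hookedClasses.add(className);
      const factory = Java.ClassFactory.get(settings.getClass().getClassLoader());
      const Impl = factory.use(className);
      for (const name of Object.keys(SETTER_DEFAULTS)) {
        Impl[name].overload('boolean').implementation = function (flag) {
          const id = className + '@' + this.hashCode().toString(16);
          records[id] = records[id] || {};
          records[id][name] = flag;               // keep the last value set
          console.log('[webview] ' + id + '.' + name + '(' + flag + ')');
          return this[name](flag);                // call the original setter
        };
      }
    }

    const WebView = Java.use('android.webkit.WebView');
    WebView.getSettings.implementation = function () {
      const settings = this.getSettings();
      hookSetters(settings);
      return settings;
    };

    // Print the verdict for every WebSettings instance seen so far.
    globalThis.report = function () {
      for (const r of evaluateAll(records, MIN_SDK)) {
        console.log((r.fails ? 'FAIL ' : 'ok   ') + r.id + ' ' + JSON.stringify(r.effective));
      }
    };
  });
} else {
  // Offline run under Node: evaluate the constructed sample instead.
  console.log(JSON.stringify(evaluateAll(SAMPLE_RECORDS, MIN_SDK), null, 2));
}
```

The hook only records setters the app actually calls, so a setting missing from an instance's record is the "not used at all" case of the Evaluation and is resolved from `MIN_SDK`. If the app obtains settings before the script is loaded (spawned with `-f` this does not happen), enumerate live instances with `Java.choose('android.webkit.WebView', ...)` and read the getters instead, as the first Step suggests.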

Note

AllowFileAccess being true does not represent a security vulnerability by itself, but it can be used in combination with other vulnerabilities to escalate the impact of an attack.

Best Practices

  • MASTG-BEST-0010: Use Up-to-Date minSdkVersion
  • MASTG-BEST-0011: Securely Load File Content in a WebView
  • MASTG-BEST-0012: Disable JavaScript in WebViews

Demos

  • MASTG-DEMO-0031: Uses of WebViews Allowing Local File Access with Frida