Android Webview JavaScript Enabled
ID | kotlin.android_webview_javascript_enabled
Severity | critical
Resource | Access Control
Language | Kotlin
Tags | CWE:79, NIST.SP.800-53, PCI-DSS:6.5.7, android
Description
Enabling JavaScript in a WebView lets every page the WebView renders execute script inside the app. If any of that content is not fully under the app's control, this exposes the app to cross-site scripting (XSS) and can compromise user data and application integrity.
Rationale
Allowing JavaScript execution in Android's WebView component widens the app's attack surface. Some web content needs it, but once it is enabled any script in a loaded page runs with the WebView's privileges: a page the app does not fully control (for example one whose URL came from an Intent extra or a deep link), or a trusted page that itself has an XSS flaw, can read and modify the data the WebView displays and call any object the app exposes through addJavascriptInterface. This can result in unauthorized data access or modification.
Enable JavaScript only when a feature genuinely requires it, restrict the WebView to content you control, validate any URL that reaches loadUrl, and make sure the served content applies its own protections (input validation and a Content Security Policy).
```kotlin
import android.os.Bundle
import android.webkit.WebView
import androidx.appcompat.app.AppCompatActivity

class WebViewActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        // Insecure JavaScript setting: script is enabled for every page this
        // WebView will ever render, with no restriction on where it navigates.
        webView.settings.javaScriptEnabled = true
        webView.loadUrl("https://example.com")
        setContentView(webView)
    }
}
```
Remediation
To mitigate security risks, disable JavaScript unless your application needs it. If JavaScript is required, enable it only for content you trust: load only https URLs from an allowlist of hosts, validate any URL that arrives from an Intent or deep link before passing it to loadUrl, and keep the WebView on those hosts with a WebViewClient. A Content Security Policy (CSP) is delivered by the server in the Content-Security-Policy header of the trusted pages, not by the app; it limits what an injected script can do but does not replace the allowlist.
```kotlin
import android.os.Bundle
import android.webkit.WebView
import androidx.appcompat.app.AppCompatActivity

class WebViewActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        // Secure JavaScript setting: script stays disabled (the default), so
        // the page is rendered without executing anything it contains.
        webView.settings.javaScriptEnabled = false
        webView.loadUrl("https://example.com")
        setContentView(webView)
    }
}
```
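When JavaScript cannot be turned off, the remediation above asks for it to be enabled only for trusted content. The following activity is an added example, not code from the original rule page or from its tool, showing one way to do that: it only accepts https URLs whose host is on an exact-match allowlist, refuses an untrusted URL passed in through an Intent extra, and uses a WebViewClient to hand any navigation off the allowlist to the system browser instead of rendering it with script enabled. The class name, the ALLOWED_HOSTS set, the EXTRA_URL extra name and the assumption of API level 24 or higher (for the WebResourceRequest overload of shouldOverrideUrlLoading) are assumptions made for this example; example.com is the page's placeholder host.

```kotlin
import android.content.ActivityNotFoundException
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

class TrustedWebViewActivity : AppCompatActivity() {

    companion object {
        // Assumed allowlist for this example: hosts are compared exactly, never
        // with endsWith(), so "example.com.attacker.net" does not match.
        private val ALLOWED_HOSTS = setOf("example.com", "www.example.com")
        private const val DEFAULT_URL = "https://example.com"
        // Assumed Intent extra name; an attacker-controlled extra is the usual
        // way an untrusted URL reaches an app's WebView.
        const val EXTRA_URL = "url"

        /** True only for an https URL whose host is on the allowlist. */
        fun isTrustedOrigin(uri: Uri): Boolean {
            if (!"https".equals(uri.scheme, ignoreCase = true)) return false
            val host = uri.host?.lowercase() ?: return false
            return host in ALLOWED_HOSTS
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Never trust a URL handed to the activity; fall back to the default.
        val requested = intent.getStringExtra(EXTRA_URL)?.let(Uri::parse)
        val startUrl = if (requested != null && isTrustedOrigin(requested)) {
            requested
        } else {
            Uri.parse(DEFAULT_URL)
        }

        val webView = WebView(this)
        with(webView.settings) {
            javaScriptEnabled = true          // required by the trusted site
            allowFileAccess = false           // no file:// content in this WebView
            allowContentAccess = false        // no content:// providers either
            setSupportMultipleWindows(false)  // window.open() cannot spawn new WebViews
        }
        WebView.setWebContentsDebuggingEnabled(false)

        webView.webViewClient = object : WebViewClient() {
            override fun shouldOverrideUrlLoading(
                view: WebView,
                request: WebResourceRequest
            ): Boolean {
                val target = request.url
                if (isTrustedOrigin(target)) {
                    return false // stay in the WebView; script remains enabled
                }
                // Off the allowlist: never render it here. Plain web links go to
                // the system browser; other schemes (intent:, javascript:, file:)
                // are dropped.
                val scheme = target.scheme?.lowercase()
                if (scheme == "http" || scheme == "https") {
                    try {
                        startActivity(Intent(Intent.ACTION_VIEW, target))
                    } catch (e: ActivityNotFoundException) {
                        // No browser installed; the navigation is simply dropped.
                    }
                }
                return true
            }
        }

        webView.loadUrl(startUrl.toString())
        setContentView(webView)
    }
}
```

shouldOverrideUrlLoading is only consulted for top-level navigations, not for iframes or subresources, so the allowlist keeps the WebView itself on trusted origins but does not filter what the trusted page embeds; that part is the job of the page's own Content Security Policy. If the feature later needs addJavascriptInterface, the same isTrustedOrigin check is the boundary that decides which pages can reach the exposed object.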
References
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). https://cwe.mitre.org/data/definitions/79.html
- EnablingJavaScript: Use JavaScript in WebView (Android Developers). https://developer.android.com/guide/webapps/webview#EnablingJavaScript