WebView loaded without restricting base URL
ID: swift.unrestricted_webview_load
Severity: high
Resource: Injection
Language: Swift
Tags: CWE:79, MASWE:0040, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1
Description
Fetching data in a web view without restricting the base URL may allow an attacker to access sensitive local data, for example using file://.
Data can then be extracted from the software using the URL of a machine under the attacker’s control. It is also possible for an attacker to use a URL under their control as part of a cross-site scripting attack.
Rationale
The following is an example of vulnerable code:
import WebKit
let webview = WKWebView(frame: .zero)
let htmlData = "<html><body>Hello</body></html>" // HTML to render; a constructed sample, in practice often built from untrusted input
webview.loadHTMLString(htmlData, baseURL: nil) // FLAW: a nil base URL does not restrict which schemes or origins relative URLs in the HTML resolve to
The call to loadHTMLString(_:baseURL:) with a nil baseURL may allow an attacker to access local files, for example using file://, or to load content from a URL under their control.
Please note that the similar UIWebView class in the UIKit framework is deprecated. Use WKWebView from the WebKit framework instead.
Remediation
When loading HTML into a web view, always set the baseURL to a URL that you control, or to about:blank. Do not use nil, as this does not restrict the URLs that can be resolved. Also do not use a baseURL that could itself be controlled by an attacker.
import WebKit
let webview = WKWebView(frame: .zero)
let html = "<html><body>Hello</body></html>" // HTML to render; a constructed sample
// about:blank pins relative URLs and local-resource access to an empty, app-controlled origin
webview.loadHTMLString(html, baseURL: URL(string: "about:blank"))
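As an added example (not the rule's own code), the following wrapper pins the base URL to an origin the app controls, falling back to about:blank, and additionally uses WKNavigationDelegate to refuse navigations to any other scheme or host, so a file:// or attacker-controlled link embedded in the HTML is cancelled rather than followed. The RestrictedWebView type and the allowed-host set are assumptions for illustration.

```swift
import WebKit

/// Hypothetical wrapper around WKWebView that enforces a controlled base URL
/// and blocks navigation away from the allowed origins.
final class RestrictedWebView: NSObject, WKNavigationDelegate {
    let webView: WKWebView
    private let allowedHosts: Set<String>   // hosts the app controls, e.g. ["example.com"]

    init(allowedHosts: Set<String>) {
        self.webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())
        self.allowedHosts = allowedHosts
        super.init()
        webView.navigationDelegate = self
    }

    /// Returns true only for https URLs whose host is in the allow-list.
    func isControlledOrigin(_ url: URL) -> Bool {
        guard url.scheme == "https", let host = url.host else { return false }
        return allowedHosts.contains(host)
    }

    /// Loads HTML with a base URL the app controls; anything else becomes about:blank,
    /// so a nil or attacker-influenced base can never reach loadHTMLString.
    func load(html: String, requestedBase: URL?) {
        let base: URL
        if let requested = requestedBase, isControlledOrigin(requested) {
            base = requested
        } else {
            base = URL(string: "about:blank")!   // literal, cannot fail to parse
        }
        webView.loadHTMLString(html, baseURL: base)
    }

    // Cancel any navigation (link click, redirect, iframe) that leaves the controlled origins.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url else {
            decisionHandler(.cancel)
            return
        }
        if url.absoluteString == "about:blank" || isControlledOrigin(url) {
            decisionHandler(.allow)
        } else {
            decisionHandler(.cancel)   // blocks file://, http://, and unknown hosts
        }
    }
}
```

Because the delegate decision is made per navigation, it also covers content that is loaded later through links or scripts, which the baseURL argument alone does not.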
References
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
- OWASP Top 10 2021 - A03: Injection.
- MASWE-0040: Insecure Authentication in WebViews.