Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port MASTG-TEST-0032: Testing WebView Protocol Handlers (android) #3177

Open
wants to merge 58 commits into
base: master
Choose a base branch
from
Open

Port MASTG-TEST-0032: Testing WebView Protocol Handlers (android) #3177

wants to merge 58 commits into from

Conversation

cpholguera
Copy link
Collaborator

@cpholguera cpholguera commented Feb 23, 2025
edited
Loading

This PR closes #2978.

Deprecates:

  • MASTG-TEST-0032

Adds:

  • MASTG-TEST-0250

  • MASTG-TEST-0251

  • MASTG-TEST-0252

  • MASTG-TEST-0253

  • MASTG-DEMO-0029

  • MASTG-DEMO-0030

  • MASTG-DEMO-0031

  • MASTG-DEMO-0032

@cpholguera
Enhance documentation on WebView local file access settings and secur…
619fdee 
…ity implications
@cpholguera
Mark MASTG-TEST-0032 as deprecated and reference new version in MASTG V2
13ca55f
@cpholguera
Add MASTG-TEST-0x33: References to Local File Access in WebViews
4020272
@cpholguera
Add draft for MASTG-TEST-0x32 References to Content Provider Access i…
6b3661b 
…n WebViews
@cpholguera
Refine MASTG-TEST-0x33 documentation on WebView local file access met…
554bbca 
…hods and security implications
@cpholguera
Update WebView file access API documentation with accurate default be…
b8ef311 
…havior for Android versions
@cpholguera
Update MASTG-TEST-0x33 documentation to clarify secure defaults and e…
ade3410 
…xplicit disablement for WebView methods
@cpholguera
Update Platform Overview documentation to summarize notable Android A…
d86fc4d 
…PI versions and link to the new best practice file.
@cpholguera
Enhance documentation on WebView JavaScript execution and content acc…
ca8ad35 
…ess, detailing security implications and configuration examples.
@cpholguera
Add best practices for securely loading file content and disabling co…
7572d40 
…ntent provider access in WebViews
@cpholguera
Update MASTG-TEST-0x32 and MASTG-TEST-0x33 tests to link to best prac…
1742be9 
…tices and improve the content
@cpholguera
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into 29…
b5004ff 
…78-mastg-v1-v2-mastg-test-0032-android
@cpholguera
Add best practice for disabling JavaScript in WebViews to enhance sec…
a79b23e 
…urity
@cpholguera cpholguera linked an issue Feb 23, 2025 that may be closed by this pull request
MASTG v1->v2 MASTG-TEST-0032: Testing WebView Protocol Handlers (android) #2978
Open
@cpholguera cpholguera marked this pull request as draft February 23, 2025 19:00
@cpholguera
fix md links
039c427
@cpholguera
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into 29…
94ca885 
…78-mastg-v1-v2-mastg-test-0032-android
@cpholguera
Clarify data access via content providers in Testing Platform Interac…
5fb8e15 
…tion documentation
@cpholguera
Refine WebView content provider access test documentation for clarity…
6b2b851 
… and accuracy
@cpholguera
Clarify WebView local file access settings documentation for improved…
d182ffc 
… understanding and security implications
@cpholguera
Clarify implications of enabling content access in WebView documentat…
1eed669 
…ion for better understanding of security risks
@cpholguera
Clarify the implications of setAllowUniversalAccessFromFileURLs in …
4a04527 
…and improve attack scenario
@cpholguera
Clarify WebView content provider access content and add notes
1249d8c
@cpholguera
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into 29…
8b36a1a 
…78-mastg-v1-v2-mastg-test-0032-android
@cpholguera
Enhance MASTG-TEST-0x32 to clarify the role of setAllowUniversalAcces…
4184f9b 
…sFromFileURLs
@cpholguera
Add pass/fail heading for MASTG-TEST-0x33
b56c267
@cpholguera
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into 29…
a9c7740 
…78-mastg-v1-v2-mastg-test-0032-android
cpholguera added 16 commits March 10, 2025 18:05
@cpholguera
Add semgrep rule, semgrep output, evaluation script and its output fo…
4e0f185 
…r MASTG-DEMO-0029
@cpholguera
Add output_server.txt to log server activity and received POST data f…
7009a23 
…or MASTG-DEMO-0030
@cpholguera
Remove reference to output.json in MASTG-DEMO-0029
e9f2c4b
@cpholguera
Update MASTG-DEMO-0030.md to add Frida script description and clarify…
8fe7aaf 
… WebView settings evaluation
@cpholguera
Add frida script, output, evaluation script and output
cac3ff4
@cpholguera
Add filepaths.xml to define internal file paths for MASTG-DEMO-0030
273e454
@cpholguera
Refactor evaluate.py to streamline settings processing and output res…
a93376a 
…ults to evaluation.txt
@cpholguera
Update titles in MastgTestWebView for MASTG-DEMO-0029 and MASTG-DEMO-…
cca6623 
…0030
@cpholguera
Update MASTG-DEMO-0030.md to improve clarity on WebView settings and …
77fb660 
…exfiltration example
@cpholguera
Update MASTG-TEST-0252.md to clarify WebView security settings and th…
c6dada9 
…eir implications
@cpholguera
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into 29…
2e79838 
…78-mastg-v1-v2-mastg-test-0032-android
@cpholguera
Add demos for detecting insecure file access WebView settings with se…
f036ad4 
…mgrep and frida
@cpholguera
Remove output redirection from evaluation script in demo run scripts
ea856c2
@cpholguera
Update API references for WebView content provider and local file acc…
4868232 
…ess tests
@cpholguera
Add new WebView security tests content for content provider and local…
fa7a229 
… file access settings
@cpholguera
Update covered_by references in MASTG-TEST-0032.md
cc445c0
@cpholguera cpholguera requested a review from TheDauntless March 11, 2025 09:45
@cpholguera cpholguera marked this pull request as ready for review March 11, 2025 09:45
javier-ruiz-b
javier-ruiz-b reviewed Mar 11, 2025
View reviewed changes
Copy link
Collaborator

@javier-ruiz-b javier-ruiz-b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this fixes the issue

cpholguera
cpholguera commented Mar 12, 2025
View reviewed changes
Document/0x05h-Testing-Platform-Interaction.md
</html>
```

##### `setAllowUniversalAccessFromFileURLs`
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding:

Setting `setAllowUniversalAccessFromFileURLs(true)` allows JavaScript inside a local `file://` to make cross-origin requests (XHR, Fetch, etc.). This bypasses the Same-Origin Policy (SOP) for network requests, but it does not grant access to cookies from remote websites.

Cookies are managed by the WebView’s CookieManager and cannot be accessed by a `file://` origin unless explicitly allowed via document.cookie (which most modern sites prevent using `HttpOnly` and `Secure` flags).

Cross-origin requests also do not include cookies unless explicitly allowed by the server via CORS headers such as `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@javier-ruiz-b javier-ruiz-b

@TheDauntless TheDauntless

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Android fundamentals MASVS-PLATFORM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0032: Testing WebView Protocol Handlers (android)
2 participants
@cpholguera @javier-ruiz-b