CAPEC-500: WebView Injection

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.

Not rated

Typical severity

Per MITRE

Not rated

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-500 (WebView Injection) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Determine target web application] An adversary first needs to determine what web application they wish to target.
- Target web applications that require users to enter sensitive information.
- Target web applications that an adversary wishes to operate on behalf of a logged in user.
Step 2
Experiment
[Create malicious application] An adversary creates an application, often mobile, that incorporates a WebView component to display the targeted web application. This malicious application needs to downloaded by a user, so adversaries will make this application useful in some way.
- Create a 3rd party application that adds useful functionality to the targeted web application. Victims will download the application as a means of using the targeted web application.
- Create a fun game that at some point directs a user to the targeted web application. For example, prompt the user to buy in game currency by directing them to PayPal.
Step 3
Experiment
[Get the victim to download and run the application] An adversary needs to get the victim to willingly download and run the application.
- Pay for App Store advertisements
- Promote the application on social media, either through accounts made by the adversary or by paying for other accounts to advertise.
Step 4
Exploit
[Inject malicious code] Once the victim runs the malicious application and views the targeted web page in the WebView component, the malicious application will inject malicious JavaScript code into the web application. This is done by using WebView's loadURL() API, which can inject arbitrary JavaScript code into pages loaded by the WebView component with the same privileges. This is often done by adding a script tag to the document body with a src destination to a remote location that serves malicious JavaScript code.
- Execute operations on the targeted web page on behalf of an authenticated user.
- Steal cookie information from the victim.
- Add in extra fields to the DOM in an attempt to get a user to divulge sensitive information.

CAPEC-500: WebView Injection

Overview

How the attack works

What the attacker needs

Prerequisites

How to mitigate it

Frequently asked questions

What is CAPEC-500?

How does a WebView Injection attack work?

How do you prevent CAPEC-500?

What weaknesses does CAPEC-500 target?

References

Defend against CAPEC-500

Overview

How the attack works

What the attacker needs

Prerequisites

How to mitigate it

Related weaknesses

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-500?

How does a WebView Injection attack work?

How do you prevent CAPEC-500?

What weaknesses does CAPEC-500 target?

References

Defend against CAPEC-500