CAPEC-503: WebView Exposure
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.
Last updated
Overview
CAPEC-503 (WebView Exposure) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- This type of an attack requires the adversary to convince the user to load the malicious web page inside the target application. Once loaded, the malicious web page will have the same permissions as the target application and will have access to all registered interfaces. Both the permission and the interface must be in place for the functionality to be exposed.
How to mitigate it
Defenses that reduce the risk of CAPEC-503.
- To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.
Frequently asked questions
Common questions about CAPEC-503.
- What is CAPEC-503?
- An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.
- How do you prevent CAPEC-503?
- To mitigate this type of an attack, an application should limit permissions to only those required and should verify the origin of all web content it loads.
- What weaknesses does CAPEC-503 target?
- CAPEC-503 exploits 1 CWE weakness, including CWE-284 (Improper Access Control).
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-503
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.