Cross-site Scripting Attacks on Android WebView
This identifies a security vulnerability in Android WebView that could compromise user credentials, but it is incremental as it focuses on a specific platform within a known attack type.
The paper addresses cross-site scripting (XSS) attacks specific to Android WebView, showing how attackers can exploit vulnerabilities to run malicious code and steal credentials like cookies by bypassing access control policies.
WebView is an essential component in Android and iOS. It enables applications to display content from on-line resources. It simplifies task of performing a network request, parsing the data and rendering it. WebView uses a number of APIs which can interact with the web contents inside WebView. In the current paper, Cross-site scripting attacks or XSS attacks specific to Android WebView are discussed. Cross site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to run malicious code into victim's WebView,through HttpClient APIs. Using this malicious code, the attackers can steal the victim's credentials, such as cookies. The access control policies (that is,the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability.