From a2a7b7c246d20a05b719a164fa567107d813917a Mon Sep 17 00:00:00 2001 From: Jeroen Beckers Date: Thu, 7 Nov 2024 15:04:53 +0000 Subject: [PATCH 1/3] wip --- tests/android/MASVS-CODE/MASTG-TEST-0x27-1.md | 43 +++++++++++++++++ tests/android/MASVS-CODE/MASTG-TEST-0x27-2.md | 46 +++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 tests/android/MASVS-CODE/MASTG-TEST-0x27-1.md create mode 100644 tests/android/MASVS-CODE/MASTG-TEST-0x27-2.md diff --git a/tests/android/MASVS-CODE/MASTG-TEST-0x27-1.md b/tests/android/MASVS-CODE/MASTG-TEST-0x27-1.md new file mode 100644 index 0000000000..cb4ddca8dd --- /dev/null +++ b/tests/android/MASVS-CODE/MASTG-TEST-0x27-1.md @@ -0,0 +1,43 @@ +--- +Title: Testing for URL Loading in WebViews +ID: MASTG-TEST-0027 +Link: https://mas.owasp.org/MASTG/tests/android/MASVS-CODE/MASTG-TEST-0027/ +Platform: android +type: [static] +MASVS v1: ['MSTG-PLATFORM-2'] +MASVS v2: ['MASVS-CODE-4'] +--- + +## Overview + +By default, navigation events inside of a WebView will redirect to the default browser application. However, it is possible to stay within the WebView and handle all new page loads. This can be dangerous, as the new page may be malicous and interact with either the JavaScript bridge, or phish the user. The application should monitor navigation events inside the WebView to make sure that only legitimate pages are loaded, while others are redirected to the browser application. + +## Steps + +1. +To test if the app is overriding the default page navigation logic by configuring a `WebViewClient`, search for and inspect the following interception callback functions: + +- `shouldOverrideUrlLoading` allows your application to either abort loading pages with suspicious content by returning `true` or allow the WebView to load the URL by returning `false`. Considerations: + - This method is not called for POST requests. + - This method is not called for XmlHttpRequests, iFrames, "src" attributes included in HTML or `
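Review bot: the front matter of `tests/android/MASVS-CODE/MASTG-TEST-0x27-1.md` declares `ID: MASTG-TEST-0027` and links to `.../MASTG-TEST-0027/`, but the file itself is named `MASTG-TEST-0x27-1.md`, and the diff stat creates a sibling `MASTG-TEST-0x27-2.md`; filename, `ID` and `Link` should agree, and if the two new files are meant to be distinct tests each needs its own ID, since two files both carrying `MASTG-TEST-0027` would collide. The front-matter keys also mix casing (`Title`, `ID`, `Link`, `Platform` next to `type`, `MASVS v1`, `MASVS v2`); pick one form. In the Overview, `malicous` should read `malicious`. Under `## Steps`, the line `1.` stands alone with the step text on the following line, so Markdown will render an empty list item followed by a loose paragraph; keep `1. To test if the app is overriding the default page navigation logic ...` on one line or indent the continuation under the marker. In the considerations list, `XmlHttpRequests` and `iFrames` should follow the platform spelling (`XMLHttpRequest`, `iframes`). Finally, the hunk as shown ends mid-sentence at `"src" attributes included in HTML or \``, well short of the 43 added lines the `@@ -0,0 +1,43 @@` header declares, so the rest of the considerations and the remainder of the Steps section could not be reviewed here; please make sure the sentence is completed and the file is whole before this leaves WIP.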