tests-beta/android/MASVS-PLATFORM/MASTG-TEST-02te.md
8 additions & 8 deletions
@@ -10,7 +10,7 @@ profiles: [L1, L2]
10
10
11
11
## Overview
12
12
13
-
Android apps that have WebViews may also have WebView – Native bridges. These bridges can be added via the `addJavascriptInterface` method in the `WebView` class. They enable two-way communication: native code can pass data to the WebView, and JavaScript in the WebView can call into native code. Any website loaded inside the WebView, including those outside the organization's control, can access these bridges (if configured) whenever JavaScript is enabled with `setJavaScriptEnabled(true)`.
13
+
Android apps that use WebViews may also include WebView–Native bridges. These bridges can be added via the `addJavascriptInterface` method in the `WebView` class. They enable two-way communication: native code can pass data to the WebView, and JavaScript in the WebView can call into native code. Any website loaded inside the WebView, including those outside the organization's control, can access these bridges (if configured) whenever JavaScript is enabled with `setJavaScriptEnabled(true)`.
14
14
15
15
The weakness could become a vulnerability if the WebView allows unencrypted (non-TLS) traffic (i.e., HTTPS) in combination with an XSS attack. Please refer to @MASTG-TEST-0235 to evaluate cleartext traffic.
16
16
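Review bot: the unchanged context line at the end of this hunk ("The weakness could become a vulnerability if the WebView allows unencrypted (non-TLS) traffic (i.e., HTTPS) ...") contradicts itself, since unencrypted traffic is HTTP, not HTTPS; while the Overview paragraph is being reworded here, change the parenthetical to "(i.e., HTTP)" or drop it so the sentence agrees with the cleartext-traffic reference to @MASTG-TEST-0235 that follows. The wording change itself ("use WebViews", "WebView–Native") reads fine.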
@@ -27,25 +27,25 @@ The weakness could become a vulnerability if the WebView allows unencrypted (non
27
27
28
28
1. Use a tool like @MASTG-TOOL-0110 to search for references to:
29
29
30
-
- the `setJavaScriptEnabled` method
31
-
- the `addJavascriptInterface` method
32
-
- the `@JavascriptInterface` annotation
30
+
- the `setJavaScriptEnabled` method
31
+
- the `addJavascriptInterface` method
32
+
- the `@JavascriptInterface` annotation
33
33
34
34
## Observation
35
35
36
36
The output should contain a list of WebView instances, including the following methods and their arguments:
37
37
38
-
- `setJavaScriptEnabled`
39
-
- `addJavascriptInterface` and their associated classes
40
-
- `@JavascriptInterface` and their associated methods
38
+
-`setJavaScriptEnabled`
39
+
-`addJavascriptInterface` and their associated classes
40
+
-`@JavascriptInterface` and their associated methods
41
41
42
42
## Evaluation
43
43
44
44
**Fail:**
45
45
46
46
The test fails automatically if all the following are true:
47
47
48
-
-the application is targeting API level 16 or lower.
48
+
-The application is targeting API level 16 or lower.
49
49
-`addJavascriptInterface` is used at least once.
50
50
51
51
The test also fails automatically if all the following are true:
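Review bot: the replacement lines in the Observation list (diff lines 38-40) and in the Evaluation list (diff line 48) drop the space after the leading hyphen, e.g. "-`setJavaScriptEnabled`" and "-The application is targeting API level 16 or lower.", so Markdown will no longer render them as bullets but as a literal hyphen glued to the text; restore the space ("- `setJavaScriptEnabled`", "- The application is targeting API level 16 or lower.") on all four lines. The unchanged line 49, "-`addJavascriptInterface` is used at least once.", has the same defect and should be fixed in the same commit, and capitalizing "The application" on line 48 while line 49 still starts with inline code leaves the two bullets inconsistently styled. It would also help the reader if the Evaluation stated why API level 16 is the cut-off, namely that before API 17 `addJavascriptInterface` exposes every public method of the bridged object to JavaScript via reflection regardless of the `@JavascriptInterface` annotation.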