mobsf.mobsfscan.webview_file_access.webview_set_allow_file_access

MobSF

Author

505

Download Count*

License

WebView File System Access is enabled. An attacker able to inject script into a WebView, could exploit the opportunity to access local resources.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: webview_set_allow_file_access
    patterns:
      - pattern-either:
          - pattern: |
              $WB.setAllowFileAccess(true);
    message: WebView File System Access is enabled. An attacker able to inject
      script into a WebView, could exploit the opportunity to access local
      resources.
    languages:
      - java
    severity: WARNING
    metadata:
      cwe: cwe-73
      owasp-mobile: m7
      masvs: platform-6
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md/#testing-webview-protocol-handlers-mstg-platform-6
      license: LGPL-3.0-or-later

Short Link: https://sg.run/1GRk