Port MASTG-TEST-0027: Testing for URL Loading in WebViews (android) #3061
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@TheDauntless please check the spell checker errors and remember to deprecate the old test and add also the covered_by field example: status: deprecated
covered_by: [MASTG-TEST-0203, MASTG-TEST-0x03] |
|
Good catch. Please review again :) |
titze
reviewed
Feb 19, 2025
|
|
||
| ## Overview | ||
|
|
||
| By default, navigation events inside of a WebView will redirect to the default browser application. However, it is possible to stay within the WebView and handle all new page loads. This can be dangerous, as the new page may be malicious and interact with either the JavaScript bridge, or phish the user. The application should monitor navigation events inside the WebView to make sure that only legitimate pages are loaded, while others are redirected to the browser application. |
There was a problem hiding this comment.
Suggested change
| By default, navigation events inside of a WebView will redirect to the default browser application. However, it is possible to stay within the WebView and handle all new page loads. This can be dangerous, as the new page may be malicious and interact with either the JavaScript bridge, or phish the user. The application should monitor navigation events inside the WebView to make sure that only legitimate pages are loaded, while others are redirected to the browser application. | |
| By default, navigation events inside of a WebView will redirect to the default browser application. However, it is possible to stay within the WebView and handle all new page loads. This can be dangerous, as the new page may be malicious and interact with either the JavaScript bridge (see @MASWE-0068), or phish the user. The application should monitor navigation events inside the WebView to make sure that only legitimate pages are loaded, while others are redirected to the browser application. |
| ## Steps | ||
|
|
||
| 1. Examine the application's code (see @MASTG-TECH-0023) | ||
| 2. Look for occurrences of WebViews being used and examine if they are configured with a custom `WebViewClient`. |
There was a problem hiding this comment.
Suggested change
| 2. Look for occurrences of WebViews being used and examine if they are configured with a custom `WebViewClient`. | |
| 2. Look for occurrences of WebViews being used and examine if they are configured with a custom `WebViewClient`. This can be done e.g., by calling `webview.setWebViewClient(new MyWebViewClient());`. Alternatively, you can look for any class extending `WebViewClient`. |
|
|
||
| 1. Examine the application's code (see @MASTG-TECH-0023) | ||
| 2. Look for occurrences of WebViews being used and examine if they are configured with a custom `WebViewClient`. | ||
| 3. Search for and inspect the following interception callback functions for the `WebViewClient`: |
There was a problem hiding this comment.
Suggested change
| 3. Search for and inspect the following interception callback functions for the `WebViewClient`: | |
| 3. Search for and inspect the following interception callback functions for the custom `WebViewClient`: |
| 2. Look for occurrences of WebViews being used and examine if they are configured with a custom `WebViewClient`. | ||
| 3. Search for and inspect the following interception callback functions for the `WebViewClient`: | ||
|
|
||
| - `shouldOverrideUrlLoading` allows your application to either abort loading pages with suspicious content by returning `true` or allow the WebView to load the URL by returning `false`. Considerations: |
There was a problem hiding this comment.
Suggested change
| - `shouldOverrideUrlLoading` allows your application to either abort loading pages with suspicious content by returning `true` or allow the WebView to load the URL by returning `false`. Considerations: | |
| - [`shouldOverrideUrlLoading`](https://developer.android.com/reference/android/webkit/WebViewClient#shouldOverrideUrlLoading(android.webkit.WebView,%20android.webkit.WebResourceRequest)) allows your application to either abort loading pages with suspicious content by returning `true` or allow the WebView to load the URL by returning `false`. Considerations: |
| - `shouldOverrideUrlLoading` allows your application to either abort loading pages with suspicious content by returning `true` or allow the WebView to load the URL by returning `false`. Considerations: | ||
| - This method is not called for POST requests. | ||
| - This method is not called for XmlHttpRequests, iFrames, "src" attributes included in HTML or `<script>` tags. Instead, `shouldInterceptRequest` should take care of this. | ||
| - `shouldInterceptRequest` allows the application to return the data from resource requests. If the return value is null, the WebView will continue to load the resource as usual. Otherwise, the data returned by the `shouldInterceptRequest` method is used. Considerations: |
There was a problem hiding this comment.
Suggested change
| - `shouldInterceptRequest` allows the application to return the data from resource requests. If the return value is null, the WebView will continue to load the resource as usual. Otherwise, the data returned by the `shouldInterceptRequest` method is used. Considerations: | |
| - [`shouldInterceptRequest`](https://developer.android.com/reference/android/webkit/WebViewClient#shouldInterceptRequest(android.webkit.WebView,%20android.webkit.WebResourceRequest)) allows the application to return the data from resource requests. If the return value is null, the WebView will continue to load the resource as usual. Otherwise, the data returned by the `shouldInterceptRequest` method is used. Considerations: |
| - The `WebViewClient` is missing the `shouldOverrideUrlLoading` or `shouldInterceptRequest` handlers | ||
| - The `shouldOverrideUrlLoading` or `shouldInterceptRequest` handlers do not correctly prevent untrusted data from being loaded in the `WebView` | ||
|
|
||
| If the `WebView` does not have a custom `WebViewClient`, then any navigation event will automatically trigger the default browser. |
There was a problem hiding this comment.
Not sure the last sentence is needed, since the test case is only for webviews with custom clients?
|
|
||
| ## Overview | ||
|
|
||
| By default, navigation events inside of a WebView will redirect to the default browser application. However, it is possible to stay within the WebView and handle all new page loads. This can be dangerous, as the new page may be malicious and interact with either the JavaScript bridge, or phish the user. The application should monitor navigation events inside the WebView to make sure that only legitimate pages are loaded, while others are redirected to the browser application. |
There was a problem hiding this comment.
Suggested change
| By default, navigation events inside of a WebView will redirect to the default browser application. However, it is possible to stay within the WebView and handle all new page loads. This can be dangerous, as the new page may be malicious and interact with either the JavaScript bridge, or phish the user. The application should monitor navigation events inside the WebView to make sure that only legitimate pages are loaded, while others are redirected to the browser application. | |
| By default, navigation events inside of a WebView will redirect to the default browser application. However, it is possible to stay within the WebView and handle all new page loads. This can be dangerous, as the new page may be malicious and interact with either the JavaScript bridge (see @MASWE-0068), or phish the user. The application should monitor navigation events inside the WebView to make sure that only legitimate pages are loaded, while others are redirected to the browser application. |
| 1. WebViewClient.shouldOverrideUrlLoading | ||
| 2. WebViewClient.shouldInterceptRequest | ||
| 3. WebSettings.setSafeBrowsingEnabled | ||
| 3. Use any WebView inside the app and trigger navigation events |
There was a problem hiding this comment.
Suggested change
| 3. Use any WebView inside the app and trigger navigation events | |
| 3. Use every WebView inside the app and trigger navigation events, using a variety of trusted and non-trusted URLs |
There was a problem hiding this comment.
Not sure if it is obvious what a non-trusted URL is in this context? But I think a tester needs to try various URLs, otherwise, potentially only the happy path for the Custom Webview will be triggered.
Comment on lines
+19
to
+21
| 1. WebViewClient.shouldOverrideUrlLoading | ||
| 2. WebViewClient.shouldInterceptRequest | ||
| 3. WebSettings.setSafeBrowsingEnabled |
There was a problem hiding this comment.
Suggested change
| 1. WebViewClient.shouldOverrideUrlLoading | |
| 2. WebViewClient.shouldInterceptRequest | |
| 3. WebSettings.setSafeBrowsingEnabled | |
| 1. `WebViewClient.shouldOverrideUrlLoading` | |
| 2. `WebViewClient.shouldInterceptRequest` | |
| 3. `WebSettings.setSafeBrowsingEnabled` |
| @@ -0,0 +1,44 @@ | |||
| --- | |||
| Title: Testing for URL Loading in WebViews | |||
There was a problem hiding this comment.
Suggested change
| Title: Testing for URL Loading in WebViews | |
| Title: Testing for custom URL Loading in WebViews |
cpholguera
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If your PR is related to an issue. Please end your PR test with the following line:
This PR closes #2993