Remote WebView Debugging Enabled
Description
Remote WebView debugging is enabled. With `WebView.setWebContentsDebuggingEnabled(true)` in effect, anyone who can attach a debugger to the device (for example over USB/adb via Chrome DevTools) can inspect the WebView, run JavaScript in the context of the loaded page, and read or modify its DOM, cookies, and local storage, which lets them steal or corrupt application data. The flag is static and applies to every WebView in the process, so a single call anywhere in the app exposes all of them.
Examples
Insecure Code
```java
// setWebContentsDebuggingEnabled is a static method on WebView and turns on
// remote DevTools access for every WebView in the process.
WebView.setWebContentsDebuggingEnabled(true);
```
Secure Code
```java
WebView webView = new WebView(context);
// Disable remote debugging for all WebViews in the process.
WebView.setWebContentsDebuggingEnabled(false);
// Stop content loaded from file:// URLs from reading other local files.
webView.getSettings().setAllowFileAccessFromFileURLs(false);
```
Remediation
Disable remote debugging and restrict file access in the WebView by calling `WebView.setWebContentsDebuggingEnabled(false)` and `webView.getSettings().setAllowFileAccessFromFileURLs(false)`. Because the debugging flag is process-wide, check every place the app constructs a WebView and make sure no build that ships to users can reach a `true` call.
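The hardened setup as a reusable factory, added here as an example and not code from the rule or any particular project. It assumes an Android app whose generated `BuildConfig` class is in the same package, and ties the debugging flag to `BuildConfig.DEBUG` so that release builds always end up with the `false` setting the remediation requires.

```java
// Added example: central place to construct WebViews with debugging off in
// release builds. Assumes BuildConfig is the app's generated class (same package).
import android.content.Context;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class SecureWebViewFactory {
    private SecureWebViewFactory() {}

    public static WebView create(Context context) {
        // Static, process-wide flag: decide it once, before any page loads.
        // BuildConfig.DEBUG is false for release builds, so production never
        // exposes the DevTools endpoint; debug builds keep it for developers.
        WebView.setWebContentsDebuggingEnabled(BuildConfig.DEBUG);

        WebView webView = new WebView(context);
        WebSettings settings = webView.getSettings();
        // Content loaded from file:// must not read other local files
        // or reach arbitrary origins via XHR.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Deny file:// loading entirely unless the app genuinely needs it.
        settings.setAllowFileAccess(false);
        return webView;
    }
}
```

To verify on a test device, note that a debuggable WebView registers an abstract Unix socket named `webview_devtools_remote_<pid>` (visible in `/proc/net/unix`); a release build built with this factory should register none.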
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0624 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-489 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | WebView, debugging |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |