WebView File System Access Enabled
Description
WebView file system access is enabled. An attacker able to inject script into a WebView could exploit this to gain unauthorized access to sensitive user data or system files.
Examples
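Insecure Code
```java
// File access enabled: content in the WebView can load file:// URLs.
webView.getSettings().setAllowFileAccess(true);
```
Secure Code
```java
// File access disabled: file:// URLs are not loaded by the WebView.
webView.getSettings().setAllowFileAccess(false);
```
Remediation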
Disable file access in the WebView or restrict it to specific directories.
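
One way to apply both parts of this remediation on Android, as an added example rather than code from the rule itself: file access is turned off and local content is served from a single directory through `WebViewAssetLoader`. The class name `HardenedWebViewConfig`, the `web_content` directory, the `/local/` path prefix and the `androidx.webkit` dependency are assumptions made for illustration.

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;
import java.io.File;

// Hypothetical helper: class, directory and path names are illustrative.
public final class HardenedWebViewConfig {
    private HardenedWebViewConfig() {}

    public static void apply(Context context, WebView webView) {
        WebSettings settings = webView.getSettings();

        // Disable file:// loading and file-origin script access to other content.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Expose exactly one directory under the app's private files dir
        // (assumed name "web_content"); nothing outside it is reachable.
        File webRoot = new File(context.getFilesDir(), "web_content");
        final WebViewAssetLoader loader = new WebViewAssetLoader.Builder()
                .addPathHandler("/local/",
                        new WebViewAssetLoader.InternalStoragePathHandler(context, webRoot))
                .build();

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(
                    WebView view, WebResourceRequest request) {
                // Returns null for URLs the loader does not own, so those
                // requests fall through to normal network handling.
                return loader.shouldInterceptRequest(request.getUrl());
            }
        });

        // Local pages are addressed over https on the loader's default domain
        // instead of file://, so they get a regular web origin.
        webView.loadUrl("https://appassets.androidplatform.net/local/index.html");
    }
}
```

Call `HardenedWebViewConfig.apply(context, webView)` before loading any content so the settings are in place for the first request.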
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0626 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-73 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | WebView, File Access |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |