Java Universal Access From File Urls
Description
Detects when Android WebViews are configured to allow universal access from file URLs, which permits arbitrary file URLs to access content from any origin. This dangerous configuration bypasses Same-Origin Policy restrictions and can lead to malicious file-based cross-site scripting attacks.
Detection Strategy
• Identifies calls to WebView security configuration methods 'setAllowUniversalAccessFromFileURLs' or 'setAllowFileAccessFromFileURLs'
• Checks if these methods are called with 'true' as the argument parameter
• Reports a vulnerability when either of these methods is enabled by setting them to true, as this allows potentially malicious local files to access content from any origin
Vulnerable code example
import android.webkit.WebView;
import android.webkit.WebSettings;
public class InsecureWebView {
public void setupWebView(WebView webView) {
WebSettings settings = webView.getSettings();
settings.setJavaScriptEnabled(true);
settings.setAllowUniversalAccessFromFileURLs(true); // Vulnerable: Allows any file:// URL to access any origin...✅ Secure code example
import android.webkit.WebView;
import android.webkit.WebSettings;
public class SecureWebView {
public void setupWebView(WebView webView) {
WebSettings settings = webView.getSettings();
settings.setJavaScriptEnabled(true); // Enable JS only if strictly required
settings.setAllowUniversalAccessFromFileURLs(false); // Prevent file:// URL CORS attacks...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.