Swift Webview Xss Injection
Description
Identifies potential Cross-Site Scripting (XSS) vulnerabilities in Swift applications where untrusted content is executed through WKWebView's evaluateJavaScript method. That method runs whatever string it receives as JavaScript in the context of the page currently loaded in the WebView, so if the string is built from user input, URL parameters or the body of a user-chosen URL, whoever controls that input chooses what runs. The injected script executes with the loaded page's origin: it can read and modify the DOM, reach cookies and storage the page can reach, and call any native bridge the app exposes through WKScriptMessageHandler, which can lead to data theft or manipulation of the displayed content.
Detection Strategy
• Check whether the WebKit framework is imported in the source file (without it there is no WKWebView to evaluate scripts on)
• Look for calls to the evaluateJavaScript method on WKWebView instances
• Verify whether the JavaScript string being evaluated comes from an unsafe or untrusted source (user input such as a text field, URL parameters, or data fetched from a URL), including when it reaches the call through intermediate variables or string interpolation
• Report a vulnerability when evaluateJavaScript is called with content derived from such a source
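The four steps above, applied in code as an added example that is not Fluid Attacks' rule or tooling: a small Python script that scans Swift source text. It checks for `import WebKit`, locates every `evaluateJavaScript(` call, and follows the argument back through `let`/`var` assignments to the taint sources in `TAINT_SOURCES` (a list assumed here, not given on the page: text-field contents, URL query parameters and a fetched response body). Treating `JSONEncoder`/`JSONSerialization` as sanitizers is also my design choice, on the grounds that a JSON-encoded value spliced into a JavaScript expression is a literal rather than code. The Swift it scans (`SAMPLE_SWIFT`) is constructed for the demo; the first function mirrors the vulnerable pattern on this page.

```python
import re
from collections import namedtuple

# Taint sources (assumed for this demo, not the page's list): fragments that carry
# user input, URL parameters or a response body fetched from a URL.
TAINT_SOURCES = {
    r"\.text\b": "UITextField/UITextView text (user input)",
    r"\bqueryItems\b|\bURLComponents\b": "URL parameters",
    r"\bString\(contentsOf:": "body fetched from a URL",
}
# Treated as sanitizers (my design choice): a JSON-encoded value spliced into a
# JavaScript expression is a string/number literal, not executable code.
SANITIZERS = r"\bJSONEncoder\(\)\.encode\(|\bJSONSerialization\.data\("
ASSIGNMENT = re.compile(r"\b(?:let|var)\s+(\w+)\s*(?::[^=\n]+)?=\s*(.+)")
STRING_LITERAL = re.compile(r'"(?:[^"\\\n]|\\.)*"')
Finding = namedtuple("Finding", "line argument reason")


def extract_call_arg(src, start):
    # Text between a call's parentheses, given the index just after '('.
    # Parentheses inside string literals (e.g. an interpolation "\(x)") do not count.
    depth, in_str, escaped = 1, False, False
    for i in range(start, len(src)):
        c = src[i]
        if in_str:
            if escaped:
                escaped = False
            elif c == "\\":
                escaped = True
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return src[start:i]
    return src[start:]


def strip_plain_literals(expr):
    # Blank out string literals without "\(...)" interpolation: they cannot carry data.
    return STRING_LITERAL.sub(lambda m: m.group(0) if "\\(" in m.group(0) else '""', expr)


def taint_reason(expr, assignments, seen=frozenset()):
    # Why `expr` is tainted, following identifiers back through their assignments;
    # None when no source reaches it or a sanitizer cuts the flow.
    expr = strip_plain_literals(expr)
    if re.search(SANITIZERS, expr):
        return None
    for pattern, why in TAINT_SOURCES.items():
        if re.search(pattern, expr):
            return why
    for ident in re.findall(r"\b[A-Za-z_]\w*\b", expr):
        if ident in assignments and ident not in seen:
            why = taint_reason(assignments[ident], assignments, seen | {ident})
            if why:
                return f"{why} via `{ident}`"
    return None


def scan_swift(src):
    # Step 1: without `import WebKit` there is no WKWebView.evaluateJavaScript.
    if not re.search(r"^\s*import\s+WebKit\b", src, re.M):
        return []
    assignments = {name: rhs.strip() for name, rhs in ASSIGNMENT.findall(src)}
    findings = []
    for m in re.finditer(r"\bevaluateJavaScript\(", src):  # Step 2: each call site
        arg = extract_call_arg(src, m.end())
        reason = taint_reason(arg, assignments)  # Steps 3 and 4: tainted argument?
        if reason:
            findings.append(Finding(src.count("\n", 0, m.start()) + 1, arg.strip(), reason))
    return findings


# Constructed Swift input for the demo (not code from the page).
SAMPLE_SWIFT = """\
import UIKit
import WebKit
func unsafeEval(inputField: UITextField) async throws {
    let webView = WKWebView()
    _ = try await webView.evaluateJavaScript(String(contentsOf: URL(string: inputField.text ?? "")!))
}
func evalFromURL(webView: WKWebView, link: URL) async throws {
    let params = URLComponents(url: link, resolvingAgainstBaseURL: false)?.queryItems ?? []
    let payload = params.first?.value ?? ""
    _ = try await webView.evaluateJavaScript("render('\\(payload)')")
}
func safeEval(webView: WKWebView, inputField: UITextField) async throws {
    let json = String(decoding: try JSONEncoder().encode(inputField.text ?? ""), as: UTF8.self)
    _ = try await webView.evaluateJavaScript("showMessage(\\(json))")
    _ = try await webView.evaluateJavaScript("document.title")
}
"""

if __name__ == "__main__":
    for f in scan_swift(SAMPLE_SWIFT):
        print(f"line {f.line}: evaluateJavaScript({f.argument})  <- {f.reason}")
```

The tracking is syntactic and intraprocedural: a name assigned anywhere in the file is treated as that value, function parameters are not followed across calls, and only the listed patterns count as sources, so the output is a list of candidates to review rather than a verdict. Against the sample it reports the two calls that consume the text field and the URL parameters and stays silent on the JSON-encoded value and the fixed literal.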
Vulnerable code example
import UIKit
import WebKit

func unsafeJavaScriptEval(inputField: UITextField) async throws {
    let webView = WKWebView()
    // VULNERABLE: the URL is taken from a text field, the response body is fetched
    // and handed straight to evaluateJavaScript, so whoever controls the URL or the
    // server behind it decides what runs in the WebView (the force unwrap also
    // crashes on text that is not a valid URL)
    _ = try await webView.evaluateJavaScript(String(contentsOf: URL(string: inputField.text ?? "")!))
}
✅ Secure code example
import UIKit
import WebKit

func safeJavaScriptEval(inputField: UITextField) async throws {
    let webView = WKWebView()
    guard let urlString = inputField.text, !urlString.isEmpty else {
        throw NSError(domain: "ValidationError", code: 1, userInfo: [NSLocalizedDescriptionKey: "Invalid URL"])
    }
    // Completed here (the original example is truncated after the guard): accept only https URLs
    guard let url = URL(string: urlString), url.scheme == "https" else { throw URLError(.badURL) }
    // SAFE: load the page as a document in the WebView; its body is never evaluated as JavaScript
    webView.load(URLRequest(url: url))
}