Dart XSS From WebView Injection

Description

Detects potential Cross-Site Scripting (XSS) vulnerabilities in Flutter applications using WebView components. These vulnerabilities occur when untrusted web content is loaded into WebViews without proper security controls, allowing malicious JavaScript execution that could compromise the application.

Weakness:

008 - Reflected cross-site scripting (XSS)

Category: Unexpected Injection

Detection Strategy

    Checks if the application imports the 'webview_flutter' package

    Scans for WebView instantiations and configurations in the code

    Reports a vulnerability when WebView implementations are found with unsafe JavaScript configurations or unvalidated content loading

Vulnerable code example

import 'package:webview_flutter/webview_flutter.dart';

void executeJsFromQueryParam(String urlWithParams, WebViewController controller) {
  final uri = Uri.parse(urlWithParams);
  final userInput = uri.queryParameters['msg'] ?? '';  // Unsafe: Untrusted input from URL query (may be absent)
  controller.runJavascript(userInput);  // Vulnerable: Executes unvalidated JavaScript
}

✅ Secure code example

import 'dart:convert';
import 'package:webview_flutter/webview_flutter.dart';

void executeJsFromQueryParam(String urlWithParams, WebViewController controller) {
  final uri = Uri.parse(urlWithParams);
  final userInput = uri.queryParameters['msg'];
  
  if (userInput != null) {...
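
The following is an added example, not part of the original entry or the rule's own secure code. It shows one way to handle the `msg` parameter as data: the value is length-checked, encoded as a JavaScript string literal and passed to a fixed page function instead of being executed. The helper names, the `maxLength` limit and the page function `window.showMessage` are assumptions; `runJs` stands for the controller's script method (`controller.runJavascript` in the code above).

```dart
import 'dart:convert';

/// Hypothetical helper (not from webview_flutter): builds a script that
/// passes the untrusted `msg` value to a fixed page function as data.
/// Returns null when there is nothing safe to send.
String? buildShowMessageScript(String urlWithParams, {int maxLength = 256}) {
  final uri = Uri.tryParse(urlWithParams);
  final msg = uri?.queryParameters['msg'];
  if (msg == null || msg.isEmpty || msg.length > maxLength) return null;

  // jsonEncode yields a quoted string literal with quotes, backslashes and
  // control characters escaped, so the value cannot close the literal.
  // U+2028/U+2029 and '<' are escaped as well, in case the script is ever
  // embedded in HTML or run by an engine that treats them as line breaks.
  final literal = jsonEncode(msg)
      .replaceAll('\u2028', r'\u2028')
      .replaceAll('\u2029', r'\u2029')
      .replaceAll('<', r'\u003c');

  // Assumption: the trusted page defines window.showMessage and writes its
  // argument with textContent, never innerHTML.
  return 'window.showMessage($literal);';
}

/// Sends the message through `runJs`; returns false when input is rejected.
Future<bool> sendMessageToWebView(
    String urlWithParams, Future<void> Function(String) runJs) async {
  final script = buildShowMessageScript(urlWithParams);
  if (script == null) return false;
  await runJs(script);
  return true;
}

Future<void> main() async {
  // Constructed input: in the vulnerable version this value runs as code.
  const url = 'https://example.test/open?msg=%22);alert(1);//';
  // A stand-in for the controller that prints the script it would receive.
  final sent = await sendMessageToWebView(url, (script) async => print(script));
  print('sent: $sent');
}
```

Encoding only protects the string literal; the receiving page function still has to treat the argument as text when it writes it into the DOM.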