Java: SQLInjection example for addJavaScriptInterface query

2025-12-20 10:46:30 +01:00 · 2022-11-30 13:32:28 -05:00
parent d35321f40e
commit 04829fc38e
1 changed files with 16 additions and 4 deletions
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
@@ -1,11 +1,23 @@
-class ExposedObject {
+import android.webkit.JavascriptInterface;
+import android.database.sqlite.SQLiteOpenHelper;
+
+class ExposedObject extends SQLiteOpenHelper {
    @JavascriptInterface
-    public String example() {
-        return "String from Java";
+    public String studentEmail(String studentName) {
+        // SQL injection
+        String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";
+
+        Cursor cursor = db.rawQuery(query, null);
+        cursor.moveToFirst();
+        String email = cursor.getString(0);
+
+        return email;
    }
 }

 webview.getSettings().setJavaScriptEnabled(true);
 webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
 webview.loadData("", "text/html", null);
-webview.loadUrl("javascript:alert(exposedObject.example())");
+
+String name = "Robert'; DROP TABLE students; --";
+webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");