Merge pull request #12905 from geoffw0/webviewdoc

Swift: Doc review for swift/unsafe-webview-fetch
Geoffrey White
2023-04-27 11:23:53 +01:00
committed by GitHub


@@ -3,7 +3,8 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, for example using <code>file://</code>. Data can then be extracted from the software using the URL of a machine under the attackers control. More generally, an attacker may use a URL under their control as part of a cross-site scripting attack.</p>
<p>Fetching data in a web view without restricting the base URL may allow an attacker to access sensitive local data, for example using <code>file://</code>. Data can then be extracted from the software using the URL of a machine under the attacker's control. More generally, an attacker may use a URL under their control as part of a cross-site scripting attack.</p>
</overview>
<recommendation>
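Review bot: In the reworded overview paragraph, "Data can then be extracted from the software using the URL of a machine under the attacker's control" is still hard to parse, since it does not say who moves the data or where it goes. Consider wording along the lines of "The data can then be sent to a server under the attacker's control." The paragraph also gives <code>file://</code> as the only example of a dangerous base URL while the last sentence talks about attacker-controlled URLs in general, so it would help to state explicitly that the risk comes from the base URL being left unrestricted, which ties the overview to what the recommendation section asks the developer to change.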
@@ -25,7 +26,7 @@
<references>
<li>
<a href="https://www.allysonomalley.com/2018/12/03/ios-bug-hunting-web-view-xss/">iOS Bug Hunting - Web View XSS</a>
<a href="https://www.allysonomalley.com/2018/12/03/ios-bug-hunting-web-view-xss/">iOS Bug Hunting - Web View XSS</a>.
</li>
</references>
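Review bot: The full stop added after the closing </a> in this <li> should be applied the same way to every other entry under <references> so the rendered list is consistent; only this one entry is visible in the hunk, so please confirm the rest of the file matches. Placing the full stop outside the anchor is the right choice, since it keeps the punctuation out of the link text. As a documentation point, the visible reference is a personal blog post, which may move or disappear, so pairing it with a more stable reference would make the help page more durable.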