Cross-app scripting
OWASP category: MASVS-CODE: Code Quality
Overview
A WebView is an embedded browser component in Android applications that displays web content inside an app. It renders HTML, CSS, and JavaScript within the app's user interface.
Cross-app scripting is broadly associated with the execution of malicious code in the context of a victim application. For the purposes of this document, the subject is limited to the injection of malicious JavaScript code into a vulnerable WebView.
When an app accepts malicious JavaScript into a WebView without sufficient validation or sanitization, the application is vulnerable to cross-app scripting.
Impact
Cross-app scripting vulnerabilities can be exploited when attacker-controlled JavaScript content is passed to the vulnerable app's WebView without being validated or sanitized. As a result, the JavaScript code provided by the attacker is executed in the context of the victim application's WebView. The malicious JavaScript code can then use the same permissions as the victim app, which may lead to theft of sensitive user data and account hijacking.
Mitigations
Disable JavaScript
If your application does not require JavaScript, disable it to ensure it cannot become a threat:
Kotlin
// Get the WebView Object
val webView = findViewById<WebView>(R.id.webView)
val webSettings = webView.settings
// Disable JavaScript
webSettings.javaScriptEnabled = false
Java
// Get the WebView Object
WebView webView = (WebView) findViewById(R.id.webView);
WebSettings webSettings = webView.getSettings();
// Disable JavaScript for the WebView
webSettings.setJavaScriptEnabled(false);
If your application does require JavaScript, ensure that you own or control all JavaScript passed to the WebView. Do not allow the WebView to execute arbitrary JavaScript; see the guidance in the next section.
Ensure only expected content is loaded into WebView
When using methods like shouldOverrideUrlLoading(), loadUrl(), or evaluateJavascript(), make sure that any URLs passed to them are checked. As stated earlier, any JavaScript passed to the WebView should only come from expected domains, so it is important to verify what is being loaded.
For practical advice and examples, see OWASP's input validation documentation (https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) and this Android security checklist for WebViews (https://blog.oversecured.com/Android-security-checklist-webview/).
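As an added example (not code from the Android documentation), the following Kotlin shows one way to enforce the check described above: a WebViewClient that only allows navigation to an explicit allow-list of HTTPS hosts, plus a helper that validates an externally supplied URL before passing it to loadUrl(). The host names, the Intent extra name, and the class and function names are assumptions made for this example.

```kotlin
// Added example, not from the Android docs: allow-list navigation in a WebView.
// The hosts, the "extra_url" extra name and the helper names are constructed
// placeholders for this example; replace them with your own.
import android.content.Intent
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

object TrustedOrigins {
    // Assumption: the app only ever needs web content from these hosts.
    private val allowedHosts = setOf("example.com", "www.example.com")

    // Accepts a URL only if it is https:// and its host is exactly one of the
    // allow-listed hosts. Exact matching (not suffix matching) means that
    // "example.com.evil.test" is rejected; non-http(s) schemes such as
    // javascript: or file: have no host and are rejected as well.
    fun isTrusted(url: String?): Boolean {
        if (url.isNullOrEmpty()) return false
        val uri = Uri.parse(url)
        val scheme = uri.scheme?.lowercase() ?: return false
        val host = uri.host?.lowercase() ?: return false
        // Reject userinfo tricks such as https://example.com@evil.test/
        if (uri.userInfo != null) return false
        return scheme == "https" && host in allowedHosts
    }
}

class AllowListWebViewClient : WebViewClient() {
    // Called for top-level navigations (links, redirects, JS-driven location
    // changes). Returning true cancels the navigation; returning false lets
    // the WebView load it.
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        return !TrustedOrigins.isTrusted(request.url.toString())
    }
}

// Loads a URL handed to the Activity by another app (here via an Intent extra)
// only after it has been validated; otherwise falls back to the app's own page.
fun loadExternalUrlSafely(webView: WebView, intent: Intent) {
    val requested = intent.getStringExtra("extra_url")
    val target = requested?.takeIf { TrustedOrigins.isTrusted(it) }
        ?: "https://www.example.com/"
    webView.webViewClient = AllowListWebViewClient()
    webView.loadUrl(target)
}
```

shouldOverrideUrlLoading() is not invoked for URLs the app itself passes to loadUrl(), which is why the Intent-supplied URL is validated separately before loading. It also does not cover subresource or iframe requests; shouldInterceptRequest() is the hook for those. The WebResourceRequest overload used here requires API level 24; on older levels the deprecated String overload is the one that runs, and it should apply the same check.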
Set secure file access settings for WebView
Ensuring that files are not accessible can prevent arbitrary JavaScript from being executed within WebViews. The following WebSettings should be considered when securing file access:
- Disable file access. By default, setAllowFileAccess is set to True in API level 29 and lower, which permits access to local files. In API level 30 and higher the default is False. To ensure file access is not permitted, explicitly set setAllowFileAccess to False.
- Disable content access. The default setting of setAllowContentAccess is True. Content URL access allows the WebView to load content from a content provider installed in the system. If your app does not require content access, set setAllowContentAccess to False to prevent potential misuse in a cross-app scripting attack.
Kotlin
webView.settings.javaScriptEnabled = false
webView.settings.domStorageEnabled = true
webView.settings.allowFileAccess = false
webView.settings.allowContentAccess = false
Java
webView.getSettings().setJavaScriptEnabled(false);
webView.getSettings().setDomStorageEnabled(true);
webView.getSettings().setAllowFileAccess(false);
webView.getSettings().setAllowContentAccess(false);
Enable Safe Browsing
Enable Safe Browsing in AndroidManifest.xml to scan URLs passed to the WebView for phishing or malicious domains:
<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />
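Beyond enabling the feature in the manifest, an app can decide how to react when Safe Browsing flags a URL. The following Kotlin is an added example, not code from the Android documentation: a WebViewClient override of onSafeBrowsingHit() that always returns to the last safe page instead of showing the default click-through interstitial, and a helper that calls WebView.startSafeBrowsing() before the first load. It assumes API level 27 or higher; the onBlocked callback and the helper names are assumptions for this example.

```kotlin
// Added example, not from the Android docs: handling Safe Browsing hits.
// Requires API level 27+ and a WebView implementation that supports
// Safe Browsing. The onBlocked callback and helper names are constructed
// for this example.
import android.content.Context
import android.webkit.SafeBrowsingResponse
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

class SafeBrowsingWebViewClient(
    // Assumption: the app wants to log or surface (url, threat label) pairs.
    private val onBlocked: (url: String, threat: String) -> Unit
) : WebViewClient() {

    // Invoked when Safe Browsing classifies a URL as a threat. The default
    // implementation shows an interstitial the user can click through; this
    // override instead navigates back to the previous safe page every time.
    override fun onSafeBrowsingHit(
        view: WebView,
        request: WebResourceRequest,
        threatType: Int,
        callback: SafeBrowsingResponse
    ) {
        val label = when (threatType) {
            WebViewClient.SAFE_BROWSING_THREAT_MALWARE -> "malware"
            WebViewClient.SAFE_BROWSING_THREAT_PHISHING -> "phishing"
            WebViewClient.SAFE_BROWSING_THREAT_UNWANTED_SOFTWARE -> "unwanted software"
            else -> "unknown"
        }
        onBlocked(request.url.toString(), label)
        // backToSafety(true): go back to the last safe page and also report
        // the hit to Safe Browsing; pass false to suppress the report.
        callback.backToSafety(true)
    }
}

// Initializes Safe Browsing before the first page load. The boolean handed to
// `load` reports whether the WebView implementation on this device supports
// Safe Browsing, so the caller can fall back to first-party content only.
fun startSafeBrowsingThen(context: Context, webView: WebView, load: (supported: Boolean) -> Unit) {
    webView.webViewClient = SafeBrowsingWebViewClient { url, threat ->
        // Assumption: the app logs blocked navigations for its own telemetry.
        android.util.Log.w("SafeBrowsing", "Blocked $threat URL: $url")
    }
    WebView.startSafeBrowsing(context) { supported -> load(supported) }
}
```

The manifest meta-data above turns the feature on; onSafeBrowsingHit() is where the app chooses what happens after a hit. Because startSafeBrowsing() is asynchronous, the first loadUrl() should be issued from its callback rather than immediately after the call.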
Resources
- Safe Browsing documentation: /privacy-and-security/safetynet/safebrowsing
- WebView developer reference: /reference/android/webkit/WebView
- WebSettings for WebView developer reference: /reference/android/webkit/WebSettings
- setAllowFileAccess developer documentation: /reference/android/webkit/WebSettings#setAllowFileAccess(boolean)
- setAllowContentAccess developer reference: /reference/android/webkit/WebSettings#setAllowContentAccess(boolean)
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated (UTC): 2025-07-26.