added blog post for targeting android framework (#169)

shivasurya · web-flow · commit 656e4060af55 · 2024-10-21T21:14:50.000Z
* added blog post for targeting android framework

* added content for blog post

* added content for blog post
diff --git a/docs/public/assets/webview.webp b/docs/public/assets/webview.webp
diff --git a/docs/src/content/docs/blog/finding-webview-misconfigurations-android.mdx b/docs/src/content/docs/blog/finding-webview-misconfigurations-android.mdx
@@ -0,0 +1,145 @@
+---
+title: Detecting WebView Misconfigurations in Android With Code-PathFinder
+description: "A short blog post about finding WebView misconfigurations in Android with Code-PathFinder"
+template: splash
+author: "@sshivasurya"
+pubDate: "2024-10-20"
+---
+
+import PostHogLayout from '../../../layouts/PostHogLayout.astro';
+import { Card } from '@astrojs/starlight/components';
+
+<PostHogLayout>
+</PostHogLayout>
+
+
+  <Card title="">
+    <div style=" margin: 2rem auto; padding: 0 1.5rem; max-width: 800px;">
+      ## Introduction
+
+      Android WebView is a component that allows you to display web content in your Android application. It's fairly complex to configure and easy to misconfigure. From browsers to
+      third-party applications, they use powerful APIs to interact with the web, such as sending cookies, setting local storage, setting headers, and more.
+      In this blog post, we will discuss how to detect WebView misconfigurations in Android with [Code-PathFinder](https://github.com/shivasurya/code-pathfinder).
+
+      ![Android WebView Illustration](/assets/webview.webp)
+
+      ### WebView Misconfigurations
+
+      - Cross-site scripting
+      - Enabling content access from WebView JavaScript
+      - Enabling file access from WebView JavaScript
+      - Enabling universal file access from WebView JavaScript
+      - JavaScript settings
+      - WebView JavaScript interface injection
+
+      #### Cross-site scripting
+
+      Cross-site scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious code into a web application. This can be used to steal sensitive information,
+      such as user credentials, or to take control of the victim's account. WebView poses a couple of methods to execute JavaScript in the context of the WebView, and it doesn't respect the
+      same-origin policy. Such methods are:
+
+      - `loadUrl`
+      - `loadData`
+      - `loadDataWithBaseURL`
+      - `evaluateJavascript`
+      - `evaluateJavaScriptAsync`
+
+      When using these methods, it's important to ensure that the data being passed in is properly sanitized and validated. Additionally, the application should be aware of the context in which
+      the JavaScript code is being used. Code-PathFinder helps you find the code path where the JavaScript is being executed and the data being passed in is not properly sanitized and validated.
+
+      ```sql
+      FROM MethodInvocation AS mi
+      WHERE
+        mi.GetName() = "loadUrl" || mi.GetName() = "loadData"
+        || mi.GetName() = "loadDataWithBaseURL"
+        || mi.GetName() = "evaluateJavascript"
+        || mi.GetName() = "evaluateJavaScriptAsync"
+      SELECT mi, mi.GetEnclosingMethod()
+      ```
+
+
+      #### Enabling Content URL access from WebView
+
+      The content protocol allows loading data from a URL. For instance, content:// is used to load data from a file on the device such as images, videos, etc. While this is a useful feature, it can also be
+      misused to access sensitive data from the application's file system. This can be done by using the `setAllowContentAccess` method of the WebView class. Using Code-PathFinder, you can find the code path where the
+      `setAllowContentAccess` method is being called.
+
+      ```sql
+      FROM MethodInvocation AS mi
+      WHERE
+        mi.GetName() = "setAllowContentAccess"
+      SELECT mi, mi.GetEnclosingMethod()
+      ```
+
+      ### Enabling File access from WebView JavaScript
+
+      The file protocol allows loading data from a file on the device. For instance, file:// is used to load data from a file on the device such as images, videos, etc. While this is a useful feature, it can also be
+      misused to access sensitive data from the application's file system. This can be done by using the `setAllowFileAccess` method of the WebView class. Using Code-PathFinder, you can find the code path where the
+      `setAllowFileAccess` and `setAllowFileAccessFromFileURLs` methods are being called.
+
+      ```sql
+      FROM MethodInvocation AS mi
+      WHERE
+       mi.GetName() = "setAllowFileAccess"
+       || mi.GetName() = "setAllowFileAccessFromFileURLs"
+      SELECT mi, mi.GetEnclosingMethod()
+      ```
+
+      ### Enabling Universal file access from WebView JavaScript
+
+      The `setAllowUniversalAccessFromFileURLs` method allows JavaScript to access the file protocol from any origin. This can be used to access sensitive data from the application's file system. If this WebView setting is enabled,
+      the web page can access the file system of the device. While this is a useful feature to flexibly access files and content, it seriously poses a security threat when arbitrary website JavaScript is loaded into the frame.
+      Using Code-PathFinder, you can find the code path where the `setAllowUniversalAccessFromFileURLs` method is being called.
+
+      ```sql
+      FROM MethodInvocation AS mi
+      WHERE
+        mi.GetName() = "setAllowUniversalAccessFromFileURLs"
+      SELECT mi, mi.GetEnclosingMethod()
+      ```
+
+      ### JavaScript settings
+
+      JavaScript settings can be used to control the behavior of the WebView. For instance, you can enable or disable JavaScript, enable or disable JavaScript interfaces, enable or disable JavaScript's ability to open windows,
+      and enable or disable JavaScript's ability to open popups. Using Code-PathFinder, you can find the code path where the `setJavaScriptEnabled` method is being called.
+
+      ```sql
+      FROM MethodInvocation AS mi
+      WHERE
+        (mi.GetName() = "setJavaScriptEnabled" && "true" in mi.getArgumentName())
+        || (mi.GetName() = "setJavaScriptCanOpenWindowsAutomatically" && "true" in mi.getArgumentName())
+      SELECT mi, mi.GetEnclosingMethod()
+      ```
+
+      ### JavaScript interfaces
+
+      Here comes the most important ⚠️ and exciting part of the WebView. JavaScript interfaces allow you to expose native methods to JavaScript. For instance, you can expose a native method to JavaScript to open a file picker
+      or execute Java methods. Historically, [JavaScript interfaces](https://labs.withsecure.com/publications/webview-addjavascriptinterface-remote-code-execution) were abused to execute arbitrary code on the device and
+      attain remote code execution. Using Code-PathFinder, you can find the code path where the `addJavascriptInterface` method is being called.
+
+      ```sql
+      predicate isJavaScriptEnabled(method_invocation mi) {
+        mi.getName() == "addJavascriptInterface"
+      }
+
+      FROM method_invocation AS mi
+      WHERE isJavaScriptEnabled(mi)
+      SELECT mi.getName(), "JavaScript interface exposed"
+      ```
+
+      The above vulnerability classification is based on the [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) and [OWASP Mobile Security Testing Guide](https://owasp.org/www-project-mobile-security-testing-guide/).
+
+      ### Conclusion
+
+      While [Code-PathFinder, the open-source alternative to CodeQL](https://codepathfinder.dev), is a powerful tool for finding security vulnerabilities in Android applications, one can always tweak the queries to filter out false positives
+      more effectively compared to grep-based scanners like `Semgrep` or `ast-grep`. This is because the taint analysis and source-to-sink analysis are far more powerful than grep-based scanners. Give it a try and file an [issue](https://github.com/shivasurya/code-pathfinder/issues)
+      if you find any bugs or have any suggestions.
+
+
+      ### Contributing to Code-PathFinder OSS
+
+      If you are interested in contributing to Code-PathFinder, please check out the [Code-PathFinder](https://github.com/shivasurya/code-pathfinder) repository.
+      Give it a try and file an issue if you find any bugs or have any suggestions.
+      </div>
+  </Card>
+
diff --git a/docs/src/content/docs/blog/index.mdx b/docs/src/content/docs/blog/index.mdx
@@ -35,7 +35,7 @@ export const allPosts = await getCollection('docs', ({ id, data }) => {
       <ul style="list-style-type: none;">
       <li> <h3><a href={`/${post.slug}`} style="text-decoration:none">{post.data.title}</a></h3></li>
       {post.data.description}
-     <p style="font-size: 0.8rem;">written by <a href="https://shivasurya.me">Shivasurya</a></p>
+     <p style="font-size: 0.8rem;">Crafted by <a href="https://x.com/sshivasurya">@sshivasurya</a></p>
      <hr />
      </ul>
   ))}
