cordova-issues mailing list archives

From "Kerri Shotts (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-12430) URL Redirection to Untrusted Site ('Open Redirect')
Date Fri, 10 Feb 2017 19:49:42 GMT

    [ https://issues.apache.org/jira/browse/CB-12430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861759#comment-15861759 ]

Kerri Shotts commented on CB-12430:
-----------------------------------

The report indicates a specific call containing a URL redirection. Please provide more information
as to where the flaw was found, what specific redirection is occurring, what version of Cordova
and associated Cordova platforms you are using, and what plugins (if any) you have in the
project.

Do keep in mind that Cordova uses a web view, so at some point {{loadUrl}} is going to be
invoked. That in and of itself is not necessarily problematic -- it is the app
developer's responsibility to ensure that they don't instruct Cordova to load malicious resources.

> URL Redirection to Untrusted Site ('Open Redirect') 
> ----------------------------------------------------
>
>                 Key: CB-12430
>                 URL: https://issues.apache.org/jira/browse/CB-12430
>             Project: Apache Cordova
>          Issue Type: Bug
>            Reporter: Sahil
>
> In a Veracode scan of the Android application, the following flaw was observed.
> Attack Vector: android.webkit.WebView.loadUrl
> Description: This call to android.webkit.WebView.loadUrl() contains a URL redirection
> to untrusted site flaw. Writing unsanitized user-supplied input into a URL value could cause
> the web application to redirect the request to the specified URL, leading to phishing attempts
> to steal user credentials.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
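
The point made in the comment above, that the app developer must not hand untrusted input
to the web view, is what the scanner finding boils down to. The following is an added
example written for this archive page; it is not code from Apache Cordova or from the
reporter's application. It shows the flagged pattern (an attacker-controlled string flowing
straight into loadUrl) next to an allowlist check that a native plugin or activity could run
first. The hostnames app.example.com and login.example.com and the sample inputs are
constructed; the class uses only java.net.URI so it compiles and runs on a plain JDK, and the
Android-only WebView.loadUrl call is shown as a comment.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class SafeNavigation {
    // Hosts this app is willing to load into its WebView (constructed example values).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "app.example.com",
            "login.example.com"));

    // The pattern a scanner reports as an open redirect (Android-only, so left as a comment):
    //   String target = getIntent().getStringExtra("url"); // attacker controlled
    //   webView.loadUrl(target);                           // loads whatever was supplied
    //
    // Hardened form: only load what sanitizeTarget() returns, and refuse on null:
    //   String safe = SafeNavigation.sanitizeTarget(target);
    //   if (safe != null) { webView.loadUrl(safe); } else { /* show an error, do not load */ }

    /** Returns a normalized https URL on an allowed host, or null if the input must be refused. */
    public static String sanitizeTarget(String raw) {
        if (raw == null) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return null; // backslashes, spaces, control characters and other unparseable input
        }
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.toLowerCase(Locale.ROOT).equals("https")) {
            return null; // rejects javascript:, file:, content:, http: and scheme-relative input
        }
        if (uri.getUserInfo() != null) {
            return null; // https://app.example.com@evil.example/ parses with host evil.example
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return null; // no authority, or one java.net.URI could not parse as a hostname
        }
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1); // "app.example.com." is the same host
        }
        if (!hostAllowed(host)) {
            return null;
        }
        // Rebuild the URL from the parsed parts so the string that gets loaded is the one checked.
        try {
            return new URI("https", null, host, uri.getPort(), uri.getPath(),
                    uri.getQuery(), uri.getFragment()).toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Exact match, or a subdomain of an allowed host; the leading "." stops
    // "app.example.com.evil.example" from matching on a plain suffix test.
    private static boolean hostAllowed(String host) {
        for (String allowed : ALLOWED_HOSTS) {
            if (host.equals(allowed) || host.endsWith("." + allowed)) {
                return true;
            }
        }
        return false;
    }

    // Constructed inputs exercising the check; none of these come from a real report.
    public static void main(String[] args) {
        String[] samples = {
            "https://app.example.com/dashboard",           // allowed
            "HTTPS://App.Example.com./dashboard",          // allowed after normalization
            "https://sso.login.example.com:8443/a?b=1",    // allowed subdomain with port
            "https://app.example.com.evil.example/",       // rejected: different host
            "https://app.example.com@evil.example/",       // rejected: userinfo trick
            "https://evil.example\\@app.example.com/",     // rejected: unparseable
            "javascript:alert(document.cookie)",           // rejected: wrong scheme
            "//evil.example/",                             // rejected: no scheme
            "http://app.example.com/"                      // rejected: not https
        };
        for (String s : samples) {
            String result = sanitizeTarget(s);
            System.out.println((result == null ? "REFUSE  " : "LOAD    ") + s
                    + (result == null ? "" : "  ->  " + result));
        }
    }
}
```

In a Cordova project the `<allow-navigation>` entries in config.xml govern navigations that
go through Cordova's own web view wrapper, but a raw android.webkit.WebView.loadUrl() call
made from plugin or other native code is not necessarily covered by that check, which is why a
check of this kind belongs next to the call the scanner flagged.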

