cordova-issues mailing list archives

From "Kerri Shotts (JIRA)" <>
Subject [jira] [Commented] (CB-12430) URL Redirection to Untrusted Site ('Open Redirect')
Date Fri, 10 Feb 2017 19:49:42 GMT


Kerri Shotts commented on CB-12430:

The report indicates a specific call containing a URL redirection. Please provide more information
as to where the flaw was found, what specific redirection is occurring, what version of Cordova
and associated Cordova platforms you are using, and what plugins (if any) you have in the

Do keep in mind that Cordova uses a web view, so {{loadUrl}} is going to be
invoked at some point. That in and of itself is not necessarily problematic -- it is the app
developer's responsibility to ensure that they don't instruct Cordova to load malicious resources.

> URL Redirection to Untrusted Site ('Open Redirect') 
> ----------------------------------------------------
>                 Key: CB-12430
>                 URL:
>             Project: Apache Cordova
>          Issue Type: Bug
>            Reporter: Sahil
> In a Veracode scan of the Android application, the following flaw was observed.
> Attack Vector: android.webkit.WebView.loadUrl
> Description: This call to android.webkit.WebView.loadUrl() contains a URL redirection
> to untrusted site flaw. Writing unsanitized user-supplied input into a URL value could cause
> the web application to redirect the request to the specified URL, leading to phishing attempts
> to steal user credentials.
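
An allow-list check of the kind the comment leaves to the app developer, run on a URL value before the app navigates the web view to it. This is an added example, not part of the original message or of Cordova's code; the names checkNavigationTarget and ALLOWED_HOSTS and the example.com hosts are hypothetical.

```javascript
// Added example: validate a URL taken from user-supplied input before the
// app navigates to it. ALLOWED_HOSTS and checkNavigationTarget are
// hypothetical names; the hosts are constructed sample values.
const ALLOWED_HOSTS = new Set(['app.example.com', 'login.example.com']);

function checkNavigationTarget(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  if (typeof rawUrl !== 'string' || rawUrl.trim() === '') {
    return { ok: false, reason: 'empty' };
  }
  let url;
  try {
    // No base URL is passed, so relative and protocol-relative input
    // ("//host/path") fails to parse instead of inheriting an origin.
    url = new URL(rawUrl.trim());
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  // Rejects javascript:, data:, file:, intent: and cleartext http:.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // "https://app.example.com@other.test/" has host other.test; the part
  // before "@" is userinfo. Credentials in a navigation URL are refused.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'userinfo' };
  }
  // Exact match on the parsed hostname. A substring or suffix test on the
  // raw string would accept "app.example.com.other.test".
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: 'host' };
  }
  // Callers navigate to the normalized href, not to the raw input, so the
  // string that was checked is the string that is loaded.
  return { ok: true, href: url.href };
}
```

The function returns a reason code on rejection so that refused targets can be logged and reviewed.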
