HP fortify scan


Mohamad Najia
May 30, 2017, 4:32:10 PM
to phonegap
Hello,

We have scanned my application using HP Fortify; approximately 90% of the high and critical issues are related to the Cordova framework.
One of the samples provided by HP Fortify:
Dynamic Code Evaluation: Code Injection (Critical)
Package: org.apache.cordova.engine
CordovaLib/src/org/apache/cordova/engine/SystemWebViewEngine 2.java, line  (Dynamic Code Evaluation: Code Injection)
Critical
Issue Details
Kingdom: Input Validation and Representation
Scan Engine: SCA (Structural)
Sink Details
Sink: FunctionCall: addJavascriptInterface
Enclosing Method: exposeJsInterface()
File: CordovaLib/src/org/apache/cordova/engine/SystemWebViewEngine 2.java
Taint Flags:
        return;
    }
    SystemExposedJsApi exposedJsApi = new SystemExposedJsApi(bridge);
    webView.addJavascriptInterface(exposedJsApi, "_cordovaNative");
}

Any ideas?

Thx,

jcesarmobile
May 31, 2017, 9:16:09 AM
to phonegap
addJavascriptInterface is considered insecure by a lot of "security scan" apps.

Here is an issue that somebody opened after using another "security scan" app.
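The finding above is about the bridge pattern itself, not about a bug in the quoted lines. The following is an added example, written for this thread and not taken from Cordova or from either poster, showing how a WebView JavaScript bridge is exposed so that the two things a scanner like Fortify flags are addressed: only methods annotated with @JavascriptInterface are reachable from page JavaScript (enforced by Android when the app's targetSdkVersion is 17 or higher, which the example assumes), the bridge is not attached at all on WebViews older than API 17 (where every public method of the exposed object was reachable), and only local app content is allowed to load in the WebView. The class and method names (HardenedBridgeExample, NativeBridge, echo, _nativeBridge) and the asset path are assumptions for illustration; they are not Cordova identifiers.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example (not Cordova code): a deliberately narrow JavaScript bridge.
// Assumes the app declares targetSdkVersion >= 17, otherwise the
// @JavascriptInterface filtering described below does not apply.
public final class HardenedBridgeExample {

    private static final String TAG = "HardenedBridge";
    private static final String LOCAL_PREFIX = "file:///android_asset/";

    // The object handed to addJavascriptInterface. On API 17+ only the
    // annotated method is callable from JS; every other public method,
    // including getClass(), is hidden from the page.
    public static final class NativeBridge {

        @JavascriptInterface
        public String echo(String message) {
            // Treat everything arriving from the page as untrusted input:
            // reject nulls and cap the size before it reaches native code.
            if (message == null || message.length() > 256) {
                return "";
            }
            return "native:" + message;
        }

        // Public but NOT annotated: not reachable from JavaScript on API 17+.
        public void resetInternalState() {
            Log.d(TAG, "internal method, never exposed to the page");
        }
    }

    // Android enforces the annotation only from JELLY_BEAN_MR1 (API 17).
    public static boolean bridgeIsSafeToExpose() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1;
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void attach(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);

        // Only bundled app content may be navigated to in this WebView, so
        // remote pages never get a window in which to script the bridge.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                boolean block = !url.startsWith(LOCAL_PREFIX);
                if (block) {
                    Log.w(TAG, "blocked navigation to " + url);
                }
                return block; // true = do not load
            }
        });

        if (bridgeIsSafeToExpose()) {
            webView.addJavascriptInterface(new NativeBridge(), "_nativeBridge");
        } else {
            // Pre-API-17: refuse to expose any object rather than risk
            // reflection over its full public surface.
            Log.w(TAG, "WebView too old for a safe JS bridge; not attaching");
        }

        webView.loadUrl(LOCAL_PREFIX + "www/index.html");
    }
}
```

From the page, the only thing visible is `window._nativeBridge.echo("hi")`; calling `window._nativeBridge.resetInternalState()` fails with a type error because the method carries no annotation. A static scanner will still flag the `addJavascriptInterface` call itself, so the review question is whether the exposed object is this narrow, not whether the call exists.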
