
Universal Cross Site Scripting at pywebview


Specification

  • pywebview version: 3.4
  • operating system: all

Description

What is UXSS? Read Here

Vulnerable Function

`evaluate_js`

`evaluate_js` allows sending JavaScript code to any origin. That allows an attacker to inject JavaScript code into any website.

POC file: uxss.zip

Extract the zip and run uxss.py.

[Screenshot attached to the original issue: Screen Shot 2021-07-20 at 11.39.31 AM]

Suggest

I think pywebview needs to block sending JavaScript code to a window that has opened another domain or origin.

Practicalities

  • I am willing to work on this issue myself: No
  • I am prepared to support this issue financially: No
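One way an application could implement the guard suggested above on its own side, as an added example that is neither part of the original issue nor pywebview's own code: the wrapper refuses to run a script unless the window's current URL belongs to an allow-listed origin. It assumes only that the wrapped object exposes `get_current_url()` and `evaluate_js()`, as pywebview's window object does; `GuardedWindow`, `origin_of` and `_FakeWindow` are hypothetical helpers written for this example.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None for anything else.

    Opaque and local URLs (about:blank, file://, data:) deliberately map to None,
    so they are never treated as an allowed origin by accident.
    """
    parts = urlsplit(url or "")
    if parts.scheme in ("http", "https") and parts.hostname:
        default_port = 443 if parts.scheme == "https" else 80
        return (parts.scheme, parts.hostname.lower(), parts.port or default_port)
    return None


class GuardedWindow:
    """Hypothetical wrapper that only forwards evaluate_js() to allowed origins.

    Assumes the wrapped window exposes get_current_url() and evaluate_js(),
    as a pywebview window does.
    """

    def __init__(self, window, allowed_origins):
        self._window = window
        self._allowed = {origin_of(o) for o in allowed_origins}
        self._allowed.discard(None)
        self.blocked = []  # refused (url, script) pairs, useful for logging

    def evaluate_js(self, script):
        url = self._window.get_current_url()
        if origin_of(url) not in self._allowed:
            self.blocked.append((url, script))
            return None
        return self._window.evaluate_js(script)


class _FakeWindow:
    """Constructed stand-in for a pywebview window so the guard runs offline."""

    def __init__(self, url):
        self.url = url
        self.executed = []

    def get_current_url(self):
        return self.url

    def evaluate_js(self, script):
        self.executed.append(script)
        return "ok"
```

The check happens at injection time only: a script already running in the page before it navigated elsewhere is not affected, and there is a small window between reading the URL and evaluating the script, so this is a mitigation inside the application rather than a browser-level origin boundary.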

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 11 (4 by maintainers)

Top GitHub Comments

r0x0r commented, Aug 2, 2021 (3 reactions)

In my opinion this is not an issue. Consider the following pseudo-code:

```python
import webview


def custom_logic(window):
    # Placeholders for whatever code the developer chooses to ship in the app
    remove_all_the_files_in_homedir()
    download_and_install_malware()


window = webview.create_window('UXSS POC', html="""<h1>UXSS POC</h1>""")
webview.start(custom_logic, window)
```

The point here is that if the developer chooses to place malicious code in the distributed app, there is nothing that I could do. In the end it is the responsibility of the end-user to trust or not to trust other people’s code.

As long as the javascript code is injected by the developer, there is no point in introducing security limitations.

github-actions[bot] commented, Sep 7, 2021 (0 reactions)

The message to post on the issue when closing it. If none provided, will not comment when closing an issue.
