🔍 WebView Security Probe

iOS / Android WebView Misconfiguration Tester
Callback URL: Use webhook.site, interactsh, or Burp Collaborator. Leave blank for local-only results.
Custom handler names: Add handler names found by iosassess or manual reversing.
Target paths: Default targets are pre-loaded. Add app-specific paths.
CRITICAL allowUniversalAccessFromFileURLs
Tests whether XHR/fetch can read file:// URIs from the current origin. Exploitable when the WebView loads local content; from an HTTPS origin this is expected to fail.
HIGH allowFileAccessFromFileURLs
Tests if an iframe with file:// src can be created and read. Also tests via XMLHttpRequest to local paths.
HIGH WKScriptMessageHandler (JS Bridge)
Probes window.webkit.messageHandlers for registered native bridge handlers. Tests both common names and your custom-specified handlers.
HIGH Android addJavascriptInterface
Probes for Android JS interface objects on window. Checks common names like Android, app, JSBridge.
HIGH Scheme & Navigation Tests
Tests if the WebView allows navigation to dangerous schemes: file://, javascript:, data:, custom app schemes.

How to Interpret Results

  1. VULNERABLE — The test succeeded, confirming the misconfiguration is exploitable from this context.
  2. NOT EXPLOITABLE — The flag may be set, but the browser engine blocked exploitation from this origin.
  3. INCONCLUSIVE — Network error or timeout; re-test or try a different approach.
  4. DETECTED — The handler/interface exists and is callable, even if the response is unknown.

Key nuance: allowUniversalAccessFromFileURLs and allowFileAccessFromFileURLs are primarily exploitable when the WebView loads content via the file:// scheme. If you're testing from an https:// page (like this one, hosted on GitHub Pages), these tests will likely show NOT EXPLOITABLE because the browser engine enforces the same-origin policy at that level. That doesn't mean the flags aren't set, only that the attack vector requires a local-file loading context.
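For the developer who has to fix what the probe finds, here is the weak Android WebView setup these checks succeed against next to a hardened one. This is an added example, not code from the probe page or from any project it references; it assumes an app whose only legitimate origin is the hypothetical host app.example.com and a target API level of 24 or later (for the WebResourceRequest overload of shouldOverrideUrlLoading).

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Weak vs. hardened Android WebView setup (example code, not part of the probe). */
public final class WebViewHardeningExample {

    // Hypothetical origin the app legitimately loads; substitute your own.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    private WebViewHardeningExample() {}

    /**
     * The configuration the probe's CRITICAL/HIGH file-URL checks succeed against when the
     * WebView loads local (file://) content: a file-origin page may read other local files
     * and reach any origin, and the bridge sits on window.Android, one of the common names
     * the probe enumerates.
     */
    public static void weakConfig(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
        wv.addJavascriptInterface(new NarrowBridge(), "Android");
    }

    /** Hardened configuration: no file:// access at all, a narrow bridge, a scheme allowlist. */
    public static void hardenedConfig(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);               // keep only if the content needs JS
        s.setAllowFileAccess(false);                // file:// cannot be loaded at all
        s.setAllowContentAccess(false);             // no content:// provider access
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        wv.addJavascriptInterface(new NarrowBridge(), "appBridge");
        wv.setWebViewClient(new SchemeAllowlistClient());
    }

    /**
     * Minimal bridge: on targetSdk >= 17 only @JavascriptInterface-annotated methods are
     * reachable from script, so annotate one argument-free method and nothing else.
     */
    public static final class NarrowBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    /** Rejects navigation to file://, javascript:, data: and custom app schemes. */
    public static final class SchemeAllowlistClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            // Returning true means "handled by the app", i.e. the WebView does NOT navigate.
            return !isAllowedNavigation(request.getUrl());
        }
    }

    /** Only https to an allowlisted host passes; everything else is refused. */
    public static boolean isAllowedNavigation(Uri target) {
        if (target == null || target.getScheme() == null || target.getHost() == null) {
            return false;
        }
        return "https".equals(target.getScheme().toLowerCase(Locale.ROOT))
                && ALLOWED_HOSTS.contains(target.getHost().toLowerCase(Locale.ROOT));
    }
}
```

Two points worth keeping in mind when applying this: the WebSettings flags, not the WebViewClient, are the control that decides the file-URL tests above (shouldOverrideUrlLoading is not consulted for every load, for instance the initial loadUrl or POST requests), and a bridge is only as safe as the content that can reach it, so register it only on WebViews that load the allowlisted origin.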