Insecure whitelist configuration

Description

The application's Cordova whitelist (declared in config.xml) allows unrestricted access to all resources, for example through a wildcard "*" entry, instead of authorizing only the origins the application actually needs.

Recommendation

Cordova offers a security model that gives developers the tools to prevent unauthorized access to external resources and to reduce the impact of Cross-Site Scripting vulnerabilities.

The Cordova whitelist controls which origins the application may reach (network requests from the WebView, navigation of the WebView itself, and URLs handed off to other apps) and must authorize only the resources the application explicitly needs. A wildcard entry such as "*" or "http://*/*" defeats this control.

To enable Cordova whitelisting, follow these steps:

  1. Install the Cordova Whitelist Plugin: if you haven't already, install the Cordova Whitelist Plugin by running the following command in your project directory (note that cordova-android 10 and later integrate this functionality into the platform, so the plugin is no longer required there):
cordova plugin add cordova-plugin-whitelist
  2. Configure the Whitelist: once the plugin is installed, configure the whitelist in your config.xml file. Specify which external resources the application is allowed to access with <access>, <allow-navigation> and <allow-intent> elements, each restricted to the specific origins you need.
<!-- Allow network requests (XHR, fetch, resources) only to a specific origin -->
<access origin="https://api.example.com" />

<!-- Allow the WebView to navigate only to a specific domain -->
<allow-navigation href="https://example.com/*" />

<!-- Insecure: allows navigation to all URLs; this is the configuration to avoid -->
<allow-navigation href="*" />

<!-- Allow opening URLs in the system browser; "http://*/*" and "https://*/*" hand off any web link, so restrict these too where possible -->
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
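The following is an added example, not code from the original page or from the Apache Cordova project: a small Node.js audit script that scans a config.xml for the three whitelist elements and flags every entry whose host is a wildcard. The two config.xml documents embedded in it are constructed for this example (the app id and hostnames are placeholders); the first is the insecure configuration described above, the second a hardened equivalent. A regular expression is enough for these flat, self-closing elements; use a real XML parser for anything more complex.

```javascript
// Added example (not from the original page or from Apache Cordova).
// Audits a Cordova config.xml for over-permissive whitelist entries.

// Constructed sample: the insecure configuration (wildcards everywhere).
const INSECURE_CONFIG = `<?xml version="1.0" encoding="utf-8"?>
<widget id="com.example.app" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <name>Example</name>
  <access origin="*" />
  <allow-navigation href="*" />
  <allow-intent href="*" />
</widget>`;

// Constructed sample: the hardened configuration (explicit origins only).
const HARDENED_CONFIG = `<?xml version="1.0" encoding="utf-8"?>
<widget id="com.example.app" version="1.0.0" xmlns="http://www.w3.org/ns/widgets">
  <name>Example</name>
  <!-- network requests (XHR/fetch) only to the API host -->
  <access origin="https://api.example.com" />
  <!-- the WebView may only navigate within the app's own site -->
  <allow-navigation href="https://app.example.com/*" />
  <!-- links to the public website open in the system browser -->
  <allow-intent href="https://www.example.com/*" />
  <allow-intent href="tel:*" />
</widget>`;

// Matches the three self-closing whitelist elements and captures their attribute text.
const ELEMENT_RE = /<(access|allow-navigation|allow-intent)\b([^>]*?)\/?>/g;
const ATTR_RE = /(\w[\w-]*)\s*=\s*"([^"]*)"/g;

// Returns [{ tag, value, attrs }] for every whitelist element in the document.
// <access> uses the "origin" attribute; the other two use "href".
function parseWhitelist(xml) {
  const entries = [];
  for (const m of xml.matchAll(ELEMENT_RE)) {
    const tag = m[1];
    const attrs = {};
    for (const a of m[2].matchAll(ATTR_RE)) attrs[a[1]] = a[2];
    const value = tag === 'access' ? attrs.origin : attrs.href;
    if (value !== undefined) entries.push({ tag, value, attrs });
  }
  return entries;
}

// True when the whole pattern is "*" or its host component is "*":
// "*", "http://*/*", "https://*", "*://*/*".
// A subdomain wildcard ("https://*.example.com") or a scheme-only
// pattern without a host ("tel:*") is not treated as a wildcard host.
function isWildcardHost(value) {
  const v = value.trim();
  if (v === '*') return true;
  const m = /^([a-z][a-z0-9+.-]*|\*):\/\/([^/]*)/i.exec(v);
  if (!m) return false;
  return m[2] === '*';
}

// Returns one finding per wildcard-host entry. <access> and <allow-navigation>
// decide what the WebView may fetch or load, so a wildcard there is rated high;
// <allow-intent> only hands URLs to other apps and is rated medium.
function auditConfig(xml) {
  const findings = [];
  for (const e of parseWhitelist(xml)) {
    if (!isWildcardHost(e.value)) continue;
    const severity = e.tag === 'allow-intent' ? 'medium' : 'high';
    findings.push({ tag: e.tag, value: e.value, severity });
  }
  return findings;
}

// Stand-alone run: report both constructed configurations.
function main() {
  for (const [name, xml] of [['insecure', INSECURE_CONFIG], ['hardened', HARDENED_CONFIG]]) {
    const findings = auditConfig(xml);
    console.log(`${name}: ${findings.length} wildcard-host entries`);
    for (const f of findings) console.log(`  [${f.severity}] <${f.tag}> ${f.value}`);
  }
}

main();
```

Run it with node against the two embedded samples; to audit a real project, read the project's config.xml into a string and pass it to auditConfig. The script is deliberately conservative: it only flags wildcard hosts, so a reviewer still has to judge whether the remaining explicit origins are all necessary.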

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_1
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_1
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_7_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_STORAGE_1
    • MASVS_RESILIENCE_2
    • MASVS_RESILIENCE_3
    • MASVS_CODE_4
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5