What is the final impact of this kill-chain?

The final step lands on Identify XSS sink in WebView content (MOB-WEBVIEW-XSS), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

WebView XSS → JS bridge → native code exec

WebView loads partially-attacker-controlled content (e.g. injected referral param) and exposes addJavascriptInterface — XSS in the page calls the bridge to run app-level code.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Execution

Reach native code execution

T1059 · Command and Scripting Interpreter

Impact

Craft XSS that calls bridge methods

W-XSS-DOM · DOM-Based XSS

Reconnaissance

Reverse APK, find JS bridge

MOB-APK-REVERSE · APK Reverse Engineering

Initial Access

Deliver via deeplink / referral param

MOB-DEEPLINK-ABUSE · Android Deeplink / Intent Abuse

Impact

Identify XSS sink in WebView content

MOB-WEBVIEW-XSS · Android WebView XSS / JS Bridge

§ Context

Assumed environment: target uses an Android WebView to render content with a parameter the attacker influences (deeplink, server response). addJavascriptInterface exposes a 'helper' object.

§ Steps

01
Reach native code executionExecution
T1059— Command and Scripting Interpreter
02
Craft XSS that calls bridge methodsImpact
W-XSS-DOM— DOM-Based XSS
03
Reverse APK, find JS bridgeReconnaissance
MOB-APK-REVERSE— APK Reverse Engineering
04
Deliver via deeplink / referral paramInitial Access
MOB-DEEPLINK-ABUSE— Android Deeplink / Intent Abuse
05
Identify XSS sink in WebView contentImpact
MOB-WEBVIEW-XSS— Android WebView XSS / JS Bridge

§ References

T1059Command and Scripting Interpreter

§ Frequently asked

What is the "WebView XSS → JS bridge → native code exec" attack path?: WebView loads partially-attacker-controlled content (e.g. injected referral param) and exposes addJavascriptInterface — XSS in the page calls the bridge to run app-level code. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Reach native code execution (T1059) — a execution primitive. Assumed environment: target uses an Android WebView to render content with a parameter the attacker influences (deeplink, server response).
What is the final impact of this kill-chain?: The final step lands on Identify XSS sink in WebView content (MOB-WEBVIEW-XSS), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
Deeplink abuse → in-app account takeover
Exported activity registers a custom URL scheme that triggers an OAuth-style 'confirm reset' action without validating the source — phishing URL clicks reset another user's password.

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Deeplink abuse → in-app account takeover