Example - WebView File Access and Cross-Origin
This site is used with the Pentesting Exploits Noted In Smartphones training course.
If you reached this site via Axolotl, then you've successfully reached out to the external website.
Type your JavaScript into the text box below, and tap eval.
This will execute your input as JavaScript.
Note that alert() does not work in this WebView because this WebView does not use setWebChromeClient().
Analyze this activity and learn about WebView File Access and CORS rules to exfiltrate files.
If you see the image below, then the image _axolotl_phone_1.jpg was loaded via a file:// scheme (not Assets or Res folders).
If you see the image below, then the image _axolotl_phone_2.jpg was loaded via a content:// scheme.
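
For the defensive side of this exercise, the following added example (not code from the course or its app) shows the WebSettings switches that govern the file:// and content:// loads described above, set to their restrictive values, plus a WebViewClient that rejects any request outside an allowed scheme. The class name HardenedWebView and the https-only policy are assumptions made for illustration.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Locale;

/** Added example (hypothetical class name): restrict a WebView to https content. */
public final class HardenedWebView {
    private HardenedWebView() {}

    public static void apply(WebView webView) {
        WebSettings s = webView.getSettings();
        // Refuse file:// URLs from the file system. Assets and resources under
        // file:///android_asset and file:///android_res stay reachable.
        s.setAllowFileAccess(false);
        // Refuse content:// URLs served by content providers.
        s.setAllowContentAccess(false);
        // Script running in a file:// page may not read other file:// URLs...
        s.setAllowFileAccessFromFileURLs(false);
        // ...and may not reach any other origin.
        s.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl()); // true cancels the navigation
            }

            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                if (isAllowed(request.getUrl())) {
                    return null; // null lets the WebView load the resource itself
                }
                // Anything else (file:, content:, data:, http:) gets an empty body.
                return new WebResourceResponse("text/plain", "UTF-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });
    }

    // Assumption: this app only needs https; widen the check if yours differs.
    static boolean isAllowed(Uri uri) {
        String scheme = uri.getScheme();
        return scheme != null && "https".equals(scheme.toLowerCase(Locale.ROOT));
    }
}
```

Call HardenedWebView.apply(webView) before the first loadUrl(). With these settings in place, both images on this page would fail to render.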
