I fixed the vulnerability with the implementation of the WebViewClient.onReceivedSslError handler in my Android project but I would like to know how can I test it.
Previously my code was:
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
Log.d("message","message");
handler.proceed(); // Ignore SSL certificate errors
}
and after my fix is:
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
Log.d("a message","a message");
final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
builder.setTitle("Error");
builder.setMessage("Certificate is invalid");
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
For example can I modify the host in android emulator in order to point to a page that can throw ssl exception?
You can generate an error by following steps: