diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md index c144196ff1..05ae7fee42 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md @@ -16,10 +16,10 @@ masvs_v1_levels: For the static analysis we will focus mostly on the following points having `UIWebView` and `WKWebView` under scope. -- [Identifying WebView usage](#identifying-webview-usage) -- [Testing JavaScript configuration](#testing-javascript-configuration) -- [Testing for Mixed Content](#testing-for-mixed-content) -- [Testing for WebView URI manipulation](#testing-for-webview-uri-manipulation) +- Identifying WebView usage +- Testing if JavaScript is Enabled +- Testing for Mixed Content +- Testing for WebView URI Manipulation ### Identifying WebView Usage @@ -65,9 +65,9 @@ $ xcrun swift-demangle __T0So9WKWebViewCABSC6CGRectV5frame_So0aB13ConfigurationC configuration: __C.WKWebViewConfiguration) -> __C.WKWebView ``` -### Testing JavaScript Configuration +### Testing if JavaScript is Enabled -First of all, remember that JavaScript cannot be disabled for `UIWebVIews`. +First of all, remember that JavaScript cannot be disabled for `UIWebView`s. For `WKWebView`s, as a best practice, JavaScript should be disabled unless it is explicitly required. To verify that JavaScript was properly disabled search the project for usages of `WKPreferences` and ensure that the [`javaScriptEnabled`](https://developer.apple.com/documentation/webkit/wkpreferences/1536203-javascriptenabled "WKPreferences javaScriptEnabled") property is set to `false`: 
@@ -84,7 +84,7 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "javascriptenabled" 392 0x0002f2d9 0x10002f2d9 21 22 (4.__TEXT.__objc_methname) ascii setJavaScriptEnabled: ``` -If user scripts were defined, they will continue running as the `javaScriptEnabled` property won't affect them. See [WKUserContentController](https://developer.apple.com/documentation/webkit/wkusercontentcontroller "WKUserContentController") and [WKUserScript](https://developer.apple.com/documentation/webkit/wkuserscript "WKUserScript") for more information on injecting user scripts to WKWebViews. +If user scripts were defined, they will continue running as the `javaScriptEnabled` property won't affect them. See [`WKUserContentController`](https://developer.apple.com/documentation/webkit/wkusercontentcontroller "WKUserContentController") and [WKUserScript](https://developer.apple.com/documentation/webkit/wkuserscript "WKUserScript") for more information on injecting user scripts to WKWebViews. ### Testing for Mixed Content @@ -110,9 +110,9 @@ Make sure that the WebView's URI cannot be manipulated by the user in order to l For the dynamic analysis we will address the same points from the static analysis. -- [Enumerating WebView instances](#enumerating-webview-instances) -- [Checking if JavaScript is enabled](#checking-if-javascript-is-enabled) -- [Testing for Mixed Content](#testing-for-mixed-content-1) +- Enumerating WebView Instances +- Testing if JavaScript is Enabled +- Testing for Mixed Content It is possible to identify WebViews and obtain all their properties on runtime by performing dynamic instrumentation. This is very useful when you don't have the original source code. diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md index 5593661101..790f97d224 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md 
@@ -14,15 +14,15 @@ masvs_v1_levels: ## Static Analysis -- Testing how WebViews are loaded +- Testing How WebViews Load Content - Testing WebView file access - Checking telephone number detection -### Testing How WebViews are Loaded +### Testing How WebViews Load Content If a WebView is loading content from the app data directory, users should not be able to change the filename or path from which the file is loaded, and they shouldn't be able to edit the loaded file. -This presents an issue especially in `UIWebView`s loading untrusted content via the deprecated methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617979-loadhtmlstring?language=objc "UIWebView loadHTMLString:baseURL:") or [`loadData:MIMEType:textEncodingName: baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617941-loaddata?language=objc "UIWebView loadData:MIMEType:textEncodingName:baseURL:") and setting the `baseURL` parameter to `nil` or to a `file:` or `applewebdata:` URL schemes. In this case, in order to prevent unauthorized access to local files, the best option is to set it instead to `about:blank`. However, the recommendation is to avoid the use of `UIWebView`s and switch to `WKWebView`s instead. +This presents an issue especially in `UIWebView`s loading untrusted content via the deprecated methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617979-loadhtmlstring?language=objc "UIWebView loadHTMLString:baseURL:") or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617941-loaddata?language=objc "UIWebView loadData:MIMEType:textEncodingName:baseURL:") and setting the `baseURL` parameter to `nil` or to a `file:` or `applewebdata:` URL schemes. In this case, in order to prevent unauthorized access to local files, the best option is to set it instead to `about:blank`. 
However, the recommendation is to avoid the use of `UIWebView`s and switch to `WKWebView`s instead. Here's an example of a vulnerable `UIWebView` from ["Where's My Browser?"](https://github.com/authenticationfailure/WheresMyBrowser.iOS/blob/master/WheresMyBrowser/UIWebViewController.swift#L219 "Where\'s My Browser? UIWebViewController.swift Line 219"): @@ -153,14 +153,14 @@ In a real-world scenario, JavaScript can only be injected through a permanent ba For what concerns this section we will learn about: -- Checking how WebViews are loaded +- Testing How WebViews Load Content - Determining WebView file access -### Checking How WebViews are Loaded +### Testing How WebViews Load Content -As we have seen above in "Testing How WebViews are Loaded", if "scenario 2" of the WKWebViews is loaded, the app will do so by calling [`URLForResource:withExtension:`](https://developer.apple.com/documentation/foundation/nsbundle/1411540-urlforresource?language=objc "NSBundle URLForResource:withExtension:") and `loadHTMLString:baseURL`. +If `WKWebView`'s "scenario 2" of the ["Where's My Browser?"](https://github.com/authenticationfailure/WheresMyBrowser.iOS/blob/master/WheresMyBrowser/WKWebViewController.swift#L196) app is loaded, the app will do so by calling [`URLForResource:withExtension:`](https://developer.apple.com/documentation/foundation/nsbundle/1411540-urlforresource?language=objc "NSBundle URLForResource:withExtension:") and `loadHTMLString:baseURL`. -To quickly inspect this, you can use frida-trace and trace all "loadHTMLString" and "URLForResource:withExtension:" methods. +To quickly inspect this, you can use frida-trace and trace all `loadHTMLString` and `URLForResource:withExtension:` methods. ```bash $ frida-trace -U "Where's My Browser?"
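Review bot: in MASTG-TEST-0076.md, hunk `@@ -16,10 +16,10 @@`, the four overview bullets lose their in-page links, so the static analysis overview no longer navigates to its sections. If the goal was only to track the heading rename, keep the links and update the one target that changed, following the slug pattern of the removed lines, for example `[Testing if JavaScript is Enabled](#testing-if-javascript-is-enabled)`.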
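Review bot: in MASTG-TEST-0076.md, hunk `@@ -65,9 +65,9 @@`, renaming the heading `### Testing JavaScript Configuration` retires the `#testing-javascript-configuration` anchor that the list removed in the first hunk pointed at. Please search the rest of the repository for links to that anchor and update them in this patch, or state in the commit message that none exist.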
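Review bot: in MASTG-TEST-0076.md, hunk `@@ -84,7 +84,7 @@`, only the `WKUserContentController` link text gains code formatting, while `[WKUserScript]` and the trailing "WKWebViews" in the same sentence stay plain. Suggest formatting all three class names the same way, as the `UIWebView`s fix in the previous hunk does.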
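Review bot: in MASTG-TEST-0076.md, hunk `@@ -110,9 +110,9 @@`, the dynamic analysis bullet changes from "Checking if JavaScript is enabled" to "Testing if JavaScript is Enabled", but no hunk in this patch renames a matching heading in the dynamic section, so the bullet may no longer name an existing section. The new bullets also repeat the static analysis titles word for word (the removed `#testing-for-mixed-content-1` link shows the headings already collide), and without links a reader cannot tell which section is meant. Either rename the dynamic heading in the same patch or keep the "Checking ..." wording, and keep the links.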
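Review bot: in MASTG-TEST-0077.md, hunk `@@ -14,15 +14,15 @@`, the first bullet becomes title case ("Testing How WebViews Load Content") while its neighbours "Testing WebView file access" and "Checking telephone number detection" stay in sentence case. Pick one convention for the list; if the bullets are meant to mirror the headings, update the other two bullets here as well.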
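Review bot: in MASTG-TEST-0077.md, hunk `@@ -153,14 +153,14 @@`, the rewritten sentence still ends with `loadHTMLString:baseURL` without the trailing colon, although the selector is written `loadHTMLString:baseURL:` in the static analysis hunk of the same file; since the line is being touched anyway, fix it here. Two smaller points on the same lines: the new "Where's My Browser?" link targets `blob/master/...#L196` and has no title, unlike the other links in this file, so a commit permalink with a title would be more stable; and the renamed heading now duplicates the static section's `### Testing How WebViews Load Content`, while the list still mixes it with the sentence-case "Determining WebView file access".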