From 496cf066c23334c44a6e7807a08776f15f3672ed Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Sat, 25 Jan 2025 09:47:13 +0100 Subject: [PATCH 1/3] Update MASTG-TEST-0076 (minor fixes) --- tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md index c144196ff1..bcfc7a7ff1 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md @@ -17,9 +17,9 @@ masvs_v1_levels: For the static analysis we will focus mostly on the following points having `UIWebView` and `WKWebView` under scope. - [Identifying WebView usage](#identifying-webview-usage) -- [Testing JavaScript configuration](#testing-javascript-configuration) +- [Testing if JavaScript is Enabled](#testing-if-javascript-is-enabled) - [Testing for Mixed Content](#testing-for-mixed-content) -- [Testing for WebView URI manipulation](#testing-for-webview-uri-manipulation) +- [Testing for WebView URI Manipulation](#testing-for-webview-uri-manipulation) ### Identifying WebView Usage @@ -65,9 +65,9 @@ $ xcrun swift-demangle __T0So9WKWebViewCABSC6CGRectV5frame_So0aB13ConfigurationC configuration: __C.WKWebViewConfiguration) -> __C.WKWebView ``` -### Testing JavaScript Configuration +### Testing if JavaScript is Enabled -First of all, remember that JavaScript cannot be disabled for `UIWebVIews`. +First of all, remember that JavaScript cannot be disabled for `UIWebView`s. For `WKWebView`s, as a best practice, JavaScript should be disabled unless it is explicitly required. To verify that JavaScript was properly disabled search the project for usages of `WKPreferences` and ensure that the [`javaScriptEnabled`](https://developer.apple.com/documentation/webkit/wkpreferences/1536203-javascriptenabled "WKPreferences javaScriptEnabled") property is set to `false`: 
@@ -84,7 +84,7 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "javascriptenabled" 392 0x0002f2d9 0x10002f2d9 21 22 (4.__TEXT.__objc_methname) ascii setJavaScriptEnabled: ``` -If user scripts were defined, they will continue running as the `javaScriptEnabled` property won't affect them. See [WKUserContentController](https://developer.apple.com/documentation/webkit/wkusercontentcontroller "WKUserContentController") and [WKUserScript](https://developer.apple.com/documentation/webkit/wkuserscript "WKUserScript") for more information on injecting user scripts to WKWebViews. +If user scripts were defined, they will continue running as the `javaScriptEnabled` property won't affect them. See [`WKUserContentController`](https://developer.apple.com/documentation/webkit/wkusercontentcontroller "WKUserContentController") and [WKUserScript](https://developer.apple.com/documentation/webkit/wkuserscript "WKUserScript") for more information on injecting user scripts to WKWebViews. ### Testing for Mixed Content @@ -110,9 +110,9 @@ Make sure that the WebView's URI cannot be manipulated by the user in order to l For the dynamic analysis we will address the same points from the static analysis. -- [Enumerating WebView instances](#enumerating-webview-instances) -- [Checking if JavaScript is enabled](#checking-if-javascript-is-enabled) -- [Testing for Mixed Content](#testing-for-mixed-content-1) +- [Enumerating WebView Instances](#enumerating-webview-instances) +- [Testing if JavaScript is Enabled](#testing-if-javascript-is-enabled_1) +- [Testing for Mixed Content](#testing-for-mixed-content_1) It is possible to identify WebViews and obtain all their properties on runtime by performing dynamic instrumentation. This is very useful when you don't have the original source code. From 670bda6fa00f2b265e3abd37be57b25eb420a513 Mon Sep 17 00:00:00 2001 
From: Carlos Holguera Date: Sat, 25 Jan 2025 10:24:04 +0100 Subject: [PATCH 2/3] minor title and content fixes --- tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md index 5593661101..790f97d224 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md 
@@ -14,15 +14,15 @@ masvs_v1_levels: ## Static Analysis -- Testing how WebViews are loaded +- Testing How WebViews Load Content - Testing WebView file access - Checking telephone number detection -### Testing How WebViews are Loaded +### Testing How WebViews Load Content If a WebView is loading content from the app data directory, users should not be able to change the filename or path from which the file is loaded, and they shouldn't be able to edit the loaded file. -This presents an issue especially in `UIWebView`s loading untrusted content via the deprecated methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617979-loadhtmlstring?language=objc "UIWebView loadHTMLString:baseURL:") or [`loadData:MIMEType:textEncodingName: baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617941-loaddata?language=objc "UIWebView loadData:MIMEType:textEncodingName:baseURL:") and setting the `baseURL` parameter to `nil` or to a `file:` or `applewebdata:` URL schemes. In this case, in order to prevent unauthorized access to local files, the best option is to set it instead to `about:blank`. However, the recommendation is to avoid the use of `UIWebView`s and switch to `WKWebView`s instead. +This presents an issue especially in `UIWebView`s loading untrusted content via the deprecated methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617979-loadhtmlstring?language=objc "UIWebView loadHTMLString:baseURL:") or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617941-loaddata?language=objc "UIWebView loadData:MIMEType:textEncodingName:baseURL:") and setting the `baseURL` parameter to `nil` or to a `file:` or `applewebdata:` URL schemes. In this case, in order to prevent unauthorized access to local files, the best option is to set it instead to `about:blank`. 
However, the recommendation is to avoid the use of `UIWebView`s and switch to `WKWebView`s instead. Here's an example of a vulnerable `UIWebView` from ["Where's My Browser?"](https://github.com/authenticationfailure/WheresMyBrowser.iOS/blob/master/WheresMyBrowser/UIWebViewController.swift#L219 "Where\'s My Browser? UIWebViewController.swift Line 219"): @@ -153,14 +153,14 @@ In a real-world scenario, JavaScript can only be injected through a permanent ba For what concerns this section we will learn about: -- Checking how WebViews are loaded +- Testing How WebViews Load Content - Determining WebView file access -### Checking How WebViews are Loaded +### Testing How WebViews Load Content -As we have seen above in "Testing How WebViews are Loaded", if "scenario 2" of the WKWebViews is loaded, the app will do so by calling [`URLForResource:withExtension:`](https://developer.apple.com/documentation/foundation/nsbundle/1411540-urlforresource?language=objc "NSBundle URLForResource:withExtension:") and `loadHTMLString:baseURL`. +If `WKWebView`'s "scenario 2" of the ["Where's My Browser?"](https://github.com/authenticationfailure/WheresMyBrowser.iOS/blob/master/WheresMyBrowser/WKWebViewController.swift#L196) app is loaded, the app will do so by calling [`URLForResource:withExtension:`](https://developer.apple.com/documentation/foundation/nsbundle/1411540-urlforresource?language=objc "NSBundle URLForResource:withExtension:") and `loadHTMLString:baseURL`. -To quickly inspect this, you can use frida-trace and trace all "loadHTMLString" and "URLForResource:withExtension:" methods. +To quickly inspect this, you can use frida-trace and trace all `loadHTMLString` and `URLForResource:withExtension:` methods. ```bash $ frida-trace -U "Where's My Browser?" From 3e11518de01ee057094cab57c0495948fd24d142 Mon Sep 17 00:00:00 2001 
From: Carlos Holguera Date: Sat, 25 Jan 2025 10:31:01 +0100 Subject: [PATCH 3/3] rm links that weren't there anyway --- tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md index bcfc7a7ff1..05ae7fee42 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md @@ -16,10 +16,10 @@ masvs_v1_levels: For the static analysis we will focus mostly on the following points having `UIWebView` and `WKWebView` under scope. -- [Identifying WebView usage](#identifying-webview-usage) -- [Testing if JavaScript is Enabled](#testing-if-javascript-is-enabled) -- [Testing for Mixed Content](#testing-for-mixed-content) -- [Testing for WebView URI Manipulation](#testing-for-webview-uri-manipulation) +- Identifying WebView usage +- Testing if JavaScript is Enabled +- Testing for Mixed Content +- Testing for WebView URI Manipulation ### Identifying WebView Usage @@ -110,9 +110,9 @@ Make sure that the WebView's URI cannot be manipulated by the user in order to l For the dynamic analysis we will address the same points from the static analysis. -- [Enumerating WebView Instances](#enumerating-webview-instances) -- [Testing if JavaScript is Enabled](#testing-if-javascript-is-enabled_1) -- [Testing for Mixed Content](#testing-for-mixed-content_1) +- Enumerating WebView Instances +- Testing if JavaScript is Enabled +- Testing for Mixed Content It is possible to identify WebViews and obtain all their properties on runtime by performing dynamic instrumentation. This is very useful when you don't have the original source code.
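Review bot: PATCH 1/3, hunk `@@ -17,9 +17,9 @@` of MASTG-TEST-0076.md: the anchor rewrite here is dead work, because PATCH 3/3 replaces the same four list items with plain text and drops the links entirely. Squash the two commits so the intermediate state (renamed anchors that are then deleted) never lands in history, and the series reduces to the heading rename plus the link removal.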
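Review bot: PATCH 1/3, hunk `@@ -65,9 +65,9 @@` of MASTG-TEST-0076.md: the `UIWebView`s fix is correct, but the guidance in this paragraph still only tells the tester to search for `WKPreferences` and `javaScriptEnabled`. Apple deprecated `WKPreferences.javaScriptEnabled` in iOS 14 in favour of `WKWebpagePreferences.allowsContentJavaScript`, so an app that never touches the old flag and sets the new one is missed by the suggested search and by the `rabin2 ... | grep -i "javascriptenabled"` check in the next hunk. Since the heading is being renamed anyway, a follow-up sentence pointing at `allowsContentJavaScript` would keep the test accurate for current targets.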
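Review bot: PATCH 1/3, hunk `@@ -84,7 +84,7 @@` of MASTG-TEST-0076.md: the code formatting is applied inconsistently within the one sentence being edited. `WKUserContentController` gains backticks but `[WKUserScript](...)` in the same sentence does not, and the trailing "injecting user scripts to WKWebViews" should become "`WKWebView`s" to match the `UIWebView`s fix made two hunks earlier. Suggest: "See [`WKUserContentController`](...) and [`WKUserScript`](...) for more information on injecting user scripts into `WKWebView`s."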
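Review bot: PATCH 1/3, hunk `@@ -110,9 +110,9 @@` of MASTG-TEST-0076.md: changing the duplicate-heading suffix from `-1` to `_1` only works for the Python-Markdown toc extension used by MkDocs; GitHub's renderer de-duplicates repeated headings with `-1`, so these links would break in the GitHub preview of the file. Given that PATCH 3/3 removes the links anyway, this hunk is best dropped rather than argued over.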
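Review bot: PATCH 2/3, hunk `@@ -14,15 +14,15 @@` of MASTG-TEST-0077.md: the renamed list item "Testing How WebViews Load Content" is title-cased while its siblings "Testing WebView file access" and "Checking telephone number detection" remain sentence case; pick one style for the list. While the long paragraph is being rewritten here, also fix "to a `file:` or `applewebdata:` URL schemes" to "URL scheme" (singular), and the stray-space fix in `loadData:MIMEType:textEncodingName:baseURL:` is good.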
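Review bot: PATCH 2/3, hunk `@@ -153,14 +153,14 @@` of MASTG-TEST-0077.md: the rewritten sentence still ends with `loadHTMLString:baseURL`, which is missing the selector's trailing colon; the static section of the same file writes it correctly as `loadHTMLString:baseURL:`. The new link to `WKWebViewController.swift#L196` is also the only link in this file without a title string, unlike the `UIWebViewController.swift#L219` link a few hunks above. Lastly, "Determining WebView file access" in the list keeps sentence case next to the now title-cased item, same point as in the first hunk.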
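Review bot: PATCH 3/3, hunk `@@ -16,10 +16,10 @@` of MASTG-TEST-0076.md: with the links gone, the list items should simply mirror the headings, but "- Identifying WebView usage" keeps a lower-case "usage" while the heading in the context below is "### Identifying WebView Usage" and the other three items are title case. Suggest "- Identifying WebView Usage".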
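Review bot: PATCH 3/3, hunk `@@ -110,9 +110,9 @@` of MASTG-TEST-0076.md: removing the links also removes the only thing that checked each item against a real heading, and this list was renamed in PATCH 1/3 from "Checking if JavaScript is enabled" to "Testing if JavaScript is Enabled" without any matching heading change in the dynamic-analysis section appearing anywhere in the series. Please confirm the dynamic section actually has a "### Testing if JavaScript is Enabled" heading, or rename it in this commit so the list and the headings agree.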