Port MASTG-TEST-0076 (by @guardsquare) #3041
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,26 @@ | ||||||||||
| --- | ||||||||||
| platform: ios | ||||||||||
| title: Deprecated Usage of UIWebView | ||||||||||
| id: MASTG-TEST-0x76-1 | ||||||||||
| type: [static] | ||||||||||
| weakness: MASWE-0072 | ||||||||||
| --- | ||||||||||
|
|
||||||||||
| ## Overview | ||||||||||
|
|
||||||||||
| `UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. | ||||||||||
|
|
||||||||||
| In this test we can check any references to `UIWebView` inside the binary. | ||||||||||
|
Comment on lines
+11
to
+13
There was a problem hiding this comment.
Suggested change
|
||||||||||
|
|
||||||||||
| ## Steps | ||||||||||
|
|
||||||||||
| 1. Extract the app as described in @MASTG-TECH-0058. | ||||||||||
| 2. Look for references to `UIWebView` in the app using @MASTG-TECH-0070 on all executables and libraries. | ||||||||||
|
|
||||||||||
| ## Observation | ||||||||||
|
|
||||||||||
| The output shows function names and methods for the binaries. | ||||||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||||||
|
|
||||||||||
| ## Evaluation | ||||||||||
|
|
||||||||||
| The test case fails if there are any references to `UIWebView`. | ||||||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| --- | ||
| platform: ios | ||
| title: JavaScript Enabled in WKWebView | ||
| id: MASTG-TEST-0x76-2 | ||
| type: [static] | ||
| weakness: MASWE-0070 | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| [`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer")offers the `javaScriptEnabled` and `allowsContentJavaScript` settings to disable all JavaScript execution. Disabling them avoids all [script injection flaws](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs"). | ||
|
|
||
| ## Steps | ||
|
|
||
| 1. Extract the app as described in @MASTG-TECH-0058. | ||
| 2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify references to `WkWebView`, calls to `WkPreferences.javaScriptEnabled` and | ||
| `WKWebPagePreferences.allowsContentJavaScript`. | ||
|
|
||
| ## Observation | ||
|
|
||
| The output could contain references to `WkWebView` or calls to `WkPreferences.javaScriptEnabled` and `WKWebPagePreferences.allowsContentJavaScript`. | ||
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if there are references to `WkWebView` and one of the following is true: | ||
|
|
||
| - There are no references to `WkPreferences.javaScriptEnabled` or `defaultWebpagePreferences.allowsContentJavaScript`. | ||
| - `WkPreference.javaScriptEnabled` is set to `1`. | ||
| - `WKWebpagePreferences.allowsContentJavaScript` is set to `1`. | ||
|
|
||
| The preferences should be set to `NO` (0), so that JavaScript is not executed in the `WkWebView` to avoid possible script injections. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| platform: ios | ||
| title: URI Manipulation in WebView | ||
| id: MASTG-TEST-0x76-3 | ||
| type: [static] | ||
| weakness: MASWE-0071 | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| The target URL of a [`WkWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") can be set dynamically, for example via the [load](https://developer.apple.com/documentation/webkit/wkwebview/1414954-load "Apple Developer") method. This will load the corresponding content into the view. | ||
|
|
||
| The `WkWebView` can be tricked into showing malicious content if this URL can be controlled by an attacker. The input must be properly sanitized to avoid this issue. | ||
|
|
||
| ## Steps | ||
|
|
||
| 1. Extract the app as described in @MASTG-TECH-0058. | ||
| 2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify data flows from attacker-controlled input to the load method of `WkWebView`. | ||
|
|
||
| ## Observation | ||
|
|
||
| The output could contain [load operations](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") where the URL in the [`URLRequest`](https://developer.apple.com/documentation/foundation/urlrequest?language=objc "Apple Developer") is not hard-coded. | ||
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if an attacker-controlled input is passed into a load operation without being sanitized. | ||
|
|
||
| The URL should not depend on dynamic input. If this is not avoidable, the input must be sanitized. For example, the app must ensure that only URLs with a set of well-known domains are loaded. |
|
There was a problem hiding this comment. @pascalj I just added some old content that was missing from it.
Please double check this and include the new tests accordingly. Thanks a lot! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.