From 7294235750c5ee2bd23208dc8b74bce2fc425436 Mon Sep 17 00:00:00 2001 From: Pascal Jungblut Date: Tue, 5 Nov 2024 16:34:55 +0000 Subject: [PATCH 1/4] Add MASTG-TEST-0076-1 --- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md | 26 +++++++++++++++++++ tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md | 2 ++ 2 files changed, 28 insertions(+) create mode 100644 tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md new file mode 100644 index 00000000000..d012d164872 --- /dev/null +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md @@ -0,0 +1,26 @@ +--- +platform: ios +title: Deprecated Usage of UIWebView +id: MASTG-TEST-0x76-1 +type: [static] +weakness: MASWE-0072 +--- + +## Overview + +`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction/#uiwebview "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. + +In this test we can check any references to `UIWebView` inside the binary. + +## Steps + +1. Extract the app as described in @MASTG-TECH-0058. +2. Look for references to `UIWebView` in the app using @MASTG-TECH-0070 on all executables and libraries. + +## Observation + +The output shows function names and methods for the binaries. + +## Evaluation + +The test case fails if there are any references to `UIWebView`. diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md index 2074c28fbb8..cae90be22a1 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md @@ -8,6 +8,8 @@ title: Testing iOS WebViews masvs_v1_levels: - L1 - L2 +covered_by: [MASTG-TEST-0x76-1,MASTG-TEST-0x76-2,MASTG-TEST-0x76-3] +status: deprecated --- ## Overview From f82d26f6027d354038e9a5eb80f75e2eb9a2104c Mon Sep 17 00:00:00 2001 From: Pascal Jungblut Date: Wed, 6 Nov 2024 14:53:22 +0000 Subject: [PATCH 2/4] Add MASTG-TEST-0x76-2 --- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md | 2 +- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md | 31 +++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md index d012d164872..1732926672d 100644 --- a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md @@ -8,7 +8,7 @@ weakness: MASWE-0072 ## Overview -`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction/#uiwebview "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. +`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. In this test we can check any references to `UIWebView` inside the binary. diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md new file mode 100644 index 00000000000..4058805928d --- /dev/null +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md @@ -0,0 +1,31 @@ +--- +platform: ios +title: JavaScript Enabled in WKWebView +id: MASTG-TEST-0x76-2 +type: [static] +weakness: MASWE-0070 +--- + +## Overview + +[`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer")offers the `javaScriptEnabled` and `allowsContentJavaScript` settings to disable all JavaScript execution. Disabling them avoids all [script injection flaws](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs"). + +## Steps + +1. Extract the app as described in @MASTG-TECH-0058. +2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify references to `WkWebView`, calls to `WkPreferences.javaScriptEnabled` and + `WKWebPagePreferences.allowsContentJavaScript`. + +## Observation + +The output could contain references to `WkWebView` or calls to `WkPreferences.javaScriptEnabled` and `WKWebPagePreferences.allowsContentJavaScript`. + +## Evaluation + +The test case fails if there are references to `WkWebView` and one of the following is true: + +- There are no references to `WkPreferences.javaScriptEnabled` or `defaultWebpagePreferences.allowsContentJavaScript`. +- `WkPreference.javaScriptEnabled` is set to `1`. +- `WKWebpagePreferences.allowsContentJavaScript` is set to `1`. + +The preferences should be set to `NO` (0), so that JavaScript is not executed in the `WkWebView` to avoid possible script injections. From 398a153f462fc1be395b4619e6899aceeaaeb1f6 Mon Sep 17 00:00:00 2001 From: Pascal Jungblut Date: Wed, 6 Nov 2024 14:53:59 +0000 Subject: [PATCH 3/4] Add MASTG-TEST-0x76-3 --- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md new file mode 100644 index 00000000000..380fc0e0f81 --- /dev/null +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md @@ -0,0 +1,28 @@ +--- +platform: ios +title: URI Manipulation in WebView +id: MASTG-TEST-0x76-3 +type: [static] +weakness: MASWE-0071 +--- + +## Overview + +The target URL of a [`WkWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") can be set dynamically, for example via the [load](https://developer.apple.com/documentation/webkit/wkwebview/1414954-load "Apple Developer") method. This will load the corresponding content into the view. + +The `WkWebView` can be tricked into showing malicious content if this URL can be controlled by an attacker. The input must be properly sanitized to avoid this issue. + +## Steps + +1. Extract the app as described in @MASTG-TECH-0058. +2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify data flows from attacker-controlled input to the load method of `WkWebView`. + +## Observation + +The output could contain [load operations](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") where the URL in the [`URLRequest`](https://developer.apple.com/documentation/foundation/urlrequest?language=objc "Apple Developer") is not hard-coded. + +## Evaluation + +The test case fails if an attacker-controlled input is passed into a load operation without being sanitized. + +The URL should not depend on dynamic input. If this is not avoidable, the input must be sanitized. For example, the app must ensure that only URLs with a set of well-known domains are loaded. From 4a0d53dcfea9fbd2c1d3057a52b9ffb496f0e2f9 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Mon, 15 Dec 2025 11:03:02 +0100 Subject: [PATCH 4/4] Apply suggestions from code review --- tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md index 1732926672d..e95fdab14c3 100644 --- a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md @@ -3,14 +3,13 @@ platform: ios title: Deprecated Usage of UIWebView id: MASTG-TEST-0x76-1 type: [static] +available_since: 8.0 weakness: MASWE-0072 --- ## Overview -`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. - -In this test we can check any references to `UIWebView` inside the binary. +In this test, we look for references to [`UIWebView`](../../../Document/0x06h-Testing-Platform-Interaction.md/#uiwebview), a deprecated component since iOS 12.0, in favor of `WKWebView`. `UIWebView` presents security and performance risks: it does not allow JavaScript to be fully disabled, lacks process isolation (which `WKWebView` provides), and doesn’t support modern web security features like Content Security Policy (CSP). ## Steps @@ -19,8 +18,10 @@ In this test we can check any references to `UIWebView` inside the binary. ## Observation -The output shows function names and methods for the binaries. +The output should contain a list of locations where `UIWebViews` are used. ## Evaluation The test case fails if there are any references to `UIWebView`. + +For iOS apps on iOS 8.0 and above, using [`WKWebView`](../../../Document/0x06h-Testing-Platform-Interaction.md/#wkwebview) is essential. `WKWebView` provides enhanced security and control over web view behavior, including the ability to disable JavaScript by setting `javaScriptEnabled` to `false`, reducing the risk of script-based attacks. Additionally, `WKWebView` supports `hasOnlySecureContent`, which ensures that only secure (HTTPS) resources are loaded, further strengthening the app’s protection against insecure content and mixed content vulnerabilities.