Skip to content

Port MASTG-TEST-0077 WebView file access testing to v2 (iOS)#3591

Open
Copilot wants to merge 22 commits intomasterfrom
copilot/add-ios-webview-protocol-tests
Open

Port MASTG-TEST-0077 WebView file access testing to v2 (iOS)#3591
Copilot wants to merge 22 commits intomasterfrom
copilot/add-ios-webview-protocol-tests

Conversation

Copy link
Contributor

Copilot AI commented Dec 15, 2025
edited by cpholguera
Loading

This PR closes #3185

Description

Ports the WebView file access portion of MASTG-TEST-0077 to v2 atomic tests, mirroring the Android implementation in MASTG-TEST-0252/0253.

New Tests:

  • MASTG-TEST-0x01 (static): References to file access APIs in iOS WebViews - checks for allowFileAccessFromFileURLs, allowUniversalAccessFromFileURLs (undocumented KVC-only properties), UIWebView usage, and loadFileURL:allowingReadAccessToURL: configurations
  • MASTG-TEST-0x02 (dynamic): Runtime enumeration of WebView instances using Frida - inspects actual configuration values at runtime

Best Practice:

  • MASTG-BEST-0x01: iOS counterpart to MASTG-BEST-0011 - covers secure WKWebView usage, avoiding undocumented file access properties, and proper baseURL handling

Knowledge Updates:

  • Added a WebView file access section to MASTG-KNOW-0076 covering UIWebView vs WKWebView behavior, undocumented properties, and file loading methods

Demos:

  • MASTG-DEMO-0x01 (static): Demonstrates static analysis using radare2 to detect file access configuration in WKWebView - includes Swift sample code and rabin2 analysis script
  • MASTG-DEMO-0x02 (dynamic): Demonstrates runtime monitoring using Frida to enumerate WKWebView instances and inspect their file access settings - includes Frida script and sample output

Deprecation:

  • Marked MASTG-TEST-0077 as deprecated with covered_by references to new tests

All tests reference MASWE-0069 and link to platform-specific knowledge (MASTG-KNOW-0076) and best practices. The demos focus on WKWebView only (UIWebView excluded as deprecated).

[x] I have read the contributing guidelines.

Original prompt

This section details on the original issue you should resolve

<issue_title>MASTG v1->v2 MASTG-TEST-0077: Testing WebView Protocol Handlers (ios)</issue_title>
<issue_description>
Create a new MASTG v2 test covering for":

Follow the guidelines
</issue_description>

<agent_instructions>Port this test but only focus on the area of "Testing WebView file access" from the v1 test. Create the new tests and demos in alignment with their Android counterparts:
https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0252/
https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0253/

Also create the corresponding best practice, counterpart of MASTG-BEST-0011 for iOS.

Link the best practice and tests to MASTG-KNOW-0076 in their metadata and add any missing sections to MASTG-KNOW-0076.md about WebView file access
</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@cpholguera @barbieri-mobisec please check https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076/ again, I've restored some content that was missing. Maybe this will help clarify your questions.

Also, keep in mind that we're porting these v1 tests to v2 because they may be "old/outdated", have overlaps, etc. We recognized this and created a whole new concept for MASTG tests called "atomic tests" where we reduce tests to their minimum.

In this case:

  • MASTG-TEST-0076 can be split into:

    • Testing if JavaScript is Enabled
    • Testing for Mixed Content
    • Testing for WebView URI manipulation

  • MASTG-TEST-0077 can be split into:

    • Testing How WebViews Load Content
    • Testing WebView file access
    • Checking telephone number detection

We use this just as a starting point, as we take the chance to review the content and see

  • if we really still need everything that's currently there
  • if we need to further split the topics
  • if we need to add any missing topics

For WKWebView (since UIWebView is deprecated), I can use a Frida script to understand how content is loaded in the WebView.
However, it’s unclear what specific risks or issues this aims to uncover. Manipulating the URI seems more relevant to MASTG-TEST-0076, which explicitly addresses WebView URI manipulation.

There are 2 different concerns here:

  • WebViews loading URI which may be controlled by an attacker
  • WebViews loading untrusted content which may also be controlled by an attacker

In MASTG-TEST-0077 > Dynamic Analysis > "Testing How WebViews Load Content", the test explains why baseURL being set to nil is safe for WKWebView and it's not safe for UIWebView because the effective origin is not set to "null", instead it's set to "applewebdata://". But it also says that you should not use UIWebView anyway and that's why the PR adds an additional test for "Deprecated Usage of UIWebView".

I encourage you to keep an eye on the new PRs for these tests and provide feedback and questions in them, and please remember that once the PRs are complete, both MASTG-TEST-0076 and MASTG-TEST-0077 will be deprecated. They will not receive any updates and should not be used for testing as we will provide a new and improved version of this content that is up to date.</comment_new>

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@cpholguera cpholguera changed the title [WIP] Add MASTG v2 test for WebView protocol handlers [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) #2967 Dec 15, 2025
@cpholguera cpholguera changed the title [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) #2967 [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) Dec 15, 2025
Copilot AI and others added 2 commits December 15, 2025 10:39
@cpholguera
Create iOS WebView file access tests and best practice
f989e3b 
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
@cpholguera
Remove package files and update .gitignore
662e2ab 
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
cpholguera
cpholguera reviewed Dec 15, 2025
View reviewed changes
tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md Outdated
profiles: [L1, L2]
status: deprecated
covered_by: [MASTG-TEST-0318, MASTG-TEST-0319]
deprecation_note: "This test has been split into multiple atomic v2 tests. For WebView file access testing, use MASTG-TEST-0318 (static) and MASTG-TEST-0319 (dynamic)."
Copy link
Collaborator

@cpholguera cpholguera Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
deprecation_note: "This test has been split into multiple atomic v2 tests. For WebView file access testing, use MASTG-TEST-0318 (static) and MASTG-TEST-0319 (dynamic)."
deprecation_note: New version available in MASTG V2

Copy link
Contributor Author

Copilot AI Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in bc6ed86

Copilot AI changed the title [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) Port MASTG-TEST-0077 WebView file access testing to v2 (iOS) Dec 15, 2025
Copilot AI requested a review from cpholguera December 15, 2025 10:44
@cpholguera
Copy link
Collaborator

cpholguera commented Dec 15, 2025

@copilot add one demo per new test but ignore the UIWebView case

@cpholguera
Update deprecation note and add iOS WebView demos
bc6ed86 
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Dec 15, 2025

@copilot add one demo per new test but ignore the UIWebView case

Created two demos in bc6ed86:

  • MASTG-DEMO-0081: Static analysis with radare2 for MASTG-TEST-0318
  • MASTG-DEMO-0082: Dynamic analysis with Frida for MASTG-TEST-0319

Both demos focus on WKWebView file access configuration (ignoring UIWebView as requested).

@cpholguera cpholguera requested a review from Copilot March 14, 2026 20:18
Copilot AI reviewed Mar 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Ports the iOS “WebView file access” portion of v1 @MASTG-TEST-0077 into new v2 atomic tests, and adds supporting Knowledge/Demo/Best-Practice content around WKWebView local file loading and relaxed file-origin policies.

Changes:

  • Deprecates v1 MASTG-TEST-0077 and points it to the new v2 coverage.
  • Adds two new v2 iOS tests (static + dynamic) for detecting/observing relaxed WKWebView file-origin policies.
  • Adds an iOS Knowledge section and two iOS demos (r2 + Frida), plus a new iOS best practice draft.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 21 comments.

Show a summary per file
File Description
tests/ios/MASVS-PLATFORM/MASTG-TEST-0077.md Deprecates the v1 test and adds covered_by metadata
tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x01.md New static v2 test for identifying relaxed file-origin policy configuration
tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x02.md New dynamic v2 test for runtime observation of relaxed file-origin policy configuration
knowledge/ios/MASVS-PLATFORM/MASTG-KNOW-0076.md Adds a WebView file access section (UIWebView vs WKWebView + relevant APIs)
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x01/MASTG-DEMO-0x01.md New static demo write-up for r2-based detection
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x01/MastgTest.swift Swift sample used by the static demo
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x01/MASTestApp iOS demo app binary used for static analysis
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x01/output.txt Static demo observation output
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x01/run.sh Static demo runner (r2 invocation)
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x01/webview_file_access.r2 r2 script used by the static demo
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x02/MASTG-DEMO-0x02.md New dynamic demo write-up for Frida monitoring
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x02/output.txt Dynamic demo observation output
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x02/run.sh Dynamic demo runner (Frida invocation)
demos/ios/MASVS-PLATFORM/MASTG-DEMO-0x02/script.js Frida script for hooking WebKit APIs and logging values
best-practices/MASTG-BEST-0x01.md New iOS best practice draft for securely loading local content in WKWebView

cpholguera
cpholguera reviewed Mar 14, 2026
View reviewed changes
cpholguera
cpholguera reviewed Mar 14, 2026
View reviewed changes
cpholguera
cpholguera reviewed Mar 14, 2026
View reviewed changes
tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x01.md

Remember that JavaScript is enables by default unless the app explicitly calls `setJavaScriptEnabled` to set it to `false`.

This test is related to, but distinct from, @MASTG-TEST-xxxx, which evaluates the use of `loadFileURL(_:allowingReadAccessTo:)`. That test focuses on the **native file system read scope** granted to the WebView through the `readAccessURL` parameter. By contrast, this test focuses on **JavaScript origin restrictions** for content loaded from `file://` URLs. Even if the file read scope is correctly restricted, enabling `allowFileAccessFromFileURLs` or `allowUniversalAccessFromFileURLs` can allow JavaScript running in a local page to access additional resources or communicate with remote origins.
Copy link
Collaborator

@cpholguera cpholguera Mar 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO, get correct ID from #3608

cpholguera and others added 5 commits March 14, 2026 21:36
@cpholguera
Apply suggestions from code review
b4a2027 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
@cpholguera
fix best
aca3715
@cpholguera
update tech
6ded387
@cpholguera
update best
5192afc
@cpholguera
update know
5946b6e
@cpholguera cpholguera requested a review from serek8 March 16, 2026 17:32
@cpholguera cpholguera marked this pull request as ready for review March 16, 2026 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpholguera cpholguera cpholguera left review comments

Copilot code review Copilot Copilot left review comments

@serek8 serek8 Awaiting requested review from serek8

At least 1 approving review is required to merge this pull request.

Assignees

@cpholguera cpholguera

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0077: Testing WebView Protocol Handlers (ios)

3 participants

@cpholguera