Skip to content

Port MASTG-TEST-0076: Testing iOS WebViews (ios) (by @guardsquare) #3041

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
pascalj wants to merge 5 commits into from
Closed

Port MASTG-TEST-0076: Testing iOS WebViews (ios) (by @guardsquare) #3041

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7294235
Add MASTG-TEST-0076-1
pascalj Nov 5, 2024
f82d26f
Add MASTG-TEST-0x76-2
pascalj Nov 6, 2024
398a153
Add MASTG-TEST-0x76-3
pascalj Nov 6, 2024
7459333
Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr…
cpholguera Jan 24, 2025
4a0d53d
Apply suggestions from code review
cpholguera Dec 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
platform: ios
title: Deprecated Usage of UIWebView
id: MASTG-TEST-0x76-1
type: [static]
available_since: 8.0
weakness: MASWE-0072
---

## Overview

In this test, we look for references to [`UIWebView`](../../../Document/0x06h-Testing-Platform-Interaction.md/#uiwebview), a deprecated component since iOS 12.0, in favor of `WKWebView`. `UIWebView` presents security and performance risks: it does not allow JavaScript to be fully disabled, lacks process isolation (which `WKWebView` provides), and doesn’t support modern web security features like Content Security Policy (CSP).

## Steps

1. Extract the app as described in @MASTG-TECH-0058.
2. Look for references to `UIWebView` in the app using @MASTG-TECH-0070 on all executables and libraries.

## Observation

The output should contain a list of locations where `UIWebViews` are used.

## Evaluation

The test case fails if there are any references to `UIWebView`.

For iOS apps on iOS 8.0 and above, using [`WKWebView`](../../../Document/0x06h-Testing-Platform-Interaction.md/#wkwebview) is essential. `WKWebView` provides enhanced security and control over web view behavior, including the ability to disable JavaScript by setting `javaScriptEnabled` to `false`, reducing the risk of script-based attacks. Additionally, `WKWebView` supports `hasOnlySecureContent`, which ensures that only secure (HTTPS) resources are loaded, further strengthening the app’s protection against insecure content and mixed content vulnerabilities.
31 changes: 31 additions & 0 deletions tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md
View file
Open in desktop
Copy link
Collaborator

@cpholguera cpholguera Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We won't be testing for this:

Having JavaScript enabled is not considered a vulnerability by itself, but it can lead to security issues in combination with other weaknesses, such as local file access in WebViews, which are covered by other tests in the MASTG v2. This test is therefore not considered a standalone test anymore.

https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0031/

Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
---
platform: ios
title: JavaScript Enabled in WKWebView
id: MASTG-TEST-0x76-2
type: [static]
weakness: MASWE-0070
---

## Overview

[`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer")offers the `javaScriptEnabled` and `allowsContentJavaScript` settings to disable all JavaScript execution. Disabling them avoids all [script injection flaws](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs").

## Steps

1. Extract the app as described in @MASTG-TECH-0058.
2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify references to `WkWebView`, calls to `WkPreferences.javaScriptEnabled` and
`WKWebPagePreferences.allowsContentJavaScript`.

## Observation

The output could contain references to `WkWebView` or calls to `WkPreferences.javaScriptEnabled` and `WKWebPagePreferences.allowsContentJavaScript`.

## Evaluation

The test case fails if there are references to `WkWebView` and one of the following is true:

- There are no references to `WkPreferences.javaScriptEnabled` or `defaultWebpagePreferences.allowsContentJavaScript`.
- `WkPreference.javaScriptEnabled` is set to `1`.
- `WKWebpagePreferences.allowsContentJavaScript` is set to `1`.

The preferences should be set to `NO` (0), so that JavaScript is not executed in the `WkWebView` to avoid possible script injections.
28 changes: 28 additions & 0 deletions tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
platform: ios
title: URI Manipulation in WebView
id: MASTG-TEST-0x76-3
type: [static]
weakness: MASWE-0071
---

## Overview

The target URL of a [`WkWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") can be set dynamically, for example via the [load](https://developer.apple.com/documentation/webkit/wkwebview/1414954-load "Apple Developer") method. This will load the corresponding content into the view.

The `WkWebView` can be tricked into showing malicious content if this URL can be controlled by an attacker. The input must be properly sanitized to avoid this issue.

## Steps

1. Extract the app as described in @MASTG-TECH-0058.
2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify data flows from attacker-controlled input to the load method of `WkWebView`.

## Observation

The output could contain [load operations](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") where the URL in the [`URLRequest`](https://developer.apple.com/documentation/foundation/urlrequest?language=objc "Apple Developer") is not hard-coded.

## Evaluation

The test case fails if an attacker-controlled input is passed into a load operation without being sanitized.

The URL should not depend on dynamic input. If this is not avoidable, the input must be sanitized. For example, the app must ensure that only URLs with a set of well-known domains are loaded.
2 changes: 2 additions & 0 deletions tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md
View file
Open in desktop
Copy link
Collaborator

@cpholguera cpholguera Jan 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pascalj I just added some old content that was missing from it.

Static Analysis:

  • Testing JavaScript configuration
  • Testing for Mixed Content
  • Testing for WebView URI manipulation

Dynamic Analysis:

  • Enumerating WebView instances
  • Checking if JavaScript is enabled
  • Testing for Mixed Content

Please double check this and include the new tests accordingly. Thanks a lot!

Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ title: Testing iOS WebViews
masvs_v1_levels:
- L1
- L2
covered_by: [MASTG-TEST-0x76-1,MASTG-TEST-0x76-2,MASTG-TEST-0x76-3]
status: deprecated
---

## Overview
Expand Down