Commit

Add MASTG-TEST-0x76-3
pascalj committed Nov 6, 2024
1 parent 6ca8dc2 commit c1fae5a
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md
@@ -0,0 +1,28 @@
---
platform: ios
title: URI Manipulation in WebView
id: MASTG-TEST-0x76-3
type: [static]
weakness: MASWE-0071
---

## Overview

The target URL of a [`WkWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") can be set dynamically, for example via the [load](https://developer.apple.com/documentation/webkit/wkwebview/1414954-load "Apple Developer") method. This will load the corresponding content into the view.

The `WkWebView` can be tricked into showing malicious content if this URL can be controlled by an attacker. The input must be properly sanitized to avoid this issue.

## Steps

1. Extract the app as described in @MASTG-TECH-0058.
2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify data flows from attacker-controlled input to the load method of `WkWebView`.

## Observation

The output could contain [load operations](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") where the URL in the [`URLRequest`](https://developer.apple.com/documentation/foundation/urlrequest?language=objc "Apple Developer") is not hard-coded.

## Evaluation

The test case fails if an attacker-controlled input is passed into a load operation without being sanitized.

The URL should not depend on dynamic input. If this is not avoidable, the input must be sanitized. For example, the app must ensure that only URLs with a set of well-known domains are loaded.
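Review bot: The class name is misspelled throughout the hunk (Overview, Steps and Observation): Apple's class is `WKWebView`, not `WkWebView`, and the `WKWebView` spelling also matches the linked documentation URL, so the three occurrences should be corrected. A second point on the Steps and Observation sections: step 2 scopes the data-flow search to "the load method", and the Observation then only asks whether the URL in the `URLRequest` is hard-coded; since the Overview already says the target can be set "for example via" `load`, it would be clearer to state that the review should cover any call that loads attacker-influenced content into the view, not just `load(_:)`, or to narrow the test's title and the `weakness` scope explicitly to `load(_:)`. Finally, the Evaluation's guidance "only URLs with a set of well-known domains are loaded" is the one concrete mitigation the test gives; spelling it out as an allowlist check on both scheme and host (so that a substring match on the domain name or a non-HTTPS scheme would not pass) would make the fail criterion less ambiguous for the tester, and a link to the Observation's "load operations" should point to the `load` method page already used in the Overview rather than to the generic `WKWebView` page.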
