Port MASTG-TEST-0076 (by @guardsquare) #3041

Open · wants to merge 4 commits into base: master

Conversation

@pascalj (Collaborator) commented Nov 5, 2024

  • Your contribution is written in the 2nd person (e.g. you)
  • Your contribution is written in an active present form as much as possible.
  • You have made sure that the reference section is up to date (e.g. please add sources you have used, make sure that the references to MITRE/MASVS/etc. are up to date)
  • Your contribution has properly formatted markdown and/or code
  • Any references to websites have been formatted as [TEXT](URL "NAME")
  • You verified/tested the effectiveness of your contribution (e.g.: is the code really an effective remediation? Please verify it works!)

This PR closes #2962.

@pascalj pascalj force-pushed the mastg-0076 branch 4 times, most recently from c1fae5a to 7b8b02e on November 6, 2024 15:11
@pascalj pascalj marked this pull request as ready for review November 6, 2024 15:14
platform: ios
title: Deprecated Usage of UIWebView
id: MASTG-TEST-0x76-1
type: [static]
Collaborator

Suggested change
type: [static]
type: [static]
available_since: 8.0


## Observation

The output shows function names and methods for the binaries.
Collaborator

Suggested change
The output shows function names and methods for the binaries.
The output should contain a list of locations where `UIWebViews` are used.


## Evaluation

The test case fails if there are any references to `UIWebView`.
Collaborator

Suggested change
The test case fails if there are any references to `UIWebView`.
The test case fails if there are any references to `UIWebView`.
For iOS apps on iOS 8.0 and above, using [`WKWebView`](../../../Document/0x06h-Testing-Platform-Interaction.md/#wkwebview) is essential. `WKWebView` provides enhanced security and control over web view behavior, including the ability to disable JavaScript by setting `javaScriptEnabled` to `false`, reducing the risk of script-based attacks. Additionally, `WKWebView` supports `hasOnlySecureContent`, which ensures that only secure (HTTPS) resources are loaded, further strengthening the app’s protection against insecure content and mixed content vulnerabilities.
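Review bot: the last sentence of the suggestion reads as if `hasOnlySecureContent` enforces HTTPS-only loading; it is a read-only property that reports whether every resource on the current page was loaded over a secure connection, so the app has to observe it (or enforce the URL scheme in `WKNavigationDelegate`) before it protects anything. Suggest rewording to: "Additionally, `WKWebView` exposes `hasOnlySecureContent`, which reports whether only secure (HTTPS) resources were loaded, so mixed content can be detected." Also worth a mention, since the test targets iOS 8.0 and above: `javaScriptEnabled` on `WKPreferences` is deprecated since iOS 14 in favor of `WKWebpagePreferences.allowsContentJavaScript`.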

Comment on lines +11 to +13
`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`.

In this test we can check any references to `UIWebView` inside the binary.
Collaborator

Suggested change
`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`.
In this test we can check any references to `UIWebView` inside the binary.
In this test, we look for references to [`UIWebView`](../../../Document/0x06h-Testing-Platform-Interaction.md/#uiwebview), a deprecated component since iOS 12.0, in favor of `WKWebView`. `UIWebView` presents security and performance risks: it does not allow JavaScript to be fully disabled, lacks process isolation (which `WKWebView` provides), and doesn’t support modern web security features like Content Security Policy (CSP).
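The controls the two suggestions above refer to (JavaScript disabled, `hasOnlySecureContent`, `WKWebView` in place of `UIWebView`) put together in one view controller. This is an added example, not code from the PR or from the MASTG; the class name, the placeholder URL and what is done when mixed content is detected are assumptions. It also covers the caveat that `hasOnlySecureContent` only reports mixed content, so HTTPS-only navigation is enforced separately in the navigation delegate, and that `javaScriptEnabled` is superseded by `allowsContentJavaScript` from iOS 14.

```swift
import UIKit
import WebKit

/// Added example (not MASTG or PR content): a WKWebView wrapper applying the
/// controls named in the review. Class name and URL are illustrative only.
final class HardenedWebViewController: UIViewController, WKNavigationDelegate {

    private var webView: WKWebView!
    private var secureContentObservation: NSKeyValueObservation?

    override func viewDidLoad() {
        super.viewDidLoad()

        let configuration = WKWebViewConfiguration()

        // Disable JavaScript. `javaScriptEnabled` (WKPreferences) is the switch the
        // review text names; from iOS 14 the supported switch is
        // `allowsContentJavaScript` on WKWebpagePreferences, so both are covered.
        if #available(iOS 14.0, *) {
            configuration.defaultWebpagePreferences.allowsContentJavaScript = false
        } else {
            configuration.preferences.javaScriptEnabled = false
        }

        webView = WKWebView(frame: view.bounds, configuration: configuration)
        webView.navigationDelegate = self
        view.addSubview(webView)

        // `hasOnlySecureContent` is read-only: it reports, it does not enforce.
        // Observe it to detect mixed content (an https page pulling http subresources),
        // which the navigation delegate below never sees because subresource loads
        // are not navigations.
        secureContentObservation = webView.observe(\.hasOnlySecureContent, options: [.new]) { webView, _ in
            if !webView.hasOnlySecureContent {
                // Constructed handling for this example: log the page and stop rendering it.
                print("Mixed content detected for \(webView.url?.absoluteString ?? "unknown URL")")
                webView.stopLoading()
            }
        }

        // Placeholder URL; in an app this comes from trusted configuration, not user input.
        if let url = URL(string: "https://example.com/") {
            webView.load(URLRequest(url: url))
        }
    }

    // Enforcement point: refuse any top-level or subframe navigation whose scheme is not https.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let scheme = navigationAction.request.url?.scheme?.lowercased(), scheme == "https" else {
            decisionHandler(.cancel)
            return
        }
        decisionHandler(.allow)
    }
}
```

The delegate method cancels every navigation that is not `https`, which also refuses `about:blank` and custom URL schemes; an app that legitimately needs those should allow-list them there rather than loosening the check. Disabling JavaScript via configuration is the part a static check can confirm; the `hasOnlySecureContent` observation and the scheme check are what a dynamic test would exercise by loading a page that embeds an http resource.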

Collaborator

@pascalj I just added some old content that was missing from it.

Static Analysis:

  • Testing JavaScript configuration
  • Testing for Mixed Content
  • Testing for WebView URI manipulation

Dynamic Analysis:

  • Enumerating WebView instances
  • Checking if JavaScript is enabled
  • Testing for Mixed Content

Please double check this and include the new tests accordingly. Thanks a lot!

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0076: Testing iOS WebViews (ios)