Skip to content

Commit

Permalink
Add MASTG-TEST-0x76-2
Browse files Browse the repository at this point in the history
  • Loading branch information
@pascalj
pascalj committed Nov 6, 2024
1 parent 14c4fb6 commit 3cfe597
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 1 deletion.
2 changes: 1 addition & 1 deletion tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ weakness: MASWE-0072

## Overview

`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction/#uiwebview "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`.
`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`.

In this test we can check any references to `UIWebView` inside the binary.

Expand Down
31 changes: 31 additions & 0 deletions tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
---
platform: ios
title: JavaScript Enabled in WKWebView
id: MASTG-TEST-0x76-2
type: [static]
weakness: MASWE-0070
---

## Overview

[`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer")offers the `javaScriptEnabled` and `allowsContentJavaScript` settings to disable all JavaScript execution. Disabling them avoids all [script injection flaws](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs").

## Steps

1. Extract the app as described in @MASTG-TECH-0058.
2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify references to `WkWebView`, calls to `WkPreferences.javaScriptEnabled` and
`WKWebPagePreferences.allowsContentJavaScript`.

## Observation

The output could contain references to `WkWebView` or calls to `WkPreferences.javaScriptEnabled` and `WKWebPagePreferences.allowsContentJavaScript`.

## Evaluation

The test case fails if there are references to `WkWebView` and one of the following is true:

- There are no references to `WkPreferences.javaScriptEnabled` or `defaultWebpagePreferences.allowsContentJavaScript`.
- `WkPreference.javaScriptEnabled` is set to `1`.
- `WKWebpagePreferences.allowsContentJavaScript` is set to `1`.

The preferences should be set to `NO` (0), so that JavaScript is not executed in the `WkWebView` to avoid possible script injections.

0 comments on commit 3cfe597

Please sign in to comment.