From 7294235750c5ee2bd23208dc8b74bce2fc425436 Mon Sep 17 00:00:00 2001 From: Pascal Jungblut Date: Tue, 5 Nov 2024 16:34:55 +0000 Subject: [PATCH 1/3] Add MASTG-TEST-0076-1 --- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md | 26 +++++++++++++++++++ tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md | 2 ++ 2 files changed, 28 insertions(+) create mode 100644 tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md new file mode 100644 index 0000000000..d012d16487 --- /dev/null +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md @@ -0,0 +1,26 @@ +--- +platform: ios +title: Deprecated Usage of UIWebView +id: MASTG-TEST-0x76-1 +type: [static] +weakness: MASWE-0072 +--- + +## Overview + +`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction/#uiwebview "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. + +In this test we can check any references to `UIWebView` inside the binary. + +## Steps + +1. Extract the app as described in @MASTG-TECH-0058. +2. Look for references to `UIWebView` in the app using @MASTG-TECH-0070 on all executables and libraries. + +## Observation + +The output shows function names and methods for the binaries. + +## Evaluation + +The test case fails if there are any references to `UIWebView`. diff --git a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md index 2074c28fbb..cae90be22a 100644 --- a/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md +++ b/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md 
@@ -8,6 +8,8 @@ title: Testing iOS WebViews masvs_v1_levels: - L1 - L2 +covered_by: [MASTG-TEST-0x76-1,MASTG-TEST-0x76-2,MASTG-TEST-0x76-3] +status: deprecated --- ## Overview From f82d26f6027d354038e9a5eb80f75e2eb9a2104c Mon Sep 17 00:00:00 2001 From: Pascal Jungblut Date: Wed, 6 Nov 2024 14:53:22 +0000 Subject: [PATCH 2/3] Add MASTG-TEST-0x76-2 --- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md | 2 +- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md | 31 +++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md index d012d16487..1732926672 100644 --- a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md @@ -8,7 +8,7 @@ weakness: MASWE-0072 ## Overview -`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction/#uiwebview "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. +`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`. In this test we can check any references to `UIWebView` inside the binary. diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md new file mode 100644 index 0000000000..4058805928 
--- /dev/null +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md @@ -0,0 +1,31 @@ +--- +platform: ios +title: JavaScript Enabled in WKWebView +id: MASTG-TEST-0x76-2 +type: [static] +weakness: MASWE-0070 +--- + +## Overview + +[`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer")offers the `javaScriptEnabled` and `allowsContentJavaScript` settings to disable all JavaScript execution. Disabling them avoids all [script injection flaws](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs"). + +## Steps + +1. Extract the app as described in @MASTG-TECH-0058. +2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify references to `WkWebView`, calls to `WkPreferences.javaScriptEnabled` and + `WKWebPagePreferences.allowsContentJavaScript`. + +## Observation + +The output could contain references to `WkWebView` or calls to `WkPreferences.javaScriptEnabled` and `WKWebPagePreferences.allowsContentJavaScript`. + +## Evaluation + +The test case fails if there are references to `WkWebView` and one of the following is true: + +- There are no references to `WkPreferences.javaScriptEnabled` or `defaultWebpagePreferences.allowsContentJavaScript`. +- `WkPreference.javaScriptEnabled` is set to `1`. +- `WKWebpagePreferences.allowsContentJavaScript` is set to `1`. + +The preferences should be set to `NO` (0), so that JavaScript is not executed in the `WkWebView` to avoid possible script injections. From 398a153f462fc1be395b4619e6899aceeaaeb1f6 Mon Sep 17 00:00:00 2001 From: Pascal Jungblut Date: Wed, 6 Nov 2024 14:53:59 +0000 Subject: [PATCH 3/3] Add MASTG-TEST-0x76-3 --- .../ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md 
diff --git a/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md new file mode 100644 index 0000000000..380fc0e0f8 --- /dev/null +++ b/tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md @@ -0,0 +1,28 @@ +--- +platform: ios +title: URI Manipulation in WebView +id: MASTG-TEST-0x76-3 +type: [static] +weakness: MASWE-0071 +--- + +## Overview + +The target URL of a [`WkWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") can be set dynamically, for example via the [load](https://developer.apple.com/documentation/webkit/wkwebview/1414954-load "Apple Developer") method. This will load the corresponding content into the view. + +The `WkWebView` can be tricked into showing malicious content if this URL can be controlled by an attacker. The input must be properly sanitized to avoid this issue. + +## Steps + +1. Extract the app as described in @MASTG-TECH-0058. +2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify data flows from attacker-controlled input to the load method of `WkWebView`. + +## Observation + +The output could contain [load operations](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") where the URL in the [`URLRequest`](https://developer.apple.com/documentation/foundation/urlrequest?language=objc "Apple Developer") is not hard-coded. + +## Evaluation + +The test case fails if an attacker-controlled input is passed into a load operation without being sanitized. + +The URL should not depend on dynamic input. If this is not avoidable, the input must be sanitized. For example, the app must ensure that only URLs with a set of well-known domains are loaded.
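
Review bot: In PATCH 1/3, new file tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md, the Observation section ("The output shows function names and methods for the binaries.") does not say what the tester should look for, so it does not connect step 2 to the Evaluation. Suggest stating that the output lists the symbols that reference `UIWebView` in each executable and library. Smaller points in the same file: the commit subject says MASTG-TEST-0076-1 while the file name and `id` use MASTG-TEST-0x76-1; "with the `hasOnlySecureContent`" in the Overview has a stray article; and "we can check any references" reads better as "we check for any references".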
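
Review bot: In PATCH 1/3, the hunk on tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md adds `covered_by: [MASTG-TEST-0x76-1,MASTG-TEST-0x76-2,MASTG-TEST-0x76-3]`, but only MASTG-TEST-0x76-1 exists at this point in the series; the other two files are created in PATCH 2/3 and 3/3. Applied on its own, this commit marks the old test as deprecated while pointing at tests that are not there yet. Suggest moving this hunk to the last patch, or extending the `covered_by` list in each patch as the corresponding test is added.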
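
Review bot: In PATCH 2/3, the one-line change to the Overview of MASTG-TEST-0x76-1.md replaces the link target `0x06h-Testing-Platform-Interaction/#uiwebview` with `0x06h-Testing-Platform-Interaction.md` and drops the `#uiwebview` fragment, while the link title still reads "iOS Platform APIs: UIWebView". The link now lands at the top of the chapter instead of the UIWebView section. Suggest `0x06h-Testing-Platform-Interaction.md#uiwebview` if the fragment is still valid with the `.md` form.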
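
Review bot: In PATCH 2/3, new file MASTG-TEST-0x76-2.md, the class names in Steps, Observation and Evaluation are spelled inconsistently (`WkWebView`, `WkPreferences`, `WkPreference`, `WKWebPagePreferences`, `WKWebpagePreferences`), and a tester who searches the binary for these strings as written will miss the real symbols. WebKit's names are `WKWebView`, `WKPreferences` and `WKWebpagePreferences`; please use them throughout. The first failure bullet also refers to `defaultWebpagePreferences.allowsContentJavaScript` where the steps use `WKWebPagePreferences.allowsContentJavaScript`, so it is not clear that the two mean the same property. In the Overview there is a missing space between the link and "offers", and the Evaluation mixes "set to `1`" with "`NO` (0)"; picking one notation for both the failing and the expected value would make the pass and fail conditions easier to compare.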
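
Review bot: In PATCH 3/3, new file MASTG-TEST-0x76-3.md, the Evaluation fails the test when input reaches a load operation "without being sanitized", but the file never defines what counts as sanitized, so two testers can reach different verdicts on the same app. The closing sentence hints at it ("only URLs with a set of well-known domains are loaded"); suggest making that the stated criterion, for example that the URL is checked against an allowlist before the load call. In the Observation, the "load operations" link points to the general `wkwebview` page rather than the `wkwebview/1414954-load` page already used in the Overview. The class name is written `WkWebView` throughout this file and should be `WKWebView`.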