GitBook: [master] 3 pages modified

2024-11-15 01:17:36 +00:00 · 2021-05-21 11:41:36 +00:00 · 2021-05-21 11:41:36 +00:00 · 23948173f0
commit 23948173f0
parent fc77b585a9
3 changed files with 77 additions and 0 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -507,6 +507,7 @@
 * [Online Platforms with API](online-platforms-with-api.md)
 * [Stealing Sensitive Information Disclosure from a Web](stealing-sensitive-information-disclosure-from-a-web.md)
 * [iOS Pentesting](ios-pentesting/README.md)
+  * [iOS Protocol Handlers](ios-pentesting/ios-protocol-handlers.md)
  * [iOS WebViews](ios-pentesting/ios-webviews.md)
  * [Basic iOS Testing Operations](ios-pentesting/basic-ios-testing-operations.md)
  * [Burp Suite Configuration for iOS](ios-pentesting/burp-configuration-for-ios.md)
--- a/ios-pentesting/ios-protocol-handlers.md
+++ b/ios-pentesting/ios-protocol-handlers.md
@ -0,0 +1,6 @@
+# iOS Protocol Handlers
+
+## WebView Protocol Handlers
+
+
+
--- a/ios-pentesting/ios-webviews.md
+++ b/ios-pentesting/ios-webviews.md
@ -145,3 +145,73 @@ onMatch:  <WKWebView: 0x1508b1200; frame = (0 0; 320 393); layer = <CALayer: 0x1
 hasOnlySecureContent:  false
 ```

+## WebView Protocol Handling
+
+Several default schemes are available that are being interpreted in a WebView on iOS, for example:
+
+* http\(s\)://
+* file://
+* tel://
+
+WebViews can load remote content from an endpoint, but they can also load local content from the app data directory. If the local content is loaded, the user shouldn't be able to influence the filename or the path used to load the file, and users shouldn't be able to edit the loaded file.
+
+### WebView content load
+
+* **UIWebView**: It can use deprecated methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617979-loadhtmlstring?language=objc) or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617941-loaddata?language=objc)to load content.
+* **WKWebView**: It can use the methods  [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1415004-loadhtmlstring?language=objc) or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1415011-loaddata?language=objc) to load local HTML files and `loadRequest:` for web content. Typically, the local files are loaded in combination with methods including, among others: [`pathForResource:ofType:`](https://developer.apple.com/documentation/foundation/nsbundle/1410989-pathforresource), [`URLForResource:withExtension:`](https://developer.apple.com/documentation/foundation/nsbundle/1411540-urlforresource?language=objc) or [`init(contentsOf:encoding:)`](https://developer.apple.com/documentation/swift/string/3126736-init). In addition, you should also verify if the app is using the method [`loadFileURL:allowingReadAccessToURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1414973-loadfileurl?language=objc). Its first parameter is `URL` and contains the URL to be loaded in the WebView, its second parameter `allowingReadAccessToURL` may contain a single file or a directory. If containing a single file, that file will be available to the WebView. However, if it contains a directory, all files on that **directory will be made available to the WebView**. Therefore, it is worth inspecting this and in case it is a directory, verifying that no sensitive data can be found inside it.
+
+If you have the source code you can search for those methods. Having the **compiled** **binary** you can also search for these methods: 
+
+```bash
+$ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString"
+231 0x0002df6c 24 (4.__TEXT.__objc_methname) ascii loadHTMLString:baseURL:
+```
+
+### File Access
+
+* **UIWebView:** 
+  * The `file://` scheme is always enabled.
+  * File access from `file://` URLs is always enabled.
+  * Universal access from `file://` URLs is always enabled.
+  * If you retrieve the effective origin from a `UIWebView` where `baseURL` is also set to `nil` you will see that it is **not set to "null"**, instead you'll obtain something similar to the following: `applewebdata://5361016c-f4a0-4305-816b-65411fc1d78`0. This origin "applewebdata://" is similar to the "file://" origin as it **does not implement Same-Origin Policy** and allow access to local files and any web resources.
+* **WKWebView**:
+  * `allowFileAccessFromFileURLs` \(`WKPreferences`, `false` by default\): it enables JavaScript running in the context of a `file://` scheme URL to access content from other `file://` scheme URLs.
+  * `allowUniversalAccessFromFileURLs` \(`WKWebViewConfiguration`, `false` by default\): it enables JavaScript running in the context of a `file://` scheme URL to access content from any origin.
+
+You can search for those functions in the source code of the application or in the compiled binary.  
+Also, you can use the following frida script to find this information:
+
+```bash
+ObjC.choose(ObjC.classes['WKWebView'], {
+  onMatch: function (wk) {
+    console.log('onMatch: ', wk);
+    console.log('URL: ', wk.URL().toString());
+    console.log('javaScriptEnabled: ', wk.configuration().preferences().javaScriptEnabled());
+    console.log('allowFileAccessFromFileURLs: ',
+            wk.configuration().preferences().valueForKey_('allowFileAccessFromFileURLs').toString());
+    console.log('hasOnlySecureContent: ', wk.hasOnlySecureContent().toString());
+    console.log('allowUniversalAccessFromFileURLs: ',
+            wk.configuration().valueForKey_('allowUniversalAccessFromFileURLs').toString());
+  },
+  onComplete: function () {
+    console.log('done for WKWebView!');
+  }
+});
+```
+
+```bash
+frida -U -f com.authenticationfailure.WheresMyBrowser -l webviews_inspector.js
+
+onMatch:  <WKWebView: 0x1508b1200; frame = (0 0; 320 393); layer = <CALayer: 0x1c4238f20>>
+URL:  file:///var/mobile/Containers/Data/Application/A654D169-1DB7-429C-9DB9-A871389A8BAA/
+        Library/WKWebView/scenario1.html
+javaScriptEnabled:  true
+allowFileAccessFromFileURLs:  0
+hasOnlySecureContent:  false
+allowUniversalAccessFromFileURLs:  0
+```
+
+## References
+
+* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction\#testing-webview-protocol-handlers-mstg-platform-6](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-webview-protocol-handlers-mstg-platform-6)
+