MASTG-TEST-0333: Overly Broad File Read Access in WebViews
Overview¶
iOS apps can load local files into a WKWebView using loadFileURL(_:allowingReadAccessTo:). The second argument, readAccessURL, defines which local files WebKit is allowed to read while rendering that content: if it points to a single file, only that file can be loaded; if it points to a directory, every file beneath that directory can be loaded.
This test checks whether the app calls loadFileURL(_:allowingReadAccessTo:) with an overly broad readAccessURL. If attacker-controlled input influences the loaded file URL (or the HTML that ends up in it) and the read access scope is too broad, the loaded page can read other files inside that scope via file:// URLs, which may expose sensitive files within the app container.
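The following Swift snippet is an added example and is not code from this MASTG page, from MASTG-DEMO-0096, or from any real app. It shows the call pattern this test flags next to a scoped alternative. The names webView, pageName (assumed to come from attacker-influenced input such as a deep link) and the "WebContent" subdirectory are assumptions made for illustration.

```swift
import WebKit

// Added example (not from the MASTG page or any real app). `pageName` is assumed
// to be attacker-influenced, and the "WebContent" directory layout is assumed.
let fm = FileManager.default
let documents = fm.urls(for: .documentDirectory, in: .userDomainMask)[0]

// FAILS this test: readAccessURL is the whole Documents directory.
// Whatever HTML gets loaded (including an injected page) may read every other
// file under Documents through file:// (fetch/XHR/iframe), not just `fileURL`.
func loadPageBroad(webView: WKWebView, pageName: String) {
    let fileURL = documents.appendingPathComponent(pageName)
    _ = webView.loadFileURL(fileURL, allowingReadAccessTo: documents)
}

// PASSES: reject file URLs that escape the intended content directory, and
// restrict read access to the single file actually being loaded.
func loadPageScoped(webView: WKWebView, pageName: String) -> Bool {
    let contentDir = documents.appendingPathComponent("WebContent", isDirectory: true)

    // Normalise both paths the same way ("..", symlinks, /private prefix) before comparing,
    // so a traversal such as "../secrets.json" cannot slip past the prefix check.
    let fileURL = contentDir.appendingPathComponent(pageName)
        .standardizedFileURL.resolvingSymlinksInPath()
    let contentPath = contentDir.standardizedFileURL.resolvingSymlinksInPath().path + "/"

    guard fileURL.path.hasPrefix(contentPath), fm.fileExists(atPath: fileURL.path) else {
        return false
    }

    // Passing the file itself as readAccessURL limits WebKit to exactly that file.
    // If the page legitimately needs sibling assets (CSS, JS, images), pass
    // `contentDir` instead; never the Documents directory or the container root.
    _ = webView.loadFileURL(fileURL, allowingReadAccessTo: fileURL)
    return true
}
```

When reviewing a disassembled binary you will not see these names, but the same question applies: trace the second argument of loadFileURL(_:allowingReadAccessTo:) back to its origin and check whether it is the loaded file (or a dedicated content directory) rather than Documents, Library, or the container root.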
Steps¶
- Use Exploring the App Package to extract the relevant binaries from the app package.
- Use Static Analysis on iOS to look for the relevant APIs in the app binaries.
Observation¶
The output should contain a list of locations in the binary where WKWebView.loadFileURL(_:allowingReadAccessTo:) is called.
Evaluation¶
The test case fails if any call to loadFileURL(_:allowingReadAccessTo:) is found where the readAccessURL argument grants overly broad read access, for example to the entire Documents directory or the app container root.
Further Validation Required:
Inspect each reported code location using Reviewing Disassembled Objective-C and Swift Code:
- Inspect the fileURL argument and determine whether it can be influenced by attacker-controlled input.
- Inspect the readAccessURL argument and determine whether it grants broader access than necessary.
- Verify that the allowed read scope is restricted to the minimum directory (or the single file) required for the intended content.
Best Practices¶
MASTG-BEST-0033: Securely Load File Content in a WebView
Demos¶
MASTG-DEMO-0096: HTML Injection in a Local WebView Leading to Local File Access