MASTG-TEST-0370: Missing Input Validation in Custom URL Scheme Handlers
Overview
Apps that register custom URL schemes must validate and sanitize all URL parameters before using them in security-sensitive operations (see Custom URL Schemes). Without input validation, any caller that opens a registered URL scheme can supply arbitrary parameter values, bypassing expected business logic constraints.
Since any app on the device can open a custom URL scheme, an attacker could craft URLs with malicious parameters. For example:
- mastgtest://transfer?amount=-1 or amount=9999999 to bypass business logic bounds.
- mastgtest://open?path=../../private/secrets.txt for path traversal if the value is used in file operations.
- mastgtest://search?q=<script>alert(1)</script> for script injection if the value is rendered in a WebView.
This test checks whether the app's URL scheme handler validates URL parameters before acting on them.
Note
If the app intentionally accepts arbitrary parameter values (for example, a search scheme that passes user-typed text to a search UI), input validation may not be required and this test may not apply.
Steps
- Use Exploring the App Package to extract the relevant binaries from the app package.
- Use Static Analysis on iOS to look for the relevant APIs in the app binaries.
Observation
The output should contain the disassembly of the URL handler, showing whether it performs type conversion or bounds checking on URL parameters.
Evaluation
The test case fails if the URL handler uses parameter values directly without performing adequate validation. This includes missing type conversion (e.g. not converting a numeric parameter to Int), missing bounds or range checks, missing sanitization of special characters, or missing allowlist checks when the parameter selects a resource or action.
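As an added illustration that is not part of the MASTG or its demo, the handler below applies the checks listed above to the mastgtest scheme from the examples: type conversion and a range check for amount, a pattern check for to, and an allowlist for path. The transfer limit, account ID pattern and file allowlist are assumed values.

```swift
import Foundation

enum SchemeError: Error { case badHost, missingParam(String), badValue(String) }

enum SchemeAction {
    case transfer(amount: Int, to: String)
    case open(file: String)
}

// Assumed policy values for this example.
let maxTransfer = 10_000
let accountIDPattern = try! NSRegularExpression(pattern: "^[A-Z0-9]{8,12}$")
let openableFiles: Set<String> = ["terms.txt", "privacy.txt"]

func parseAction(from url: URL) throws -> SchemeAction {
    guard url.scheme == "mastgtest",
          let comps = URLComponents(url: url, resolvingAgainstBaseURL: false),
          let host = comps.host else { throw SchemeError.badHost }
    // Collect query items; a repeated parameter keeps its first value.
    var params: [String: String] = [:]
    for item in comps.queryItems ?? [] where params[item.name] == nil {
        params[item.name] = item.value ?? ""
    }
    switch host {
    case "transfer":
        guard let raw = params["amount"] else { throw SchemeError.missingParam("amount") }
        // Type conversion plus bounds check: "-1", "9999999", "10.5" and "1e3" are all rejected.
        guard let amount = Int(raw), (1...maxTransfer).contains(amount) else {
            throw SchemeError.badValue("amount")
        }
        guard let to = params["to"] else { throw SchemeError.missingParam("to") }
        let range = NSRange(to.startIndex..., in: to)
        guard accountIDPattern.firstMatch(in: to, range: range) != nil else {
            throw SchemeError.badValue("to")
        }
        return .transfer(amount: amount, to: to)
    case "open":
        guard let path = params["path"] else { throw SchemeError.missingParam("path") }
        // Allowlist instead of sanitizing: "../../private/secrets.txt" fails because it is
        // not a listed file name, not because ".." was stripped from it.
        guard openableFiles.contains(path) else { throw SchemeError.badValue("path") }
        return .open(file: path)
    default:
        throw SchemeError.badHost
    }
}
```

Calling parseAction from the app delegate's URL-open callback and acting only on the returned SchemeAction keeps raw query strings out of the business logic.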
Best Practices
- MASTG-BEST-0045: Limit Sensitive Data Exposure Through iOS IPC Channels
- MASTG-BEST-0054: Validate Input Parameters in Custom URL Scheme Handlers
Demos
- MASTG-DEMO-0134: Custom URL Scheme Handler Without Input Validation