Port MASTG-TEST-0076 (by @guardsquare)

tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-1.md

@@ -0,0 +1,26 @@
+---
+platform: ios
+title: Deprecated Usage of UIWebView
+id: MASTG-TEST-0x76-1
+type: [static]
+weakness: MASWE-0072
+---
+
+## Overview
+
+`UIWebView` was deprecated in iOS 12.0 in favor of `WKWebView` which is available since iOS 8.0. `WKWebView` offers [better control over its capabilities](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs: UIWebView"), e.g. it allows you to disable JavaScript with `javaScriptEnabled` and it can verify resources with the `hasOnlySecureContent`. Thus, it should be preferred over `UIWebView`.
+
+In this test we can check any references to `UIWebView` inside the binary.
+
+## Steps
+
+1. Extract the app as described in @MASTG-TECH-0058.
+2. Look for references to `UIWebView` in the app using @MASTG-TECH-0070 on all executables and libraries.
+
+## Observation
+
+The output shows function names and methods for the binaries.
+
+## Evaluation
+
+The test case fails if there are any references to `UIWebView`.

tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-2.md

@@ -0,0 +1,31 @@
+---
+platform: ios
+title: JavaScript Enabled in WKWebView
+id: MASTG-TEST-0x76-2
+type: [static]
+weakness: MASWE-0070
+---
+
+## Overview
+
+[`WKWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer")offers the `javaScriptEnabled` and `allowsContentJavaScript` settings to disable all JavaScript execution. Disabling them avoids all [script injection flaws](../../../Document/0x06h-Testing-Platform-Interaction.md "iOS Platform APIs").
+
+## Steps
+
+1. Extract the app as described in @MASTG-TECH-0058.
+2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify references to `WkWebView`, calls to `WkPreferences.javaScriptEnabled` and
+   `WKWebPagePreferences.allowsContentJavaScript`.
+
+## Observation
+
+The output could contain references to `WkWebView` or calls to `WkPreferences.javaScriptEnabled` and `WKWebPagePreferences.allowsContentJavaScript`.
+
+## Evaluation
+
+The test case fails if there are references to `WkWebView` and one of the following is true:
+
+- There are no references to `WkPreferences.javaScriptEnabled` or `defaultWebpagePreferences.allowsContentJavaScript`.
+- `WkPreference.javaScriptEnabled` is set to `1`.
+- `WKWebpagePreferences.allowsContentJavaScript` is set to `1`.
+
+The preferences should be set to `NO` (0), so that JavaScript is not executed in the `WkWebView` to avoid possible script injections.

tests-beta/ios/MASVS-PLATFORM/MASTG-TEST-0x76-3.md

@@ -0,0 +1,28 @@
+---
+platform: ios
+title: URI Manipulation in WebView 
+id: MASTG-TEST-0x76-3
+type: [static]
+weakness: MASWE-0071
+---
+
+## Overview
+
+The target URL of a [`WkWebView`](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") can be set dynamically, for example via the [load](https://developer.apple.com/documentation/webkit/wkwebview/1414954-load "Apple Developer") method. This will load the corresponding content into the view.
+
+The `WkWebView` can be tricked into showing malicious content if this URL can be controlled by an attacker. The input must be properly sanitized to avoid this issue.
+
+## Steps
+
+1. Extract the app as described in @MASTG-TECH-0058.
+2. Review the code or reverse engineer the binary according to @MASTG-TECH-0076 and identify data flows from attacker-controlled input to the load method of `WkWebView`.
+
+## Observation
+
+The output could contain [load operations](https://developer.apple.com/documentation/webkit/wkwebview "Apple Developer") where the URL in the [`URLRequest`](https://developer.apple.com/documentation/foundation/urlrequest?language=objc "Apple Developer") is not hard-coded.
+
+## Evaluation
+
+The test case fails if an attacker-controlled input is passed into a load operation without being sanitized.
+
+The URL should not depend on dynamic input. If this is not avoidable, the input must be sanitized. For example, the app must ensure that only URLs with a set of well-known domains are loaded.

tests/ios/MASVS-PLATFORM/MASTG-TEST-0076.md

@@ -8,6 +8,8 @@ title: Testing iOS WebViews
 masvs_v1_levels:
 - L1
 - L2
+covered_by: [MASTG-TEST-0x76-1,MASTG-TEST-0x76-2,MASTG-TEST-0x76-3]
+status: deprecated
 ---
 
 ## Overview