
Cross-Site Scripting: Reflected iOS App

We have an iOS app which we put through HP Fortify Mobile Assessment. One of the issues which they have pointed out is related to Cross-Site Scripting. Basically what we are doing in our code is that we are sending a value from the iOS app to a WebView. Below is the summary of the issue which they have provided.

Summary

The method webViewDidFinishLoad:() in ForgotViewController.m sends unvalidated data to a web browser on line 176, which can result in the browser executing malicious code. The method sends unvalidated data to a web browser which can result in the browser executing malicious code.

Explanation

Cross-site scripting (XSS) vulnerabilities occur when:
1. Data enters a web page through an untrusted source. In the case of Reflected XSS, the untrusted source is typically through user components, URL scheme handlers, or notifications, while in the case of Persistent (also known as Stored) XSS it is typically a database or other back-end datastore.

In this case the data enters at text() in ForgotViewController.m at line 138.

2. The data is included in dynamic content that is sent to a UIWebView component without being validated.
In this case the data is sent at
stringByEvaluatingJavaScriptFromString:() in ForgotViewController.m at line 176.

Please see below the code snippet where the issue is pointed out; line 138 is:

Please help me out: what is the real issue they have pointed out, and how do we fix it?

    NSString * emailValue = _txtEmail.text;

- (void)webViewDidFinishLoad:(UIWebView *)webView
{
    // line 138: the value enters from the text field (Fortify's "source")
    NSString *emailValue = _txtEmail.text;

    if (![Utility NSStringIsValidEmail:emailValue])
    {
        NSString *title   = [appDelegate.dictCulture valueForKey:@"Alert"];
        NSString *message = [appDelegate.dictCulture valueForKey:@"PleaseEnterAValidEmailAddress"];
        NSString *okText  = [appDelegate.dictCulture valueForKey:@"Ok"];

        if (title.length == 0)
        {
            title = @"Alert";
        }
        if (message.length == 0)
        {
            message = @"Please enter a valid email address";
        }
        if (okText.length == 0)
        {
            okText = @"Ok";
        }

        UIAlertController *Empty_Error = [UIAlertController alertControllerWithTitle:title message:message preferredStyle:UIAlertControllerStyleAlert];
        UIAlertAction *ok = [UIAlertAction actionWithTitle:okText style:UIAlertActionStyleDefault handler:nil];
        [Empty_Error addAction:ok];
        [self presentViewController:Empty_Error animated:YES completion:nil];
    }
    else
    {
        // emailValue is interpolated straight into JavaScript source; line 176
        // below is where Fortify reports it reaching the web view (the "sink")
        NSString *javaScript = [NSString stringWithFormat:@"var textField = document.getElementById('testID').value = '%@';", emailValue];
        [self.webView stringByEvaluatingJavaScriptFromString:javaScript];
        NSString *jsStat = @"document.forms[0].submit()";
        [webView stringByEvaluatingJavaScriptFromString:jsStat];
        html = [self.webView stringByEvaluatingJavaScriptFromString:@"document.getElementsByTagName('html')[0].innerHTML"];

        NSString *doc = [self.webView stringByEvaluatingJavaScriptFromString:@"document.documentElement.outerHTML"];
        [self dismissViewControllerAnimated:YES completion:nil];

        if ([doc containsString:@"Thank you"])
        {
            [[NSURLCache sharedURLCache] removeAllCachedResponses];
            // clear the delegate before dropping the reference; assigning a
            // delegate after self.webView is already nil is a no-op
            self.webView.delegate = nil;
            self.webView = nil;

            NSString *title   = [appDelegate.dictCulture valueForKey:@"Alert"];
            NSString *message = [appDelegate.dictCulture valueForKey:@"ForgotPasswordText"];
            NSString *okText  = [appDelegate.dictCulture valueForKey:@"Ok"];

            if (title.length == 0)
            {
                title = @"Alert";
            }
            if (message.length == 0)
            {
                message = @"Thank you. You will receive further instructions by email how to renew your password.";
            }
            if (okText.length == 0)
            {
                okText = @"Ok";
            }

            UIAlertController *alert = [UIAlertController alertControllerWithTitle:title message:message preferredStyle:UIAlertControllerStyleAlert];
            UIAlertAction *ok = [UIAlertAction actionWithTitle:okText style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
                [self stopLoading];
            }];
            [alert addAction:ok];
            [self presentViewController:alert animated:YES completion:nil];
        }
    }
}

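Fortify's point is that nothing between text() on line 138 and stringByEvaluatingJavaScriptFromString: on line 176 encodes the value for a JavaScript string context: NSStringIsValidEmail is input validation, which the scanner does not treat as a sanitizer, and whether it rejects every character that is meaningful inside a JavaScript string literal depends entirely on its regex. The following is an added example of the encoding step, not the poster's code and not Fortify's remediation text; JSStringLiteral and FillEmailField are names chosen here, and it assumes the same UIWebView and 'testID' element.

```objectivec
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Render an arbitrary NSString as a double-quoted JavaScript string literal.
// NSJSONSerialization escapes the quote, the backslash and control characters,
// so the value cannot close the literal and continue as code. It is serialised
// as a one-element array and the brackets are dropped because older iOS
// releases only accept arrays and dictionaries at the top level.
static NSString *JSStringLiteral(NSString *value)
{
    NSError *error = nil;
    NSData *json = [NSJSONSerialization dataWithJSONObject:@[value ?: @""]
                                                   options:0
                                                     error:&error];
    if (json == nil) {
        return @"\"\"";   // never fall back to the raw value
    }
    NSString *array = [[NSString alloc] initWithData:json
                                            encoding:NSUTF8StringEncoding];
    NSString *literal = [array substringWithRange:NSMakeRange(1, array.length - 2)];
    // JSON leaves U+2028/U+2029 unescaped, but pre-ES2019 JavaScriptCore treats
    // them as line terminators inside a string literal, so escape them too.
    literal = [literal stringByReplacingOccurrencesOfString:@"\u2028"
                                                 withString:@"\\u2028"];
    literal = [literal stringByReplacingOccurrencesOfString:@"\u2029"
                                                 withString:@"\\u2029"];
    return literal;
}

// Assumed helper replacing the flagged statement: the field receives the
// value as data, whatever characters it contains. Keep the existing
// NSStringIsValidEmail check in front of it as input validation; the encoding
// is what makes the JavaScript context safe.
static void FillEmailField(UIWebView *webView, NSString *emailValue)
{
    NSString *javaScript =
        [NSString stringWithFormat:@"document.getElementById('testID').value = %@;",
                                   JSStringLiteral(emailValue)];
    [webView stringByEvaluatingJavaScriptFromString:javaScript];
}

// In webViewDidFinishLoad: the two lines building and evaluating `javaScript`
// become:
//     FillEmailField(self.webView, emailValue);
```

Because the value is now a JSON-encoded literal, the `'%@'` single quotes and the `var textField =` prefix from the original statement are no longer needed, and the same helper can be reused for any other value the app pushes into the web view.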