Port MAST-TEST-0019 (by @guardsquare)#3030
Merged
cpholguera merged 13 commits intoOWASP:masterfrom Dec 7, 2024
Merged
Conversation
cpholguera
requested changes
Nov 5, 2024
| platform: android | ||
| id: MASTG-TEST-0x19-2 | ||
| type: [static] | ||
| weakness: MASWE-0050 |
Collaborator
There was a problem hiding this comment.
Wouldn't https://mas.owasp.org/MASWE/MASVS-NETWORK/MASWE-0052/ be a better fit?
Comment on lines
15
to
17
| 1. Reverse engineer the app (@MASTG-TECH-0017). | ||
| 2. Run a static analysis (@MASTG-TECH-0014) tool and look for all usages of `SSLSocket`. | ||
| 3. Verify each usage performans manual hostname verification correctly. |
Collaborator
There was a problem hiding this comment.
After changing the above, we should update the steps and be more specific. We can tell them to search for uses of SSLSocket that are not using HostnameVerifier, or that are using it but potentially incorrectly (as indicated above).
Examples (not for linking here, but maybe to use later for demos):
| Since Android 9 (API level 28) cleartext HTTP traffic is blocked by default (thanks to the [default Network Security Configuration](../../../Document/0x05g-Testing-Network-Communication.md#default-configurations)) but there are multiple ways in which an application can still send it: | ||
|
|
||
| - Setting the [`android:usesCleartextTraffic`](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic "Android documentation - usesCleartextTraffic flag") attribute of the `<application>` tag in the AndroidManifest.xml file. Note that this flag is ignored in case the Network Security Configuration is configured. | ||
| - Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements. |
Collaborator
There was a problem hiding this comment.
Suggested change
| - Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements. | |
| - Configuring the [Network Security Configuration to enable cleartext traffic](https://developer.android.com/privacy-and-security/security-config#CleartextTrafficPermitted) by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements. |
|
|
||
| 1. Reverse engineer the app (@MASTG-TECH-0017). | ||
| 2. Verify `usesCleartextTraffic` is not set to `true` in the AndroidManifest.xml | ||
| 3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain. |
Collaborator
There was a problem hiding this comment.
Suggested change
| 3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain. | |
| 3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure that `cleartextTrafficPermitted` is not set to `true` | |
| - globally in the `<base-config>` element. | |
| - or for specific domains in their `<domain-config>` elements. |
|
|
||
| ## Observation | ||
|
|
||
| The output contains a list of domains for which cleartext traffic is enabled. |
Collaborator
There was a problem hiding this comment.
More accurate like this I think.
Suggested change
| The output contains a list of domains for which cleartext traffic is enabled. | |
| The output contains a list of configurations allowing for cleartext traffic. |
Comment on lines
6
to
17
| weakness: MASWE-0050 | ||
| --- | ||
|
|
||
| ## Overview | ||
|
|
||
| Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. | ||
|
|
||
| ## Steps | ||
|
|
||
| ## Observation | ||
|
|
||
| ## Evaluation |
Collaborator
There was a problem hiding this comment.
We can do this as long as there's a new Issue. Please mention the issue in the PR description.
Suggested change
| weakness: MASWE-0050 | |
| --- | |
| ## Overview | |
| Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. | |
| ## Steps | |
| ## Observation | |
| ## Evaluation | |
| weakness: MASWE-0050 | |
| status: draft | |
| note: Cross-platform frameworks (e.g. Flutter, React native, ...), typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed. | |
| --- |
|
|
||
| ## Overview | ||
|
|
||
| Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted. |
Collaborator
There was a problem hiding this comment.
Rephrase to highlight more why we're doing this test, what's the value/benefit. For example, this are REAL cleartext connections not just potential ones (as it is the case if we just retrieve the hardcoded URLs).
Limitations:
- thanks to doing this we can know what domains are contacted in cleartext but we don't know which location in the code is producing this traffic, right? (we can add a note in the Evaluation)
- this depends on how much of the app you can exercise so you cannot expect full coverage
cpholguera
requested changes
Dec 7, 2024
|
|
||
| ## Evaluation | ||
|
|
||
| The test case fails if any HTTP URLs are used for communication. |
Collaborator
There was a problem hiding this comment.
See my new comment above, in the evaluation we can now use the output and explain how to discard false positives. This is not an easy task, but there are some things we can do to get a better list.
cpholguera
reviewed
Dec 7, 2024
…lated test references
cpholguera
approved these changes
Dec 7, 2024
serek8
pushed a commit
to serek8/owasp-mstg
that referenced
this pull request
Jan 2, 2025
* Port MASTG test 0019 * Fix markdown * Review feedback * Add Frida to trace traffic * Apply suggestions from code review * Refine MASTG-TEST-0x19-1.md for clarity on hardcoded HTTP URLs and their usage * Update covered_by references in MASTG-TEST-0019.md to reflect new test cases * Rename MASTG-TEST-0x19 test cases to MASTG-TEST-0233 through MASTG-TEST-0239 * update IDs * Update MASTG-TEST-0233 to modify title, improve evaluation and add related test references * Update MASTG-TEST-0239 note to clarify potential support for multiple weaknesses * Add --- at end of files for MASTG-TEST-0237, MASTG-TEST-0238, and MASTG-TEST-0239 * rm bare URL --------- Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
titze
added a commit
to titze/owasp-mastg
that referenced
this pull request
Feb 18, 2025
* Port MASTG test 0019 * Fix markdown * Review feedback * Add Frida to trace traffic * Apply suggestions from code review * Refine MASTG-TEST-0x19-1.md for clarity on hardcoded HTTP URLs and their usage * Update covered_by references in MASTG-TEST-0019.md to reflect new test cases * Rename MASTG-TEST-0x19 test cases to MASTG-TEST-0233 through MASTG-TEST-0239 * update IDs * Update MASTG-TEST-0233 to modify title, improve evaluation and add related test references * Update MASTG-TEST-0239 note to clarify potential support for multiple weaknesses * Add --- at end of files for MASTG-TEST-0237, MASTG-TEST-0238, and MASTG-TEST-0239 * rm bare URL --------- Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
cpholguera
changed the title
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR closes #2959.
Adds new
drafttests: