
Port MASTG-TEST-0077 WebView file access testing to v2 (iOS)#3591

Draft
Copilot wants to merge 5 commits intomasterfrom
copilot/add-ios-webview-protocol-tests

Conversation

Contributor

Copilot AI commented Dec 15, 2025

This PR closes #3185

Description

Ports the WebView file access portion of MASTG-TEST-0077 to v2 atomic tests, mirroring the Android implementation in MASTG-TEST-0252/0253.

New Tests:

  • MASTG-TEST-0318 (static): References to file access APIs in iOS WebViews - checks for allowFileAccessFromFileURLs, allowUniversalAccessFromFileURLs (undocumented KVC-only properties), UIWebView usage, and loadFileURL:allowingReadAccessToURL: configurations
  • MASTG-TEST-0319 (dynamic): Runtime enumeration of WebView instances using Frida - inspects actual configuration values at runtime

Best Practice:

  • MASTG-BEST-0028: iOS counterpart to MASTG-BEST-0011 - covers secure WKWebView usage, avoiding undocumented file access properties, and proper baseURL handling

Knowledge Updates:

  • Added 76-line WebView file access section to MASTG-KNOW-0076 covering UIWebView vs WKWebView behavior, undocumented properties, and file loading methods

Demos:

  • MASTG-DEMO-0081 (static): Demonstrates static analysis using radare2 to detect file access configuration in WKWebView - includes Swift sample code and rabin2 analysis script
  • MASTG-DEMO-0082 (dynamic): Demonstrates runtime monitoring using Frida to enumerate WKWebView instances and inspect their file access settings - includes Frida script and sample output

Deprecation:

  • Marked MASTG-TEST-0077 as deprecated with covered_by references to new tests

All tests reference MASWE-0069 and link to platform-specific knowledge (MASTG-KNOW-0076) and best practices. The demos focus on WKWebView only (UIWebView excluded as deprecated).


[x] I have read the contributing guidelines.

Original prompt

This section details the original issue you should resolve

<issue_title>MASTG v1->v2 MASTG-TEST-0077: Testing WebView Protocol Handlers (ios)</issue_title>
<issue_description>
Create a new MASTG v2 test covering for":

Follow the guidelines
</issue_description>

<agent_instructions>Port this test but only focus on the area of "Testing WebView file access" from the v1 test. Create the new tests and demos in alignment with their Android counterparts:
https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0252/
https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0253/

Also create the corresponding best practice, counterpart of MASTG-BEST-0011 for iOS.

Link the best practice and tests to MASTG-KNOW-0076 in their metadata and add any missing sections to MASTG-KNOW-0076.md about WebView file access
</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@cpholguera @barbieri-mobisec please check https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0076/ again, I've restored some content that was missing. Maybe this will help clarify your questions.

Also, keep in mind that we're porting these v1 tests to v2 because they may be "old/outdated", have overlaps, etc. We recognized this and created a whole new concept for MASTG tests called "atomic tests" where we reduce tests to their minimum.

In this case:

  • MASTG-TEST-0076 can be split into:

    • Testing if JavaScript is Enabled
    • Testing for Mixed Content
    • Testing for WebView URI manipulation
  • MASTG-TEST-0077 can be split into:

    • Testing How WebViews Load Content
    • Testing WebView file access
    • Checking telephone number detection

We use this just as a starting point, as we take the chance to review the content and see

  • if we really still need everything that's currently there
  • if we need to further split the topics
  • if we need to add any missing topics

For WKWebView (since UIWebView is deprecated), I can use a Frida script to understand how content is loaded in the WebView.
However, it’s unclear what specific risks or issues this aims to uncover. Manipulating the URI seems more relevant to MASTG-TEST-0076, which explicitly addresses WebView URI manipulation.

There are 2 different concerns here:

  • WebViews loading URI which may be controlled by an attacker
  • WebViews loading untrusted content which may also be controlled by an attacker

In MASTG-TEST-0077 > Dynamic Analysis > "Testing How WebViews Load Content", the test explains why baseURL being set to nil is safe for WKWebView and it's not safe for UIWebView because the effective origin is not set to "null", instead it's set to "applewebdata://". But it also says that you should not use UIWebView anyway and that's why the PR adds an additional test for "Deprecated Usage of UIWebView".

I encourage you to keep an eye on the new PRs for these tests and provide feedback and questions in them, and please remember that once the PRs are complete, both MASTG-TEST-0076 and MASTG-TEST-0077 will be deprecated. They will not receive any updates and should not be used for testing as we will provide a new and improved version of this content that is up to date.
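The dynamic check the PR describes (MASTG-TEST-0319: enumerate live WKWebView instances with Frida and read the undocumented, KVC-only file-access preferences at runtime), written out as an added example. This is not code from the PR or from the MASTG project. It assumes the Frida ObjC bridge (`ObjC.choose`, `ObjC.classes`) and WebKit's `configuration`, `preferences` and `URL` accessors; `inspectWebView`, `readKvcBool` and `hasRiskyWebView` are names chosen here. The inspection logic takes the WebView object as a parameter and uses no Frida globals, so the same function can be exercised outside Frida with a mock object that exposes the same accessors.

```javascript
// Added example (not from the MASTG PR or project): Frida script for the
// runtime side of WebView file-access testing on iOS (WKWebView only).

// The two preferences MASTG-TEST-0318/0319 look for. They are undocumented
// KVC-only WKPreferences properties, so valueForKey: is the way to read them.
const KVC_FILE_ACCESS_KEYS = [
  'allowFileAccessFromFileURLs',
  'allowUniversalAccessFromFileURLs',
];

// Read a boolean preference via KVC. Returns null when the key is absent
// (valueForKey: raises NSUnknownKeyException for unknown keys) or nil.
function readKvcBool(prefs, key) {
  try {
    const value = prefs.valueForKey_(key);
    return value === null ? null : Boolean(value.boolValue());
  } catch (e) {
    return null;
  }
}

// Inspect one WKWebView (a Frida ObjC.Object, or any object with the same
// accessors) and return a plain finding: current URL, settings, risks.
function inspectWebView(webview) {
  const prefs = webview.configuration().preferences();
  const url = webview.URL();
  const finding = {
    url: url === null ? null : url.absoluteString().toString(),
    settings: {},
    risks: [],
  };
  for (const key of KVC_FILE_ACCESS_KEYS) {
    finding.settings[key] = readKvcBool(prefs, key);
  }
  if (finding.settings.allowUniversalAccessFromFileURLs === true) {
    finding.risks.push(
      'allowUniversalAccessFromFileURLs is true: file:// content may reach any origin');
  }
  if (finding.settings.allowFileAccessFromFileURLs === true) {
    finding.risks.push(
      'allowFileAccessFromFileURLs is true: file:// content may read other local files');
  }
  const showingFileUrl = finding.url !== null && finding.url.startsWith('file://');
  if (showingFileUrl && finding.risks.length > 0) {
    finding.risks.push('WebView is currently showing file:// content with relaxed file access');
  }
  return finding;
}

// True when at least one enumerated WebView carries a risk.
function hasRiskyWebView(findings) {
  return findings.some((f) => f.risks.length > 0);
}

// Entry point under Frida: walk every live WKWebView instance in the app.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const findings = [];
  ObjC.choose(ObjC.classes.WKWebView, {
    onMatch(instance) {
      findings.push(inspectWebView(instance));
    },
    onComplete() {
      console.log(JSON.stringify(findings, null, 2));
      console.log('risky WebView found: ' + hasRiskyWebView(findings));
    },
  });
}
```

Run it with `frida -U -f <bundle id> -l <script>` after the app has created its WebViews; a setting of `null` means the preference was not readable, which is the expected result on WebKit builds where the key does not exist, while `true` on either key combined with a `file://` URL is the condition the static test MASTG-TEST-0318 can only infer from the binary.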



@cpholguera cpholguera changed the title [WIP] Add MASTG v2 test for WebView protocol handlers [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) #2967 Dec 15, 2025
@cpholguera cpholguera changed the title [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) #2967 [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) Dec 15, 2025
Copilot AI and others added 2 commits December 15, 2025 10:39
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
profiles: [L1, L2]
status: deprecated
covered_by: [MASTG-TEST-0318, MASTG-TEST-0319]
deprecation_note: "This test has been split into multiple atomic v2 tests. For WebView file access testing, use MASTG-TEST-0318 (static) and MASTG-TEST-0319 (dynamic)."
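Review bot: `status: deprecated` is added while `profiles: [L1, L2]` is left in place; confirm that the two tests named in `covered_by: [MASTG-TEST-0318, MASTG-TEST-0319]` declare the same profiles, otherwise deprecating this test silently narrows L1/L2 coverage. The `deprecation_note` is the only place that records which replacement is static and which is dynamic, so if the note is shortened to a generic sentence, that distinction should survive in the `covered_by` entries' own descriptions.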
Collaborator

Suggested change
deprecation_note: "This test has been split into multiple atomic v2 tests. For WebView file access testing, use MASTG-TEST-0318 (static) and MASTG-TEST-0319 (dynamic)."
deprecation_note: New version available in MASTG V2

Contributor Author

Updated in bc6ed86

Copilot AI changed the title [WIP] Port MASTG-TEST-0077: Testing WebView Protocol Handlers (ios) Port MASTG-TEST-0077 WebView file access testing to v2 (iOS) Dec 15, 2025
Copilot AI requested a review from cpholguera December 15, 2025 10:44
@cpholguera
Collaborator

@copilot add one demo per new test but ignore the UIWebView case

Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 15, 2025

@copilot add one demo per new test but ignore the UIWebView case

Created two demos in bc6ed86:

  • MASTG-DEMO-0081: Static analysis with radare2 for MASTG-TEST-0318
  • MASTG-DEMO-0082: Dynamic analysis with Frida for MASTG-TEST-0319

Both demos focus on WKWebView file access configuration (ignoring UIWebView as requested).

Development

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0077: Testing WebView Protocol Handlers (ios)

2 participants