
Port MASTG test 0019 (by @guardsquare) #3030

Merged (13 commits) on Dec 7, 2024

Conversation

@titze (Collaborator) commented Nov 4, 2024

This PR closes #2959.

Adds new draft tests:

  • Using low-level APIs (e.g. Socket) to set up a custom HTTP connection.
  • Cleartext traffic is allowed for cross-platform frameworks
  • Runtime Use of Network APIs Transmitting Cleartext Traffic (Frida)

Review thread on tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md (outdated, resolved):
platform: android
id: MASTG-TEST-0x19-2
type: [static]
weakness: MASWE-0050
Collaborator comment:

Comment on lines 15 to 17
1. Reverse engineer the app (@MASTG-TECH-0017).
2. Run a static analysis (@MASTG-TECH-0014) tool and look for all usages of `SSLSocket`.
3. Verify each usage performs manual hostname verification correctly.
Collaborator comment:

After changing the above, we should update the steps and be more specific. We can tell them to search for uses of SSLSocket that are not using HostnameVerifier, or that are using it but potentially incorrectly (as indicated above).

Examples (not for linking here, but maybe to use later for demos):
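A heuristic version of the search the comment above describes, added here by the editor as an example; it is not part of the MASTG test under review. It assumes decompiled Java sources are available as a `{path: text}` mapping (for instance from jadx), the sample files and the `com.example.net` package are constructed, and the regular expressions are approximations whose hits still need manual confirmation.

```python
"""Heuristic scan for SSLSocket use without effective hostname verification.

Editor's example, not the MASTG test's own code. Assumes decompiled Java
sources as {path: text}. Two checks:
  1. a file that uses javax.net.ssl.SSLSocket directly but never references
     HostnameVerifier: SSLSocket does not verify the hostname by itself;
  2. a HostnameVerifier whose verify() body is only `return true;`: the
     check exists but accepts every hostname.
Only the SSLSocket type is matched, not SSLSocketFactory on its own, because
handing a factory to HttpsURLConnection is fine (that class verifies hostnames).
"""
import re

SSL_SOCKET_RE = re.compile(r"\bSSLSocket\b")
VERIFIER_RE = re.compile(r"\bHostnameVerifier\b")
# verify(String, SSLSession) whose whole body is `return true;`
TRIVIAL_VERIFY_RE = re.compile(
    r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")


def scan_ssl_sockets(sources):
    """sources: {path: java_source}; returns sorted (path, finding) tuples."""
    findings = []
    for path, src in sources.items():
        if SSL_SOCKET_RE.search(src) and not VERIFIER_RE.search(src):
            findings.append((path, "SSLSocket used without HostnameVerifier"))
        if TRIVIAL_VERIFY_RE.search(src):
            findings.append((path, "HostnameVerifier.verify() always returns true"))
    return sorted(findings)


# Constructed sample files (hypothetical package com.example.net).
SAMPLE_SOURCES = {
    "com/example/net/RawTls.java": """
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket("example.com", 443);
        socket.startHandshake();   // no hostname check: any valid cert is accepted
    """,
    "com/example/net/SafeTls.java": """
        SSLSocket socket = (SSLSocket) factory.createSocket("example.com", 443);
        socket.startHandshake();
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!hv.verify("example.com", socket.getSession())) {
            throw new SSLHandshakeException("hostname mismatch");
        }
    """,
    "com/example/net/TrustAll.java": """
        public class TrustAll implements HostnameVerifier {
            public boolean verify(String hostname, SSLSession session) { return true; }
        }
    """,
}

if __name__ == "__main__":
    for path, finding in scan_ssl_sockets(SAMPLE_SOURCES):
        print(f"{path}: {finding}")
```

Running it over the constructed files reports `RawTls.java` (socket without any verifier) and `TrustAll.java` (verifier that accepts everything), while `SafeTls.java`, which checks the session against the default verifier after the handshake, produces no finding.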

Since Android 9 (API level 28) cleartext HTTP traffic is blocked by default (thanks to the [default Network Security Configuration](../../../Document/0x05g-Testing-Network-Communication.md#default-configurations)) but there are multiple ways in which an application can still send it:

- Setting the [`android:usesCleartextTraffic`](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic "Android documentation - usesCleartextTraffic flag") attribute of the `<application>` tag in the AndroidManifest.xml file. Note that this flag is ignored in case the Network Security Configuration is configured.
- Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements.
Collaborator comment:

Suggested change
- Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements.
- Configuring the [Network Security Configuration to enable cleartext traffic](https://developer.android.com/privacy-and-security/security-config#CleartextTrafficPermitted) by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements.


1. Reverse engineer the app (@MASTG-TECH-0017).
2. Verify `usesCleartextTraffic` is not set to `true` in the AndroidManifest.xml
3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain.
Collaborator comment:

Suggested change
3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure `cleartextTrafficPermitted` is not set to `true` for any domain.
3. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and make sure that `cleartextTrafficPermitted` is not set to `true`
- globally in the `<base-config>` element.
- or for specific domains in their `<domain-config>` elements.
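The manifest and Network Security Configuration checks from the steps above, implemented as an editor's example (not code from the MASTG test or the project). It assumes the decoded `AndroidManifest.xml` and the referenced NSC XML are available as text (for instance from apktool) and that the target SDK version is known; the sample manifest, NSC and domain names are constructed. It also covers nested `<domain-config>` elements, which inherit `cleartextTrafficPermitted` from their parent.

```python
"""Static check for cleartext-traffic settings in an Android app.

Editor's example, not the MASTG test's own code. Logic follows the review
steps: when <application> references an NSC, android:usesCleartextTraffic is
ignored and cleartextTrafficPermitted is evaluated on <base-config> and on
every <domain-config> (nested ones inherit from their parent); otherwise the
manifest attribute decides. Platform default for both: cleartext is permitted
only when targetSdkVersion < 28 (Android 9).
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"


def _bool_attr(elem, name, default):
    value = elem.get(name) if elem is not None else None
    return default if value is None else value.strip().lower() == "true"


def nsc_cleartext(nsc_xml, target_sdk):
    """Return [(scope, permitted)] for base-config and every domain-config."""
    root = ET.fromstring(nsc_xml)
    base_permitted = _bool_attr(root.find("base-config"),
                                "cleartextTrafficPermitted", target_sdk < 28)
    findings = [("base-config", base_permitted)]

    def walk(config, inherited):
        permitted = _bool_attr(config, "cleartextTrafficPermitted", inherited)
        domains = ",".join(d.text.strip() for d in config.findall("domain") if d.text)
        findings.append(("domain-config:" + domains, permitted))
        for child in config.findall("domain-config"):  # nested: inherits from parent
            walk(child, permitted)

    for config in root.findall("domain-config"):
        walk(config, base_permitted)
    return findings


def cleartext_findings(manifest_xml, nsc_xml, target_sdk):
    """Apply the NSC when referenced, else the usesCleartextTraffic attribute."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is not None and app.get(ANDROID + "networkSecurityConfig") and nsc_xml:
        return nsc_cleartext(nsc_xml, target_sdk)
    return [("usesCleartextTraffic",
             _bool_attr(app, ANDROID + "usesCleartextTraffic", target_sdk < 28))]


def allowed_scopes(findings):
    """Scopes for which cleartext traffic is allowed (the test's observation)."""
    return [scope for scope, permitted in findings if permitted]


# Constructed sample input (hypothetical package and domains).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config" />
</manifest>"""

SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
    <domain-config>
      <domain>api.legacy.example.com</domain>
    </domain-config>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for scope in allowed_scopes(cleartext_findings(SAMPLE_MANIFEST, SAMPLE_NSC, 33)):
        print("cleartext allowed:", scope)
```

In the sample, `usesCleartextTraffic="false"` is irrelevant because an NSC is referenced; the NSC's base config blocks cleartext, but the `legacy.example.com` domain config re-enables it and the nested `api.legacy.example.com` config inherits that, so both are reported.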

Review thread on tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md (outdated, resolved):

## Observation

The output contains a list of domains for which cleartext traffic is enabled.
Collaborator comment:

More accurate like this I think.

Suggested change
The output contains a list of domains for which cleartext traffic is enabled.
The output contains a list of configurations allowing for cleartext traffic.

Comment on lines 6 to 17
weakness: MASWE-0050
---

## Overview

Cross-platform frameworks (e.g. Flutter, React Native, ...) typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed.

## Steps

## Observation

## Evaluation
Collaborator comment:

We can do this as long as there's a new Issue. Please mention the issue in the PR description.

Suggested change (before):
weakness: MASWE-0050
---
## Overview
Cross-platform frameworks (e.g. Flutter, React Native, ...) typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed.
## Steps
## Observation
## Evaluation

Suggested change (after):
weakness: MASWE-0050
status: draft
note: Cross-platform frameworks (e.g. Flutter, React Native, ...) typically have their own implementations for HTTP libraries, where cleartext traffic can be allowed.
---


## Overview

Intercept the tested app's incoming and outgoing network traffic and make sure that this traffic is encrypted.
Collaborator comment:

Rephrase to highlight more why we're doing this test, what's the value/benefit. For example, these are REAL cleartext connections, not just potential ones (as is the case if we just retrieve the hardcoded URLs).

Limitations:

  • thanks to doing this we can know what domains are contacted in cleartext but we don't know which location in the code is producing this traffic, right? (we can add a note in the Evaluation)
  • this depends on how much of the app you can exercise so you cannot expect full coverage

Review threads (outdated, resolved) on tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-5.md and tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-1.md.

## Evaluation

The test case fails if any HTTP URLs are used for communication.
@cpholguera (Collaborator) commented Dec 7, 2024:

See my new comment above, in the evaluation we can now use the output and explain how to discard false positives. This is not an easy task, but there are some things we can do to get a better list.
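One way to turn the list of hardcoded `http://` URLs into something the evaluation can work with, added here by the editor as an example (not code from the MASTG test or the project). It assumes decompiled sources and resources are available as a `{path: text}` mapping (for instance from jadx or apktool); the categories, the allowlist of prefixes and the sample files are the editor's own constructions, so the "candidate" bucket is a starting point for manual review, not a verdict.

```python
"""Triage of hardcoded http:// URLs found in decompiled app code.

Editor's example, not the MASTG test's own code. Heuristic categories:
  benign-identifier : XML namespaces, schema URIs, license links; these are
                      names, not endpoints the app connects to
  local-dev         : localhost, 127.0.0.1, 10.0.2.2 (emulator host alias);
                      still cleartext, but normally unreachable in production
  candidate         : everything else; reported with file and line so the
                      tester can confirm the URL is really used to connect
"""
import re

HTTP_URL_RE = re.compile(r"http://[A-Za-z0-9._~%:/?#@!$&'()*+,;=-]+")
# Constructed allowlist: prefixes that identify things rather than servers.
BENIGN_PREFIXES = (
    "http://schemas.android.com/",
    "http://www.w3.org/",
    "http://xmlpull.org/",
    "http://xml.org/sax/",
    "http://apache.org/xml/",
    "http://www.apache.org/licenses/",
)
LOCAL_DEV_RE = re.compile(r"^http://(localhost|127\.0\.0\.1|10\.0\.2\.2)(:\d+)?(/|$)")


def classify(url):
    if url.startswith(BENIGN_PREFIXES):
        return "benign-identifier"
    if LOCAL_DEV_RE.match(url):
        return "local-dev"
    return "candidate"


def triage_http_urls(sources):
    """Returns {category: sorted list of (url, path, line)} over all files."""
    buckets = {"candidate": set(), "local-dev": set(), "benign-identifier": set()}
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for url in HTTP_URL_RE.findall(line):
                url = url.rstrip("'(),;.")  # punctuation glued to the URL in code
                buckets[classify(url)].add((url, path, lineno))
    return {cat: sorted(hits, key=lambda h: (h[1], h[2], h[0]))
            for cat, hits in buckets.items()}


# Constructed sample files (hypothetical package com.example.app).
SAMPLE_SOURCES = {
    "res/layout/activity_main.xml":
        '<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">',
    "com/example/app/ApiClient.java": "\n".join([
        "// Licensed under http://www.apache.org/licenses/LICENSE-2.0",
        'private static final String BASE_URL = "http://api.example.com/v1";',
        'private static final String DEV_URL = "http://10.0.2.2:8080/v1";',
    ]),
    "com/example/app/Legacy.java":
        'URL u = new URL("http://legacy.example.com/login");',
}

if __name__ == "__main__":
    for category, hits in triage_http_urls(SAMPLE_SOURCES).items():
        for url, path, line in hits:
            print(f"{category:18} {url}  ({path}:{line})")
```

On the sample input the Android XML namespace and the license link drop out as identifiers, the emulator-host URL is set aside as local-dev, and only `api.example.com` and `legacy.example.com` remain as candidates to confirm by checking where each string flows (or by observing the runtime traffic).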

Further review threads (outdated, resolved) on tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x19-2.md, MASTG-TEST-0x19-3.md, MASTG-TEST-0x19-4.md and MASTG-TEST-0x19-5.md.
@cpholguera cpholguera merged commit bc93250 into OWASP:master Dec 7, 2024
3 checks passed
@titze titze deleted the port-MASTG-TEST-0019 branch December 9, 2024 08:21
serek8 pushed a commit to serek8/owasp-mstg that referenced this pull request Jan 2, 2025
* Port MASTG test 0019

* Fix markdown

* Review feedback

* Add Frida to trace traffic

* Apply suggestions from code review

* Refine MASTG-TEST-0x19-1.md for clarity on hardcoded HTTP URLs and their usage

* Update covered_by references in MASTG-TEST-0019.md to reflect new test cases

* Rename MASTG-TEST-0x19 test cases to MASTG-TEST-0233 through MASTG-TEST-0239

* update IDs

* Update MASTG-TEST-0233 to modify title, improve evaluation and add related test references

* Update MASTG-TEST-0239 note to clarify potential support for multiple weaknesses

* Add --- at end of files for MASTG-TEST-0237, MASTG-TEST-0238, and MASTG-TEST-0239

* rm bare URL

---------

Co-authored-by: Carlos Holguera <[email protected]>
Linked issue: MASTG v1->v2 MASTG-TEST-0019: Testing Data Encryption on the Network (android)