Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Exploring and Exploiting iOS Web Browsers

Today we begin a three-post series about mobile security. We start with a discussion of vulnerabilities in iOS web browsers. Later this week we'll cover apps executing on jailbroken devices and the detection of jailbroken devices. While the release and adoption of iOS 8 may plug some of the holes discussed in this post, many users will continue to use iOS 7 for some time and may remain vulnerable.

In Q1 2014, the market share of web traffic from mobile browsers exceeded 30% [1], and it is constantly growing. According to data provided by StatCounter, web traffic from iOS devices surpassed that of Mac OS X and Windows 8 [2]. Many vendors are trying to get a piece of the pie by introducing their own browsers on Apple's platform.

In reality, there is only one browser for the iOS platform, Mobile Safari, which is built from the base. The iOS App Store Review Guidelines requires that any other application used for web browsing use the iOS WebKit Framework and Javascript.

UIWebView is the main component of all browsers that allow running web content. The WebKit engine is the same as in Mobile Safari. The main difference is in the UI wrapped around WebKit.

Below I explain a number of vulnerabilities introduced by developers as they add functionality to their browsers.

The UIWebView API is quite simple. It allows you to load html content and offers some basic navigation functionality (goBack, goForward, stopLoading, reload). To manipulate the loaded html content, UIWebView exposes the stringByEvaluatingJavaScriptFromString function. This function allows executing javascript from a string with the same privileges the top frame (there is no possible way to manipulate, for example, iframe content).

Therefore, developers need to implement functionality such as tabs, password managers, address bars and download managers. Each addition in functionality brings with it the potential introduction of new bugs and security issues.

UXSS (Universal Cross-Site Scripting)

Cross-Site Scripting (XSS) enables attackers to inject client-side scripts into web pages viewed by other users, bypassing the same origin policy (SOP) and executing the injected scripts in the victim browser. UXSS differs in that the attacker exploits a vulnerability in a browser instead of a website. The root cause of this is related to SOP. In most cases, browsers support the use of multiple tabs. On iOS, WebKit does not allow multiple tabs, which means browser developers need to implement all of the required features and functionality themselves. Even though WebKit holds the SOP in it, it is not guaranteed between tabs.

CVE-2013-6893, CVE-2013-7197 and CVE-2012-2899 are a few examples of UXSS bugs in various browsers (Mercury, Yandex, Google).

Improper Content-Disposition handling can also lead to UXSS vulnerabilities.

ABS (Address Bar Spoofing)

On iOS, the address bar is not created inside the WebKit component. It must be separately developed by the browser developer. Some browsers have not implemented the address bar correctly, which gives malicious users the ability to change the content of the website without updating the address bar. This presents an opportunity for phishing attacks. ABS bugs were found in Kaspersky Safe Browser (fixed in 1.03 version) and F-Secure Safe browser (fixed in 2.50.201102 version). In some cases, the browser displayed information, such as the SSL certificate being valid, even if the webpage that was loading was using a self-signed certificate.

Other Common Weaknesses in iOS Browsers

Other vulnerabilities in iOS browsers include:

  • Improper URI schemes - this can allow attackers to, for example, send unauthenticated tweets and bypass popup blockers
  • URL handling issues - some browsers can not handle a URL that was not encoded correctly causing the Null Pointer Dereference
  • Format string memory corruption bug - this was an issue in Mobile Safari, which caused stack content to leak [CVE-2014-1315] [3].

As previously mentioned, iOS web browser developers also implement password manager functionality. One vector that can lead to the stealing of passwords from a password manager is using a Man-in-the-Middle (MITM) vulnerability to insert a hidden frame that automatically receives the username/password. The address bar will get updated very briefly, but in the vast majority of cases, this is overlooked by the user.

Finally, the way SSL is handled is important. By default, invalid certificates for iOS UIWebView https requests are rejected without user interaction. With certain bugs, this behavior can be changed (so the user would accept a self-signed certificate). Opera Coast 3.0 was one of the browsers that were vulnerable to a simple MITM attack[4].

Further reading

I presented more details about the issues described here at the Hack in The Box Amsterdam 2014 conference. The slides can be downloaded from

Special thanks to:

Lukasz Pilorz, Pawel Wyleciał, Aleksander Droś



Latest SpiderLabs Blogs

Fare Thee Well ModSecurity: End-of-Life and Last Commercial Rules Update for June 2024

A Fourteen-Year Journey Comes to an End In June 2010, Trustwave acquired Breach Security, which brought with it the popular Open-Source Web Application Firewall ModSecurity for Apache. At that time,...

Read More

Secure Access Service Edge: Another Multi-Tool for the SOC

Over the years, several security defense architectures have merged into a single solution. Endpoint detection tools can perform sophisticated detections and correlations that used to require a...

Read More

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More