Skip to content

Latest commit

 

History

History
79 lines (60 loc) · 7.46 KB

mitigations.md

File metadata and controls

79 lines (60 loc) · 7.46 KB

Mitigation Strategies Analysis for jverkoey/nimbus

Mitigation Strategy: Sanitize Input for NIAttributedLabel and Nimbus UI Components

Description:

  1. Identify Vulnerable Components: Locate all instances of NIAttributedLabel and any other Nimbus UI components that can render rich text or HTML, especially those displaying user-supplied or remotely-fetched content. This is crucial because Nimbus's built-in handling might not be sufficient against all XSS attacks.
  2. Choose a Sanitization Library: Select a robust HTML sanitization library (e.g., a well-maintained Swift port of OWASP Java HTML Sanitizer, or a library specifically designed for secure HTML rendering on iOS). Do not rely solely on Nimbus's internal handling.
  3. Implement Sanitization:
    • Before setting the content of the NIAttributedLabel (or other vulnerable Nimbus component), pass the input string through the sanitization library.
    • Configure the sanitizer to allow only a very strict whitelist of HTML tags and attributes. For example, allow only basic formatting tags like <b>, <i>, <a> (with careful attribute restrictions), and explicitly disallow tags like <script>, <iframe>, <object>, <embed>, etc. This is critical because NIAttributedLabel can render these.
    • For <a> tags, ensure that only href attributes with safe URL schemes (e.g., https://, mailto:) are allowed. Reject or sanitize any javascript: URLs or other potentially dangerous schemes. Nimbus might not automatically block these.
  4. Test Thoroughly: Test the sanitization with a variety of malicious inputs (XSS payloads) to ensure it effectively blocks attacks, specifically targeting NIAttributedLabel's rendering capabilities.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) (High Severity): Prevents attackers from injecting malicious JavaScript code into the application through Nimbus UI components.
    • UI Redressing/Phishing (Medium Severity): Reduces the risk of attackers manipulating the Nimbus-rendered UI to trick users.

  • Impact:

    • XSS: Risk significantly reduced (effectiveness depends on the sanitization library and configuration, and its interaction with Nimbus's rendering).
    • UI Redressing: Risk reduced, but other UI security measures are also important.

  • Currently Implemented:

    • Example: A basic sanitization function is used in the ContentDisplayHelper class, but it only removes <script> tags and doesn't fully address NIAttributedLabel's capabilities.

  • Missing Implementation:

    • Example: Need to replace the basic sanitization with a comprehensive HTML sanitization library, specifically tested with NIAttributedLabel. Need to apply sanitization to all instances of NIAttributedLabel and similar Nimbus components. Need to add thorough testing with XSS payloads targeting Nimbus's rendering.

Mitigation Strategy: Secure Usage of NIWebController and Web Content

Description:

  1. Content Security Policy (CSP): If using NIWebController to display web content, implement a strict Content Security Policy (CSP). This is a crucial step because NIWebController is essentially a web browser within your app.
    • Define a CSP header that restricts the sources from which the web view can load resources (scripts, images, stylesheets, etc.).
    • Use the connect-src, script-src, img-src, style-src, and other CSP directives to specify allowed origins.
    • Avoid using 'unsafe-inline' or 'unsafe-eval' in your CSP.
  2. Disable JavaScript (if possible): If the web content displayed in NIWebController does not require JavaScript, disable it entirely. This significantly reduces the attack surface.
  3. Validate URLs: Before loading any URL into NIWebController, thoroughly validate it to ensure it's a legitimate and expected URL. Avoid loading URLs based on user input without strict validation.
  4. Avoid loading local HTML files: If possible avoid loading local HTML files. If you must load local HTML files, ensure that they are not modifiable by the user or other applications.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) (High Severity): CSP and disabling JavaScript significantly reduce the risk of XSS attacks within the NIWebController.
    • Data Exfiltration (High Severity): CSP helps prevent malicious scripts from sending data to unauthorized servers.
    • Clickjacking/UI Redressing (Medium Severity): CSP can help prevent some forms of clickjacking.

  • Impact:

    • XSS: Risk significantly reduced with a strict CSP and/or disabling JavaScript.
    • Data Exfiltration: Risk significantly reduced with a well-defined CSP.
    • Clickjacking: Risk reduced, but other UI security measures are also important.

  • Currently Implemented:

    • Example: NIWebController is used to display help content, but no CSP is implemented. JavaScript is enabled.

  • Missing Implementation:

    • Example: Need to implement a strict CSP for all instances of NIWebController. Need to evaluate whether JavaScript can be disabled. Need to add URL validation before loading content into NIWebController.

Mitigation Strategy: Secure Custom URL Handling with Nimbus

Description:

  1. Identify Custom URL Schemes: If your application uses custom URL schemes in conjunction with Nimbus (e.g., for deep linking or inter-app communication), identify all such schemes.
  2. Strict URL Parsing and Validation:
    • Implement very strict parsing and validation of any URLs received via custom schemes. Do not rely on Nimbus to automatically handle this securely.
    • Validate the scheme, host, path, and query parameters. Reject any unexpected or potentially malicious components.
    • Treat all data received via custom URLs as untrusted input.
  3. Avoid Sensitive Actions: Avoid performing sensitive actions (e.g., authentication, data modification) directly based on data received via custom URLs without additional verification.
  4. Use Associated Domains (if possible): If possible use Associated Domains instead of custom URL schemes.

  • Threats Mitigated:

    • URL Scheme Hijacking (High Severity): Prevents attackers from exploiting custom URL schemes to inject malicious data or trigger unintended actions within your application, particularly through Nimbus components that might handle these URLs.
    • Data Injection (High Severity): Prevents attackers from injecting malicious data via custom URL parameters.

  • Impact:

    • URL Scheme Hijacking: Risk significantly reduced with strict URL validation and avoiding sensitive actions based solely on URL data.
    • Data Injection: Risk significantly reduced with thorough input validation.

  • Currently Implemented:

    • Example: The application uses a custom URL scheme (myapp://) for deep linking, but the URL parsing logic is basic and might be vulnerable.

  • Missing Implementation:

    • Example: Need to implement robust URL parsing and validation for all custom URL schemes, specifically checking how Nimbus components interact with these URLs. Need to avoid performing sensitive actions directly based on URL data without further verification.