Select the OWASP iGoat Version:
iGoat (Objective C) was presented at:
OWASP iGoat - A Learning Tool for iOS App Pentesting and Security
iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.
As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.
The lessons are laid out in the following steps:
- Brief introduction to the problem.
- Verify the problem by exploiting it.
- Brief description of available remediations to the problem.
- Fix the problem by correcting and rebuilding the iGoat program.
Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don't know how to fix a specific problem.
iGoat Guide
Documentation:Project Details
Page - https://www.owasp.org/index.php/OWASP_iGoat_Tool_Project
Project Lead - Swaroop Yermalkar (@swaroopsy)
Twitter - (@OWASPiGoat)
Lead Developer - Anthony Gonsalves
Vulnerabities Covered (version 3.0):
-
Key Management
- Hardcoded Encryption Keys
- Key Storage Server Side
- Random Key Generation
-
URL Scheme Attack
-
Social Engineering
-
Reverse Engineering
- String Analysis
-
Data Protection (Rest)
- Local Data Storage (SQLite)
- Plist Storage
- Keychain Usage
- NSUserDefaults Storage
-
Data Protection (Transit)
- Server Communication
- Public Key Pinning
-
Authentication
- Remote Authentication
-
Side Channel Data Leaks
- Device Logs
- Cut-and-Paste
- Backgrounding
- Keystroke Logging
-
Tampering
- Method Swizzling
-
Injection Flaws
- SQL Injection
- Cross Site Scripting
-
Broken Cryptography
How to countribute?
- You can add new exercises
- Testing iGoat and checking if any issues
- Suggest us new attacks
- Writing blogs / article about iGoat
- Spreading iGoat :)
To contribute to iGoat project, please contact Swaroop ( [email protected] or @swaroopsy )
Project Contributors -
- Anthony Gonsalves
- Junard Lebajan (@junard)
- Ken van Wyk
- Arun @he_hacks
- Jonathan Carter
- Heefan
- Tilak Kumar
- Bernhard Mueller
- Sagar Popat
- Chandrakant Nial
- Valligayatri Rachakonda
- Suraj Kumar
- masbog
- Cheena Kathpal
- Matt Tesauro