Mobile Security Framework Stored Cross-Site Scripting Vulnerability in Dynamic Analysis Component

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Mobile Security Framework (MobSF) version 4.3.0, specifically within the iOS dynamic analysis component. The issue arises because the application bundle identifier can be manually altered to include special characters that Apple's guidelines do not permit. The modified bundle ID is not properly sanitized before being displayed in the dynamic analysis report, so injected scripts are stored with it and executed when the report is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the report. This could potentially lead to unauthorized actions being performed as the user, including administrative users.

Reproduction

To reproduce this vulnerability, unzip an IPA file of an iOS application and modify the 'CFBundleIdentifier' key in the 'Info.plist' file to include special characters. After re-zipping the IPA file, upload it to a virtual device using the Corellium platform. Once the modified application is installed, access the dynamic analysis feature in MobSF and hover over the 'Uninstall' button for the malicious app, which will trigger the execution of the injected script.

Remediation

Users are advised to upgrade to MobSF version 4.3.1, where this vulnerability has been patched.
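
For tooling that renders bundle identifiers from untrusted IPA files, the two controls the description points to are validating the identifier against Apple's permitted character set and escaping it on output. The following is an added example, not MobSF's code or its 4.3.1 patch; the function names, the button markup and the sample plist are assumptions constructed for illustration.

```python
import html
import plistlib
import re

# Apple allows only alphanumerics, hyphens and periods in a bundle ID.
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9.-]+")

# Constructed sample: an Info.plist whose bundle ID carries markup characters.
BAD_ID = 'com.example.app"><i>test</i>'
SAMPLE_PLIST = plistlib.dumps({"CFBundleIdentifier": BAD_ID, "CFBundleName": "Demo"})


def read_bundle_id(info_plist_bytes):
    """Return CFBundleIdentifier from raw Info.plist bytes (XML or binary)."""
    value = plistlib.loads(info_plist_bytes).get("CFBundleIdentifier", "")
    return value if isinstance(value, str) else ""


def is_valid_bundle_id(bundle_id):
    """True only if every character is in Apple's permitted set."""
    return BUNDLE_ID_RE.fullmatch(bundle_id) is not None


def render_uninstall_button(bundle_id):
    """Hypothetical report fragment; not MobSF's template.

    The value is always escaped for an attribute context, and an ID outside
    the permitted set is additionally flagged so the report can surface it.
    """
    safe = html.escape(bundle_id, quote=True)
    flag = "" if is_valid_bundle_id(bundle_id) else ' data-invalid-bundle-id="true"'
    return f'<button title="Uninstall {safe}"{flag}>Uninstall</button>'


if __name__ == "__main__":
    bundle_id = read_bundle_id(SAMPLE_PLIST)
    print(is_valid_bundle_id(bundle_id))
    print(render_uninstall_button(bundle_id))
```

Validation alone is not sufficient, because other plist fields may reach the same report; escaping at the point of output covers values that no allow-list was written for.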

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.5
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.