owasp / igoat Goto Github PK

I followed the link from this project to https://igoatapp.com/ where I scrolled down to the Download iGoat section and clicked on SWIFT VERSION. The mouse cursor did not change to a hand as usual. When I clicked a new browser tab opened with the following scam URL trying to convince me to launch some fake update. "https" has been replaced with "hxxps" so nobody clicks it by mistake.

hxxps://interfrogs.com/11/click/1/?source=3398217&csum=hNjjFae2TcG3E9vWM1KDKBiIiUzFrtfe-hwsKwTaBaI5ZkXldVrSN-4lYotsF1yxhsXavSIvTYzzsqMCDy15Tw%2C%2C&_subid=3qnkfg41cnbq1vlgti3m&_token=uuid_3qnkfg41cnbq1vlgti3m_3qnkfg41cnbq1vlgti3m600ebc5287a4e5.22325693

I could not reproduce this. I suspected cookies to be used to deliver the page only once so I opened https://igoatapp.com/ in a Firefox private window but the update page didn't show up.

The interfrogs link above cycles through different scams. When visited once more I got a "win an iPhone" scam instead.

Please review the site. Maybe some of the self-hosted minified JavaScript libraries are infected?

Hi Team,
In the iGoat - Side Channel Data Leaks Module;
Most of all sub categories are having the UI scaling issues when we try to provide any user inputs.
This behaviour is observed in the iPhone 6s with iOS 10.2.
The below given screenshots depicts the same.

Documenting a fix for this bug:

1. Enable HTTPS on the API call.
2. Store the key in the keychain instead of a local variable.

Can you enable both HTTP and HTTPS on this endpoint? This should be pretty easy to achieve using AWS certificate manager or . Or swap the endpoint over to an API Gateway lambda call, which supports HTTPS out of the box.

Unable to install dependencies for server

pfa screenshots

Hi,

I'm sorry if it is a stupid question, but why all the requests made by the iGoat app target localhost (such as the authentication challenge) ?

If I understood well, the Ruby server is meant to be launched on the attacker machine, but HTTP traffic against localhost doesn't go through the proxy. As a consequence, I get the error message "Server reqest failed; see log for details". And I did, with the mention that there is no server at localhost.

Thanks in advance!

My Environment
iOS 9.3.3 Jailbroken
Device - iPad Air 2

Downloaded the IPA file
https://github.com/OWASP/igoat/blob/master/iGoat.ipa

Installing using "installipa iGoat.ipa " But its showing the error.

"private/var/tmp/iGoat.ipa is not a valid IPA" snap shot attached

Hello

In current igoat version 2.6 is getting stuck while doing "Public Key Pinning" exercise in "Data Protection (Transit) category.

After clicking submit button in Public Key Pinning exercise the application is getting stuck, then we have to re-start the application.

please go through attached snap.

Thanks.

I tried to install the ipa using installipa but failed :(
How to install the app?

reverse engineering string not found in hopper?
any pointers

Can you please provide with an installable IPA file of the latest version of iGoat application.