In this exercise, the app stores data in Core Data Format. Your task is to locate the CoreData file and find the sensitive data that it contains.
Once we enter the Username and Password the records are stored successfully.
Copy /private/var/mobile/Containers/Data/Application/<AppFolder>
Using Grep command we can easily identify the Appfolder which was created during the App installation as shown below;
Copy Aruns-iPhone:/private/var/mobile/Containers/Data/Application root# find * | grep "iGoat-Swift"
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-shm
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/Cache.db-wal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.data
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/com.apple.metal/functions.maps
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/40C53B0C-C237-4741-AF82-5B687097E160
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/94E8BBAA-DDC5-4DAB-93F4-978831FD9922
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/OWASP.iGoat-Swift/fsCachedData/FF62F4DB-5862-49BB-957A-537DFFD1B378
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/4099D0AD-F39B-4C4C-A29F-AA3BE0FF5BA3@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/4F042730-B3CA-4F80-898A-6C900F998054@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Caches/Snapshots/OWASP.iGoat-Swift/downscaled/84C3ADC6-8F6A-4EB7-BDE5-E8BDE70FFC10@2x.ktx
464B6C36-FBB9-4209-AC2C-6793098AB807/Library/Preferences/OWASP.iGoat-Swift.plist
Copy Aruns - iPhone: /private/ var / mobile / Containers /Data/Application/ 464B6C36 - FBB9 - 4209 - AC2C - 6793098AB807 / Library /Application Support root #
Aruns - iPhone: /private/ var / mobile / Containers /Data/Application/ 464B6C36 - FBB9 - 4209 - AC2C - 6793098AB807 / Library /Application Support root # ls
CoreData.sqlite CoreData.sqlite - shm CoreData.sqlite - wal
Aruns - iPhone: /private/ var / mobile / Containers /Data/Application/ 464B6C36 - FBB9 - 4209 - AC2C - 6793098AB807 / Library /Application Support root # sqlite3 CoreData.sqlite
SQLite version 3 . 24 . 0 2018 - 06 - 04 19 : 24 : 41
Enter ".help" for usage hints.
sqlite > .headers ON
sqlite > .tables
ZUSER Z_METADATA Z_MODELCACHE Z_PRIMARYKEY
sqlite > select * from ZUSER;
Z_PK|Z_ENT|Z_OPT|ZEMAIL|ZPASSWORD
1 | 1 | 1 |john@test.com|coredbpassword
sqlite >
Notice that all tables starting with prefix Z and the table ZUSER contains the sensitive user credentials stored in plain text.