In this exercise the app stores data using a Plist file in the application sandbox. Your task is to locate the Plist file and find the sensitive data that it contains.
Once we enter the Username and Password the records are stored successfully in the Plist file in the application Sandbox.
In this example, the Plist file is stored at the path shown below:
Download the Plist file to your host machine from the above path using SFTP/SCP.
╭─[email protected] ~/Documents/iOS/OWASP_iGoat
╰─$ scp [email protected]:/private/var/mobile/Containers/Data/Application/464B6C36-FBB9-4209-AC2C-6793098AB807/Documents/Credentials.plist .
[email protected]'s password:
Credentials.plist                             100%  279     1.5KB/s   00:00
╭─[email protected] ~/Documents/iOS/OWASP_iGoat
╰─$ ls
Credentials.plist
Once you have downloaded the file, open Credentials.plist and you will observe that the sensitive information entered via the UI is stored insecurely, in plain text.
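To turn the manual inspection above into a repeatable check, the following added example (not code from iGoat or this exercise) parses a Plist with Python's standard plistlib and reports string values stored under sensitive-looking keys. The embedded Plist is a constructed sample; the key names (username, password, authToken) are assumptions, since the page does not show the real file's contents.

```python
import plistlib
from typing import Dict, List

# Constructed sample shaped like a credentials Plist written to the sandbox.
# Key names are assumptions; the exercise's real Credentials.plist is not shown.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>username</key>
    <string>igoat_user</string>
    <key>password</key>
    <string>Secret123</string>
    <key>theme</key>
    <string>dark</string>
    <key>session</key>
    <dict>
        <key>authToken</key>
        <string>abc.def.ghi</string>
    </dict>
</dict>
</plist>
"""

# Key-name fragments that usually indicate a secret rather than a preference.
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "credential", "apikey", "api_key")


def load_plist(data: bytes) -> dict:
    """Parse XML or binary Plist bytes; plistlib detects the format itself."""
    return plistlib.loads(data)


def find_plaintext_secrets(obj, path: str = "") -> List[Dict[str, str]]:
    """Walk nested dicts/lists and report string values under sensitive-looking keys."""
    findings: List[Dict[str, str]] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}" if path else key
            if isinstance(value, str) and any(h in key.lower() for h in SENSITIVE_HINTS):
                findings.append({"path": child, "value": value})
            findings.extend(find_plaintext_secrets(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings


def audit(data: bytes) -> List[Dict[str, str]]:
    """Return every plaintext secret found in the Plist, with its key path."""
    return find_plaintext_secrets(load_plist(data))


if __name__ == "__main__":
    for f in audit(SAMPLE_PLIST):
        print(f"plaintext secret at {f['path']}: {f['value']}")
```

Point `audit()` at the bytes of a Plist pulled from the Documents directory and any non-empty result is a finding; values like these belong in the Keychain, not in a sandbox file.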