{"id":13717228,"url":"https://github.com/OWASP/igoat","last_synced_at":"2025-05-07T07:30:43.987Z","repository":{"id":44170584,"uuid":"68228492","full_name":"OWASP/igoat","owner":"OWASP","description":"OWASP iGoat - A Learning Tool for iOS App Pentesting and Security by Swaroop Yermalkar","archived":false,"fork":false,"pushed_at":"2023-01-05T16:13:18.000Z","size":119708,"stargazers_count":418,"open_issues_count":4,"forks_count":102,"subscribers_count":34,"default_branch":"master","last_synced_at":"2024-10-26T07:39:22.108Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://igoatapp.com/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-09-14T17:36:11.000Z","updated_at":"2024-10-21T01:44:28.000Z","dependencies_parsed_at":"2023-02-04T06:45:43.320Z","dependency_job_id":null,"html_url":"https://github.com/OWASP/igoat","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Figoat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Figoat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Figoat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Figoat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/igoat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224573
315,"owners_count":17333802,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T00:01:19.561Z","updated_at":"2024-11-14T05:31:07.991Z","avatar_url":"https://github.com/OWASP.png","language":"C","funding_links":[],"categories":["C","C (286)","Awesome Mobile Application Penetration Testing  ![awesome](https://awesome.re/badge.svg)","Mobile Security"],"sub_categories":["Mobile Penetration Testing Lab","Vulnerable Apps"],"readme":"![GSOC 2019](https://img.shields.io/static/v1.svg?label=GSOC\u0026message=Google%20Summer%20of%20Code%202019\u0026color=blue\u0026logo=%20data:image/png;base64,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)\n\n____\n\nSelect the OWASP iGoat Version: [![Swift 4](https://img.shields.io/badge/Swift-4-blue.svg)](https://github.com/OWASP/iGoat-Swift) [![Objective C](https://img.shields.io/badge/Objective-C-blue.svg)](https://github.com/OWASP/igoat)\n\niGoat (Objective C) was presented at:\n[![AppSec USA 2017](https://img.shields.io/badge/AppSec%20USA-2017-red.svg)](https://appsecusa2017.sched.com/event/B2Xk/igoat-a-self-learning-tool-for-ios-app-pentesting-and-security) \u0026nbsp; [![c0c0n 2017](https://img.shields.io/badge/c0c0n-2017-red.svg)](http://is-ra.org/c0c0n/2017/agenda) \u0026nbsp; [![SEC-T 2017](https://img.shields.io/badge/SEC--T-2017-red.svg)](https://www.sec-t.org/archive/2017_events/schedule/) \u0026nbsp; [![BruCON 2017](https://img.shields.io/badge/BruCON-2017-red.svg)](https://2017.brucon.org/index.php/Practical_iOS_App_Exploitation_and_Defense_using_iGoat) \u0026nbsp; [![Bugcrowd Levelup 
2017](https://img.shields.io/badge/BugcrowdLevelUp-2017-red.svg)](https://forum.bugcrowd.com/t/levelup-2017-discussion-swaroop-owasp-igoat/3052)\n\n## OWASP iGoat - A Learning Tool for iOS App Pentesting and Security [![Twitter Follow](https://img.shields.io/twitter/follow/espadrine.svg?style=social\u0026label=Follow)](https://twitter.com/OWASPiGoat/)\n\niGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.\n\nAs such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.\n\n### The lessons are laid out in the following steps: ###\n\n1. Brief introduction to the problem.\n1. Verify the problem by exploiting it.\n1. Brief description of available remediations to the problem.\n1. Fix the problem by correcting and rebuilding the iGoat program.\n\nStep 4 is optional, but highly recommended for all iOS developers. 
Assistance is available within iGoat if you don't know how to fix a specific problem.\n\n\n### Documentation: [iGoat Guide](https://swaroopsy.gitbooks.io/owasp-igoat-setup/content/)\n\n### Project Details ###\n\n__Page__ - https://www.owasp.org/index.php/OWASP_iGoat_Tool_Project\n\n__Project Lead__ - Swaroop Yermalkar ([@swaroopsy](https://twitter.com/swaroopsy?lang=en))\n\n__Twitter__ - ([@OWASPiGoat](https://twitter.com/owaspigoat?lang=en))\n\n__Lead Developer__ - Anthony Gonsalves\n\n### Vulnerabilities Covered (version 3.0): ###\n* __Key Management__\n  * Hardcoded Encryption Keys\n  * Key Storage Server Side\n  * Random Key Generation\n  \n* __URL Scheme Attack__\n  \n* __Social Engineering__\n  \n* __Reverse Engineering__\n  * String Analysis\n  \n* __Data Protection (Rest)__\n  * Local Data Storage (SQLite)\n  * Plist Storage\n  * Keychain Usage\n  * NSUserDefaults Storage\n  \n* __Data Protection (Transit)__\n  * Server Communication\n  * Public Key Pinning\n  \n* __Authentication__\n  * Remote Authentication\n  \n* __Side Channel Data Leaks__\n  * Device Logs\n  * Cut-and-Paste\n  * Backgrounding\n  * Keystroke Logging\n  \n* __Tampering__ \n  * Method Swizzling\n  \n* __Injection Flaws__\n  * SQL Injection\n  * Cross Site Scripting\n  \n* __Broken Cryptography__\n\n### How to contribute? 
###\n* Add new exercises\n* Test iGoat and report any issues you find\n* Suggest new attacks\n* Write blog posts or articles about iGoat\n* Spread the word about iGoat :)\n\nTo contribute to the iGoat project, please contact __Swaroop__ ( swaroop.yermalkar@owasp.org or @swaroopsy )\n\n### Project Contributors - ###\n* Anthony Gonsalves\n* Junard Lebajan (@junard)\n* Ken van Wyk\n* Arun @he_hacks \n* Jonathan Carter\n* Heefan\n* Tilak Kumar\n* Bernhard Mueller\n* Sagar Popat\n* Chandrakant Nial \n* Valligayatri Rachakonda\n* Suraj Kumar\n* masbog\n* Cheena Kathpal\n* Matt Tesauro\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2Figoat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOWASP%2Figoat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2Figoat/lists"}