search

Custodela / iGoat-Swift

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
https://igoatapp.com/
GNU General Public License v3.0
0 stars 0 forks source link

CX Unscrubbed_Secret @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/KeychainAnalyze/KeychainExerciseVC.swift [master] #66

Open tsunez opened 3 years ago

tsunez commented 3 years ago

Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/KeychainAnalyze/KeychainExerciseVC.swift in branch master

Method UITextField! at line 6 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\KeychainAnalyze\KeychainExerciseVC.swift defines passwordTextField, which is designated to contain user passwords. However, while plaintext passwords are later assigned to passwordTextField, this variable is never cleared from memory.

Severity: Low

CWE:226

Vulnerability details and guidance

Checkmarx

Recommended Fix

Lines: 32 48 17 50 53 6 14

Code (Line #32):

            let password = passwordTextField.text

Code (Line #48):

    func checkLogin(username: String, password: String) -> Bool {

Code (Line #17):

            let passwordItem = KeychainPasswordItem(service: "SaveUser",

Code (Line #50):

            let passwordItem = KeychainPasswordItem(service: "SaveUser",

Code (Line #53):

            let keychainPassword = try passwordItem.readPassword()

Code (Line #6):

    @IBOutlet weak var passwordTextField: UITextField!

Code (Line #14):

    func secureStore(userName: String, password: String) {
tsunez commented 3 years ago

Issue still exists.

SUMMARY

Issue has 7 vulnerability/vulnerabilities left to be fixed (Please scroll to the top for more information)

tsunez commented 3 years ago

Issue still exists.

SUMMARY

Issue has 7 vulnerability/vulnerabilities left to be fixed (Please scroll to the top for more information)