lukebrogan-mend / iGoat-Swift

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
https://igoatapp.com/
GNU General Public License v3.0

Code Security Report: 91 high severity findings, 376 total findings #16

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago

Code Security Report

Latest Scan: 2022-10-20 08:20pm
Total Findings: 376
Tested Project Files: 551
Detected Programming Languages: 5

Language: C/C++ (Beta)

No vulnerability findings detected.

Language: PHP

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| High | CWE-79 | Cross-Site Scripting | 1 |
| Medium | CWE-798 | Hardcoded Password/Credentials | 1 |
| Medium | CWE-472 | Hidden HTML Input | 8 |
| Low | CWE-113 | HTTP Response Splitting | 2 |

Details

The list below presents the 1 high-severity vulnerability finding that needs your attention. To view information on this finding, navigate to the Mend SAST Application.

Cross-Site Scripting (CWE-79) : 1

Findings

myapp/checkout.php:36 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/server/iGoat-Server-challenges/myapp/checkout.php#L31-L36
Trace:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/server/iGoat-Server-challenges/myapp/checkout.php#L8
https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/server/iGoat-Server-challenges/myapp/checkout.php#L13
https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/server/iGoat-Server-challenges/myapp/checkout.php#L14
https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/server/iGoat-Server-challenges/myapp/checkout.php#L36

Language: Swift

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| High | CWE-89 | SQL Functions | 6 |
| High | CWE-73 | File Manipulation | 1 |
| Medium | CWE-319 | Insufficient Transport Layer Protection | 8 |
| Medium | CWE-749 | WebView Implementation | 8 |
| Medium | CWE-676 | Miscellaneous Dangerous Functions | 9 |
| Medium | CWE-200 | Insecure Data Storage | 28 |
| Medium | CWE-209 | Log Messages | 3 |
| Low | CWE-326 | Weak Encryption Strength | 3 |
| Low | | External URL Access | 22 |

Details

The list below presents the 7 high-severity vulnerability findings that need your attention. To view information on these findings, navigate to the Mend SAST Application.

SQL Functions (CWE-89) : 6

Findings

Random Key Generation/RandomKeyGenerationExerciseVC.swift:63 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L58-L63
Random Key Generation/RandomKeyGenerationExerciseVC.swift:48 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L43-L48
Random Key Generation/RandomKeyGenerationExerciseVC.swift:63 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L58-L63
SQL Injection/SQLInjectionExerciseVC.swift:22 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/Source/Exercises/Injection Flaws/SQL Injection/SQLInjectionExerciseVC.swift#L17-L22
SQL Injection/SQLInjectionExerciseVC.swift:22 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/Source/Exercises/Injection Flaws/SQL Injection/SQLInjectionExerciseVC.swift#L17-L22
Random Key Generation/RandomKeyGenerationExerciseVC.swift:48 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L43-L48

File Manipulation (CWE-73) : 1

Findings

PlistStorage/PlistStorageExerciseViewController.swift:21 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/PlistStorage/PlistStorageExerciseViewController.swift#L16-L21

Language: iOS Objective-C

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| High | CWE-89 | SQL Functions | 75 |
| High | CWE-73 | File Manipulation | 8 |
| Medium | CWE-200 | Insecure Data Storage | 188 |
| Medium | CWE-209 | Log Messages | 1 |
| Low | CWE-326 | Weak Encryption Strength | 2 |
| Low | CWE-242 | Use of Inherently Dangerous Function | 2 |

Details

The list below presents the 20 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend SAST Application.

SQL Functions (CWE-89) : 20

Findings

YapDatabase/YapDatabaseTransaction.m:2015 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseTransaction.m#L2010-L2015
SecondaryIndex/YapDatabaseSecondaryIndexTransaction.m:617 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/SecondaryIndex/YapDatabaseSecondaryIndexTransaction.m#L612-L617
YapDatabase/YapDatabaseConnection.m:971 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L966-L971
SecondaryIndex/YapDatabaseSecondaryIndexTransaction.m:1279 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/SecondaryIndex/YapDatabaseSecondaryIndexTransaction.m#L1274-L1279
SecondaryIndex/YapDatabaseSecondaryIndexConnection.m:240 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/SecondaryIndex/YapDatabaseSecondaryIndexConnection.m#L235-L240
Views/YapDatabaseViewTransaction.m:288 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/Views/YapDatabaseViewTransaction.m#L283-L288
Views/YapDatabaseViewTransaction.m:1325 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/Views/YapDatabaseViewTransaction.m#L1320-L1325
Views/YapDatabaseViewConnection.m:793 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/Views/YapDatabaseViewConnection.m#L788-L793
YapDatabase/YapDatabaseConnection.m:1426 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1421-L1426
YapDatabase/YapDatabaseConnection.m:1406 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1401-L1406
YapDatabase/YapDatabaseConnection.m:1388 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1383-L1388
YapDatabase/YapDatabaseConnection.m:1369 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1364-L1369
YapDatabase/YapDatabaseConnection.m:1351 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1346-L1351
YapDatabase/YapDatabaseConnection.m:1332 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1327-L1332
YapDatabase/YapDatabaseConnection.m:1314 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1309-L1314
YapDatabase/YapDatabaseConnection.m:1296 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1291-L1296
YapDatabase/YapDatabaseConnection.m:1278 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1273-L1278
YapDatabase/YapDatabaseConnection.m:1260 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1255-L1260
YapDatabase/YapDatabaseConnection.m:1242 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1237-L1242
YapDatabase/YapDatabaseConnection.m:1224 https://github.com/lukebrogan-mend/iGoat-Swift/blob/bec90e833f376d3570c37eb608921f3d895dbd83/iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/YapDatabaseConnection.m#L1219-L1224

Language: Ruby

No vulnerability findings detected.