lukebrogan-mend / iGoat-Swift

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
https://igoatapp.com/
GNU General Public License v3.0

Code Security Report: 2 high severity findings, 130 total findings #18

Open mend-for-github-com[bot] opened 3 months ago

mend-for-github-com[bot] commented 3 months ago

Code Security Report

Scan Metadata

Latest Scan: 2024-04-25 05:54pm
Total Findings: 130 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 113
Detected Programming Languages: 5 (Ruby, C/C++ (Beta), Swift, iOS Objective-C, PHP)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity | Vulnerability Type | CWE | File | Data Flows | Date
High | File Manipulation | [CWE-73](https://cwe.mitre.org/data/definitions/73.html) | [PlistStorageExerciseViewController.swift:21](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/PlistStorage/PlistStorageExerciseViewController.swift#L21) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/PlistStorage/PlistStorageExerciseViewController.swift#L16-L21

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/PlistStorage/PlistStorageExerciseViewController.swift#L21

Secure Code Warrior Training Material
- Training: [Secure Code Warrior File Manipulation Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/swift/vanilla)
- Videos: [Secure Code Warrior File Manipulation Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading: [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal), [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Cross-Site Scripting | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) | [checkout.php:36](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/server/iGoat-Server-challenges/myapp/checkout.php#L36) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/server/iGoat-Server-challenges/myapp/checkout.php#L31-L36

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/server/iGoat-Server-challenges/myapp/checkout.php#L8
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/server/iGoat-Server-challenges/myapp/checkout.php#L13
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/server/iGoat-Server-challenges/myapp/checkout.php#L14
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/server/iGoat-Server-challenges/myapp/checkout.php#L36

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Cross-Site Scripting Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/xss/reflected/php/vanilla)
- Videos: [Secure Code Warrior Cross-Site Scripting Video](https://media.securecodewarrior.com/v2/module_73_reflected_cross_site_scripting.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [CryptoChallengeVC.swift:23](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Broken Cryptography/Crypto Challenge/CryptoChallengeVC.swift#L23) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Broken Cryptography/Crypto Challenge/CryptoChallengeVC.swift#L18-L23

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Broken Cryptography/Crypto Challenge/CryptoChallengeVC.swift#L23

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [BinaryCookiesExerciseVC.swift:11](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/BinaryCookies/BinaryCookiesExerciseVC.swift#L11) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/BinaryCookies/BinaryCookiesExerciseVC.swift#L6-L11

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/BinaryCookies/BinaryCookiesExerciseVC.swift#L11

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [WebkitCacheExerciseVC.swift:27](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/WebKit Cache/WebkitCacheExerciseVC.swift#L27) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/WebKit Cache/WebkitCacheExerciseVC.swift#L22-L27

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/WebKit Cache/WebkitCacheExerciseVC.swift#L27

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [RemoteAuthenticationExerciseVC.swift:6](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Authentication/Remote/RemoteAuthenticationExerciseVC.swift#L6) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Authentication/Remote/RemoteAuthenticationExerciseVC.swift#L1-L6

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Authentication/Remote/RemoteAuthenticationExerciseVC.swift#L6

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [CloudMisconfigurationExerciseVC.swift:19](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/SideChannelDataLeaks/CloudMisconfiguration/CloudMisconfigurationExerciseVC.swift#L19) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/SideChannelDataLeaks/CloudMisconfiguration/CloudMisconfigurationExerciseVC.swift#L14-L19

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/SideChannelDataLeaks/CloudMisconfiguration/CloudMisconfigurationExerciseVC.swift#L19

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [KeyStorageServerSideVC.swift:6](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Key Storage Server Side/KeyStorageServerSideVC.swift#L6) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Key Storage Server Side/KeyStorageServerSideVC.swift#L1-L6

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Key Storage Server Side/KeyStorageServerSideVC.swift#L6

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [Exercise.swift:37](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Model/Exercise.swift#L37) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Model/Exercise.swift#L32-L37

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Model/Exercise.swift#L37

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)
 
Medium | Insufficient Transport Layer Protection | [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | [ServerCommunicationExerciseVC.swift:17](https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L17) | 1 | 2024-04-25 05:55pm

Vulnerable Code: https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L12-L17

1 Data Flow/s detected:
https://github.com/lukebrogan-mend/iGoat-Swift/blob/cc10fcf067224b79387392e54f8b97e6ed998bcb/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L17

Secure Code Warrior Training Material
- Training: [Secure Code Warrior Insufficient Transport Layer Protection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/itlp/sensitiveinfo/swift/vanilla)
- Videos: [Secure Code Warrior Insufficient Transport Layer Protection Video](https://media.securecodewarrior.com/v2/module_200_unprotected_transport_of_sensitive_information.mp4)

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|---|---|---|---|---|
| High | Cross-Site Scripting | CWE-79 | PHP | 1 |
| High | File Manipulation | CWE-73 | Swift | 1 |
| Medium | Hardcoded Password/Credentials | CWE-798 | PHP | 1 |
| Medium | WebView Implementation | CWE-749 | Swift | 8 |
| Medium | Insufficient Transport Layer Protection | CWE-319 | Swift | 8 |
| Medium | Miscellaneous Dangerous Functions | CWE-676 | Swift | 46 |
| Medium | Log Messages | CWE-209 | Swift | 3 |
| Medium | Hidden HTML Input | CWE-472 | PHP | 8 |
| Medium | Insecure Data Storage | CWE-200 | Swift | 25 |
| Low | SQL Functions | CWE-89 | Swift | 6 |
| Low | HTTP Response Splitting | CWE-113 | PHP | 1 |
| Low | External URL Access | N/A | Swift | 22 |