This project forked from owasp/igoat-swift
OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
Home Page: https://igoatapp.com/
License: GNU General Public License v3.0
Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/CouchBase/CouchbaseLite.framework/Headers/CBLAuthenticator.h in branch master
Method + at line 30 of iGoat-Swift\iGoat-Swift\ThirdParty\CouchBase\CouchbaseLite.framework\Headers\CBLAuthenticator.h defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.
Severity: Low
CWE:226
Vulnerability details and guidance
Lines: 31
password: (NSString*)password;
Unchecked_CString_Convertion issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/CocoaLumberjack/DDTTYLogger.m in branch master
The element app at line 810 of iGoat-Swift\iGoat-Swift\ThirdParty\CocoaLumberjack\DDTTYLogger.m contains a C-String that was converted from a CFString object. The length of app was not checked after conversion.
Severity: Low
CWE:252
Vulnerability details and guidance
BOOL processedID = [processID getCString:pid maxLength:(pidLen+1) encoding:NSUTF8StringEncoding];
BOOL fgCodeRawEsc = [fgCodeRaw getCString:(fgCode+len1) maxLength:(len2+1) encoding:NSUTF8StringEncoding];
BOOL bgCodeRawEsc = [bgCodeRaw getCString:(bgCode+len1) maxLength:(len2+1) encoding:NSUTF8StringEncoding];
BOOL processedAppName = [appName getCString:app maxLength:(appLen+1) encoding:NSUTF8StringEncoding];
BOOL logMsgEnc = [logMsg getCString:msg maxLength:(msgLen + 1) encoding:NSUTF8StringEncoding];
Use_of_Hardcoded_Password issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/KeychainAnalyze/KeychainExerciseVC.swift in branch master
The application uses a single, hard-coded password passwordItem for authentication purposes, either using it to verify users' identities, or to access another remote system. This password at line 14 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\KeychainAnalyze\KeychainExerciseVC.swift appears in the code as plaintext, and cannot be changed without rebuilding the application.
Severity: Low
CWE:259
Vulnerability details and guidance
let passwordItem = KeychainPasswordItem(service: "SaveUser",
let passwordItem = KeychainPasswordItem(service: "SaveUser",
Jailbrake_File_Referenced_By_Name issue exists @ iGoat-Swift/iGoat-Swift/Source/External/SVProgressHUD/SVProgressHUD.m in branch master
A method imageWithContentsOfFile: at line 398 of iGoat-Swift\iGoat-Swift\Source\External\SVProgressHUD\SVProgressHUD.m accessing a file by filename.
Severity: Low
CWE:668
Vulnerability details and guidance
UIImage* infoImage = [UIImage imageWithContentsOfFile:[imageBundle pathForResource:@"info" ofType:@"png"]];
UIImage* successImage = [UIImage imageWithContentsOfFile:[imageBundle pathForResource:@"success" ofType:@"png"]];
UIImage* errorImage = [UIImage imageWithContentsOfFile:[imageBundle pathForResource:@"error" ofType:@"png"]];
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/KeychainAnalyze/KeychainExerciseVC.swift in branch master
The passwordTextField at line 6 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\KeychainAnalyze\KeychainExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
let password = passwordTextField.text
@IBOutlet weak var passwordTextField: UITextField!
passwordTextField.resignFirstResponder()
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/Views/YapDatabaseViewTransaction.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
Lines: 1315 1317 278 552 1320 507 558 1310 527
[query appendFormat:@"?"];
[query appendFormat:@", ?"];
NSString *string = [NSString stringWithFormat:
NSString *createMapTable = [NSString stringWithFormat:
[query appendString:@");"];
NSString *dropKeyTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", keyTableName];
NSString *createPageTable = [NSString stringWithFormat:
[query appendFormat:@"SELECT \"rowid\", \"pageKey\" FROM \"%@\" WHERE \"rowid\" IN (", [self mapTableName]];
NSString *dropPageTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", [self pageTableName]];
Client_Hardcoded_Domain issue exists @ igoat-swift/igoat-swift/resources/html/splash.html in branch master
The JavaScript file imported in "https://platform.twitter.com/widgets.js" in igoat-swift\igoat-swift\resources\html\splash.html at line 16 is from a remote domain, which may allow attackers to replace its contents with malicious code.
Severity: Low
CWE:829
Vulnerability details and guidance
Swaroop Yermalkar <a href="https://twitter.com/swaroopsy?ref_src=twsrc%5Etfw" class="twitter-follow-button" data-show-count="false">Follow @swaroopsy</a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
Get latest updates about project <a href="https://twitter.com/owaspigoat?ref_src=twsrc%5Etfw" class="twitter-follow-button" data-show-count="false">Follow @owaspigoat</a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift in branch master
The passwordField at line 8 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Random Key Generation\RandomKeyGenerationExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
Lines: [20](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L20) [8](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L8) [25](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L25) [10](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L10) [14](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L14)
[Code (Line #20):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L20)
let password = passwordField.text
[Code (Line #8):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L8)
@IBOutlet weak var passwordField: UITextField!
[Code (Line #25):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L25)
passwordField.text = ""
[Code (Line #10):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L10)
@IBOutlet weak var secretKeyField: UITextField!
[Code (Line #14):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L14)
let message = (encryptionKeyStr == secretKeyField.text) ? "Success!!" : "Try Harder!!"
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/SecondaryIndex/YapDatabaseSecondaryIndexTransaction.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
Lines: 608 226 610 613 1061 230 234 238 1262 602 251 220 190
[query appendFormat:@"?"];
[createTable appendFormat:@", \"%@\" INTEGER", column.name];
[query appendFormat:@", ?"];
[query appendString:@");"];
[NSString stringWithFormat:@"SELECT \"rowid\" FROM \"%@\" %@;", [self tableName], query.queryString];
[createTable appendFormat:@", \"%@\" REAL", column.name];
[createTable appendFormat:@", \"%@\" TEXT", column.name];
[createTable appendString:@");"];
[NSString stringWithFormat:@"SELECT COUNT(*) AS NumberOfRows FROM \"%@\" %@;",
[query appendFormat:@"DELETE FROM \"%@\" WHERE \"rowid\" IN (", [self tableName]];
[NSString stringWithFormat:@"CREATE INDEX IF NOT EXISTS \"%@\" ON \"%@\" (\"%@\");",
[createTable appendFormat:@"CREATE TABLE IF NOT EXISTS \"%@\" (\"rowid\" INTEGER PRIMARY KEY", tableName];
NSString *dropTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", tableName];
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/Realm/RealmExerciseVC.swift in branch master
The creditNameTextField at line 12 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\Realm\RealmExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
@IBOutlet weak var creditNameTextField: UITextField!
let isVerified = verifyName(name: creditNameTextField.text!, number: creditNumberTextField.text!, cvv: creditCVVTextField.text!)
@IBOutlet weak var creditNumberTextField: UITextField!
@IBOutlet weak var creditCVVTextField: UITextField!
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/PlistStorage/PlistStorageExerciseViewController.swift in branch master
The txt_pwd at line 8 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\PlistStorage\PlistStorageExerciseViewController.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
let password = txt_pwd.text
txt_pwd.text = ""
@IBOutlet weak var txt_pwd: UITextField!
if self.txt_user.text!.isEmpty || self.txt_pwd.text!.isEmpty {
Autocorrection_Keystroke_Logging issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift in branch master
The UI element ssnField at line 15 of iGoat-Swift\iGoat-Swift\Source\Exercises\Server Communication\ServerCommunicationExerciseVC.swift provides interactive input of sensitive text data. Autocorrection dictionary may cache the sensitive information, and make it accessible to attackers.
Severity: Medium
CWE:359
Vulnerability details and guidance
Lines: [15](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L15)
[Code (Line #15):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L15)
@IBOutlet weak var ssnField: UITextField!
Screen_Caching issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/PlistStorage/PlistStorageExerciseViewController.swift in branch master
The UI element txt_pwd at line 8 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\PlistStorage\PlistStorageExerciseViewController.swift displays sensitive data on screen. Background screen caching of this sensitive information is not prevented by any means.
Severity: Medium
CWE:524
Vulnerability details and guidance
Lines: 8
@IBOutlet weak var txt_pwd: UITextField!
Jailbrake_File_Referenced_By_Name issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/Relationships/YapDatabaseRelationshipTransaction.m in branch master
A method removeItemAtPath:error: at line 2959 of iGoat-Swift\iGoat-Swift\ThirdParty\YapDatabase\Extensions\Relationships\YapDatabaseRelationshipTransaction.m accessing a file by filename.
Severity: Low
CWE:668
Vulnerability details and guidance
Lines: 2966
if (![fileManager removeItemAtPath:filePath error:&error])
Missing_Device_Lock_Verification issue exists @ iGoat-Swift/iGoat-SwiftTests/Info.plist in branch master
The application does not perform any checks to verify if the device must be lockable.
Severity: Low
CWE:829
Vulnerability details and guidance
Lines: 1
<?xml version="1.0" encoding="UTF-8"?>
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/Yap/YapExerciseVC.swift in branch master
The passwordTextField at line 15 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\Yap\YapExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
@IBOutlet weak var passwordTextField: UITextField!
let isVerified = verifyName(usernameTextField.text!, enteredPassword: passwordTextField.text!)
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift in branch master
The ssnField at line 15 of iGoat-Swift\iGoat-Swift\Source\Exercises\Server Communication\ServerCommunicationExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
Lines: [23](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L23) [29](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L29) [15](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L15)
[Code (Line #23):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L23)
"socialSecurityNumber":ssnField.text]
[Code (Line #29):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L29)
ssnField.resignFirstResponder()
[Code (Line #15):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Server Communication/ServerCommunicationExerciseVC.swift#L15)
@IBOutlet weak var ssnField: UITextField!
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/SearchResults/YapDatabaseSearchResultsViewTransaction.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
[query appendFormat:@"DELETE FROM \"%@\" WHERE \"rowid\" IN (", [self snippetTableName]];
[query appendFormat:@"?"];
[query appendFormat:@", ?"];
NSString *createSnippetTable = [NSString stringWithFormat:
[query appendString:@");"];
Empty_Password issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Social Engineering/SocialEngineeringVC.swift in branch master
The application uses the empty password password for authentication purposes, either using it to verify users' identities, or to access another remote system. This empty password is set at line 29 of iGoat-Swift\iGoat-Swift\Source\Exercises\Social Engineering\SocialEngineeringVC.swift appears in the code, cannot be changed without rebuilding the application and indicates its associated account is exposed.
Severity: Low
CWE:521
Vulnerability details and guidance
Lines: [31](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Social Engineering/SocialEngineeringVC.swift#L31)
[Code (Line #31):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Social Engineering/SocialEngineeringVC.swift#L31)
let password = passwordTxtField.text ?? ""
Signed_Memory_Arithmetic issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/CocoaLumberjack/DDTTYLogger.m in branch master
Signed integer useStack at line 1162 of iGoat-Swift\iGoat-Swift\ThirdParty\CocoaLumberjack\DDTTYLogger.m specifies size of memory to allocate.
Severity: High
CWE:190
Vulnerability details and guidance
Lines: 1218
const BOOL useStack = msgLen < (1024 * 4);
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift in branch master
The passwordTextField at line 30 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Hard Coded Keys\BrokenCryptographyExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
Lines: [33](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L33) [11](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L11)
[Code (Line #33):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L33)
passwordTextField.text = password
[Code (Line #11):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L11)
@IBOutlet weak var passwordTextField: UITextField!
Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift in branch master
Method UITextField! at line 4 of iGoat-Swift\iGoat-Swift\Source\Exercises\Binary Patching\BinaryPatchingVC.swift defines passwordTextField, which is designated to contain user passwords. However, while plaintext passwords are later assigned to passwordTextField, this variable is never cleared from memory.
Severity: Low
CWE:226
Vulnerability details and guidance
Lines: [4](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L4) [11](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L11)
[Code (Line #4):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L4)
@IBOutlet weak var passwordTextField: UITextField!
[Code (Line #11):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L11)
let password = passwordTextField.text!
Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/FilteredViews/YapDatabaseFilteredViewTransaction.m in branch master
Method - at line 759 of iGoat-Swift\iGoat-Swift\ThirdParty\YapDatabase\Extensions\FilteredViews\YapDatabaseFilteredViewTransaction.m defines passesFilter, which is designated to contain user passwords. However, while plaintext passwords are later assigned to passesFilter, this variable is never cleared from memory.
Severity: Low
CWE:226
Vulnerability details and guidance
BOOL passesFilter;
BOOL passesFilter;
BOOL passesFilter;
BOOL passesFilter;
Empty_Password issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/CoreData/KeychainUsage/KeychainDumper.swift in branch master
The application uses the empty password passwordInGenp for authentication purposes, either using it to verify users' identities, or to access another remote system. This empty password is set at line 9 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\CoreData\KeychainUsage\KeychainDumper.swift appears in the code, cannot be changed without rebuilding the application and indicates its associated account is exposed.
Severity: Low
CWE:521
Vulnerability details and guidance
Lines: 9
var passwordInGenp = ""
Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Authentication/Remote/RemoteAuthenticationExerciseVC.swift in branch master
Method loginUser at line 5 of iGoat-Swift\iGoat-Swift\Source\Exercises\Authentication\Remote\RemoteAuthenticationExerciseVC.swift defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.
Severity: Low
CWE:226
Vulnerability details and guidance
static func loginUser(name: String, password: String) -> String {
let password = passwordTextField.text ?? ""
@IBOutlet weak var passwordTextField: UITextField!
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/FullTextSearch/YapDatabaseFullTextSearchTransaction.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
Lines: 434 179 181 200 440 442 171 445 142
[query appendFormat:@"DELETE FROM \"%@\" WHERE \"rowid\" IN (", [self tableName]];
[createTable appendFormat:@"\"%@\"", columnName];
[createTable appendFormat:@", \"%@\"", columnName];
[createTable appendString:@");"];
[query appendFormat:@"?"];
[query appendFormat:@", ?"];
[createTable appendFormat:@"CREATE VIRTUAL TABLE IF NOT EXISTS \"%@\" USING fts4(", tableName];
[query appendString:@");"];
NSString *dropTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", tableName];
Use_of_Hardcoded_Password issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift in branch master
The application uses a single, hard-coded password password for authentication purposes, either using it to verify users' identities, or to access another remote system. This password at line 30 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Hard Coded Keys\BrokenCryptographyExerciseVC.swift appears in the code as plaintext, and cannot be changed without rebuilding the application.
Severity: Low
CWE:259
Vulnerability details and guidance
Lines: [32](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L32)
[Code (Line #32):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L32)
let password = "b@nkP@ssword123"
Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/CouchBase/CouchbaseLite.framework/Headers/CBLDatabase.h in branch master
Method - at line 99 of iGoat-Swift\iGoat-Swift\ThirdParty\CouchBase\CouchbaseLite.framework\Headers\CBLDatabase.h defines keyOrPassword, which is designated to contain user passwords. However, while plaintext passwords are later assigned to keyOrPassword, this variable is never cleared from memory.
Severity: Low
CWE:226
Vulnerability details and guidance
Lines: 99
- (BOOL) changeEncryptionKey: (nullable id)keyOrPassword
Sensitive_Data_In_Temp_Folders issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift in branch master
The app's viewDidLoad method takes sensitive personal data, data: at line 30 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Hard Coded Keys\BrokenCryptographyExerciseVC.swift. The viewDidLoad of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Hard Coded Keys\BrokenCryptographyExerciseVC.swift then saves this data to disk, at line 30. However, the atomic parameter causes the operation to write the data to a temporary file.
Severity: Low
CWE:377
Vulnerability details and guidance
Lines: [32](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L32) [34](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L34)
[Code (Line #32):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L32)
let password = "b@nkP@ssword123"
[Code (Line #34):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L34)
let data = password.data(using: .utf8)
App_Transport_Security_Bypass issue exists @ iGoat-Swift/iGoat-Swift/Info.plist in branch master
App Transport Security was disabled in line number 1. This may lead to file disclosures. ATS should not be disabled in order to comply with Apple Store's security compliance and make the application safe.
Severity: High
CWE:319
Vulnerability details and guidance
Lines: 1
<?xml version="1.0" encoding="UTF-8"?>
Unchecked_CString_Convertion issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Internal/YapDatabaseString.h in branch master
The element str at line 75 of iGoat-Swift\iGoat-Swift\ThirdParty\YapDatabase\Internal\YapDatabaseString.h contains a C-String that was converted from a CFString object. The length of str was not checked after conversion.
Severity: Low
CWE:252
Vulnerability details and guidance
Lines: 95
[nsStr getCString:dbStr->str maxLength:(dbStr->length + 1) encoding:NSUTF8StringEncoding];
Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift in branch master
Method UITextField! at line 8 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Random Key Generation\RandomKeyGenerationExerciseVC.swift defines passwordField, which is designated to contain user passwords. However, while plaintext passwords are later assigned to passwordField, this variable is never cleared from memory.
Severity: Low
CWE:226
Vulnerability details and guidance
Lines: [20](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L20) [8](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L8) [28](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L28)
[Code (Line #20):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L20)
let password = passwordField.text
[Code (Line #8):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L8)
@IBOutlet weak var passwordField: UITextField!
[Code (Line #28):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L28)
func storeCredentials(forUsername username: String?, withPassword password: String?) {
Third_Party_Keyboard_Enabled issue exists @ iGoat-Swift/iGoat-Swift/AppDelegate.swift in branch master
We did not find any code in the application that disables third party keyboards.
Severity: Low
CWE:829
Vulnerability details and guidance
Lines: 7
class AppDelegate: UIResponder, UIApplicationDelegate {
Screen_Caching issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift in branch master
The UI element passwordTextField at line 11 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Hard Coded Keys\BrokenCryptographyExerciseVC.swift displays sensitive data on screen. Background screen caching of this sensitive information is not prevented by any means.
Severity: Medium
CWE:524
Vulnerability details and guidance
Lines: [11](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L11)
[Code (Line #11):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L11)
@IBOutlet weak var passwordTextField: UITextField!
Autocorrection_Keystroke_Logging issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift in branch master
The UI element passwordTextField at line 11 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Hard Coded Keys\BrokenCryptographyExerciseVC.swift provides interactive input of sensitive text data. Autocorrection dictionary may cache the sensitive information, and make it accessible to attackers.
Severity: Medium
CWE:359
Vulnerability details and guidance
Lines: [11](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L11)
[Code (Line #11):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Hard Coded Keys/BrokenCryptographyExerciseVC.swift#L11)
@IBOutlet weak var passwordTextField: UITextField!
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/Relationships/YapDatabaseRelationshipTransaction.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
NSString *createSrcIndex = [NSString stringWithFormat:
NSString *createTable = [NSString stringWithFormat:
NSString *createDstIndex = [NSString stringWithFormat:
NSString *dropTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", tableName];
NSString *createNameIndex = [NSString stringWithFormat:
Jailbrake_File_Referenced_By_Name issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/CocoaLumberjack/DDFileLogger.m in branch master
A method createFileAtPath:contents:attributes: at line 455 of iGoat-Swift\iGoat-Swift\ThirdParty\CocoaLumberjack\DDFileLogger.m accessing a file by filename.
Severity: Low
CWE:668
Vulnerability details and guidance
Lines: 496 1264 1265 1270 200 235 1132 477
[[NSFileManager defaultManager] createFileAtPath:filePath contents:nil attributes:attributes];
if ([[NSFileManager defaultManager] fileExistsAtPath:newFilePath] &&
![[NSFileManager defaultManager] removeItemAtPath:newFilePath error:&error])
if (![[NSFileManager defaultManager] moveItemAtPath:filePath toPath:newFilePath error:&error])
[[NSFileManager defaultManager] removeItemAtPath:logFileInfo.filePath error:nil];
if (![[NSFileManager defaultManager] fileExistsAtPath:_logsDirectory])
fileAttributes = [[NSFileManager defaultManager] attributesOfItemAtPath:filePath error:nil];
if (![[NSFileManager defaultManager] fileExistsAtPath:filePath])
Missing_Jailbreak_Check issue exists @ iGoat-Swift/iGoat-SwiftTests/Info.plist in branch master
No checks to identify whether the device has been rooted were found.
Severity: Low
CWE:693
Vulnerability details and guidance
Lines: 1
<?xml version="1.0" encoding="UTF-8"?>
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift in branch master
The passwordTextField at line 4 of iGoat-Swift\iGoat-Swift\Source\Exercises\Binary Patching\BinaryPatchingVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
Lines: [4](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L4) [7](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L7) [11](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L11)
[Code (Line #4):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L4)
@IBOutlet weak var passwordTextField: UITextField!
[Code (Line #7):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L7)
if passwordTextField.text?.isEmpty ?? true {
[Code (Line #11):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Binary Patching/BinaryPatchingVC.swift#L11)
let password = passwordTextField.text!
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/FullTextSearch/YapDatabaseFullTextSearch.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
Lines: 32
NSString *dropTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", tableName];
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/CoreData/CoreDataExerciseVC.swift in branch master
The passwordTextField at line 52 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\CoreData\CoreDataExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
let password = passwordTextField.text
@IBOutlet weak var passwordTextField: UITextField!
Autocorrection_Keystroke_Logging issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Authentication/Remote/RemoteAuthenticationExerciseVC.swift in branch master
The UI element passwordTextField at line 13 of iGoat-Swift\iGoat-Swift\Source\Exercises\Authentication\Remote\RemoteAuthenticationExerciseVC.swift provides interactive input of sensitive text data. Autocorrection dictionary may cache the sensitive information, and make it accessible to attackers.
Severity: Medium
CWE:359
Vulnerability details and guidance
Lines: 13
@IBOutlet weak var passwordTextField: UITextField!
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/SearchResults/YapDatabaseSearchResultsView.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
Lines: 38
NSString *dropTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", snippetTableName];
Unscrubbed_Secret issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/KeychainAnalyze/KeychainPasswordItem.swift in branch master
Method noPassword at line 15 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\KeychainAnalyze\KeychainPasswordItem.swift defines noPassword, which is designated to contain user passwords. However, while plaintext passwords are later assigned to noPassword, this variable is never cleared from memory.
Severity: Low
CWE:226
Vulnerability details and guidance
Lines: 16 70 150 72 154 61 62 15
case unexpectedPasswordData
func savePassword(_ password: String) throws {
var passwordItems = [KeychainPasswordItem]()
let encodedPassword = password.data(using: String.Encoding.utf8)!
let passwordItem = KeychainPasswordItem(service: service, account: account, accessGroup: accessGroup)
let passwordData = existingItem[kSecValueData as String] as? Data,
let password = String(data: passwordData, encoding: String.Encoding.utf8)
case noPassword
Autocorrection_Keystroke_Logging issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/InsecureLocalDataStorage/CoreData/CoreDataExerciseVC.swift in branch master
The UI element passwordTextField at line 52 of iGoat-Swift\iGoat-Swift\Source\Exercises\InsecureLocalDataStorage\CoreData\CoreDataExerciseVC.swift provides interactive input of sensitive text data. Autocorrection dictionary may cache the sensitive information, and make it accessible to attackers.
Severity: Medium
CWE:359
Vulnerability details and guidance
Lines: 52
@IBOutlet weak var passwordTextField: UITextField!
SQL_Injection issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Injection Flaws/SQL Injection/SQLInjectionExerciseVC.swift in branch master
Method search at line 7 of iGoat-Swift\iGoat-Swift\Source\Exercises\Injection Flaws\SQL Injection\SQLInjectionExerciseVC.swift gets user input from the text element. This element’s value then flows through the code without being properly sanitized or validated, and is eventually used in a database query in method search at line 7 of iGoat-Swift\iGoat-Swift\Source\Exercises\Injection Flaws\SQL Injection\SQLInjectionExerciseVC.swift. This may enable an SQL Injection attack.
Severity: High
CWE:89
Vulnerability details and guidance
Lines: [17](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Injection Flaws/SQL Injection/SQLInjectionExerciseVC.swift#L17)
[Code (Line #17):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Injection Flaws/SQL Injection/SQLInjectionExerciseVC.swift#L17)
searchStr = "%" + "\(searchField.text!)" + "%"
Empty_Password issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Authentication/Remote/RemoteAuthenticationExerciseVC.swift in branch master
The application uses the empty password password for authentication purposes, either using it to verify users' identities, or to access another remote system. This empty password is set at line 15 of iGoat-Swift\iGoat-Swift\Source\Exercises\Authentication\Remote\RemoteAuthenticationExerciseVC.swift appears in the code, cannot be changed without rebuilding the application and indicates its associated account is exposed.
Severity: Low
CWE:521
Vulnerability details and guidance
Lines: 25
let password = passwordTextField.text ?? ""
Log_Forging issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/SideChannelDataLeaks/DeviceLogs/DeviceLogsExerciseVC.swift in branch master
Method submitItemPressed at line 8 of iGoat-Swift\iGoat-Swift\Source\Exercises\SideChannelDataLeaks\DeviceLogs\DeviceLogsExerciseVC.swift gets user input from element text. This element’s value flows through the code without being properly sanitized or validated, and is eventually used in writing an audit log in submitItemPressed at line 8 of iGoat-Swift\iGoat-Swift\Source\Exercises\SideChannelDataLeaks\DeviceLogs\DeviceLogsExerciseVC.swift.
Severity: Low
CWE:117
Vulnerability details and guidance
NSLog("ccNo: %@", ccNoTextField.text ?? "")
NSLog("cvvNo: %@", cvvTextField.text ?? "")
NSLog("pinNo: %@", pinTextField.text ?? "")
Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Authentication/Remote/RemoteAuthenticationExerciseVC.swift in branch master
The passwordTextField at line 13 of iGoat-Swift\iGoat-Swift\Source\Exercises\Authentication\Remote\RemoteAuthenticationExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.
Severity: High
CWE:829
Vulnerability details and guidance
} else if passwordTextField.text?.isEmpty ?? true {
let password = passwordTextField.text ?? ""
@IBOutlet weak var passwordTextField: UITextField!
Dynamic_SQL_Queries issue exists @ iGoat-Swift/iGoat-Swift/ThirdParty/YapDatabase/Extensions/Relationships/YapDatabaseRelationship.m in branch master
Severity: Information
CWE:89
Vulnerability details and guidance
Lines: 41
NSString *dropTable = [NSString stringWithFormat:@"DROP TABLE IF EXISTS \"%@\";", tableName];
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.