Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Authentication Bad Practice: Missing Check against Protection Space

Abstract
The NSURLConnection delegate handles authentication challenges without first verifying that the application knows how to handle the authentication challenge for a particular protection space.
Explanation
An NSURLProtectionSpace object represents a server or an area on a server, commonly referred to as a realm, that requires authentication.
When establishing a URL connection that requires authentication against a protection space, the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) method is called right before the call to the NSURLConnectionDelegate.connection(_:didReceive:) method that should perform the authentication. This allows the NSURLConnectionDelegate to inspect the protection space (host, port, protocol, realm and authentication method) before attempting to authenticate against it. By returning true, the delegate indicates that it can handle that form of authentication, which it then does in the subsequent call to connection(_:didReceive:). If your delegate does not implement this method and the protection space uses client certificate authentication or server trust authentication, the system will attempt to use the user's keychain to authenticate, which may not be the desired behavior.
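The following Swift delegate is an added example, not code from the original page or from Apple: it implements connection(_:canAuthenticateAgainstProtectionSpace:) so that a challenge is only answered for a protection space the application has explicitly vetted, and falls back to refusing the challenge in connection(_:didReceive:) for anything else. The class name ExplicitAuthDelegate, the allowedHost and basicCredential properties, and the choice of accepted authentication methods are assumptions for illustration; NSURLConnection itself is deprecated in favour of URLSession, but the protection-space check is the same idea.

```swift
import Foundation

/// Added example (not from the original page): an NSURLConnectionDelegate that
/// vets the protection space before answering any authentication challenge.
/// `ExplicitAuthDelegate`, `allowedHost` and `basicCredential` are assumed names.
final class ExplicitAuthDelegate: NSObject, NSURLConnectionDelegate {
    /// The only host this delegate is willing to present a credential to (assumed value).
    private let allowedHost: String
    /// Credential for HTTP Basic challenges (assumed; in practice loaded from the keychain).
    private let basicCredential: URLCredential

    init(allowedHost: String, basicCredential: URLCredential) {
        self.allowedHost = allowedHost
        self.basicCredential = basicCredential
    }

    /// Without this method, client-certificate and server-trust challenges are left
    /// to the system, which may answer them from the user's keychain. Returning
    /// false here means the challenge is not handled by this delegate at all.
    func connection(_ connection: NSURLConnection,
                    canAuthenticateAgainstProtectionSpace protectionSpace: URLProtectionSpace) -> Bool {
        // Only the expected realm, and only over a channel that protects the credential.
        guard protectionSpace.host == allowedHost,
              protectionSpace.receivesCredentialSecurely else {
            return false
        }
        switch protectionSpace.authenticationMethod {
        case NSURLAuthenticationMethodHTTPBasic, NSURLAuthenticationMethodServerTrust:
            return true
        default:
            // Client certificate, NTLM, digest, etc. are not handled by this app, so
            // refuse rather than let the system choose a credential on its behalf.
            return false
        }
    }

    func connection(_ connection: NSURLConnection, didReceive challenge: URLAuthenticationChallenge) {
        let space = challenge.protectionSpace
        // Defence in depth: re-run the same check, so only vetted spaces are answered.
        guard connection(connection, canAuthenticateAgainstProtectionSpace: space) else {
            challenge.sender?.cancel(challenge)
            return
        }
        switch space.authenticationMethod {
        case NSURLAuthenticationMethodHTTPBasic:
            // Do not keep re-sending a credential the server has already rejected.
            guard challenge.previousFailureCount == 0 else {
                challenge.sender?.cancel(challenge)
                return
            }
            challenge.sender?.use(basicCredential, for: challenge)
        case NSURLAuthenticationMethodServerTrust:
            // Let the system evaluate the server's certificate chain with its default policy.
            challenge.sender?.performDefaultHandling?(for: challenge)
        default:
            challenge.sender?.cancel(challenge)
        }
    }
}
```

The point of the first method is that the decision is made on the protection space alone, before any credential is touched: a challenge from an unexpected host, an insecure channel, or an authentication method the app never intended to support is declined up front instead of being silently satisfied from the keychain.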
References
[1] connection(_:canAuthenticateAgainstProtectionSpace:) API documentation Apple
[2] URLProtectionSpace API documentation Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_missing_check_against_protection_space
desc.structural.swift.authentication_bad_practice_missing_check_against_protection_space