File permission manipulation errors occur when any of the following conditions are met:

1. An attacker might specify a path used in an operation that modifies permissions on the file system.

2. An attacker might specify the permissions assigned by an operation on the file system.

Example 1: The following code uses input from system environment variables to set file permissions. If attackers can alter the system environment variables, they might use the program to gain access to files manipulated by the program. If the program is also vulnerable to path manipulation, an attacker might use this vulnerability to access arbitrary files on system.

    permissions := strconv.Atoi(os.Getenv("filePermissions"));
    fMode := os.FileMode(permissions)
    os.chmod(filePath, fMode);
    ...

File permission manipulation errors occur when any of the following conditions are met:

1. An attacker is able to specify a path used in an operation that modifies permissions on the file system.

2. An attacker is able to specify the permissions assigned by an operation on the file system.

Example: The following code is designed to set proper file permissions for users uploading Web pages through FTP. It uses input from an HTTP request to mark a file as viewable for external users.

	$rName = $_GET['publicReport'];
	chmod("/home/". authenticateUser . "/public_html/" . rName,"0755");
...

However, if an attacker provides a malicious value for publicReport, such as "../../localuser/public_html/.htpasswd", the application will make the specified file readable to the attacker.

Example 2: The following code uses input from a configuration file to set the default permission mask. If attackers can alter the configuration file, they can use the program to gain access to files manipulated by the program. If the program is also vulnerable to path manipulation, an attacker may use this vulnerability to access arbitrary files on system.

...
$mask = $CONFIG_TXT['perms'];
chmod($filename,$mask);
...

File permission manipulation errors occur when any of the following conditions are met:

1. An attacker is able to specify a path used in an operation that modifies permissions on the file system.

2. An attacker is able to specify the permissions assigned by an operation on the file system.

Example 1: The following code uses input from system environment variables to set file permissions. If attackers can alter the system environment variables, they may use the program to gain access to files manipulated by the program. If the program is also vulnerable to path manipulation, an attacker may use this vulnerability to access arbitrary files on system.

    permissions = os.getenv("filePermissions");
    os.chmod(filePath, permissions);
    ...

File permission manipulation errors occur when any of the following conditions are met:

1. An attacker is able to specify a path used in an operation that modifies permissions on the file system.

2. An attacker is able to specify the permissions assigned by an operation on the file system.

Example: The following code is designed to set proper file permissions for users uploading Web pages through FTP. It uses input from an HTTP request to mark a file as viewable for external users.

...
  rName = req['publicReport']
  File.chmod("/home/#{authenticatedUser}/public_html/#{rName}", "0755")
...

However, if an attacker provides a malicious value for publicReport, such as "../../localuser/public_html/.htpasswd", the application will make the specified file readable to the attacker.

Example 2: The following code uses input from a configuration file to set the default permission mask. If attackers can alter the configuration file, they may use the program to gain access to files manipulated by the program. If the program is also vulnerable to path manipulation, an attacker may use this vulnerability to access arbitrary files on system.

...
mask = config_params['perms']
File.chmod(filename, mask)
...

Format string vulnerabilities occur when:

1. Data enters the application from an untrusted source.



2. The data is passed as the format string argument to a function like sprintf(), FormatMessageW(), syslog(), NSLog, or NSString.stringWithFormatExample 1: The following code utilizes a command line argument as a format string in NSString.stringWithFormat:.

int main(int argc, char **argv){
	char buf[128];
	...
	[NSString stringWithFormat:argv[1], argv[2] ];
}

This code allows an attacker to view the contents of the stack and corrupt the stack using a command line argument containing a sequence of formatting directives. The attacker may read from the stack by providing more formatting directives, such as %x, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.)

Objective-C supports the legacy C standard libraries so the following examples are exploitable if your application uses C APIs.

Example 2: Certain implementations make more advanced attacks even easier by providing format directives that control the location in memory to read from or write to. An example of these directives is shown in the following code, written for glibc:

	printf("%d %d %1$d %1$d\n", 5, 9);

This code produces the following output:

5 9 5 5

It is also possible to use half-writes (%hn) to accurately control arbitrary DWORDS in memory, which greatly reduces the complexity needed to execute an attack that would otherwise require four staggered writes, such as the one mentioned in Example 1.

Example 3: Simple format string vulnerabilities often result from seemingly innocuous shortcuts. The use of some such shortcuts is so ingrained that programmers might not even realize that the function they are using expects a format string argument.

For example, the syslog() function is sometimes used as follows:

	...
	syslog(LOG_ERR, cmdBuf);
	...

Because the second parameter to syslog() is a format string, any formatting directives included in cmdBuf are interpreted as described in Example 1.

The following code shows a correct usage of syslog():

	...
	syslog(LOG_ERR, "%s", cmdBuf);
	...

Example 4: Apple core classes provide interesting avenues for exploiting format string vulnerabilities.

For example, the String.stringByAppendingFormat() function is sometimes used as follows:

	...
	NSString test = @"Sample Text.";
	test = [test stringByAppendingFormat:[MyClass
	formatInput:inputControl.text]];
	...

stringByAppendingFormat will parse any format string characters contained within the NSString passed to it.

The following code shows a correct usage of stringByAppendingFormat():

	...
	NSString test = @"Sample Text.";
	test = [test stringByAppendingFormat:@"%@", [MyClass
	formatInput:inputControl.text]];
	...

Keyboard extensions are allowed to read every single keystroke that a user enters. Third-party keyboards are normally used to ease the text input or to add additional emojis and they may log what the user enters or even send it to a remote server for processing. Malicious keyboards can also be distributed to act as a keylogger and read every key entered by the user in order to steal sensitive data such as credentials or credit card numbers.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections. In these cases, an encrypted (secure) protocol should be used.

Example 1: The following example sends data over the HTTP protocol (instead of using HTTPS).

...
HttpRequest req = new HttpRequest();
req.setEndpoint('http://example.com');
HTTPResponse res = new Http().send(req);
...

The incoming HttpResponse object, res, might be compromised as it is delivered over an unencrypted and unauthenticated channel.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to man-in-the-middle attacks, where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following code uses insecure HTTP protocol (instead of using HTTPS):

    var account = new CloudStorageAccount(storageCredentials, false);

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

  ...
  String url = 'http://10.0.2.2:11005/v1/key';
  Response response = await get(url, headers: headers);
  ...

The incoming response,response, might have been compromised as it is delivered over an unencrypted and unauthenticated channel.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in environments where devices frequently connect to unsecured public wireless networks.

Example 1: The following example sets up a Web server using the HTTP protocol (instead of using HTTPS).

	helloHandler := func(w http.ResponseWriter, req *http.Request) {
		io.WriteString(w, "Hello, world!\n")
	}

	http.HandleFunc("/hello", helloHandler)
	log.Fatal(http.ListenAndServe(":8080", nil))

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

var http = require('http');
...
http.request(options, function(res){
  ...
});
...

The incoming http.IncomingMessage object,res, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.

All data sent over HTTP is sent in the clear and subject to compromise.

Example 1: The following example sends data over the HTTP protocol (versus HTTPS).

NSString * const USER_URL = @"http://localhost:8080/igoat/user";
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:USER_URL]];
[[NSURLConnection alloc] initWithRequest:request delegate:self];

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in environments where devices frequently connect to unsecured public wireless networks.

Example 1: The following example disables encryption on a socket.

...
stream_socket_enable_crypto($fp, false);
...

All communication sent with an insecure, unencrypted, or plain text protocol is subject to compromise.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

require 'net/http'
conn = Net::HTTP.new(URI("http://www.website.com/"))
in = conn.get('/index.html')
...

The incoming stream,in, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

   val url = Uri.from(scheme = "http", host = "192.0.2.16", port = 80, path = "/")
   val responseFuture: Future[HttpResponse] = Http().singleRequest(HttpRequest(uri = url))

The incoming response, responseFuture, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.

All data sent over HTTP is sent in the clear and subject to compromise.

Example 1: The following example sends data over the HTTP protocol (versus HTTPS).

let USER_URL = "http://localhost:8080/igoat/user"
let request : NSMutableURLRequest = NSMutableURLRequest(URL:NSURL(string:USER_URL))
let conn : NSURLConnection = NSURLConnection(request:request, delegate:self)

Programmers who deal with the exchange of information such as credentials, credit card numbers, social security numbers, and other similarly sensitive private information must protect it from unauthorized access and modification. Transmitting sensitive data using query parameters leaves it susceptible to interception and tampering by attackers using man-in-the-middle attacks. At a minimum, this issue can enable an attacker to garner information from query strings that can be utilized in escalating the method of attack, such as information about the internal workings of the application or database column names.
The attacker can exploit this issue to impersonate a legitimate user, obtain proprietary data, or execute actions not intended by the application developers.
Data transferred using query string parameters are also logged on the server. This further exposes the sensitive information to unauthorized access.

Cipher suites are a set of algorithms used to establish secure communications. While establishing a connection between a server and a client, the server typically determines which of the mutually supported cipher suites to use. The server and clients can have different sets of supported cipher suites. Older cipher suites are generally not recommended and might introduce security vulnerabilities in the application. Strong cipher suites, with no known security vulnerabilities, are generally recommended for use.

The server's preferred cipher suite could include a cipher suite with a known weakness. If the user chooses a vulnerable cipher suite, it could allow them to choose a cipher suite with a known weakness to try to introduce security vulnerabilities.

Example 1: The following Paramiko code allows an attacker to set a list of disabled algorithms, providing the ability to downgrade the cipher.

    client = SSHClient()
    algorithms_to_disable = { "ciphers": untrusted_user_input }
    client.connect(host, port, "user", "password", disabled_algorithms=algorithms_to_disable)

Paramiko allows a developer to do an inverse cipher suite selection. Paramiko's preferred algorithms are AES128-CTR, AES192-CTR, AES256-CTR, AES128-CBC, AES192-CBC, AES256-CBC, and lastly 3DES-CBC. If an attacker is able to control what algorithms are disabled, they can force SSHClient.connect(...) to use the weaker algorithm 3DES-CBC.

The application communicates with its database server over unencrypted channels, which can pose a significant security risk to the company and users of the application. In this case, an attacker can modify the user entered data or even execute arbitrary SQL commands against the database server.

Example 1: The following code causes the application to communicate with its database server over unencrypted channels:

  ...
  insecure_config = {
        'user': username,
        'password': retrievedPassword,
        'host': databaseHost,
        'port': "3306",
        'ssl_disabled': True
    }

    mysql.connector.connect(**insecure_config)
  ...

Using unspecified Google Remote Procedure Call (gRPC) channel credential settings results in security settings that are set to an unsecure default value of None. Data sent with insecure channel credential settings cannot be trusted.

Example 1: The following code shows a gRPC channel credentials object created with all default parameters, which results in all channel credential security settings being set to insecure default values. In this instance, the value of the root_certificates parameter will be set to None, the value of the private_key parameter will be set to None, and the value of the certificate_chain parameter will be set to None.

...
channel_creds = grpc.ssl_channel_credentials()
...

Using unspecified Google Remote Procedure Call (gRPC) server credential settings results in security settings being set to an insecure default of None or False. Data sent to and from a server with insecure server credential settings cannot be trusted.

Example 1: The following code shows a gRPC server credentials object created with default parameters, resulting in client authentication being disabled.

...
pk_cert_chain = your_organization.securelyGetPrivateKeyCertificateChainPairs()
server_creds = grpc.ssl_server_credentials(pk_cert_chain)
...

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links referencing HTTPS and replaces them with HTTP ones. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.

HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site returning the HSTS headers over SSL/TLS during a period specified in the header itself. Any connection to the server over HTTP will be automatically replaced with an HTTPS one, even if the user types http:// in the browser URL bar.

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links referencing HTTPS and replaces them with HTTP versions. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.

HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site returning the HSTS headers over SSL/TLS during a period specified in the header itself. Any connection to the server over HTTP will be automatically replaced with an HTTPS one, even if the user types http:// in the browser URL bar.

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links referencing HTTPS and replaces them with HTTP versions. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.

HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site returning the HSTS headers over SSL/TLS during a period specified in the header itself. Any connection to the server over HTTP will be automatically replaced with an HTTPS one, even if the user types http:// in the browser URL bar.

Diffie-Hellman key exchange algorithm uses fixed primes as a base for computing the secret key used to secure the communication channel. The size of the small prime p deployed dictates the security level of the generated key. This in turn defines the effective security provided by the Diffie-Hellman key exchange algorithm. Research indicates that Diffie-Hellman group using prime size of 1024-bit provides only about 77-80 bits of security. Communication channels that are secured using this key are vulnerable to man-in-the-middle attack. All anonymous, ephemeral and fixed Diffie-Hellman key exchange algorithms except for Elliptical-Curve Diffie-Hellman (ECDHE) key exchange are vulnerable to this attack.

An HTTPS stripping attack is a type of man-in-the-middle attack where the attacker watches all the HTTP traffic for location headers and links referencing HTTPS and replaces them with HTTP versions. The attacker keeps a list of all HTTP substitutions made so that they can make the HTTPS request back to the server. All stripped HTTP connections are proxied out to the server over HTTPS. All traffic between the victim and the attacker is sent over HTTP, revealing usernames, passwords, and other private information, but the server is still receiving the expected HTTPS traffic from the attacker so nothing seems wrong.

HTTP Strict Transport Security (HSTS) is a security header that instructs the browser to always connect to the site returning the HSTS headers over SSL/TLS during a period specified in the header itself. Any connection to the server over HTTP will be automatically replaced with an HTTPS one, even if the user types http:// in the browser URL bar.

Sensitive data sent over the wire unencrypted is subject to be read/modified by any attacker that can intercept the network traffic.

Example 1: The following SmtpClient is configured incorrectly, not using SSL/TLS to communicate with an SMTP server:

  string to = "bob@acme.com";
  string from = "alice@acme.com";
  MailMessage message = new MailMessage(from, to);
  message.Subject = "SMTP client.";
  message.Body = @"You can send an email message from an application very easily.";
  SmtpClient client = new SmtpClient("smtp.acme.com");
  client.UseDefaultCredentials = true;
  client.Send(message);

Sensitive data sent over the wire unencrypted is subject to be read/modified by any attacker that can intercept the network traffic.

Example 1: The following SMTP client is configured incorrectly, not using SSL/TLS to communicate with an SMTP server:

session = smtplib.SMTP(smtp_server, smtp_port)
session.ehlo()
session.login(username, password)
session.sendmail(frm, to, content)