Reino: Security Features
La seguridad de un software no es un software de seguridad. Nos preocupamos de cuestiones como la autenticación, el control de acceso, la confidencialidad, la criptografía y la gestión de privilegios.
Privacy Violation: Shoulder Surfing
Abstract
Algunas API que recopilan información confidencial pueden tratarla incorrectamente al devolverla al usuario a medida que la escribe en el indicador de entrada.
Explanation
Algunas API que recopilan información confidencial pueden tratarla incorrectamente y devolverla al usuario.
Ejemplo 1: el siguiente código muestra un modelo en ASP.NET que tiene una propiedad de contraseña, pero no especifica la condición de contraseña en la propiedad
Dado que la propiedad
Ejemplo 1: el siguiente código muestra un modelo en ASP.NET que tiene una propiedad de contraseña, pero no especifica la condición de contraseña en la propiedad
DataType, por lo que, de forma predeterminada, no se ocultará en la visualización:
public class User
{
[Required]
public int ID { get; set; }
public string Title { get; set; }
[DataType(DataType.Date)]
[DisplayFormat(DataFormatString = "{0:yyyy-MM-dd}", ApplyFormatInEditMode = true)]
public DateTime DateOfEmployment { get; set; }
[DataType(DataType.Currency)]
public decimal Salary { get; set; }
[Required]
public string Username { get; set; }
[Required]
public string Password { get; set; }
...
}
Dado que la propiedad
Password en el Example 1 no especificó el atributo [DataType(DataType.Password)], no se ocultará de forma predeterminada en la interfaz de usuario.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 549
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[9] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[14] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.dotnet.privacy_violation_shoulder_surfing
Abstract
Algunas API que recopilan información confidencial pueden tratarla incorrectamente al devolverla al usuario a medida que la escribe en el indicador de entrada.
Explanation
Algunas API que recopilan información confidencial pueden tratarla incorrectamente al devolverla al usuario.
Ejemplo 1: El siguiente código demuestra que el widget
Dado que el widget
Ejemplo 1: El siguiente código demuestra que el widget
TextField no oculta la contraseña de un usuario cuando la escribe en el indicador de entrada:
class SelectionContainerDisabledExampleApp extends StatelessWidget {
const SelectionContainerDisabledExampleApp({super.key});
@override
Widget build(BuildContext context) {
return MaterialApp(
home: Scaffold(
body: Center(
child: Column(
children: <Widget>[
TextField(
decoration: InputDecoration(
hintText: "Please enter your password",
),
),
],
),
),
),
);
}
}
Dado que el widget
TextField del Example 1 no había creado una instancia con la propiedad obscureText establecida en true, la contraseña del usuario no se ocultará cuando la introduzca en el mensaje "Introduzca su contraseña:" .References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 549
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[9] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[14] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dart.privacy_violation_shoulder_surfing
Abstract
Algunas API que recopilan información confidencial pueden tratarla incorrectamente al devolverla al usuario a medida que la escribe en el indicador de entrada.
Explanation
Algunas API que recopilan información confidencial pueden tratarla incorrectamente devolviéndola al usuario.
Ejemplo 1: El siguiente código muestra cómo crear instancias de un objeto de devolución de llamada de contraseña que no oculta la contraseña de un usuario cuando la escribe en el indicador de entrada:
Dado que
Ejemplo 1: El siguiente código muestra cómo crear instancias de un objeto de devolución de llamada de contraseña que no oculta la contraseña de un usuario cuando la escribe en el indicador de entrada:
PasswordCallback pc = new PasswordCallback("Please enter your password: ", true);Dado que
pc en el Example 1había creado una instancia con su segundo parámetro, onEcho, establecido en true, la contraseña del usuario no se ocultará cuando la introduzca en el mensaje "Introduzca su contraseña:" .References
[1] FUNDAMENTALS-4: Establish trust boundaries Oracle
[2] CONFIDENTIAL-2: Do not log highly sensitive information Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 549
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[11] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[16] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[18] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.privacy_violation_shoulder_surfing
Abstract
El método identificado escribe datos confidenciales en la pantalla sin enmascararlos correctamente primero.
Explanation
La función identificada recopila datos confidenciales sin deshabilitar la opción para devolverlos al usuario en el mensaje de entrada.
Ejemplo 1: El siguiente código muestra cómo instalar un objeto de campo de contraseña que no oculta la contraseña de un usuario cuando la escribe en el campo de texto:
Puesto que
Ejemplo 1: El siguiente código muestra cómo instalar un objeto de campo de contraseña que no oculta la contraseña de un usuario cuando la escribe en el campo de texto:
ViewController.h:
...
@property (nonatomic, retain) IBOutlet UITextField *passwordField;
...
ViewController.m:
...
NSString *password = _passwordField.text;
...
Puesto que
passwordField en el Example 1 no tenía la propiedad secureTextEntry establecida como true, la contraseña del usuario no se ocultará mientras la introduce en el campo de texto.References
[1] UITextInputTraits Protocol Reference Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 549
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[10] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[15] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.objc.privacy_violation_shoulder_surfing
Abstract
Algunas API que recopilan información confidencial pueden tratarla incorrectamente al devolverla al usuario a medida que la escribe en el indicador de entrada.
Explanation
La función identificada recopila datos confidenciales sin deshabilitar la opción para devolverlos al usuario en el mensaje de entrada.
Ejemplo 1: El siguiente código muestra cómo instalar un objeto de campo de contraseña que no oculta la contraseña de un usuario cuando la escribe en el campo de texto:
Puesto que
Ejemplo 1: El siguiente código muestra cómo instalar un objeto de campo de contraseña que no oculta la contraseña de un usuario cuando la escribe en el campo de texto:
...
@IBOutlet weak var passwordField: UITextField!
...
let password = passwordField.text
...
Puesto que
passwordField en el Example 1 no tenía la propiedad secureTextEntry establecida como true, la contraseña del usuario no se ocultará mientras la introduce en el campo de texto.References
[1] UITextInputTraits Protocol Reference Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 549
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[10] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[15] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.swift.privacy_violation_shoulder_surfing
Abstract
Una contraseña que pueda ser vista pone en peligro la seguridad del sistema.
Explanation
Es necesario que el propietario de una contraseña no pueda verla y el resto de usuarios no deben verla. Si la contraseña se muestra en texto sin formato, cualquiera que se encuentre cerca podría verla y utilizarla para comprometer el sistema. En seguridad informática, shoulder surfing hace referencia al uso de técnicas de observación directa, como mirar por encima del hombro de otra persona para obtener información. La observación directa es especialmente efectiva en entornos públicos con mucha afluencia de gente. Esta amenaza se aplica, en particular, a los dispositivos móviles, que por lo general se utilizan en todo tipo de entornos, tanto privados como públicos.
References
[1] input type="password"
[2] W3C W3 HTML Specifications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 549
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[11] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[16] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[18] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.content.html.privacy_violation_shoulder_surfing