계: Input Validation and Representation

입력 검증 및 표현 문제는 메타 문자, 대체 인코딩 및 숫자 표현 때문에 발생합니다. 보안 문제는 입력을 신뢰하기 때문에 발생합니다. 문제로는 "Buffer Overflows", "Cross-Site Scripting" 공격, "SQL Injection", 그 외 여러 가지가 있습니다.

Predicate Injection

Objective-C
Swift

Abstract

신뢰할 수 없는 소스에서 나온 입력으로 동적 NSPredicate를 생성하면 공격자는 해당 문의 의미를 수정할 수 있습니다.

Explanation

NSPredicate 인스턴스는 CoreData 영구적 저장소 시스템, 배열 및 사전과 같은 소스에서 컬렉션을 가져오거나 필터링하는 방법을 지정합니다. 해당 쿼리 언어는 컬렉션을 검색하는 논리적 조건을 정의할 수 있도록 SQL과 유사한 표현 언어를 제공합니다.

조건부에 영향을 미칠 수 있는 공격자는 예를 들어 데이터를 누출하거나, 보안 제어를 우회하거나, 다른 사용자로 가장하기 위해 해당 의미를 변경할 수 있습니다.

예제 1: 다음 예제는 응용 프로그램에 의해 저장된 일부 데이터에 액세스하기 위해 NSPredicate가 인증 요소로 사용되는 방법을 보여줍니다. 사용자가 임의의 PIN 값을 제공할 수 있으므로 와일드카드 문자(*)를 사용하여 PIN 보호를 우회할 수 있습니다.


NSString *pin = [self getPinFromUser];
NSPredicate *predicate = [NSPredicate predicateWithFormat:@"pin LIKE %@", pin];

References

[1] Swift Core Data Format String Injection nVisium

[2] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press

[3] Standards Mapping - Common Weakness Enumeration CWE ID 566

[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863

[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-001310, CCI-002165

[7] Standards Mapping - FIPS200 AC

[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation, SI-10 Information Input Validation

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-CODE-4

[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[17] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[20] Standards Mapping - OWASP Top 10 2021 A03 Injection

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002530 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.dataflow.objc.predicate_injection

Abstract

신뢰할 수 없는 소스에서 나온 입력으로 동적 NSPredicate를 생성하면 공격자는 해당 문의 의미를 수정할 수 있습니다.

Explanation


let pin = getPinFromUser();
let predicate = NSPredicate(format: "pin LIKE '\(pin)'", argumentArray: nil)