계: Security Features
소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.
Privacy Violation: Shoulder Surfing
Abstract
중요한 정보를 수집하는 API 중 일부는 해당 정보를 부적절하게 처리할 수도 있습니다. 즉, 사용자가 입력 프롬프트에 입력하는 중요한 정보를 사용자에게 다시 돌려 보냅니다.
Explanation
민감한 정보를 수집하는 일부 API는 이러한 정보를 사용자에게 다시 돌려보내 잘못 처리할 수 있습니다.
예제 1: 다음 코드에 나와 있는 ASP.NET 모델에는 password 속성이 있지만
예제 1: 다음 코드에 나와 있는 ASP.NET 모델에는 password 속성이 있지만
DataType이 password로 지정되어 있지 않으므로 표시할 때 기본적으로 표시됩니다.
public class User
{
[Required]
public int ID { get; set; }
public string Title { get; set; }
[DataType(DataType.Date)]
[DisplayFormat(DataFormatString = "{0:yyyy-MM-dd}", ApplyFormatInEditMode = true)]
public DateTime DateOfEmployment { get; set; }
[DataType(DataType.Currency)]
public decimal Salary { get; set; }
[Required]
public string Username { get; set; }
[Required]
public string Password { get; set; }
...
}
Example 1에서 Password 속성은 [DataType(DataType.Password)] 속성을 지정하지 않았으므로 UI에 표시될 때 기본적으로 숨겨지지 않습니다.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 549
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[9] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[14] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.dotnet.privacy_violation_shoulder_surfing
Abstract
중요한 정보를 수집하는 API 중 일부는 해당 정보를 부적절하게 처리할 수도 있습니다. 즉, 사용자가 입력 프롬프트에 입력하는 중요한 정보를 사용자에게 다시 돌려 보냅니다.
Explanation
중요한 정보를 수집하는 API 중 일부는 해당 정보를 부적절하게 처리할 수도 있습니다(해당 정보를 사용자에게 다시 돌려 보냄).
예제 1: 다음 코드는 사용자가 입력 프롬프트에 입력하는 사용자 비밀번호를
예제 1: 다음 코드는 사용자가 입력 프롬프트에 입력하는 사용자 비밀번호를
TextField 위젯이 숨김 처리하지 않음을 보여 줍니다.
class SelectionContainerDisabledExampleApp extends StatelessWidget {
const SelectionContainerDisabledExampleApp({super.key});
@override
Widget build(BuildContext context) {
return MaterialApp(
home: Scaffold(
body: Center(
child: Column(
children: <Widget>[
TextField(
decoration: InputDecoration(
hintText: "Please enter your password",
),
),
],
),
),
),
);
}
}
Example 1에서는 obscureText 속성을 true로 설정하여 TextField 위젯을 인스턴스화하지 않았으므로 사용자가 "비밀번호를 입력하십시오." 프롬프트에 입력하는 비밀번호가 숨김 처리되지 않습니다.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 549
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[9] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[14] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dart.privacy_violation_shoulder_surfing
Abstract
중요한 정보를 수집하는 API 중 일부는 해당 정보를 부적절하게 처리할 수도 있습니다. 즉, 사용자가 입력 프롬프트에 입력하는 중요한 정보를 사용자에게 다시 돌려 보냅니다.
Explanation
민감한 정보를 수집하는 일부 API는 이러한 정보를 사용자에게 다시 돌려보내 잘못 처리할 수 있습니다.
예제 1: 다음 코드는 사용자가 입력 프롬프트에서 입력하는 사용자 비밀번호를 숨김 처리하지 않는 비밀번호 콜백 개체의 인스턴스화를 보여 줍니다.
예제 1: 다음 코드는 사용자가 입력 프롬프트에서 입력하는 사용자 비밀번호를 숨김 처리하지 않는 비밀번호 콜백 개체의 인스턴스화를 보여 줍니다.
PasswordCallback pc = new PasswordCallback("Please enter your password: ", true);예제 1의 pc는 두 번째 매개 변수인 onEcho가 true로 설정된 상태로 인스턴스화되었으므로 사용자가 "비밀번호를 입력하십시오." 프롬프트에 입력하는 비밀번호가 숨김 처리되지 않습니다.References
[1] FUNDAMENTALS-4: Establish trust boundaries Oracle
[2] CONFIDENTIAL-2: Do not log highly sensitive information Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 549
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[11] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[16] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[18] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.privacy_violation_shoulder_surfing
Abstract
식별된 메서드는 먼저 민감한 데이터를 올바르게 마스킹하지 않고 화면에 작성합니다.
Explanation
식별된 함수는 옵션 비활성화 없이 민감한 데이터를 수집하여 입력 프롬프트에서 사용자에게 다시 돌려보냅니다.
예제 1: 다음 코드는 사용자가 텍스트 필드에 입력하는 사용자 비밀번호를 숨김 처리하지 않는 비밀번호 필드 개체의 인스턴스화를 보여 줍니다.
예제 1: 다음 코드는 사용자가 텍스트 필드에 입력하는 사용자 비밀번호를 숨김 처리하지 않는 비밀번호 필드 개체의 인스턴스화를 보여 줍니다.
ViewController.h:
...
@property (nonatomic, retain) IBOutlet UITextField *passwordField;
...
ViewController.m:
...
NSString *password = _passwordField.text;
...
예제 1의 passwordField는 secureTextEntry 속성을 true로 설정하지 않았기 때문에 사용자가 텍스트 필드에 입력하는 비밀번호가 숨김 처리되지 않습니다.References
[1] UITextInputTraits Protocol Reference Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 549
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[10] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[15] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.objc.privacy_violation_shoulder_surfing
Abstract
중요한 정보를 수집하는 API 중 일부는 해당 정보를 부적절하게 처리할 수도 있습니다. 즉, 사용자가 입력 프롬프트에 입력하는 중요한 정보를 사용자에게 다시 돌려 보냅니다.
Explanation
식별된 함수는 옵션 비활성화 없이 민감한 데이터를 수집하여 입력 프롬프트에서 사용자에게 다시 돌려보냅니다.
예제 1: 다음 코드는 사용자가 텍스트 필드에 입력하는 사용자 비밀번호를 숨김 처리하지 않는 비밀번호 필드 개체의 인스턴스화를 보여 줍니다.
예제 1: 다음 코드는 사용자가 텍스트 필드에 입력하는 사용자 비밀번호를 숨김 처리하지 않는 비밀번호 필드 개체의 인스턴스화를 보여 줍니다.
...
@IBOutlet weak var passwordField: UITextField!
...
let password = passwordField.text
...
예제 1의 passwordField는 secureTextEntry 속성을 true로 설정하지 않았기 때문에 사용자가 텍스트 필드에 입력하는 비밀번호가 숨김 처리되지 않습니다.References
[1] UITextInputTraits Protocol Reference Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 549
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[10] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[15] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.swift.privacy_violation_shoulder_surfing
Abstract
암호가 보이면 시스템 보안에 위험이 됩니다.
Explanation
암호는 해당 소유자에게 보이지 않아도 되며, 다른 사람들은 이를 볼 수 없어야 합니다. 암호가 일반 텍스트로 표시될 경우, 주변 사람이 암호를 보고 시스템을 침해하는 데 사용할 수도 있습니다. 컴퓨터 보안에서 숄더서핑(shoulder surfing)은 어깨 너머로 훔쳐보는 것과 같은 직접적인 관찰 방법을 사용하여 정보를 얻는 것을 말합니다. 복잡한 공용 환경은 숄더서핑(shoulder surfing)에 특히 취약합니다. 특히 이러한 위협은 일반적으로 개인 또는 공용 환경 모두에서 사용하고자 하는 모바일 장치에 적용됩니다.
References
[1] input type="password"
[2] W3C W3 HTML Specifications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 549
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000206
[11] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), IA-6 Authenticator Feedback (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, IA-6 Authentication Feedback
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[16] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-3, MASVS-STORAGE-2
[18] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.4.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.4.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective A.2.2 - Cardholder Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective A.2.2 - Cardholder Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective A.2.2 - Cardholder Data Protection
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3310 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3310 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3310 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3310 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3310 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3310 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3310 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001850 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001850 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001850 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001850 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001850 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001850 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001850 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001850 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001850 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001850 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001850 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001850 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001850 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001850 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001850 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.content.html.privacy_violation_shoulder_surfing