Kingdom: Security Features

Software security is not security software. Here we are concerned with topics such as authentication, access control, confidentiality, cryptography, and privilege management.

Authentication Bad Practice: Ignored Authentication Method

Abstract
Implementing the NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate callback causes the system to ignore the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) and NSURLConnectionDelegate.connection(_:didReceive:) methods.
Explanation
The NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate method lets the delegate make an informed decision about connection authentication in a single step. If the delegate implements this method, there is no need to implement NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) or NSURLConnectionDelegate.connection(_:didReceive:). In fact, those methods are never invoked, so any security checks placed in them are silently ignored.
References
[1] connection(_:willSendRequestFor:) API documentation Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_ignored_authentication_method
Abstract
Implementing the NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate callback causes the system to ignore the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) and NSURLConnectionDelegate.connection(_:didReceive:) methods.
Explanation
The NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate method lets the delegate make an informed decision about connection authentication in a single step. If the delegate implements this method, there is no need to implement NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) or NSURLConnectionDelegate.connection(_:didReceive:). In fact, those methods are never invoked, so any security checks placed in them are silently ignored.
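The following Swift delegate is an added example illustrating the Objective-C and Swift entries above; it is not code from the Fortify description or from Apple. The class name PinnedConnectionDelegate is assumed. It shows the failure mode in one place: a server-trust check written in connection(_:canAuthenticateAgainstProtectionSpace:) is dead code as soon as connection(_:willSendRequestFor:) exists, so the evaluation has to live in the latter callback.

```swift
import Foundation
import Security

// Added example (not from the Fortify entry): a delegate that keeps its
// server-trust evaluation in the callback the system actually invokes.
final class PinnedConnectionDelegate: NSObject, NSURLConnectionDelegate {

    // IGNORED: because willSendRequestFor is implemented below, this method is
    // never called. A check placed only here provides no protection at all.
    func connection(_ connection: NSURLConnection,
                    canAuthenticateAgainstProtectionSpace protectionSpace: URLProtectionSpace) -> Bool {
        return protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust
    }

    // CORRECT: this is the single callback the system uses once it is present,
    // so the security decision is made here.
    func connection(_ connection: NSURLConnection,
                    willSendRequestFor challenge: URLAuthenticationChallenge) {
        guard let sender = challenge.sender else { return }
        let space = challenge.protectionSpace

        // Handle TLS server-trust challenges ourselves; for any other
        // authentication method (e.g. HTTP Basic) fall back to system default handling.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            sender.performDefaultHandling?(for: challenge)
            return
        }

        // Evaluate the server's certificate chain against the system trust store.
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            sender.use(URLCredential(trust: trust), for: challenge)
        } else {
            // Untrusted chain: cancel the challenge rather than continue the connection.
            sender.cancel(challenge)
        }
    }
}
```

When reviewing a delegate, the check to make is structural: if connection(_:willSendRequestFor:) is implemented, every authentication decision must be reachable from that method, and any logic left in connection(_:canAuthenticateAgainstProtectionSpace:) or connection(_:didReceive:) should be removed so nobody mistakes it for an active control. NSURLConnection itself is deprecated; the same single-callback shape applies to URLSession's urlSession(_:didReceive:completionHandler:).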
References
[1] connection(_:willSendRequestFor:) API documentation Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.swift.authentication_bad_practice_ignored_authentication_method