Security controls bypass or absence - Session Invalidation - Swift

Security controls bypass or absence - Session Invalidation - Swift

Need

Implementation of proper security controls and session invalidation mechanisms

Context

  • Usage of Swift for iOS and macOS app development
  • Usage of UIKit for building modern and responsive user interfaces

Description

Non compliant code

        import UIKit

class UserSession: NSObject {
    var sessionCode: String
    var main: String

    init(sessionCode: String, main: String) {
        self.sessionCode = sessionCode
        self.main = main
    }

    func getMainFromSessionCode() -> String {
        if sessionCode.contains("auto") {
            return main
        } else {
            return "Access Denied"
        }
    }
}

The above Swift code represents a simple user session class. It has two properties: sessionCode and main. The sessionCode is a unique identifier for a user session while main represents the main data for the user.

The class has a method getMainFromSessionCode() that returns the main property if the sessionCode contains the word "auto". This is a security vulnerability because it allows unauthorized access to the main data if an attacker knows to use a session code containing the word "auto".

This is a classic example of a security control bypass vulnerability. The intention was probably to allow developers to easily access the main data during the debugging phase, but the code was inadvertently left in the production version of the app, creating a security risk.

To exploit this vulnerability, an attacker would only need to know a valid session code that contains the word "auto". The application does not invalidate or check the session code for authenticity, thus allowing the attacker to bypass security controls and gain access to sensitive user data.

Steps

  • Remove the debugging code from the getMainFromSessionCode() function.
  • Implement proper session invalidation logic to ensure that the session is invalidated when the user logs out or when the session expires.
  • Avoid using sensitive information, such as session codes, in a way that can be easily bypassed or manipulated.
  • Consider implementing secure session management techniques, such as using session tokens, encryption, and secure storage mechanisms.
  • Regularly review and update the application's security controls to address any potential vulnerabilities.

Compliant code

        import UIKit

class UserSession: NSObject {
    var sessionCode: String
    var main: String

    init(sessionCode: String, main: String) {
        self.sessionCode = sessionCode
        self.main = main
    }

    func getMainFromSessionCode() -> String {
        if sessionCode != "" {
            return main
        } else {
            return "Access Denied"
        }
    }
    
    func invalidateSession() {
        self.sessionCode = ""
        self.main = ""
    }
}

The updated code removes the debugging code that allowed any session code containing the word "auto" to bypass security controls. Now, the getMainFromSessionCode() function checks if the session code is not empty, which means a session is active. If the session code is empty, it returns "Access Denied".

A new function invalidateSession() is added to invalidate the session when the user logs out or when the session expires. This function sets the sessionCode and main to an empty string, effectively invalidating the session.

This code still assumes that proper session management techniques are being used elsewhere in the application, such as using session tokens, encryption, and secure storage mechanisms. Regular reviews and updates of the application's security controls should be conducted to address any potential vulnerabilities.

References