Update CWE mapping on MASWE elements of MASVS-PLATFORM #3149


Open. wants to merge 6 commits into base: master

Conversation

truerick (Contributor):

  • Update all CWE IDs on MASWE elements of MASVS-PLATFORM

This PR is related to issue #2858 .

@@ -7,6 +7,7 @@ profiles: [L1, L2]
mappings:
masvs-v1: [MSTG-PLATFORM-3]
masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2, MASVS-CODE-4]
cwe: [939, 917]
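Review bot: the added `cwe: [939, 917]` line records no rationale for pairing 917 with 939, and 917 (Expression Language Injection) is a narrow injection variant that a deep-link weakness does not obviously involve; either note the reasoning in a comment next to the list or replace 917 with the broader injection-class CWE the weakness actually describes.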
Collaborator:

Please explain how https://cwe.mitre.org/data/definitions/917.html relates to this weakness.

Contributor Author:

Deep Link parameters offer a wide range of possibilities. A malformed URI or parameter value, if not sanitized, may trigger an injection at different points of the application.

So, if CWE-939 prevents the exploit of the URI by checking the source, CWE-917 prevents the exploit of the URI by checking the content.

@@ -6,6 +6,7 @@ platform: [android, ios]
profiles: [L1, L2]
mappings:
masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
cwe: [287]
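Review bot: `cwe: [287]` maps the weakness to a single high-level authentication CWE, so if that entry is later dropped the file is left with no mapping at all; prefer an explicitly empty list with a short comment that the mapping is pending over a placeholder ID that misdescribes the weakness.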
Collaborator:

This CWE is DISCOURAGED and seems unrelated. It relates to "user authentication".

Contributor Author:

The "discouraged" mapping is applicable if you have to map a specific vulnerability to a weakness. Although we tried to avoid mapping to high-level abstraction CWEs, depending on the available content the "discouraged" CWEs may have been used to define the weaknesses.

If CWE-287 does not fit the intended weakness, other possibilities may be:

  • CWE-668: Exposure of Resource to Wrong Sphere
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

If both still don't fit the weakness, we suggest leaving it blank and defining CWEs once the weakness has been written, to better understand the scope.

@@ -6,6 +6,7 @@ platform: [ios]
profiles: [L1, L2]
mappings:
masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
cwe: [285, 358]
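Review bot: the hunk reads `cwe: [285, 358]`, so the "385" in the review question that follows is a typo for 358; for 285, a discouraged-class authorization CWE, state the rationale inline or swap it for the more specific exposure CWE once agreed, so the file does not carry an ID the thread already doubts.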
Collaborator:

285 is DISCOURAGED and I'm not sure how it relates to this weakness.

I'm also not sure how this relates to 385, please elaborate.

Contributor Author:

CWE-285 is intended as exposing UIActivity information to untrusted apps or actors. Taking your suggestion to try to be more focused on the meaning, this may be changed to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.

The suggested CWE is 358 (Improperly Implemented Security Check for Standard), related to a possibly bad activityViewController implementation in the UIActivity, not 385 (Covert Timing Channel), which is actually out of scope.

@@ -7,6 +7,7 @@ profiles: [L1, L2]
mappings:
masvs-v1: [MSTG-PLATFORM-7]
masvs-v2: [MASVS-PLATFORM-2, MASVS-STORAGE-2]
cwe: [749, 94]
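Review bot: `cwe: [749, 94]` combines an exposed-dangerous-method weakness with general code injection, which describe the cause and one possible consequence respectively; the line should indicate which is the primary mapping, for example by keeping 749 and noting 94 in a trailing comment as the JS-bridge consequence.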
Collaborator:

How does 94 relate? Please elaborate.

Contributor Author:

CWE-94: Improper Control of Generation of Code ('Code Injection') is strictly related to the Android FAQ linked in the MASWE item draft.

A bad Intent may allow attackers to inject code into the WebView interface, such as a JS bridge.

@@ -7,6 +7,7 @@ profiles: [L1, L2]
mappings:
masvs-v1: [MSTG-PLATFORM-6]
masvs-v2: [MASVS-PLATFORM-2, MASVS-STORAGE-2]
cwe: [200, 22]
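Review bot: `cwe: [200, 22]` lists a discouraged information-exposure CWE next to a path-traversal CWE whose fit to a WebView file-access setting is debatable; add the weakness-specific rationale (a local absolute path becomes reachable because file access was enabled) as a comment on the line, or defer the mapping until the weakness text exists.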
Collaborator:

22 (“Path Traversal”) deals with attackers manipulating file path inputs (like using “../”) to access files outside an intended directory. In contrast, the issue with WebViews allowing access to local resources via settings like setAllowFileAccessFromFileURLs isn’t about traversing directories, it’s about insecurely granting file access in the first place. Therefore, CWE‑22 isn’t the best match for this weakness I'd say.

Maybe we don't have a weakness for 22 yet, is it in CODE?

Contributor Author:

CWE-22 is suggested in CODE, in MASWE-0082: Unsafe Handling of Data From Local Storage.

From the CWE-22 page: "Path traversal also covers the use of absolute pathnames such as "/usr/local/bin" to access unexpected files."
I think that trying to access the /data/[...] folder because the method is not correctly initialized may cause an actual path traversal attack.

See also https://developer.android.com/privacy-and-security/risks/webview-unsafe-file-inclusion?hl=en

@@ -6,6 +6,7 @@ platform: [android, ios]
profiles: [L2]
mappings:
masvs-v2: [MASVS-PLATFORM-2, MASVS-CODE-4]
cwe: [79, 200]
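Review bot: the context line `platform: [android, ios]` conflicts with the thread's later conclusion that this WebViewAssetLoader-related weakness is Android-only, and `cwe: [79, 200]` pairs a discouraged CWE with one already covered by the separate weakness MASWE-0072; carry the platform change in the same hunk as the CWE change so the file is consistent in one commit.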
Collaborator:

200 is DISCOURAGED.

79 is XSS which can enable a successful attack here but it's a separate weakness: MASWE-0072.

Contributor Author:

The CWE may be changed to CWE-669: Incorrect Resource Transfer Between Spheres.

Since the usage of WebViewAssetLoader avoids using unsafe schemes that transfer content between app resources and a WebView, it may fit.

I also noticed we should change the platform of the MASWE to Android only.
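The WebView settings the two comments above discuss (setAllowFileAccessFromFileURLs and WebViewAssetLoader), as an added Kotlin example that is not code from this PR or from the MASWE project: the weak configuration next to a hardened one. The asset path `/assets/` and the `index.html` entry point are assumptions.

```kotlin
import android.content.Context
import android.webkit.WebResourceRequest
import android.webkit.WebResourceResponse
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.webkit.WebViewAssetLoader

// Weak configuration: the WebView may load file:// URLs, and a page loaded
// from file:// may read other local files. Any page that ends up on a file://
// origin (for example via untrusted input) can then read app-private data.
fun configureWebViewInsecurely(webView: WebView) {
    webView.settings.javaScriptEnabled = true
    webView.settings.allowFileAccess = true
    webView.settings.allowFileAccessFromFileURLs = true      // deprecated, insecure
    webView.settings.allowUniversalAccessFromFileURLs = true  // deprecated, insecure
}

// Hardened configuration: file:// and content:// access are off entirely, and
// bundled assets are served from https://appassets.androidplatform.net/assets/
// by WebViewAssetLoader, so the page runs in a normal https origin and the
// same-origin policy applies as it would for any web page.
fun configureWebViewSafely(context: Context, webView: WebView) {
    webView.settings.javaScriptEnabled = true
    webView.settings.allowFileAccess = false
    webView.settings.allowContentAccess = false
    webView.settings.allowFileAccessFromFileURLs = false
    webView.settings.allowUniversalAccessFromFileURLs = false

    // Assumption: the app's HTML lives under the APK assets directory.
    val assetLoader = WebViewAssetLoader.Builder()
        .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(context))
        .build()

    webView.webViewClient = object : WebViewClient() {
        // Only requests matching the registered path handler are answered from
        // assets; everything else returns null and follows normal network rules.
        override fun shouldInterceptRequest(
            view: WebView,
            request: WebResourceRequest,
        ): WebResourceResponse? = assetLoader.shouldInterceptRequest(request.url)
    }

    // Assumed entry point, served by the asset loader rather than via file://.
    webView.loadUrl("https://appassets.androidplatform.net/assets/index.html")
}
```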

Contributor Author:

iOS removed from platform list.

@@ -6,6 +6,7 @@ platform: [android, ios]
profiles: [L1, L2]
mappings:
masvs-v2: [MASVS-PLATFORM-2, MASVS-CODE-4]
cwe: [79, 20, 829]
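Review bot: `cwe: [79, 20, 829]` includes 20, a discouraged catch-all input-validation CWE; dropping it leaves 829 (inclusion of functionality from an untrusted sphere) as the cause and 79 as the consequence, and the line should say so in a comment, since 829 and its web-specific child 830 should not both be listed.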
Collaborator:

20 is DISCOURAGED.

79 is about the injection and execution of malicious scripts in a web page, while 829 is about the risks associated with incorporating untrusted code or functionality, which can sometimes lead to various security problems but is not, by itself, defined as cross-site scripting.


829 seems like a good fit.

Maybe also https://cwe.mitre.org/data/definitions/830.html

Contributor Author:

CWE-830: Inclusion of Web Functionality from an Untrusted Source is a variant of CWE-829: Inclusion of Functionality from Untrusted Control Sphere; it can be a substitute but I wouldn't put both of them.

In Example 1 of CWE-830 it says: "This webpage is now only as secure as the external domain it is including functionality from. If an attacker compromised the external domain and could add malicious scripts to the weatherwidget.js file, the attacker would have complete control, as seen in any XSS weakness (CWE-79)."

I think then that MASWE-0070 may lead in the same way to weakness CWE-79, and it should be listed.

OK, removing CWE-20 since better-fitting options are available.

@@ -6,6 +6,7 @@ platform: [android]
profiles: [L1, L2]
mappings:
masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-2]
cwe: [927]
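Review bot: `cwe: [927]` alone does not record why the source-verification CWE (940) discussed in the reply that follows was rejected for implicit intents; a one-line comment stating that the component's design cannot verify the sender would save the next editor re-deriving it.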

Contributor Author:

Due to the unverified nature of Implicit Intents, there may be no actual solution to "CWE-940: Improper Verification of Source of a Communication Channel".

In other words, the design of the component doesn't allow verifying the source or implementing a verification of it.

truerick and others added 4 commits April 8, 2025 09:16
  • Add CWE-926 to integrate not only Improper Verification of Broadcast Receiver, but also Improper Export of Android Application Components
    Co-authored-by: Carlos Holguera <[email protected]>
  • Removed CWE-276 after feedback received on bad application of the weakness.
  • Removed discouraged CWE
  • Removed iOS from platform list since the MASWE is related specifically to Android elements.
@truerick truerick left a comment (Contributor Author):

Every comment has been discussed or answered.
