Flutter - MobSF - Static Analysis - static-analysis

I have created a Flutter iOS project (empty, with the default page), prepared the IPA, then submitted it to MobSF static analysis.
Without adding anything to it, I get 2 high severity issues.
1. Binary makes use of insecure API(s)
CWE: CWE-676: Use of Potentially Dangerous Function
OWASP Top 10: M7: Client Code Quality
OWASP MASVS: MSTG-CODE-8
binary may contain the following insecure API(s) _printf , _fopen , _memcpy , _sscanf
2. Binary makes use of malloc function
CWE: CWE-789: Uncontrolled Memory Allocation
OWASP Top 10: M7: Client Code Quality
OWASP MASVS: MSTG-CODE-8
The binary may use _malloc function instead of calloc
So, I am not sure if this is a Flutter issue, a MobSF issue, or some misconfiguration on the iOS Xcode side?
I would appreciate it if anyone can help.

Related

reCAPTCHA Enterprise, getting invalid_reason: 6

I am developing a web application with reCAPTCHA Enterprise (score based, not checklist based). Everything has been integrated, and when I test it I often get a reCAPTCHA error with invalid_reason "6". "6" however is not registered in the Google Cloud API Go library I am using. It is beyond the supported enum values in the library (extracted from the recaptchaenterprise package):
    TokenProperties_InvalidReason_name = map[int32]string{
        0: "INVALID_REASON_UNSPECIFIED",
        1: "UNKNOWN_INVALID_REASON",
        2: "MALFORMED",
        3: "EXPIRED",
        4: "DUPE",
        5: "MISSING",
    }
This is from the v1 package. The v1beta1 package, I guess, will make use of the v1beta1 API. Using this package, I got invalid_reason "7", again outside the supported enum values:
    TokenProperties_InvalidReason_name = map[int32]string{
        0: "INVALID_REASON_UNSPECIFIED",
        1: "UNKNOWN_INVALID_REASON",
        2: "MALFORMED",
        3: "EXPIRED",
        4: "DUPE",
        5: "SITE_MISMATCH",
        6: "MISSING",
    }
Looking at the documentation at https://cloud.google.com/recaptcha-enterprise/docs/reference/rest/v1/projects.assessments#invalidreason, there are 7 possible values for InvalidReason. The error is probably BROWSER_ERROR, and I am not sure why.
This is not always the case though. Sometimes assessment can be made and the score is returned. This is a development site key that is configured to always return 0 score. Many times however I got that weird response.
A pattern that I have been seeing is that it succeeds in one network, and it fails in the other. I tried to create a setup in localhost with my web service and backend service running, and it succeeds with wifi connection, and it doesn't with mobile connection. Deploying the site to somewhere else I also get the same error. For now all I know is this error is flaky, not sure if it's related to network or not.
I have disabled domain verification for this key.
EDIT: I have created another key that is not a testing key. The result is still the same. I have modified the domain verification countless times, changing domains countless times, and the result is still the same.
A pattern that I have observed is that grecaptcha.enterprise.execute sometimes throws Timeout errors. This is an exception, and so the script will break. I don't know what it is doing but if, for the first time, execute runs for a few seconds, a token will be generated, but it will fail during assessment. If for the first time a token is generated quickly (less than a second), it will succeed. Successful tries mostly happen only in local deployment, in which I use the same domain (I used static DNS by putting the domain in /etc/hosts).
None of the documentation mentions how to solve this issue. It does seem that we are better off using hCaptcha instead.

To fix this issue, replace the usage of navigator.userAgent, navigator.appVersion, and navigator.platform with feature detection,

Anyone encountered this issue before? Any suggestion on how to deal with this? I am currently working on REDUX.
A page or script is accessing at least one of navigator.userAgent, navigator.appVersion, and navigator.platform. Starting in Chrome 101, the amount of information available in the User Agent string will be reduced.
To fix this issue, replace the usage of navigator.userAgent, navigator.appVersion, and navigator.platform with feature detection, progressive enhancement, or migrate to navigator.userAgentData.
Note that for performance reasons, only the first access to one of the properties is shown.
1 source
content.js:1
This has been resolved. I was able to find where my issue was. Was missing the logout function to pass on another function.

IIS : Exception from HRESULT: 0xC00CEF03

I have my website hosted on IIS with Windows 2016 OS. When I am going to disable the Form Authentication under IIS, it is giving me the following error.
Form Authentication.
Exception from HRESULT: 0xC00CEF03
I had a similar issue but it occurred when I was trying to disable the 'Machine key' - 'automatically generate at runtime' and then applying the same.
For your error, please verify if the authentication is enabled/disabled for the Default Web Site. Change that setting and then try disabling your specific website's status. It should ideally work.
I've seen this error stem from three different controls on the authentication method:
If configuring the authentication method on an application, and the authentication method you're trying to disable is enabled on the containing site.
If configuring the authentication method on a site, and the authentication method you're trying to disable is enabled on the Default Web Site.
If configuring the authentication method that has been defined in a web.config file. You should adjust it in the config file.
0xC00CEF03 error code translates to WR_E_NSPREFIXWITHEMPTYNSURI which refers to “Writer: cannot use prefix with empty namespace URI” (Reference).
This error occurs when there is something wrong with the web.config file. It’s probably corrupted or there are incompatible tags and parameters. As a result of this corruption and incompatibility, IIS is not able to read this file. Therefore, it can’t make a change.
The issue mostly happens after migration because a piece of configuration that works in the older version of IIS (and .NET Framework) probably became unsupported in the newer version.
The shortest way of finding what part of the web.config is causing the issue is to remove sections one by one and test. High-level steps:
1. Remove a section from the bottom of the file (let's say you removed the system.serviceModel section).
2. If the issue goes away, add the section back and start removing its subsections one by one (for example, the ws2007HttpBinding subsection in the system.serviceModel section).
3. If the issue goes away again, bring the subsection back and go through each line. Prefixes like wsid:, asm:, and trust: are the most common causes of this issue.
Source: 0xC00CEF03 error (Cannot use prefix with empty namespace URI)
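The section-by-section search above can be narrowed by listing every prefixed element or attribute in the file whose prefix has no namespace binding in scope, or is bound to an empty URI. This is an added example, not code from the answer, its source or IIS; the sample web.config and its prefixed names are constructed, and the findings are candidates to inspect rather than a confirmed cause.

```python
import xml.parsers.expat
RESERVED = {"xml", "xmlns"}  # prefixes predefined by the XML namespaces spec

# Constructed sample; the prefixed names are illustrative, not real IIS schema.
SAMPLE = """<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <ws2007HttpBinding>
        <binding name="b1" trust:level="high" />
      </ws2007HttpBinding>
    </bindings>
    <wsid:identity xmlns:asm="" asm:kind="x" />
  </system.serviceModel>
</configuration>
"""

def find_bad_prefixes(xml_text):
    """Return (line, qualified_name, problem) for each prefixed element or
    attribute whose prefix is undeclared or bound to an empty URI."""
    findings = []
    scopes = [{}]  # stack of prefix -> URI maps, one per open element
    # Namespace processing stays off so expat does not abort on the first
    # unbound prefix and the whole file can be reported in one pass.
    parser = xml.parsers.expat.ParserCreate()

    def check(qname):
        prefix, colon, _ = qname.partition(":")
        if not colon or prefix in RESERVED:
            return
        uri = scopes[-1].get(prefix)
        if uri is None or uri == "":
            problem = "undeclared prefix" if uri is None else "empty namespace URI"
            findings.append((parser.CurrentLineNumber, qname, problem))

    def start(name, attrs):
        scope = dict(scopes[-1])  # inherit declarations from the parent
        for key, value in attrs.items():
            if key.startswith("xmlns:"):
                scope[key[len("xmlns:"):]] = value
        scopes.append(scope)
        for qname in [name, *attrs]:
            check(qname)

    def end(_name):
        scopes.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return findings
```

Run it against a copy of the real file with `find_bad_prefixes(open(path, encoding="utf-8").read())`; the reported line is where the offending tag starts.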

Symfony2: dev to prod, win to unix, clear cache

I have written a small Symfony2 web app. This worked on Windows in dev and prod. Then I uploaded all files to the provider and ran into some issues:
The log file tells me that the Twig engine can't find a view. This helped, because I saw that I had to correct one capital (index instead of Index) - it's always the same when developing under Windows and having production under Unix.
I corrected the file and uploaded it. Then I deleted the cache (no console).
Still, the error persists!
What can I do?
New information:
The problem exists when not warming up the cache (dev and prod). If using console cache:warmup, then the cache is generated correctly.
As I found out, in one generated file, the function 'getTemplateName()' is wrong. All other references in that file are correct.
Sadly, I have no console on my server.
EDIT: Answers:
1) Error is: request.CRITICAL: Uncaught PHP Exception InvalidArgumentException: "Unable to find template "sisicalBundle:Index:index.html.twig"." at /var/www/web1261/html/sisical/vendor/symfony/symfony/src/Symfony/Bridge/Twig/TwigEngine.php line 133 {"exception":"[object]
I searched the whole src folder in Eclipse: none of my code uses 'Index' (with capital) any more (since I corrected this). Does Symfony create sources in 'vendors...' when installing them via composer?
2) I think I don't use assets and they are not the problem.
3) As logs and cache are written, permissions seem to be OK.
4) Good idea, but I can't find a use. I use templating and for that no 'use' imports for templates. Searching for 'Index' I found the wrong template name generated in the cache. Clearing and warming the cache does not help.
Is it possible, that twig generates wrong when using Index as a package/folder name?
I debugged a little bit:
When warming the cache, the FilesystemLoader parses the file system... > works well. But when running with no cache, the template-engine uses the TemplateGuesser.php which calculates the foldername from the controllername. This one is capital, because it's from a class-name....
I now saw, that I use upper cases in my other project. This time I thought 'always lower cases is the easiest...'.

Team test: Failing load. Request failed: The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF

The folk in the QA department use Visual Studio Team Test (2008 IIRC) to run load tests against our web application.
The latest set of tests have failed on several pages. The error reported is
Request failed: The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF
Searching for this using Google yields quite a few results. It would appear that this error message is generated from the .NET Framework WebRequest class (i.e. it is not a Visual Studio specific message). The most useful result is this one, which details my exact problem and how to suppress the error.
But of course, I want to get to the bottom of why this error occurs in the first place. Here are some more facts: -
This error never used to occur when the tests were run against an older version of the web app. The web app. host OS and web server (Win 2003 and IIS 6) are identical in both cases.
Not all the pages generate this error - only some.
The only significant change to these pages (that I can think of) is that they now use some AJAX whereas before they did not (IIRC)
In order to narrow down the problem, I created the simplest page that I could to replicate the problem. Luckily, that was not too hard. I then inspected the bytes in the header using Fiddler but I could not find an occurrence of a CR (0x0D) that was not followed by a LF (0x0A).
The raw HTTP response (as stored from Fiddler by response saving bytes - so its encoding should not have been altered during the save) is here as text if you don't believe me!
So now I am left thinking that the supposed error might be a false alarm. Does anyone else have experience of this/can help shed light?
This is definitely not a false alarm - I've been getting this error in my app a lot while trying to communicate with Facebook API.
I've just stumbled upon this response from Steven Cheng - http://www.velocityreviews.com/forums/t302174-why-do-i-get-the-server-committed-a-protocol-violation.html - and let me quote him:
From your description, you're using the HttpWebRequest component to send some http request to some external web resource in your ASP.NET web application. However, you're always getting the "The server committed a protocol violation. Section=ResponseStatusLine" error unless you set the following section in the web.config file:

    <system.net>
      <settings>
        <httpWebRequest useUnsafeHeaderParsing="true" />
      </settings>
    </system.net>

And you're wondering the cause of this behavior, correct?

As for this issue, I've performed some research on this and found that the problem is actually caused by the critical http header parsing/validating of the HttpWebRequest component. According to the Http Specification(http1.1), the HTTP header keys should specifically not include any spaces in their names. However, some web servers do not fully respect standards they're meant to. Applications running on the Dotnet framework and making heavy use of http requests usually use the httpWebRequest class, which encapsulates everything a web oriented developer could dream of. With all the recently issues related to security, the "httpWebRequest" class provides a self protection mechanism preventing it to accept HTTP answers which not fully qualify to the specifications. The common case is having a space in the "content-length" header key. The server actually returns a "content length" key, which, assuming no spaces are allowed, is considered as an attack vector (HTTP response split attack), thus, triggering a "HTTP protocol violation error" exception.
Will try if this helps right now and post results later
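The byte-level inspection the question describes doing by hand in Fiddler, combined with the header-name rule from the quoted reply, as an added example that is not part of the original posts. It applies the HTTP/1.1 grammar from RFC 7230, which is an assumption about what to check and not a reproduction of the .NET parser's logic; the sample response is constructed.

```python
import re

# RFC 7230 "token": the only bytes allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed response: a space in a field name and one bare CR in a value.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b"Content Length: 5\r\n"
          b"X-Note: a\rb\r\n"
          b"\r\n"
          b"hello")

def audit_head(raw):
    """Return sorted (line, problem, detail) findings for the status line
    and header block of a raw HTTP/1.1 response."""
    end = re.search(rb"\r?\n\r?\n", raw)  # blank line that ends the head
    head = raw[:end.start()] if end else raw
    findings = []

    # Byte-level pass: CR and LF may only appear together as CRLF.
    for i, byte in enumerate(head):
        problem = None
        if byte == 0x0D and head[i + 1:i + 2] != b"\n":
            problem = "CR not followed by LF"
        elif byte == 0x0A and head[max(i - 1, 0):i] != b"\r":
            problem = "LF not preceded by CR"
        if problem:
            line = head.count(b"\n", 0, i) + 1
            findings.append((line, problem, f"offset {i}"))

    # Line-level pass: each header line needs "name:" with a token-only name.
    lines = re.split(rb"\r?\n", head)
    for number, line in enumerate(lines[1:], start=2):
        name, colon, _ = line.partition(b":")
        if line[:1] in (b" ", b"\t"):
            findings.append((number, "obsolete line folding", ""))
        elif not colon or not TOKEN.fullmatch(name):
            findings.append((number, "invalid header field name",
                             name.decode("latin-1")))
    return sorted(findings)
```

Feed it the response exactly as captured on the wire (for example the bytes saved from Fiddler); a text editor or a re-saved file may already have normalised the line endings.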
