Optimize the document of Quark Script CWE-117 #44

Merged: 1 commit, Sep 18, 2024


JerryTasi
Contributor

Detect CWE-117 in Android Application

This scenario seeks to find Improper Output Neutralization for Logs.

CWE-117: Improper Output Neutralization for Logs

We analyze the definition of CWE-117 and identify its characteristics.

See CWE-117 for more details.

Code of CWE-117 in allsafe.apk

We use the allsafe.apk sample to explain the vulnerability code of CWE-117.

Quark Script CWE-117.py

First, we design a detection rule writeContentToLog.json to spot the behavior of using the method that writes contents to the log file.

Then, we use methodInstance.getArguments() to get all parameter values of this method. And we check if these parameters contain keywords of APIs for neutralization, such as escape, replace, format, and setFilter.

If the answer is YES, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks.

from quark.script import Rule, runQuarkAnalysis

SAMPLE_PATH = "allsafe.apk"
RULE_PATH = "writeContentToLog.json"
KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for logOutputBehavior in quarkResult.behaviorOccurList:

    secondAPIParam = logOutputBehavior.secondAPI.getArguments()

    isKeywordFound = False
    for keyword in KEYWORDS_FOR_NEUTRALIZATION:
        if keyword in secondAPIParam:
            isKeywordFound = True
            break

    if not isKeywordFound:
        caller = logOutputBehavior.methodCaller.fullName
        print(f"CWE-117 is detected in method, {caller}")

Quark Rule: writeContentToLog.json

{
    "crime": "Write contents to the log.",
    "permission": [],
    "api": [
        {
            "descriptor": "()Landroid/text/Editable;",
            "class": "Lcom/google/android/material/textfield/TextInputEditText;",
            "method": "getText"
        },
        {
            "descriptor": "(Ljava/lang/String;Ljava/lang/String;)I",
            "class": "Landroid/util/Log;",
            "method": "d"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python CWE-117.py
CWE-117 is detected in method, Linfosecadventures/allsafe/challenges/InsecureLogging; lambda$onCreateView$0 (Lcom/google/android/material/textfield/TextInputEditText; Landroid/widget/TextView; I Landroid/view/KeyEvent;)Z
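
What a finding like the one above means in practice, as an added example that is not part of the pull request or the Quark project: a Python sketch of a log call that writes untrusted text unchanged, next to the same call with its arguments neutralized. The logger name, message format and sample input are constructed for illustration.

```python
import io
import logging

# Control characters and line separators that let one message pose as several records.
_ESCAPES = {c: f"\\x{c:02x}" for c in range(0x20)}
_ESCAPES.update({0x09: "\\t", 0x0A: "\\n", 0x0D: "\\r", 0x7F: "\\x7f",
                 0x85: "\\x85", 0x2028: "\\u2028", 0x2029: "\\u2029"})


def neutralize(text):
    """Escape control characters in untrusted text before it reaches a log."""
    # Escape the backslash first so a literal "\n" typed by the user stays
    # distinguishable from a real line feed that was escaped here.
    return text.replace("\\", "\\\\").translate(_ESCAPES)


class NeutralizeArgs(logging.Filter):
    """Neutralize string arguments of a record before it is formatted."""

    def filter(self, record):
        # Only str arguments are rewritten, so %d and similar keep working.
        if isinstance(record.args, dict):
            record.args = {k: neutralize(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(neutralize(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def log_input(user_input, hardened):
    """Log one untrusted value and return the lines that reach the log."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger = logging.Logger("app")  # standalone logger, constructed name
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    if hardened:
        logger.addFilter(NeutralizeArgs())
    logger.debug("input=%s", user_input)
    return stream.getvalue().splitlines()


# Constructed input: the part after the line feed imitates a second log record.
FORGED = "hunter2\nDEBUG app: admin login succeeded"
```

Without the filter the single call yields two log lines, the second indistinguishable from a genuine record; with it the value stays on one line with the line feed shown as `\n`.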

@zinwang zinwang self-requested a review September 18, 2024 07:01
@zinwang zinwang self-assigned this Sep 18, 2024
@zinwang zinwang added the documentation Improvements or additions to documentation label Sep 18, 2024
Collaborator

@zinwang zinwang left a comment

LGTM!

@zinwang zinwang merged commit 42f7600 into quark-engine:main Sep 18, 2024
1 check passed