
Commit 11e2a18

Add CWE-117 Quark Script (#35)
* Create CWE-117.py * Create README.md * Create writeContentToLog.json
1 parent 34a4c1e commit 11e2a18

File tree

3 files changed

+104
-0
lines changed


CWE-117/CWE-117.py

Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
from quark.script import Rule, runQuarkAnalysis
2+
3+
SAMPLE_PATH = "allsafe.apk"
4+
RULE_PATH = "writeContentToLog.json"
5+
KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"]
6+
7+
ruleInstance = Rule(RULE_PATH)
8+
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
9+
10+
for logOutputBehavior in quarkResult.behaviorOccurList:
11+
12+
secondAPIParam = logOutputBehavior.getParamValues()[1]
13+
14+
isKeywordFound = False
15+
for keyword in KEYWORDS_FOR_NEUTRALIZATION:
16+
if keyword in secondAPIParam:
17+
isKeywordFound = True
18+
break
19+
20+
if not isKeywordFound:
21+
print(f"CWE-117 is detected in method,{secondAPIParam}")
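Review bot: the keyword test on lines 14-18 is a plain substring match over the second parameter's value, so any call chain whose text happens to contain "format" or "replace" (a `String.format` or `replace` used merely to build the message, not to sanitize it) silently suppresses the finding, and nothing checks that the matched method is applied to the `getText()` result before it reaches `Log.d`. Matching on full method signatures (e.g. `Ljava/lang/String;->replace(`) would cut the false negatives, and `getParamValues()[1]` on line 12 should be guarded by a length check, since an occurrence with fewer than two parameter values raises IndexError and aborts the whole scan. Line 21 also labels the printed value "method" although it is the parameter's reconstructed value; either print the calling method or change the wording to "parameter".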

CWE-117/README.md

Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
# Detect CWE-117 in Android Application (allsafe.apk)
2+
This scenario seeks to find **Improper Output Neutralization for Logs**. See [CWE-117](https://cwe.mitre.org/data/definitions/117.html) for more details.
3+
4+
Let’s use this [APK](https://github.com/t0thkr1s/allsafe) and the above APIs to show how the Quark script finds this vulnerability.
5+
6+
First, we design a detection rule ``writeContentToLog.json`` to spot on behavior using the method that writes contents to the log file.
7+
8+
Then, we use ``behaviorInstance.getParamValues()`` to get all parameter values of this method. And we check if these parameters contain keywords of APIs for neutralization, such as escape, replace, format, and setFilter.
9+
10+
If the answer is **YES**, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks.
11+
12+
## Quark Script CWE-117.py
13+
```python
14+
15+
from quark.script import Rule, runQuarkAnalysis
16+
17+
SAMPLE_PATH = "allsafe.apk"
18+
RULE_PATH = "writeContentToLog.json"
19+
KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"]
20+
21+
ruleInstance = Rule(RULE_PATH)
22+
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
23+
24+
for logOutputBehavior in quarkResult.behaviorOccurList:
25+
26+
secondAPIParam = logOutputBehavior.getParamValues()[1]
27+
28+
isKeywordFound = False
29+
for keyword in KEYWORDS_FOR_NEUTRALIZATION:
30+
if keyword in secondAPIParam:
31+
isKeywordFound = True
32+
break
33+
34+
if not isKeywordFound:
35+
print(f"CWE-117 is detected in method,{secondAPIParam}")
36+
```
37+
38+
## Quark Rule: writeContentToLog.json
39+
```json
40+
{
41+
"crime": "Write contents to the log.",
42+
"permission": [],
43+
"api": [
44+
{
45+
"descriptor": "()Landroid/text/Editable;",
46+
"class": "Lcom/google/android/material/textfield/TextInputEditText;",
47+
"method": "getText"
48+
},
49+
{
50+
"descriptor": "(Ljava/lang/String;Ljava/lang/String;)I",
51+
"class": "Landroid/util/Log;",
52+
"method": "d"
53+
}
54+
],
55+
"score": 1,
56+
"label": []
57+
}
58+
```
59+
## Quark Script Result
60+
- **allsafe.apk**
61+
62+
```
63+
$ python CWE-117.py
64+
CWE-117 is detected in method,Ljava/lang/StringBuilder;->toString()Ljava/lang/String;(Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;(Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;(Ljava/lang/StringBuilder;-><init>()V(Ljava/lang/StringBuilder;),User entered secret: ),Ljava/lang/Object;->toString()Ljava/lang/String;(Lcom/google/android/material/textfield/TextInputEditText;->getText()Landroid/text/Editable;())))
65+
```
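Review bot: line 10 inverts the script's logic. The code reports CWE-117 when no neutralization keyword is found (`if not isKeywordFound` on lines 34-35), so the sentence should read "If the answer is **NO**, ...". Line 4 refers to "the above APIs" but nothing precedes it; name `getText` and `Log.d` or drop the phrase, and "to spot on behavior using the method that writes contents to the log file" on line 6 reads better as "to spot the behavior of writing content to the log". Line 10 also bundles two different consequences: logging the raw `getText()` value leaks the secret whether or not it is neutralized, while the missing neutralization is what enables log forging, and only the latter is CWE-117.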

CWE-117/writeContentToLog.json

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
{
2+
"crime": "Write contents to the log.",
3+
"permission": [],
4+
"api": [
5+
{
6+
"descriptor": "()Landroid/text/Editable;",
7+
"class": "Lcom/google/android/material/textfield/TextInputEditText;",
8+
"method": "getText"
9+
},
10+
{
11+
"descriptor": "(Ljava/lang/String;Ljava/lang/String;)I",
12+
"class": "Landroid/util/Log;",
13+
"method": "d"
14+
}
15+
],
16+
"score": 1,
17+
"label": []
18+
}
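Review bot: the rule only fires when the text comes from `Lcom/google/android/material/textfield/TextInputEditText;->getText()` (lines 5-9) and is logged through `Landroid/util/Log;->d` (lines 10-14), so the same pattern via a plain `Landroid/widget/EditText;` or `Log.v`/`Log.i`/`Log.w`/`Log.e` is not detected; either state that scope in the README or add sibling rules for the other classes and log levels. `"label"` on line 17 is empty; a label such as `log` would let this rule be filtered alongside the others.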
