|
| 1 | +# Detect CWE-117 in Android Application (allsafe.apk) |
| 2 | +This scenario seeks to find **Improper Output Neutralization for Logs**. See [CWE-117](https://cwe.mitre.org/data/definitions/117.html) for more details. |
| 3 | + |
| 4 | +Let’s use this [APK](https://github.com/t0thkr1s/allsafe) and the above APIs to show how the Quark script finds this vulnerability. |
| 5 | + |
| 6 | +First, we design a detection rule ``writeContentToLog.json`` to spot on behavior using the method that writes contents to the log file. |
| 7 | + |
| 8 | +Then, we use ``behaviorInstance.getParamValues()`` to get all parameter values of this method. And we check if these parameters contain keywords of APIs for neutralization, such as escape, replace, format, and setFilter. |
| 9 | + |
| 10 | +If the answer is **YES**, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks. |
| 11 | + |
| 12 | +## Quark Script CWE-117.py |
| 13 | +```python |
| 14 | + |
| 15 | +from quark.script import Rule, runQuarkAnalysis |
| 16 | + |
| 17 | +SAMPLE_PATH = "allsafe.apk" |
| 18 | +RULE_PATH = "writeContentToLog.json" |
| 19 | +KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"] |
| 20 | + |
| 21 | +ruleInstance = Rule(RULE_PATH) |
| 22 | +quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) |
| 23 | + |
| 24 | +for logOutputBehavior in quarkResult.behaviorOccurList: |
| 25 | + |
| 26 | + secondAPIParam = logOutputBehavior.getParamValues()[1] |
| 27 | + |
| 28 | + isKeywordFound = False |
| 29 | + for keyword in KEYWORDS_FOR_NEUTRALIZATION: |
| 30 | + if keyword in secondAPIParam: |
| 31 | + isKeywordFound = True |
| 32 | + break |
| 33 | + |
| 34 | + if not isKeywordFound: |
| 35 | + print(f"CWE-117 is detected in method,{secondAPIParam}") |
| 36 | +``` |
| 37 | + |
| 38 | +## Quark Rule: writeContentToLog.json |
| 39 | +```json |
| 40 | +{ |
| 41 | + "crime": "Write contents to the log.", |
| 42 | + "permission": [], |
| 43 | + "api": [ |
| 44 | + { |
| 45 | + "descriptor": "()Landroid/text/Editable;", |
| 46 | + "class": "Lcom/google/android/material/textfield/TextInputEditText;", |
| 47 | + "method": "getText" |
| 48 | + }, |
| 49 | + { |
| 50 | + "descriptor": "(Ljava/lang/String;Ljava/lang/String;)I", |
| 51 | + "class": "Landroid/util/Log;", |
| 52 | + "method": "d" |
| 53 | + } |
| 54 | + ], |
| 55 | + "score": 1, |
| 56 | + "label": [] |
| 57 | +} |
| 58 | +``` |
| 59 | +## Quark Script Result |
| 60 | +- **allsafe.apk** |
| 61 | + |
| 62 | +``` |
| 63 | +$ python CWE-117.py |
| 64 | +CWE-117 is detected in method,Ljava/lang/StringBuilder;->toString()Ljava/lang/String;(Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;(Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;(Ljava/lang/StringBuilder;-><init>()V(Ljava/lang/StringBuilder;),User entered secret: ),Ljava/lang/Object;->toString()Ljava/lang/String;(Lcom/google/android/material/textfield/TextInputEditText;->getText()Landroid/text/Editable;()))) |
| 65 | +``` |
0 commit comments