
Optimize the document of Quark Script CWE-117#691

Merged
zinwang merged 3 commits into
ev-flow:masterfrom
JerryTasi:optimize_CWE117
Sep 18, 2024

Conversation


@JerryTasi JerryTasi commented Sep 16, 2024


Detect CWE-117 in Android Application

This scenario seeks to find Improper Output Neutralization for Logs.

CWE-117: Improper Output Neutralization for Logs

We analyze the definition of CWE-117 and identify its characteristics.

See CWE-117 for more details.

image

Code of CWE-117 in allsafe.apk

We use the allsafe.apk sample to explain the vulnerability code of CWE-117.

image

Quark Script CWE-117.py

First, we design a detection rule writeContentToLog.json to spot the behavior of using the method that writes contents to the log file.

Then, we use methodInstance.getArguments() to get all parameter values of this method. And we check if these parameters contain keywords of APIs for neutralization, such as escape, replace, format, and setFilter.

If the answer is YES, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks.

from quark.script import Rule, runQuarkAnalysis

SAMPLE_PATH = "allsafe.apk"
RULE_PATH = "writeContentToLog.json"
# Substrings that identify APIs commonly used to neutralize log input.
KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

# Each behavior occurrence is one place where the rule's API sequence
# (getText -> Log.d) was found in the sample.
for logOutputBehavior in quarkResult.behaviorOccurList:

    # Arguments passed to the second API, i.e. the Log.d() call.
    secondAPIParam = logOutputBehavior.secondAPI.getArguments()

    # Look for any sign that the logged content was neutralized first.
    isKeywordFound = False
    for keyword in KEYWORDS_FOR_NEUTRALIZATION:
        if keyword in secondAPIParam:
            isKeywordFound = True
            break

    # No neutralization API between the input and the log call: report it.
    if not isKeywordFound:
        caller = logOutputBehavior.methodCaller.fullName
        print(f"CWE-117 is detected in method, {caller}")

Quark Rule: writeContentToLog.json

{
    "crime": "Write contents to the log.",
    "permission": [],
    "api": [
        {
            "descriptor": "()Landroid/text/Editable;",
            "class": "Lcom/google/android/material/textfield/TextInputEditText;",
            "method": "getText"
        },
        {
            "descriptor": "(Ljava/lang/String;Ljava/lang/String;)I",
            "class": "Landroid/util/Log;",
            "method": "d"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python CWE-117.py
CWE-117 is detected in method, Linfosecadventures/allsafe/challenges/InsecureLogging; lambda$onCreateView$0 (Lcom/google/android/material/textfield/TextInputEditText; Landroid/widget/TextView; I Landroid/view/KeyEvent;)Z
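The following is an added, self-contained example (not the PR's or Quark's own code) that shows both halves of the reasoning above: the keyword check over the arguments of a log call, and why a missing neutralization step matters for a line-oriented log. The argument strings in CONSTRUCTED_LOG_CALLS are constructed stand-ins for what Quark's getArguments() reports, and the per-argument substring match in is_neutralized is an assumption about their shape, not Quark's API. neutralize_for_log is a hypothetical mitigation routine that escapes CR, LF and other control characters.

```python
import re

# Keywords the page's script uses to recognise neutralization APIs.
KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"]

# Constructed stand-in (assumption, not Quark output) for the argument
# expressions a Log.d() call receives, keyed by the calling method.
CONSTRUCTED_LOG_CALLS = {
    "InsecureLogging.lambda$onCreateView$0": [
        '"password"',
        "Lcom/google/android/material/textfield/TextInputEditText;->getText()",
    ],
    "SafeLogging.onSubmit": [
        '"password"',
        "Ljava/lang/String;->replace(Ljava/lang/CharSequence;Ljava/lang/CharSequence;)",
    ],
}


def is_neutralized(arguments, keywords=KEYWORDS_FOR_NEUTRALIZATION):
    """True when any argument expression mentions a neutralization API.

    Substring matching (an assumption about the argument strings), so
    "...->replace(...)" counts as the keyword "replace".
    """
    return any(keyword in arg for arg in arguments for keyword in keywords)


def find_unneutralized_log_calls(calls):
    """Return the callers whose log arguments show no neutralization."""
    return sorted(name for name, args in calls.items() if not is_neutralized(args))


# --- Why the missing neutralization matters: one value, several records ---

# C0 control characters plus DEL; CR and LF are the ones that split records.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_for_log(value):
    """Hypothetical mitigation: escape control characters so a single value
    can never be written as more than one log record."""
    named = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}
    return _CONTROL_CHARS.sub(
        lambda m: named.get(m.group(0), "\\x%02x" % ord(m.group(0))), value
    )


def log_records(entries, neutralize):
    """Render (level, message) pairs the way a line-oriented log sink would
    and return the records a log reader would see, one per line."""
    lines = []
    for level, message in entries:
        if neutralize:
            message = neutralize_for_log(message)
        lines.append(f"[{level}] {message}")
    return "\n".join(lines).splitlines()


# Constructed untrusted value: a user name carrying an embedded line break.
FORGED_NAME = "alice\n[INFO] login succeeded for admin"


if __name__ == "__main__":
    print(find_unneutralized_log_calls(CONSTRUCTED_LOG_CALLS))
    entry = [("WARN", "login failed for " + FORGED_NAME)]
    for record in log_records(entry, neutralize=False):
        print("raw:        ", record)
    for record in log_records(entry, neutralize=True):
        print("neutralized:", record)
```

Run as a script it reports the constructed insecure caller only, then prints the same warning entry twice: unneutralized, the reader sees two records (the second one forged); neutralized, the embedded newline survives as the two characters "\n" inside a single record, which is the property the keyword check is trying to confirm in the decompiled code.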


codecov Bot commented Sep 16, 2024


Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.71%. Comparing base (847c813) to head (d98bd5b).
Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #691   +/-   ##
=======================================
  Coverage   78.71%   78.71%           
=======================================
  Files          71       71           
  Lines        5656     5656           
=======================================
  Hits         4452     4452           
  Misses       1204     1204           
Flag Coverage Δ
unittests 78.71% <ø> (ø)


@zinwang zinwang self-requested a review September 17, 2024 10:20
@zinwang zinwang self-assigned this Sep 17, 2024
@zinwang zinwang added issue-processing-state-03 documentation Improvements or additions to documentation labels Sep 17, 2024

@zinwang zinwang left a comment


LGTM!

@zinwang zinwang requested a review from haeter525 September 17, 2024 11:10
@zinwang zinwang merged commit 82fac9e into ev-flow:master Sep 18, 2024
@JerryTasi JerryTasi deleted the optimize_CWE117 branch October 16, 2024 05:18