How to write custom rules for only specific file?

[ne0z]

What happened:
Currently, I use Horusec to scan android application. In my use case, I want to implement OWASP Mobile Security Testing Checklist. One of my use cases the specific file AndroidManifest.xml should have attribute android:allowBackup="false". for an example:

<manifest ... >
    ...
    <application android:allowBackup="true" ... >
        ...
    </application>
</manifest>

So, how to write custom rules to specific files that they should contains what we want?
I have tried read docs there have RegExps type NotMatch but when I tried this Regexps all files will be detected as findings.

Reference: https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#testing-backups-for-sensitive-data-mstg-storage-8

How to reproduce it (as minimally and precisely as possible):

1. Clone Vulnerable Android App

git clone https://github.com/dineshshetty/Android-InsecureBankv2.git

2. Prepare Horusec configuration

cd Android-InsecureBankv2
horusec generate

3. Write custom rules

cat << EOF >> custom-rules.json   
[
    {
       "id": "HS-LEAKS-0001",
       "name": "MSTG-STORAGE-8: Cleartext Storage of Sensitive Information",
       "description": "Android is not implement android:allowBackup=\"false\" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an \"adb backup\" command",
       "language": "Leaks",
       "severity": "HIGH",
       "confidence": "HIGH",
       "type": "NotMatch",
       "expressions": [
          "android\\\:allowBackup=\"false\""
       ]
    }
]
EOF

4. Start horusec scan

horusec start -p . -c ./custom-rules.json

Anything else we need to know?:
All files detected by custom rules, not only AndroidManifest.xml

...
Language: Leaks
Severity: HIGH
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/danang/Personal/ne0z/Android-InsecureBankv2/wip-attackercode/ExploitAES/app/src/main/res/layout/activity_main.xml
Code: 
RuleID: HS-LEAKS-0001
Details: MSTG-STORAGE-8: Cleartext Storage of Sensitive Information
Android is not implement android:allowBackup="false" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup" command
Type: Vulnerability
ReferenceHash: 391da7b94861e97fbdf54f41ec23fa5db91cdb75aee1482661c4a6e8213897b6

==================================================================================

Language: Leaks
Severity: HIGH
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/danang/Personal/ne0z/Android-InsecureBankv2/Walkthroughs/Exploit Android Keyboard Cache.docx
Code: 
RuleID: HS-LEAKS-0001
Details: MSTG-STORAGE-8: Cleartext Storage of Sensitive Information
Android is not implement android:allowBackup="false" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup" command
Type: Vulnerability
ReferenceHash: 4910e7684fc9fd8b31c6e367b6d0a169db2b8fe2786588d10e71bf0b37930d56

==================================================================================

Language: Leaks
Severity: HIGH
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/danang/Personal/ne0z/Android-InsecureBankv2/Walkthroughs/Android Debugging using JDWP.docx
Code: 
RuleID: HS-LEAKS-0001
Details: MSTG-STORAGE-8: Cleartext Storage of Sensitive Information
Android is not implement android:allowBackup="false" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup" command
Type: Vulnerability
ReferenceHash: fc71e36d4af68da4a25eadf7fd0eefb6ed603aafe9b63dfd0ebb1610c10ac541

==================================================================================

Language: Leaks
Severity: HIGH
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/danang/Personal/ne0z/Android-InsecureBankv2/Walkthroughs/Bypass Android Root Detection.docx
Code: 
RuleID: HS-LEAKS-0001
Details: MSTG-STORAGE-8: Cleartext Storage of Sensitive Information
Android is not implement android:allowBackup="false" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup" command
Type: Vulnerability
ReferenceHash: 606360cd726ef9556110cd98e3c7463817b8dcb042febd92b1eff69923be43fb

==================================================================================
...

Environment: Ubuntu 20.04

• Horusec version (use horusec version): v2.6.4
• Operating System: Ubuntu
• Network plugin / Tool and version (if this is a network-related / tool bug): N/A
• Others: N/A

[wiliansilvazup]

hello @ne0z this is really great idea tnks \o/

but currently this is not possible, because as you can see in this logic we have a restriction on which extensions we can analyze this rule, an implementation would be needed to analyze by file name, I will add this improvement in our backlog, but feel free to contribute too \o/

[ne0z]

@wiliansilvazup Thanks ! But, I don't know from where to start the contribution. I mean about "analyze by file name". Is it mean to create another format rules? or just give an additional JSON field on the existing format rules?

Example "files" as a new JSON field:

    {
       "id": "HS-LEAKS-0001",
       "name": "MSTG-STORAGE-8: Cleartext Storage of Sensitive Information",
       "description": "Android is not implement android:allowBackup=\"false\" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an \"adb backup\" command",
       "language": "Leaks",
       "files": ["AndroidManifest.xml"],
       "severity": "HIGH",
       "confidence": "HIGH",
       "type": "NotMatch",
       "expressions": [
            .....
       ]
    }

Also I am not sure scanning AndroidManifest.xml file with Leaks language. Because based on the name, Leaks is more relevant if the rules related with "information leaks". I have look another language options but other language seems more irrelevant. Any ideas about this?

[wiliansilvazup]

I understand, to make the change you will need:
1st Change struct in horusec-engine adding a new field filter where only files that match this filter are validated by this rule;

2nd Soon after, it will be necessary to add validation in the method runRule so that it can find vulnerability only if the directory is found. You can use the same library double-star that we used in horusec to perform validation of which file we should ignore in the specific rule.

[ne0z]

Hi @wiliansilvazup, I have added some changes but I am not sure if that PR is correct, the validation implemented in the Run method https://github.com/ZupIT/horusec-engine/blob/421af642c0468e1f641cd714e795a3ec6c27dc20/text/rule.go#L71 because I can access the metadata information inside or am I misunderstanding this somehow?

[wiliansilvazup]

@ne0z for check if this changes are be ok you can create unit tests for validate. By exemple "Temporarily create files in json, yaml, go, javascript, etc.", but looking your updates i think this can works fine :)

[ne0z]

Hi @wiliansilvazup, I have added the unit test and fixed the linter on the ZupIT/horusec-engine#120. Any other suggestions? :)