Prevent browser from caching samples (malware) (#721)

Author: middleware99

mwdb/model/file.py

@@ -4,6 +4,7 @@
 import shutil
 import tempfile
 
+import numpy as np
 import pyzipper
 from sqlalchemy import or_
 from sqlalchemy.dialects.postgresql.array import ARRAY
@@ -279,6 +280,37 @@ def iterate(self, chunk_size=1024 * 256):
         finally:
             File.close(fh)
 
+    def negate_bits(self, chunk):
+        """
+        xor data with key equal 255 of length of chunk; using numpy
+        https://stackoverflow.com/questions/23312571/fast-xoring-bytes-in-python-3
+        """
+        key = np.frombuffer(b"\xff" * len(chunk), dtype="uint8")
+        chunk = np.frombuffer(chunk, dtype="uint8")
+        return (key ^ chunk).tobytes()
+
+    def iterate_obfuscated(self, chunk_size=1024 * 256):
+        r"""
+        Iterates over bytes in the file contents with xor applied
+        The idea behind xoring before send is to prevent browsers
+        from caching original samples (malware). Unxoring is provided
+        in mwdb\web\src\components\ShowSample.js in SamplePreview
+        """
+        fh = self.open()
+        try:
+            if hasattr(fh, "stream"):
+                yield from map(self.negate_bits, fh.stream(chunk_size))
+            else:
+                while True:
+                    chunk = fh.read(chunk_size)
+                    chunk = self.negate_bits(chunk)
+                    if chunk:
+                        yield chunk
+                    else:
+                        return
+        finally:
+            File.close(fh)
+
     @staticmethod
     def close(fh):
         """

mwdb/resources/file.py

@@ -381,6 +381,13 @@ def get(self, identifier):
               description: |
                 File download token for direct link purpose
               required: false
+            - in: query
+              name: obfuscate
+              schema:
+                type: string
+              description: |
+                Obfuscated response flag to avoid AV detection on preview
+              required: false
         responses:
             200:
                 description: File contents
@@ -402,6 +409,7 @@ def get(self, identifier):
                     Request canceled due to database statement timeout.
         """
         access_token = request.args.get("token")
+        obfuscate = request.args.get("obfuscate")
 
         if access_token:
             file_obj = File.get_by_download_token(access_token)
@@ -424,11 +432,22 @@ def get(self, identifier):
             if file_obj is None:
                 raise NotFound("Object not found")
 
-        return Response(
-            file_obj.iterate(),
-            content_type="application/octet-stream",
-            headers={"Content-disposition": f"attachment; filename={file_obj.sha256}"},
-        )
+        if obfuscate == "1":
+            return Response(
+                file_obj.iterate_obfuscated(),
+                content_type="application/octet-stream",
+                headers={
+                    "Content-disposition": f"attachment; filename={file_obj.sha256}"
+                },
+            )
+        else:
+            return Response(
+                file_obj.iterate(),
+                content_type="application/octet-stream",
+                headers={
+                    "Content-disposition": f"attachment; filename={file_obj.sha256}"
+                },
+            )
 
     @requires_authorization
     def post(self, identifier):

mwdb/web/src/commons/api/index.js

@@ -411,8 +411,8 @@ function removeAttributePermission(key, group_name) {
     });
 }
 
-function downloadFile(id) {
-    return axios.get(`/file/${id}/download`, {
+function downloadFile(id, obfuscate = 0) {
+    return axios.get(`/file/${id}/download?obfuscate=${obfuscate}`, {
         responseType: "arraybuffer",
         responseEncoding: "binary",
     });

mwdb/web/src/components/ShowSample.js

@@ -234,6 +234,13 @@ function SampleDetails() {
     );
 }
 
+// negate the buffer contents (xor with key equal 0xff)
+function negateBuffer(buffer) {
+    const uint8View = new Uint8Array(buffer);
+    const xored = uint8View.map((item) => item ^ 0xff);
+    return xored.buffer;
+}
+
 function SamplePreview() {
     const [content, setContent] = useState("");
     const api = useContext(APIContext);
@@ -243,8 +250,15 @@ function SamplePreview() {
     async function updateSample() {
         try {
             const fileId = objectContext.object.id;
-            const fileContentResponse = await api.downloadFile(fileId);
-            setContent(fileContentResponse.data);
+            const obfuscate = 1;
+            const fileContentResponse = await api.downloadFile(
+                fileId,
+                obfuscate
+            );
+            const fileContentResponseData = negateBuffer(
+                fileContentResponse.data
+            );
+            setContent(fileContentResponseData);
         } catch (e) {
             objectContext.setObjectError(e);
         }

requirements.txt

@@ -28,3 +28,4 @@ pyJWT==2.4.0
 Flask-Limiter==2.1.3
 python-dateutil==2.8.2
 pyzipper==0.3.5
+numpy==1.23.5