Convert Figma logo to code with AI

nccgroup logohouse

A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.

1,379
223
1,379
16
View on GitHub

Top Related Projects

OWASP's avatar

ASVS

2,678

Application Security Verification Standard

OWASP's avatar

CheatSheetSeries

27,554

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

OWASP's avatar

wstg

7,099

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

OWASP's avatar

www-project-top-ten

1,087

OWASP Foundation Web Respository

Quick Overview

HOUSE (Heuristic Oracle Understanding through Static Exploration) is a static analysis tool designed to identify potential oracle issues in smart contracts. It focuses on detecting discrepancies between on-chain and off-chain computations, which can lead to vulnerabilities in decentralized applications (dApps).

Pros

  • Specialized in identifying oracle-related vulnerabilities in smart contracts
  • Utilizes static analysis techniques for efficient and thorough code examination
  • Helps developers and auditors improve the security of dApps
  • Open-source project with potential for community contributions and improvements

Cons

  • Limited to Solidity smart contracts, not applicable to other blockchain platforms
  • May produce false positives or miss complex vulnerabilities due to the nature of static analysis
  • Requires understanding of smart contract development and oracle concepts for effective use
  • Documentation could be more comprehensive for easier adoption by new users

Code Examples

// Example of a vulnerable smart contract that HOUSE might flag
contract VulnerableOracle {
    uint256 public price;
    address public oracle;

    function updatePrice(uint256 _newPrice) external {
        require(msg.sender == oracle, "Not authorized");
        price = _newPrice;
    }
}

// Example of a more secure implementation
contract SecureOracle {
    uint256 public price;
    address public oracle;
    uint256 public lastUpdateTime;

    function updatePrice(uint256 _newPrice) external {
        require(msg.sender == oracle, "Not authorized");
        require(block.timestamp >= lastUpdateTime + 1 hours, "Update too frequent");
        price = _newPrice;
        lastUpdateTime = block.timestamp;
    }
}

// Example of using multiple data sources for increased security
contract MultiSourceOracle {
    uint256 public price;
    mapping(address => bool) public authorizedOracles;
    uint256 public constant MIN_REPORTS = 3;

    struct PriceReport {
        uint256 price;
        uint256 timestamp;
    }

    mapping(address => PriceReport) public oracleReports;

    function reportPrice(uint256 _price) external {
        require(authorizedOracles[msg.sender], "Not authorized");
        oracleReports[msg.sender] = PriceReport(_price, block.timestamp);
    }

    function updatePrice() external {
        uint256 totalPrice;
        uint256 validReports;

        for (address oracle in authorizedOracles) {
            if (block.timestamp - oracleReports[oracle].timestamp <= 1 hours) {
                totalPrice += oracleReports[oracle].price;
                validReports++;
            }
        }

        require(validReports >= MIN_REPORTS, "Insufficient valid reports");
        price = totalPrice / validReports;
    }
}

Getting Started

To use HOUSE for analyzing your smart contracts:

  1. Clone the repository: git clone https://github.com/nccgroup/house.git
  2. Install dependencies: pip install -r requirements.txt
  3. Run HOUSE on your Solidity file: python3 house.py path/to/your/contract.sol
  4. Review the output for potential oracle-related vulnerabilities

Note: Ensure you have Python 3.7+ installed on your system before running HOUSE.

Competitor Comparisons

OWASP logo

ASVS

2,678

Application Security Verification Standard

Pros of ASVS

  • Comprehensive security verification standard with detailed requirements
  • Widely adopted and recognized in the industry
  • Regular updates and community-driven improvements

Cons of ASVS

  • More complex and time-consuming to implement fully
  • Requires significant expertise to interpret and apply effectively

Code Comparison

ASVS doesn't contain code samples, as it's a standard document. House, on the other hand, provides code examples for security checks. Here's a sample from House:

def check_cors(self):
    cors = self.get_header('Access-Control-Allow-Origin')
    if cors == '*':
        return self.failure('CORS allows all origins')
    return self.success('CORS is not overly permissive')

Summary

ASVS is a comprehensive security standard, while House is a practical tool for security testing. ASVS offers a thorough approach to application security but requires more effort to implement. House provides ready-to-use security checks but may not cover all aspects of ASVS. The choice between them depends on the specific needs of the project and the available resources for security implementation and testing.

OWASP logo

CheatSheetSeries

27,554

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

Pros of CheatSheetSeries

  • Comprehensive collection of security-focused cheat sheets
  • Regularly updated with community contributions
  • Covers a wide range of security topics and best practices

Cons of CheatSheetSeries

  • Less focused on specific tooling or implementation
  • May require more interpretation to apply in practical scenarios
  • Not tailored for a specific programming language or framework

Code Comparison

While a direct code comparison isn't relevant due to the nature of these repositories, we can compare their content structure:

CheatSheetSeries:

# Topic Name Cheat Sheet

## Introduction
...

## Best Practices
1. Practice 1
2. Practice 2
...

house:

def check_something(param):
    # Implementation of security check
    ...
    return result

CheatSheetSeries provides markdown-based guidance, while house offers Python-based security checks and utilities.

Summary

CheatSheetSeries is a comprehensive resource for security best practices across various domains. house, on the other hand, is a more focused tool for automated security checks in Python applications. CheatSheetSeries offers broader knowledge, while house provides practical implementation for specific use cases.

OWASP logo

wstg

7,099

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

Pros of wstg

  • Comprehensive web security testing guide with detailed methodologies
  • Regularly updated and maintained by a large community of security experts
  • Extensive documentation and examples for various testing scenarios

Cons of wstg

  • Primarily focused on web application security, less coverage for other areas
  • Can be overwhelming for beginners due to its extensive content
  • Requires more time to implement and follow the complete testing process

Code Comparison

wstg:

# 4.1 Information Gathering

## 4.1.1 Conduct Search Engine Discovery Reconnaissance for Information Leakage

|ID          |
|------------|
|WSTG-INFO-01|

house:

def run(self):
    self.logger.info("Starting House scan")
    for module in self.modules:
        self.logger.info(f"Running module: {module.__name__}")
        module.run()
    self.logger.info("House scan complete")

The wstg repository provides a structured markdown-based guide for web security testing, while house offers a Python-based framework for running security modules. wstg focuses on documentation and methodologies, whereas house emphasizes practical implementation and automation of security scans.

OWASP logo

www-project-top-ten

1,087

OWASP Foundation Web Respository

Pros of www-project-top-ten

  • Widely recognized and adopted security standard in the industry
  • Regularly updated to reflect current security threats and vulnerabilities
  • Provides comprehensive guidance for developers and security professionals

Cons of www-project-top-ten

  • More focused on general web application security rather than specific implementation
  • May require additional resources to implement effectively
  • Less hands-on approach compared to house

Code Comparison

www-project-top-ten (OWASP Top 10 example):

<form action="/login" method="POST">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="submit" value="Login" />
</form>

house (NCC Group's house example):

@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    if check_credentials(username, password):
        return redirect('/dashboard')
    return render_template('login.html', error='Invalid credentials')

The www-project-top-ten focuses on identifying security risks, while house provides practical implementation examples. www-project-top-ten offers broader security guidelines, whereas house demonstrates specific secure coding practices in a functional application.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

                  ___ ___
                 /   |   \  ____  __ __  ______ ____
                /    ~    \/  _ \|  |  \/  ___// __ \
                \    Y    (  <_> )  |  /\___ \  ___/
                 \___|_  / \____/|____//____  >\___  >
                       \/      House        \/     \/
                
                    Dynamic Mobile Analysis Tool
                    Contact: hao.ke@nccgroup.com

House: A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python. It is designed for helping assess mobile applications by implementing dynamic function hooking and intercepting and intended to make Frida script writing as simple as possible.

TL;DR

git clone https://github.com/nccgroup/house
cd house
pip3 install -r requirements.txt
pip3 install pipenv
pipenv --python=/usr/bin/python3 install
pipenv --python=/usr/bin/python3 shell
python3 app.py <PORT>

# or:
mkvirtualenv --python=/usr/local/bin/python3 house
workon house
pip install -r requirements.txt
python app.py <PORT>

# or: (only for Mac OS)
git clone https://github.com/nccgroup/house
cd house
pip3 install -r requirements.txt
pip3 install pipenv
pipenv --python=/usr/local/bin/python3 install
pipenv --python=/usr/local/bin/python3 shell
python3 app.py <PORT>

By default, House binds to http://127.0.0.1:8000.

To get an overview of House capabilities, you can visit user's manual for details.

News

  • Added dynamic dex/jar hooking, House now can hook functions in dynamically loaded dex/jar files hook.gif
  • Added Mini Script option for Hooks hook.gif
  • ClassLoader Enum

Note: Make sure to update your Frida version to >= 12.8.3 for /dex/jar function hooking

Example Usage

In this section, a small example is provided to illustrate basic usage of House. The demo case is performed against a small testing android application: com.ha0k3.overloads.

Start

  • Make sure an Android device is plugged in over USB and Frida server is running on the device. Check the Frida server is successfully spawned using the following command: frida-ps -U.

  • Start the House application by running app.py : python app.py <PORT>.

  • Open a browser and navigate to http://127.0.0.1:PORT.

  • Observe the device information is displayed on the page, if not, click the Refresh button or restart the application and Frida server. start.gif

Monitor

  • Dynamically generating hook script from templates based on the config file, monitor key operations including FILEIO, IPC, etc.

monitor.png

  • It is experimental at this point, If you find more functions needed to be hooked, feel free to let me know or file a PR.

Preload & Sideload

  • House now support sideload. It supports stetho side loading at this point; which makes it easier for us to examine the UI; storage; etc. sideload_stetho.png
  • It is experimental at this point, but more functionalities such as SSLStrip will be added under this tab.

Enumeration

  • Enumerate all loaded classes: enum_load.gif
  • Enumerate all classes in the Dex file: enum_dex.gif
  • Enumerates all methods within a given class enum_method1.gif enum_method2.gif
  • History Scripts management enum_history_script.gif

Multiple Function Tracing

  • Scripts rendering and Function Tracing hook.gif

  • Hooks for functions in dynamically loaded dex/jar files hook.gif

  • Mini Script option hook.gif

  • History Scripts management hook_history_script.gif

Function intercepting

  • Via House, researchers can dynamically change the arguments being passed to the target functions and forward it. int1.gif

  • Sometimes House cannot perfectly parse argument informations. For example, an arguments can be with special type. In the example app, it implemented isLit function that takes customized object as its argument. To tackle those situations, a simple "REPL" is provided by House. Security researchers can dynamically type in Frida script in the REPL and modify the function behaviors. int2.gif

  • Several REPL functions were provided by House to make the testing easier:

    • inspectObject(obj) uses java.lang.reflect to inspect fields information within an object.
    • setRetval(ret) takes a parameter and will try to cast it to the correct return type using the original return value's constructor.
    • getStackTrace() will print the stack trace.
    • More REPL functions will be added in the future.

    int3.gif

Note: For constructor method hooking/intercept, input $init as method name.

FAQ

Prerequisite:

To make House work; you would need:

  1. A rooted android device with frida-server running plugged in your computer, use only one USB device is recommended.
  2. Local frida-python version matches frida-server's.

Cannot get device? Does not work?

Also please try to restart both the frida server and House, if still not working, please file an issue.

Time out error?

Often occues when there are multiple USB devices connected, try to restart the target application.

Frida error?

House has been tested using Frida version 12.8.6; there might be some issues with some other versions, also make sure frida-python matches frida-server's version. If still not working, try to run the generated frida scripts manually to see if it works.

Acknowledgements

Special thanks to following open-source projects for inspirations on House:

  1. Frida, the great instrumentation toolkit that making all of these possible.
  2. Objection, an inspiration and guide in building part of the Frida templating scripts of House.
  3. Inspeckage, an inspiration on the Monitor functionality of House.
  4. 0xdea/frida-scripts - a great Frida scripts arsenal.

Contact

If you have more questions about House, or want to help extending it, feel free to contact:

@haoOnBeat

Or send an email to: Hao Ke