@JerryTasi
Contributor

Detect CWE-89 in Android Application

This scenario seeks to find SQL injection in the APK file.

CWE-89 Improper Neutralization of Special Elements used in an SQL Command

We analyze the definition of CWE-89 and identify its characteristics.

See CWE-89 for more details.

Code of CWE-89 in AndroGoat.apk

We use the AndroGoat.apk sample to explain the vulnerability code of CWE-89.

CWE-89 Detection Process Using Quark Script API

Let’s use the above APIs to show how the Quark script finds this vulnerability.

First, we design a detection rule executeSQLCommand.json to spot behavior that executes SQL commands. Then, we use the API behaviorInstance.isArgFromMethod(targetMethod) to check if append uses the value of getText as its argument. If yes, we confirm that the SQL command string is built from user input, which will cause a CWE-89 vulnerability.

Quark Script: CWE-89.py

from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "AndroGoat.apk"
RULE_PATH = "executeSQLCommand.json"

targetMethod = [
    "Landroid/widget/EditText;", # class name
    "getText",                   # method name
    "()Landroid/text/Editable;", # descriptor
]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for sqlCommandExecution in quarkResult.behaviorOccurList:
    if sqlCommandExecution.isArgFromMethod(
        targetMethod
    ):
        print(f"CWE-89 is detected in {SAMPLE_PATH}")

Quark Rule: executeSQLCommand.json

{
    "crime": "Execute SQL Command",
    "permission": [],
    "api": [
        {
            "class": "Ljava/lang/StringBuilder;",
            "method": "append",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/StringBuilder;"
        },
        {
            "class": "Landroid/database/sqlite/SQLiteDatabase;",
            "method": "rawQuery",
            "descriptor": "(Ljava/lang/String; [Ljava/lang/String;)Landroid/database/Cursor;"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python3 CWE-89.py

CWE-89 is detected in AndroGoat.apk

Detect CWE-117 in Android Application

This scenario seeks to find Improper Output Neutralization for Logs.

CWE-117: Improper Output Neutralization for Logs

We analyze the definition of CWE-117 and identify its characteristics.

See CWE-117 for more details.

Code of CWE-117 in allsafe.apk

We use the allsafe.apk sample to explain the vulnerability code of CWE-117.

CWE-117 Detection Process Using Quark Script API

First, we design a detection rule writeContentToLog.json to spot behavior that uses a method which writes contents to the log file.

Then, we use methodInstance.getArguments() to get all parameter values of this method, and we check whether these parameters contain keywords of neutralization APIs, such as escape, replace, format, and setFilter.

If the answer is YES, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks.

Quark Script: CWE-117.py

from quark.script import Rule, runQuarkAnalysis

SAMPLE_PATH = "allsafe.apk"
RULE_PATH = "writeContentToLog.json"
KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for logOutputBehavior in quarkResult.behaviorOccurList:

    secondAPIParam = logOutputBehavior.secondAPI.getArguments()

    isKeywordFound = False
    for keyword in KEYWORDS_FOR_NEUTRALIZATION:
        if keyword in secondAPIParam:
            isKeywordFound = True
            break

    if not isKeywordFound:
        caller = logOutputBehavior.methodCaller.fullName
        print(f"CWE-117 is detected in method, {caller}")

Quark Rule: writeContentToLog.json

{
    "crime": "Write contents to the log",
    "permission": [],
    "api": [
        {
            "descriptor": "()Landroid/text/Editable;",
            "class": "Lcom/google/android/material/textfield/TextInputEditText;",
            "method": "getText"
        },
        {
            "descriptor": "(Ljava/lang/String;Ljava/lang/String;)I",
            "class": "Landroid/util/Log;",
            "method": "d"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python CWE-117.py
CWE-117 is detected in method, Linfosecadventures/allsafe/challenges/InsecureLogging; lambda$onCreateView$0 (Lcom/google/android/material/textfield/TextInputEditText; Landroid/widget/TextView; I Landroid/view/KeyEvent;)Z

Detect CWE-295 in Android Application

This scenario seeks to find Improper Certificate Validation.

CWE-295: Improper Certificate Validation

We analyze the definition of CWE-295 and identify its characteristics.

See CWE-295 for more details.

Code of CWE-295 in InsecureShop.apk

We use the InsecureShop.apk sample to explain the vulnerability code of CWE-295.

CWE-295 Detection Process Using Quark Script API

To begin with, we use the API findMethodInAPK(samplePath, targetMethod) to locate all callers of method SslErrorHandler.proceed.

Next, we must verify whether the caller overrides the method WebViewClient.onReceivedSslError.

Therefore, we check if the caller has the same method name and descriptor as WebViewClient.onReceivedSslError, then use findSuperclassHierarchy() to see if its class extends Landroid/webkit/WebViewClient.

If both are YES, the APK will proceed with HTTPS connections without certificate validation when an SSL error occurs, which may cause CWE-295 vulnerability.

Quark Script: CWE-295.py

from quark.script import findMethodInAPK

SAMPLE_PATH = "insecureShop.apk"
TARGET_METHOD = [
    "Landroid/webkit/SslErrorHandler;",  # class name
    "proceed",                           # method name
    "()V",                               # descriptor
]
OVERRIDDEN_METHOD = [
    "Landroid/webkit/WebViewClient;",    # class name
    "onReceivedSslError",                # method name
    "(Landroid/webkit/WebView;"
    + " Landroid/webkit/SslErrorHandler;"
    + " Landroid/net/http/SslError;)V",  # descriptor
]

for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
    if (
        sslProceedCaller.name == OVERRIDDEN_METHOD[1]
        and sslProceedCaller.descriptor == OVERRIDDEN_METHOD[2]
        and OVERRIDDEN_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()
    ):
        print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")

Quark Script Result

$ python3 CWE-295.py
CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
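Added illustration (not code from the PR, the Quark project, or the AndroGoat sample; class, table and column names are made up): the call chain that executeSQLCommand.json matches, beside the parameterized form that keeps EditText input out of the SQL string.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.widget.EditText;

// Hypothetical lookup class used only to show the two call patterns.
public class UserLookup {
    private final SQLiteDatabase db;
    private final EditText nameField;

    public UserLookup(SQLiteDatabase db, EditText nameField) {
        this.db = db;
        this.nameField = nameField;
    }

    // Matches the rule: EditText.getText() flows into StringBuilder.append(),
    // and the built string reaches SQLiteDatabase.rawQuery(). A quote character
    // typed into the field becomes part of the statement, so
    // isArgFromMethod(getText) reports CWE-89 for this method.
    public Cursor findUserVulnerable() {
        StringBuilder sql = new StringBuilder("SELECT * FROM users WHERE name = '");
        sql.append(nameField.getText().toString());
        sql.append("'");
        return db.rawQuery(sql.toString(), null);
    }

    // Hardened: the SQL text is a constant and the user value is bound through
    // the selectionArgs parameter, so it can never alter the statement. No
    // getText() output reaches StringBuilder.append() on the way to rawQuery().
    public Cursor findUserParameterized() {
        String input = nameField.getText().toString();
        return db.rawQuery("SELECT * FROM users WHERE name = ?", new String[] { input });
    }
}
```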
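Added illustration (not code from the PR, the Quark project, or the InsecureShop sample; class names are made up): the WebViewClient override that CWE-295.py reports, beside a variant that cancels the load on a certificate error.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Flagged by the script: a subclass of WebViewClient whose onReceivedSslError
// (same name and descriptor as the framework method) calls SslErrorHandler.proceed(),
// so the page loads regardless of why the certificate failed validation.
class PermissiveWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
}

// Hardened: record the failure and cancel the load. Not overriding the method at all
// is equivalent, because WebViewClient's default implementation cancels.
class StrictWebViewClient extends WebViewClient {
    private static final String TAG = "StrictWebViewClient";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w(TAG, "TLS error " + error.getPrimaryError() + " on " + error.getUrl());
        handler.cancel();
    }
}
```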

@zinwang zinwang self-requested a review August 14, 2025 07:05
@zinwang zinwang left a comment

LGTM!

@zinwang
zinwang commented Aug 14, 2025

Refer to #64

@zinwang zinwang merged commit 4de585b into ev-flow:main Aug 14, 2025
1 check passed
@JerryTasi JerryTasi deleted the JerryTsai-CWE-89-117-295 branch August 21, 2025 05:36