diff --git a/CWE-117/CWE-117.py b/CWE-117/CWE-117.py index a73a5a6..7773a95 100644 --- a/CWE-117/CWE-117.py +++ b/CWE-117/CWE-117.py @@ -19,4 +19,4 @@ if not isKeywordFound: caller = logOutputBehavior.methodCaller.fullName - print(f"CWE-117 is detected in method, {caller}") \ No newline at end of file + print(f"CWE-117 is detected in method, {caller}") diff --git a/CWE-117/README.md b/CWE-117/README.md index ed4f27f..78ac0bf 100644 --- a/CWE-117/README.md +++ b/CWE-117/README.md @@ -8,15 +8,17 @@ We analyze the definition of CWE-117 and identify its characteristics. See [CWE-117](https://cwe.mitre.org/data/definitions/117.html) for more details. -![image](https://imgur.com/poFP2Py.jpg) +![image](https://imgur.com/JEAyEsU.jpg) ## Code of CWE-117 in allsafe.apk We use the [allsafe.apk](https://github.com/t0thkr1s/allsafe) sample to explain the vulnerability code of CWE-117. -![image](https://imgur.com/AgCpFzr.jpg) +![image](https://imgur.com/ueePFNu.jpg) -## Quark Script CWE-117.py +## CWE-117 Detection Process Using Quark Script API + +![image](https://imgur.com/Y5hd4Uc.jpg) First, we design a detection rule ``writeContentToLog.json`` to spot on behavior using the method that writes contents to the log file. @@ -24,6 +26,10 @@ Then, we use ``methodInstance.getArguments()`` to get all parameter values of th If the answer is **YES**, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks. +## Quark Script CWE-117.py + +![image](https://imgur.com/F1X3qg3.jpg) + ```python from quark.script import Rule, runQuarkAnalysis @@ -51,9 +57,11 @@ for logOutputBehavior in quarkResult.behaviorOccurList: ## Quark Rule: writeContentToLog.json +![image](https://imgur.com/hC4zGgT.jpg) + ```json { - "crime": "Write contents to the log.", + "crime": "Write contents to the log", "permission": [], "api": [ { 
@@ -77,4 +85,4 @@ for logOutputBehavior in quarkResult.behaviorOccurList: ```TEXT $ python CWE-117.py CWE-117 is detected in method, Linfosecadventures/allsafe/challenges/InsecureLogging; lambda$onCreateView$0 (Lcom/google/android/material/textfield/TextInputEditText; Landroid/widget/TextView; I Landroid/view/KeyEvent;)Z -``` +``` \ No newline at end of file diff --git a/CWE-117/writeContentToLog.json b/CWE-117/writeContentToLog.json index 30c8d54..22415e7 100644 --- a/CWE-117/writeContentToLog.json +++ b/CWE-117/writeContentToLog.json @@ -1,5 +1,5 @@ { - "crime": "Write contents to the log.", + "crime": "Write contents to the log", "permission": [], "api": [ { diff --git a/CWE-295/CWE-295.py b/CWE-295/CWE-295.py index ec569d3..be5e3e1 100644 --- a/CWE-295/CWE-295.py +++ b/CWE-295/CWE-295.py @@ -4,13 +4,14 @@ TARGET_METHOD = [ "Landroid/webkit/SslErrorHandler;", # class name "proceed", # method name - "()V" # descriptor + "()V", # descriptor ] OVERRIDDEN_METHOD = [ "Landroid/webkit/WebViewClient;", # class name "onReceivedSslError", # method name - "(Landroid/webkit/WebView;" + " Landroid/webkit/SslErrorHandler;" + \ - " Landroid/net/http/SslError;)V" # descriptor + "(Landroid/webkit/WebView;" + + " Landroid/webkit/SslErrorHandler;" + + " Landroid/net/http/SslError;)V", # descriptor ] for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD): diff --git a/CWE-295/README.md b/CWE-295/README.md index 9f19eab..43cb3cc 100644 --- a/CWE-295/README.md +++ b/CWE-295/README.md 
@@ -8,23 +8,29 @@ We analyze the definition of CWE-295 and identify its characteristics. See [CWE-295](https://cwe.mitre.org/data/definitions/295.html) for more details. -![image](https://imgur.com/cuZ5qPp.jpg) +![image](https://imgur.com/w6yx17J.jpg) ## Code of CWE-295 in InsecureShop.apk We use the [InsecureShop.apk](https://github.com/hax0rgb/InsecureShop) sample to explain the vulnerability code of CWE-295. -![image](https://imgur.com/t7Y5clb.jpg) +![image](https://imgur.com/iBt3mzh.jpg) -## Quark Script CWE-295.py +## CWE-295 Detection Process Using Quark Script API + +![image](https://imgur.com/HBBurwx.jpg) To begin with, we use the API ``findMethodInAPK(samplePath, targetMethod)`` to locate all callers of method ``SslErrorHandler.proceed``. -Next, we must verify whether the caller overrides the method ``WebViewClient.onReceivedSslErroris``. +Next, we must verify whether the caller overrides the method ``WebViewClient.onReceivedSslError``. + +Therefore, we check if the caller has the same method name and descriptor as ``WebViewClient.onReceivedSslError``, then use ``findSuperclassHierarchy()`` to see if its class extends ``Landroid/webkit/WebViewClient``. -Therefore, we check if the method name and descriptor of the caller match those of ``WebViewClient.onReceivedSslErroris``. After that, we use the API ``methodInstance.findSuperclassHierarchy()`` to check if the superclasses of the caller include ``Landroid/webkit/WebViewClient``. +If both are **YES**, the APK will proceed with HTTPS connections without certificate validation when an SSL error occurs, which may cause CWE-295 vulnerability. -If both are **YES**, the APK will call ``SslErrorHandler.procees`` without certificate validation when an SSL error occurs, which may cause CWE-295 vulnerability. +## Quark Script CWE-295.py + +![image](https://imgur.com/h9ydW0Y.jpg) ```python from quark.script import findMethodInAPK 
@@ -33,13 +39,14 @@ SAMPLE_PATH = "insecureShop.apk" TARGET_METHOD = [ "Landroid/webkit/SslErrorHandler;", # class name "proceed", # method name - "()V" # descriptor + "()V", # descriptor ] OVERRIDDEN_METHOD = [ "Landroid/webkit/WebViewClient;", # class name "onReceivedSslError", # method name - "(Landroid/webkit/WebView;" + " Landroid/webkit/SslErrorHandler;" + \ - " Landroid/net/http/SslError;)V" # descriptor + "(Landroid/webkit/WebView;" + + " Landroid/webkit/SslErrorHandler;" + + " Landroid/net/http/SslError;)V", # descriptor ] for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD): @@ -56,4 +63,4 @@ for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD): ```TEXT $ python3 CWE-295.py CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V -``` +``` \ No newline at end of file diff --git a/CWE-89/CWE-89.py b/CWE-89/CWE-89.py index bafd9a5..ae66073 100644 --- a/CWE-89/CWE-89.py +++ b/CWE-89/CWE-89.py @@ -14,6 +14,6 @@ for sqlCommandExecution in quarkResult.behaviorOccurList: if sqlCommandExecution.isArgFromMethod( - targetMethod + targetMethod ): - print(f"CWE-89 is detected in {SAMPLE_PATH}") \ No newline at end of file + print(f"CWE-89 is detected in {SAMPLE_PATH}") diff --git a/CWE-89/README.md b/CWE-89/README.md index e7e7860..386fd88 100644 --- a/CWE-89/README.md +++ b/CWE-89/README.md 
@@ -6,31 +6,29 @@ This scenario seeks to find **SQL injection** in the APK file. We analyze the definition of CWE-89 and identify its characteristics. -See [CWE-89](https://cwe.mitre.org/data/definitions/89.html) for more -details. +See [CWE-89](https://cwe.mitre.org/data/definitions/89.html) for more details. -![image](https://i.imgur.com/iJ1yIBb.jpg) +![image](https://imgur.com/Yx9vIS2.jpg) -## Code of CWE-89 in androgoat.apk +## Code of CWE-89 in AndroGoat.apk -We use the [androgoat.apk](https://github.com/satishpatnayak/AndroGoat) -sample to explain the vulnerability code of CWE-89. +We use the [AndroGoat.apk](https://github.com/satishpatnayak/AndroGoat) sample to explain the vulnerability code of CWE-89. -![image](https://i.imgur.com/bdQqWFb.jpg) +![image](https://imgur.com/QWvu8te.jpg) -## Quark Script: CWE-89.py +## CWE-89 Detection Process Using Quark Script API + +![image](https://imgur.com/gvPBB3v.jpg) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -Let\'s use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule `executeSQLCommand.json` to spot on behavior using SQL command Execution. Then, we use API `behaviorInstance.isArgFromMethod(targetMethod)` to check if `append` uses the value of `getText` as the argument. If yes, we confirmed that the SQL command string is built from user input, which will cause CWE-89 vulnerability. -First, we design a detection rule `executeSQLCommand.json` to spot on -behavior using SQL command Execution. Then, we use API -`behaviorInstance.isArgFromMethod(targetMethod)` to check if `append` -uses the value of `getText` as the argument. If yes, we confirmed that -the SQL command string is built from user input, which will cause CWE-89 -vulnerability. +## Quark Script: CWE-89.py + +![image](https://imgur.com/B6Mfp2L.jpg) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "AndroGoat.apk" 
@@ -54,7 +52,9 @@ for sqlCommandExecution in quarkResult.behaviorOccurList: ## Quark Rule: executeSQLCommand.json -``` json +![image](https://imgur.com/aYnt5oq.jpg) + +```json { "crime": "Execute SQL Command", "permission": [], @@ -77,7 +77,7 @@ for sqlCommandExecution in quarkResult.behaviorOccurList: ## Quark Script Result -``` text +```TEXT $ python3 CWE-89.py CWE-89 is detected in AndroGoat.apk diff --git a/CWE-89/executeSQLCommand.json b/CWE-89/executeSQLCommand.json index ac8fe4d..190272d 100644 --- a/CWE-89/executeSQLCommand.json +++ b/CWE-89/executeSQLCommand.json @@ -15,4 +15,4 @@ ], "score": 1, "label": [] -} \ No newline at end of file +}
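Review bot: The end-of-file handling is inconsistent across this patch. CWE-117/CWE-117.py, CWE-89/CWE-89.py and CWE-89/executeSQLCommand.json gain a trailing newline, but the `\ No newline at end of file` marker moves to the `+` side in both CWE-117/README.md and CWE-295/README.md (the closing ```` ``` ```` of each "Quark Script Result" block now lacks a final newline). Please end every file with a newline so later diffs do not churn on this; an `.editorconfig` with `insert_final_newline = true` would keep it that way.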
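Review bot: In the CWE-295/README.md detection-process hunk, the rewritten sentence refers to ``findSuperclassHierarchy()`` without the object it is called on, while the same README still writes ``findMethodInAPK(samplePath, targetMethod)`` in full and the sibling READMEs use ``methodInstance.getArguments()`` and ``behaviorInstance.isArgFromMethod(targetMethod)``. Suggest keeping the removed form ``methodInstance.findSuperclassHierarchy()`` so the reader can tell which Quark object exposes the call. Also, "which may cause CWE-295 vulnerability" reads better as "which may cause a CWE-295 vulnerability" (same wording issue in the CWE-89 README, "which will cause CWE-89 vulnerability"). The typo fixes for ``onReceivedSslError`` and ``proceed`` look right.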
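Review bot: In the CWE-89/README.md hunk, the sentence "Let's use the above APIs to show how the Quark script finds this vulnerability." now sits directly under an image, so the "above APIs" exist only inside a picture hosted on imgur. Every image in this patch is also embedded as `![image](...)`, which gives screen readers and text search nothing to work with. Suggest naming the APIs in the text (``runQuarkAnalysis``, ``Rule`` and ``behaviorInstance.isArgFromMethod`` are the ones the script and the following paragraph use) and giving each image a descriptive alt text such as "CWE-89 detection flow". The rename from `androgoat.apk` to `AndroGoat.apk` is good since it now matches `SAMPLE_PATH = "AndroGoat.apk"` in the script.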
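Review bot: The `"crime"` string of writeContentToLog.json is edited in two places, the JSON file and the copy embedded in CWE-117/README.md (likewise the CWE-295 script body is duplicated in CWE-295/README.md and both copies are patched here). That is the right fix for this change, but the duplication means any future edit to a rule or script must be made twice or the README silently drifts from what runs. Consider either linking the README to the file (`See [writeContentToLog.json](./writeContentToLog.json)`) or adding a short note that the README block must be kept in sync with the file.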