Add quark script case for CWE 328

[zinwang]

Detect CWE-328 in Android Application (allsafe.apk)

This scenario seeks to find the use of weak Hash. See CWE-328 for more details.

Let’s use allsafe.apk, ovaa.apk, AndroGoat.apk, MSTG-Android-Java.apk, and the above APIs to show how the Quark script finds this vulnerability.

First, we use API findMethodInAPK(samplePath, targetMethod) to find the method MessageDigest.getInstance() or SecretKeyFactory.getInstance(). Next, we use API methodInstance.getArguments() with a list to check if the method uses weak hashing algorithms. If YES, that causes CWE-328 vulnerability.

Quark Script CWE-328.py

from quark.script import findMethodInAPK

SAMPLE_PATHS = [
        "./allsafe.apk",   "./ovaa.apk",
        "./AndroGoat.apk", "./MSTG-Android-Java.apk"
]

TARGET_METHODS = [
    [
        "Ljava/security/MessageDigest;", "getInstance",
        "(Ljava/lang/String;)Ljava/security/MessageDigest;"
    ],
    [
        "Ljavax/crypto/SecretKeyFactory;", "getInstance",
        "(Ljava/lang/String;)Ljavax/crypto/SecretKeyFactory;"
    ]
]

HASH_KEYWORDS = [
    "MD2",  "MD4",  "MD5",      "PANAMA",
    "SHA0", "SHA1", "HAVAL128", "RIPEMD128"
]

for samplePath in SAMPLE_PATHS:

    methodsFound = []
    for target in TARGET_METHODS:
        methodsFound += findMethodInAPK(samplePath, target)

    for setHashAlgo in methodsFound:
        algoName = setHashAlgo.getArguments()[0].replace("-", "")

        if any(keyword in algoName for keyword in HASH_KEYWORDS):
            print(f"CWE-328 is detected in {samplePath},\n\t"
                  f"and it occurs in method, {setHashAlgo.fullName}")

Quark Script Result

$ python CWE-328.py
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Linfosecadventures/allsafe/challenges/SQLInjection; md5 (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Lcom/google/firebase/database/core/utilities/Utilities; sha1HexDigest (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Linfosecadventures/allsafe/challenges/WeakCryptography; md5Hash (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./ovaa.apk,
        and it occurs in method, Lorg/apache/commons/io/input/MessageDigestCalculatingInputStream; <init> (Ljava/io/InputStream;)V
CWE-328 is detected in ./AndroGoat.apk,
        and it occurs in method, Lowasp/sat/agoat/AccessControlIssue1Activity; hashPIN (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./MSTG-Android-Java.apk,
    and it occurs in method, Lcom/tozny/crypto/android/AesCbcWithIntegrity; generateKeyFromPassword (Ljava/lang/String; [B)Lcom/tozny/crypto/android/AesCbcWithIntegrity$SecretKeys;

[codecov-commenter]

Codecov Report

Base: 78.52% // Head: 78.51% // Decreases project coverage by -0.01% ⚠️

Coverage data is based on head (335ff38) compared to base (6105d62).
Patch coverage: 66.66% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #448      +/-   ##
==========================================
- Coverage   78.52%   78.51%   -0.02%     
==========================================
  Files          63       63              
  Lines        4778     4780       +2     
==========================================
+ Hits         3752     3753       +1     
- Misses       1026     1027       +1     

Flag	Coverage Δ
unittests	78.51% <66.66%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
quark/script/__init__.py	95.33% <66.66%> (-0.48%)	⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[haeter525]

LGTM! I have no comment on the code change.

@18z Please help review the document when available. Thanks!