Add quark script for CWE-23 #476
Merged
Codecov Report
Patch and project coverage have no change.
@@ Coverage Diff @@
## master #476 +/- ##
=======================================
Coverage 78.76% 78.76%
=======================================
Files 63 63
Lines 4850 4850
=======================================
Hits 3820 3820
Misses 1030 1030
pulorsok
approved these changes
Feb 28, 2023
Member
LGTM
zinwang
reviewed
Feb 28, 2023
zinwang
reviewed
Feb 28, 2023
zinwang
reviewed
Mar 1, 2023
Contributor
LGTM!
zinwang
approved these changes
Mar 1, 2023
Contributor
@LiangPPP Thanks for the work!
This was referenced Mar 2, 2023
CWE-23
Detect CWE-23 in Android Application (ovaa.apk and InsecureBankv2.apk)
This scenario aims to demonstrate the detection of the Relative Path Traversal vulnerability using ovaa.apk and InsecureBankv2.apk. See CWE-23 for more details.
To begin with, we will create a detection rule named accessFileInExternalDir.json to identify behavior that accesses a file in an external directory.
Next, we will use methodInstance.getArguments() to retrieve the file path argument and check whether it belongs to the APK or not. If it does not belong to the APK, the argument is likely from external input.
Finally, we will use the Quark API quarkResultInstance.findMethodInCaller(callerMethod, targetMethod) to search the caller method for any string-matching APIs. If no matching API is found, the APK does not neutralize special elements within the argument, which may result in the CWE-23 vulnerability. If a matching API is found, we will verify whether it neutralizes the Relative Path string or not. If it does not neutralize it, the APK may still be vulnerable to CWE-23.
Quark Script CWE-23.py
The Quark Script below uses ovaa.apk to demonstrate. You can change the SAMPLE_PATH to the sample you want to detect. For example, SAMPLE_PATH = "InsecureBankv2.apk".
Quark Rule: accessFileInExternalDir.json
    {
        "crime": "Access a file in an external directory",
        "permission": [],
        "api": [
            {
                "class": "Landroid/os/Environment;",
                "method": "getExternalStorageDirectory",
                "descriptor": "()Ljava/io/File;"
            },
            {
                "class": "Ljava/io/File;",
                "method": "<init>",
                "descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
            }
        ],
        "score": 1,
        "label": []
    }
Quark Script Result
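Added example, not the project's CWE-23.py and not its output: the three checks described above, modelled in plain Python over constructed findings so the decision order can be run without Quark or an APK. The Call and Finding classes, the list of string-matching APIs and all method names in the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed set of string-matching APIs (class, method, descriptor); extend as needed.
CONTAINS = ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence;)Z")
INDEX_OF = ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I")
STRING_MATCHING_APIS = {CONTAINS, INDEX_OF}

@dataclass(frozen=True)
class Call:             # hypothetical stand-in for one API call inside the caller
    api: tuple          # (class, method, descriptor)
    args: tuple = ()    # constant arguments recovered for that call

@dataclass(frozen=True)
class Finding:          # hypothetical stand-in for one hit of the rule
    caller: str         # method in which both rule APIs occur
    file_path: str      # String argument of File.<init>(File, String)
    calls: tuple = ()   # other API calls found in the same caller

def classify(finding, apk_strings):
    """Apply the three checks from the text to one rule hit."""
    # Check 1: a path that is a constant of the APK is not external input.
    if finding.file_path in apk_strings:
        return "skip: path belongs to the APK"
    # Check 2: does the caller use any string-matching API at all?
    matchers = [c for c in finding.calls if c.api in STRING_MATCHING_APIS]
    if not matchers:
        return "CWE-23: no string matching in caller"
    # Check 3: does a matching call actually test for the ".." element?
    if any(".." in arg for c in matchers for arg in c.args):
        return "ok: '..' is checked"
    return "CWE-23: matching does not cover '..'"

# Constructed sample findings; the method names are invented, not from either APK.
APK_STRINGS = {"cache/index.db"}
FINDINGS = [
    Finding("Lcom/example/Cache;->open()V", "cache/index.db"),
    Finding("Lcom/example/Provider;->openFile(Landroid/net/Uri;)V", "<from Uri>"),
    Finding("Lcom/example/Export;->save(Ljava/lang/String;)V", "<param>",
            (Call(CONTAINS, ("/sdcard",)),)),
    Finding("Lcom/example/Import;->load(Ljava/lang/String;)V", "<param>",
            (Call(INDEX_OF, ("..",)),)),
]

def report(findings=FINDINGS, apk_strings=APK_STRINGS):
    return {f.caller: classify(f, apk_strings) for f in findings}

if __name__ == "__main__":
    for caller, verdict in report().items():
        print(f"{verdict:40} {caller}")
```

Check 3 only confirms that the caller looks for "..", so a finding that passes it still needs a manual look at whether the result of that test gates the file access.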