
Optimize the document of Quark Script CWE-295#716

Merged
zinwang merged 5 commits into
ev-flow:masterfrom
JerryTasi:patch-1
Nov 22, 2024

Conversation

@JerryTasi JerryTasi commented Nov 21, 2024

Contributor

Detect CWE-295 in Android Application

This scenario seeks to find Improper Certificate Validation.

CWE-295: Improper Certificate Validation

We analyze the definition of CWE-295 and identify its characteristics.

See CWE-295 for more details.


Code of CWE-295 in InsecureShop.apk

We use the InsecureShop.apk sample to explain the vulnerability code of CWE-295.


Quark Script CWE-295.py

To begin with, we use the API findMethodInAPK(samplePath, targetMethod) to locate all callers of method SslErrorHandler.proceed.

Next, we must verify whether the caller overrides the method WebViewClient.onReceivedSslError.

Therefore, we check if the method name and descriptor of the caller match those of WebViewClient.onReceivedSslError. After that, we use the API methodInstance.findSuperclassHierarchy() to check if the superclasses of the caller include Landroid/webkit/WebViewClient.

If both are YES, the APK will call SslErrorHandler.proceed without certificate validation when an SSL error occurs, which may cause a CWE-295 vulnerability.

from quark.script import findMethodInAPK

SAMPLE_PATH = "insecureShop.apk"
TARGET_METHOD = [
    "Landroid/webkit/SslErrorHandler;",  # class name
    "proceed",                           # method name
    "()V"                                # descriptor
]
OVERRIDDEN_METHOD = [
    "Landroid/webkit/WebViewClient;",    # class name
    "onReceivedSslError",                # method name
    "(Landroid/webkit/WebView;" + " Landroid/webkit/SslErrorHandler;" + \
    " Landroid/net/http/SslError;)V"     # descriptor
]

for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
    if (
        sslProceedCaller.name == OVERRIDDEN_METHOD[1]
        and sslProceedCaller.descriptor == OVERRIDDEN_METHOD[2]
        and OVERRIDDEN_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()
    ):
        print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")

Quark Script Result

$ python3 CWE-295.py
CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
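A stand-alone Python model of the three-part check the description above lays out (caller name, caller descriptor, superclass hierarchy), added here as an example; it is not Quark Script's code and not part of this PR. Quark's findMethodInAPK and its method objects are replaced by a constructed method list and class table so the logic can be run without an APK, and every name below (Method, parse_descriptor, superclass_hierarchy, detect_cwe295, the Lcom/example classes) is an assumption made for illustration. The descriptor comparison is done structurally, so the spaces Quark prints between parameter types do not affect matching.

```python
"""Stand-alone model of the CWE-295 check (added example, not Quark Script code).

A constructed class table and method list stand in for the APK; the three
checks mirror the ones in the PR description: the caller of
SslErrorHandler.proceed must be named onReceivedSslError, have the
WebViewClient.onReceivedSslError descriptor, and extend WebViewClient
somewhere in its superclass chain.
"""
from dataclasses import dataclass, field

TARGET_METHOD = ["Landroid/webkit/SslErrorHandler;", "proceed", "()V"]
OVERRIDDEN_METHOD = [
    "Landroid/webkit/WebViewClient;",
    "onReceivedSslError",
    "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V",
]


def parse_descriptor(descriptor: str) -> tuple[list[str], str]:
    """Split a Dalvik method descriptor into (parameter types, return type).

    Handles primitives (I, Z, V, ...), object types (Lpkg/Cls;) and array
    prefixes ([). Spaces between parameters, as Quark prints them, are ignored.
    """
    params, ret = descriptor[1:].split(")", 1)
    types, i = [], 0
    while i < len(params):
        if params[i] == " ":
            i += 1
            continue
        start = i
        while params[i] == "[":          # array dimensions
            i += 1
        if params[i] == "L":             # object type runs up to ';'
            i = params.index(";", i) + 1
        else:                            # single-letter primitive
            i += 1
        types.append(params[start:i])
    return types, ret.strip()


def same_signature(desc_a: str, desc_b: str) -> bool:
    """Structural descriptor comparison (whitespace-insensitive)."""
    return parse_descriptor(desc_a) == parse_descriptor(desc_b)


@dataclass
class Method:
    """Hypothetical stand-in for a Quark method instance."""
    class_name: str
    name: str
    descriptor: str
    calls: list = field(default_factory=list)   # [class, name, descriptor] per callee

    @property
    def full_name(self) -> str:
        return f"{self.class_name} {self.name} {self.descriptor}"


def superclass_hierarchy(class_name: str, class_table: dict) -> list:
    """Walk the 'extends' chain in a constructed class -> superclass table."""
    chain = []
    while class_name in class_table:
        class_name = class_table[class_name]
        chain.append(class_name)
    return chain


def find_method_callers(methods, target):
    """Methods that invoke `target` (class, name, descriptor) at least once."""
    return [
        m for m in methods
        if any(c[0] == target[0] and c[1] == target[1] and same_signature(c[2], target[2])
               for c in m.calls)
    ]


def detect_cwe295(methods, class_table):
    """Return full names of onReceivedSslError overrides that call proceed()."""
    hits = []
    for caller in find_method_callers(methods, TARGET_METHOD):
        if (
            caller.name == OVERRIDDEN_METHOD[1]
            and same_signature(caller.descriptor, OVERRIDDEN_METHOD[2])
            and OVERRIDDEN_METHOD[0] in superclass_hierarchy(caller.class_name, class_table)
        ):
            hits.append(caller.full_name)
    return hits


# Constructed sample data (not taken from InsecureShop.apk).
CLASS_TABLE = {
    "Lcom/example/CustomWebViewClient;": "Landroid/webkit/WebViewClient;",
    "Lcom/example/BaseClient;": "Landroid/webkit/WebViewClient;",
    "Lcom/example/DerivedClient;": "Lcom/example/BaseClient;",   # indirect subclass
    "Lcom/example/SafeClient;": "Landroid/webkit/WebViewClient;",
    "Lcom/example/Helper;": "Ljava/lang/Object;",
}
SSL_ERROR_DESC = "(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V"
SAMPLE_METHODS = [
    Method("Lcom/example/CustomWebViewClient;", "onReceivedSslError", SSL_ERROR_DESC, [TARGET_METHOD]),
    Method("Lcom/example/DerivedClient;", "onReceivedSslError", OVERRIDDEN_METHOD[2], [TARGET_METHOD]),
    Method("Lcom/example/SafeClient;", "onReceivedSslError", SSL_ERROR_DESC,
           [["Landroid/webkit/SslErrorHandler;", "cancel", "()V"]]),      # cancels: not flagged
    Method("Lcom/example/Helper;", "onReceivedSslError", "(Landroid/webkit/SslErrorHandler;)V",
           [TARGET_METHOD]),                                               # wrong class and descriptor
]

if __name__ == "__main__":
    for hit in detect_cwe295(SAMPLE_METHODS, CLASS_TABLE):
        print(f"CWE-295 is detected in method, {hit}")
```

Running the block reports CustomWebViewClient (direct subclass) and DerivedClient (reaches WebViewClient through BaseClient, which is why the hierarchy walk rather than a direct-parent check matters); SafeClient calls cancel() instead of proceed() and Helper is not a WebViewClient, so neither is reported.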

@codecov

codecov Bot commented Nov 21, 2024


Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.22%. Comparing base (046ed6b) to head (b17d00f).
Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #716   +/-   ##
=======================================
  Coverage   79.22%   79.22%           
=======================================
  Files          73       73           
  Lines        5732     5732           
=======================================
  Hits         4541     4541           
  Misses       1191     1191           
Flag: unittests, Coverage Δ: 79.22% <ø> (ø)



@zinwang zinwang requested review from haeter525 and zinwang and removed request for haeter525 November 21, 2024 14:04
@zinwang zinwang added pr-processing-state-05 documentation Improvements or additions to documentation labels Nov 21, 2024

@zinwang zinwang left a comment


LGTM!
