Optimize the document of Quark Script CWE-328 #754

Merged
sidra-asa merged 1 commit into master from JerryTasi-CWE328
May 15, 2025
Conversation

@JerryTasi

Contributor

Detect CWE-328 in Android Application

This scenario seeks to find the Use of Weak Hash.

CWE-328 Use of Weak Hash

We analyze the definition of CWE-328 and identify its characteristics.

See CWE-328 for more details.

Code of CWE-328 in allsafe.apk

We use the allsafe.apk sample to explain the vulnerability code of CWE-328.

CWE-328 Detection Process Using Quark Script API

Let's use the above APIs to show how the Quark script finds this vulnerability.

First, we use the API findMethodInAPK(samplePath, targetMethod) to find the method MessageDigest.getInstance() or SecretKeyFactory.getInstance(). Next, we use the API methodInstance.getArguments() with a list to check if the method uses weak hashing algorithms. If YES, that causes a CWE-328 vulnerability.

Quark Script: CWE-328.py

from quark.script import findMethodInAPK

SAMPLE_PATH = "./allsafe.apk"

TARGET_METHODS = [
    [
        "Ljava/security/MessageDigest;",
        "getInstance",
        "(Ljava/lang/String;)Ljava/security/MessageDigest;",
    ],
    [
        "Ljavax/crypto/SecretKeyFactory;",
        "getInstance",
        "(Ljava/lang/String;)Ljavax/crypto/SecretKeyFactory;",
    ],
]

HASH_KEYWORDS = [
    "MD2",
    "MD4",
    "MD5",
    "PANAMA",
    "SHA0",
    "SHA1",
    "HAVAL128",
    "RIPEMD128",
]

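# Find where the APK uses each of the two getInstance() target methods.
methodsFound = []
for target in TARGET_METHODS:
    methodsFound += findMethodInAPK(SAMPLE_PATH, target)

for setHashAlgo in methodsFound:
    # The first argument is the algorithm name; drop hyphens so "SHA-1" matches "SHA1".
    algoName = setHashAlgo.getArguments()[0].replace("-", "")

    # Report the method when the algorithm name contains a weak-hash keyword.
    if any(keyword in algoName for keyword in HASH_KEYWORDS):
        print(
            f"CWE-328 is detected in {SAMPLE_PATH},\n\t"
            f"and it occurs in method, {setHashAlgo.fullName}"
        )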

Quark Script Result

$ python3 CWE-328.py
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Linfosecadventures/allsafe/challenges/SQLInjection; md5 (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Linfosecadventures/allsafe/challenges/WeakCryptography; md5Hash (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Lcom/google/firebase/database/core/utilities/Utilities; sha1HexDigest (Ljava/lang/String;)Ljava/lang/String;
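
The matching step of CWE-328.py, isolated as an added example (not part of the pull request or of Quark's own code) and run on constructed algorithm names rather than values extracted from allsafe.apk. `normalized_rule` is a hypothetical variant that upper-cases the name first: JCA algorithm lookups are case-insensitive, so a call such as `getInstance("md5")` selects MD5 at runtime but is missed by the script's case-sensitive test.

```python
# Keyword list copied from CWE-328.py above.
HASH_KEYWORDS = [
    "MD2", "MD4", "MD5", "PANAMA", "SHA0", "SHA1", "HAVAL128", "RIPEMD128",
]


def page_rule(algo_name):
    """Match as CWE-328.py does: strip hyphens, case-sensitive substring test."""
    name = algo_name.replace("-", "")
    return [kw for kw in HASH_KEYWORDS if kw in name]


def normalized_rule(algo_name):
    """Hypothetical variant: same test after upper-casing the algorithm name."""
    name = algo_name.upper().replace("-", "")
    return [kw for kw in HASH_KEYWORDS if kw in name]


def compare(names):
    """Return (name, page_hits, normalized_hits) for each algorithm name."""
    return [(n, page_rule(n), normalized_rule(n)) for n in names]


# Constructed sample arguments, as they could be passed to
# MessageDigest.getInstance() or SecretKeyFactory.getInstance().
SAMPLES = [
    "MD5", "SHA-1",                  # weak, flagged by both rules
    "md5", "sha-1",                  # weak, only the normalized rule flags them
    "SHA-256", "SHA-512/256",        # not in the keyword list, never flagged
    "PBKDF2WithHmacSHA1",            # SecretKeyFactory name containing "SHA1"
    "PBKDF2WithHmacSHA256",
]

if __name__ == "__main__":
    for name, page_hits, norm_hits in compare(SAMPLES):
        note = ""
        if norm_hits and not page_hits:
            note = "  <- missed by the case-sensitive match"
        print(f"{name:22} page={page_hits} normalized={norm_hits}{note}")
```
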

@codecov

codecov Bot commented May 15, 2025


Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.68%. Comparing base (075ff8a) to head (7dbaa78).
Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #754   +/-   ##
=======================================
  Coverage   80.68%   80.68%           
=======================================
  Files          75       75           
  Lines        6253     6253           
=======================================
  Hits         5045     5045           
  Misses       1208     1208           
Flag Coverage Δ
unittests 80.68% <ø> (ø)


@sidra-asa sidra-asa self-requested a review May 15, 2025 06:31
@sidra-asa sidra-asa added documentation Improvements or additions to documentation pr-processing-state-03 labels May 15, 2025

@sidra-asa sidra-asa left a comment

Collaborator

LGTM

@sidra-asa sidra-asa merged commit 64874f1 into master May 15, 2025
19 checks passed
@JerryTasi JerryTasi deleted the JerryTasi-CWE328 branch May 26, 2025 15:07