From 67d628e102b55ea168c7d399e280990659e20c7c Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:08:51 +0800 Subject: [PATCH 01/10] Optimize the document of Quark Script CWE-312 --- CWE-312/README.md | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/CWE-312/README.md b/CWE-312/README.md index 534b7fa..36e00e2 100644 --- a/CWE-312/README.md +++ b/CWE-312/README.md 
@@ -1,37 +1,36 @@ # Detect CWE-312 in Android Application +This scenario seeks to find **cleartext storage of sensitive data** in the APK file. -This scenario seeks to find **cleartext storage of sensitive data** in -the APK file. - -## CWE-312 Cleartext Storage of Sensitive Information +## CWE-312: Cleartext Storage of Sensitive Information We analyze the definition of CWE-312 and identify its characteristics. -See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more -details. +See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more details. -![image](https://i.imgur.com/cy2EiZx.jpg) +![image](https://imgur.com/mD2uXUy.jpg) ## Code of CWE-312 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-312. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-312. + +![image](https://imgur.com/MfnYIYy.jpg) + +## CWE-312 Detection Process Using Quark Script API + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -![image](https://i.imgur.com/KsFsxTu.jpg) +We have designed a [Frida](https://frida.re/) script ``agent.js`` to hook a specified method and get the arguments when the method is called. It can be found in [quark-engine/quark/script/frida](https://github.com/quark-engine/quark-engine/tree/master/quark/script/frida). + +To begin with, we hook the method ``putString`` to catch its arguments. Then, we check if sensitive information like email or password is passed. Finally, we use ``checkClearText`` imported from [Ares](https://github.com/bee-san/Ares) to check if the arguments are cleartext. If both **YES**, CWE-312 vulnerability might be caused. -## Quark Script CWE-312.py +![image](https://imgur.com/eNjm3ES.jpg) -Let\'s use the above APIs to show how the Quark script finds this -vulnerability. 
+## Quark Script: CWE-312.py -First, we designed a [Frida](https://frida.re) script `agent.js` to hook -the target method and get the arguments when the target method is -called. Then we hook the method `putString` to catch its arguments. -Finally, we use [Ares](https://github.com/bee-san/Ares) to check if -the arguments are encrypted. +![image](https://imgur.com/rxMPZX8.jpg) -``` python +```python from quark.script.frida import runFridaHook from quark.script.ares import checkClearText @@ -62,7 +61,7 @@ for putString in fridaResult.behaviorOccurList: ## Frida Script: agent.js -``` javascript +```javascript // -*- coding: utf-8 -*- // This file is part of Quark-Engine - https://github.com/quark-engine/quark-engine // See the file 'LICENSE' for copying permission. @@ -125,7 +124,7 @@ rpc.exports["watchMethodCall"] = (classAndMethodName, methodParamTypes) => watch ## Quark Script Result -``` TEXT +```TEXT $ python3 CWE-312.py The CWE-312 vulnerability is found. The cleartext is "test@email.com" The CWE-312 vulnerability is found. The cleartext is "password" From 41e67f5cc5b797533686a4f82e64fba4d7a2efa0 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:10:25 +0800 Subject: [PATCH 02/10] Optimize the document of Quark Script CWE-798 --- CWE-798/README.md | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/CWE-798/README.md b/CWE-798/README.md index f16abee..d227fca 100644 --- a/CWE-798/README.md +++ b/CWE-798/README.md 
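Review bot: in PATCH 01/10 the result block's fence tag changes from "``` TEXT" to "```TEXT", but PATCH 03/10 and PATCH 05/10 change the same fence to a bare "```" instead; pick one form for every README result block in the series. In the new process paragraph, "If both **YES**, CWE-312 vulnerability might be caused" reads better as "If both answers are YES, a CWE-312 vulnerability may be present". The added pointer to quark-engine/quark/script/frida for agent.js is worth keeping, since PATCH 07/10 deletes the local CWE-312/agent.js.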
@@ -1,36 +1,35 @@ # Detect CWE-798 in Android Application -This scenario seeks to find hard-coded credentials in the APK file. +This scenario seeks to find **hard-coded credentials** in the APK file. -## CWE-798 Use of Hard-coded Credentials +## CWE-798: Use of Hard-coded Credentials We analyze the definition of CWE-798 and identify its characteristics. -See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more -details. +See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more details. -![image](https://i.imgur.com/0G9APpf.jpg) +![image](https://imgur.com/rF8J8hE.png) ## Code of CWE-798 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-798. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-798. -![image](https://i.imgur.com/ikaJlDW.jpg) +![image](https://imgur.com/Cg7DacP.png) -## Quark Script: CWE-798.py -Let\'s use the above APIs to show how the Quark script finds this -vulnerability. +## CWE-798 Detection Process Using Quark Script API + +![image](https://imgur.com/R8CfDqD.png) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. + +First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior using the constructor ``SecretKeySpec``. Second, we get all the parameter values from this constructor. Then, we parse the AES key from the parameter values. Finally, we check if the AES key is hardcoded in the APK file. If the answer is **YES**, BINGO!!! We find hard-coded credentials in the APK file. -First, we design a detection rule `findSecretKeySpec.json` to spot on -behavior using the method `SecretKeySpec`. Then, we get all the -parameter values that are input to this method. And we parse the AES key -out of the parameter values. Finally, we check if the AES key is -hardcoded in the APK file. If the answer is YES, BINGO!!! 
We find -hard-coded credentials in the APK file. +## Quark Script: CWE-798.py + +![image](https://imgur.com/IOyrqDc.png) -``` python +```python import re from quark.script import runQuarkAnalysis, Rule @@ -54,7 +53,9 @@ for secretKeySpec in quarkResult.behaviorOccurList: ## Quark Rule: findSecretKeySpec.json -``` json +![image](https://imgur.com/2BYOE70.png) + +```json { "crime": "Detect APK using SecretKeySpec.", "permission": [], @@ -77,8 +78,7 @@ for secretKeySpec in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT -$ python3 findSecretKeySpec.py - +```TEXT +$ python3 CWE-798.py Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f ``` From ab1c9ce140b6403a5d742da3eb2be70403293964 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:11:20 +0800 Subject: [PATCH 03/10] Optimize the document of Quark Script CWE-921 --- CWE-921/README.md | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/CWE-921/README.md b/CWE-921/README.md index 5315ce4..23bf563 100644 --- a/CWE-921/README.md +++ b/CWE-921/README.md 
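Review bot: the result block correction in PATCH 02/10 is right, since `findSecretKeySpec.json` is the rule file and the script heading is CWE-798.py, so `$ python3 CWE-798.py` is the command a reader should run; note that PATCH 10/10 reverts this back to `findSecretKeySpec.py`, so the revert should not be merged as-is. Minor wording: "to spot on behavior using the constructor ``SecretKeySpec``" should be "to spot behavior that uses the ``SecretKeySpec`` constructor".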
@@ -1,36 +1,35 @@ # Detect CWE-921 in Android Application -This scenario seeks to find the **unsecured storage mechanism of -sensitive data** in the APK file. +This scenario seeks to find the **unsecured storage mechanism of sensitive data** in the APK file. -## CWE-921 Storage of Sensitive Data in a Mechanism without Access Control +## CWE-921: Storage of Sensitive Data in a Mechanism without Access Control We analyze the definition of CWE-921 and identify its characteristics. -See [CWE-921](https://cwe.mitre.org/data/definitions/921.html) for more -details. +See [CWE-921](https://cwe.mitre.org/data/definitions/921.html) for more details. + +![image](https://imgur.com/2zlPLHe.jpg) -![image](https://imgur.com/ihtjGAu.jpg) ## Code of CWE-921 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-921. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-921. -![image](https://imgur.com/ACzJct8.jpg) +![image](https://imgur.com/2u5iL1K.jpg) -## Quark Script: CWE-921.py +## CWE-921 Detection Process Using Quark Script API + +![image](https://imgur.com/qHOMqKy.jpg) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule ``checkFileExistence.json`` to spot on behavior that checks if a file exists on a given storage mechanism. Then, we use API ``methodInstance.getArguments()`` to get the file path. Finally, CWE-921 is found if the file path contains the keyword ``sdcard``. -First, we design a detection rule `checkFileExistence.json` to spot on -behavior that checks if a file exists on a given storage mechanism. -Then, we use API `methodInstance.getArguments()` to get the file path. -Finally, CWE-921 is found if the file path contains the keyword -`sdcard`. 
+## Quark Script: CWE-921.py + +![image](https://imgur.com/HULgyIy.jpg) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" @@ -48,7 +47,9 @@ for existingFile in quarkResult.behaviorOccurList: ## Quark Rule: checkFileExistence.json -``` json +![image](https://imgur.com/zRiYLtS.jpg) + +```json { "crime": "Check file existence", "permission": [], @@ -71,7 +72,7 @@ for existingFile in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python3 CWE-921.py This file is stored inside the SDcard From 25da5626287cb2e5467a195c35161c4de30b8fa5 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:12:09 +0800 Subject: [PATCH 04/10] Optimize the document of Quark Script CWE-94 --- CWE-94/README.md | 56 ++++++++++++++++++++++++------------------------ 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/CWE-94/README.md b/CWE-94/README.md index b6d2640..78d0d99 100644 --- a/CWE-94/README.md +++ b/CWE-94/README.md 
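Review bot: the "## Quark Script Result" fence in PATCH 03/10 loses its language tag entirely ("``` TEXT" becomes "```"), whereas the CWE-312, CWE-798 and CWE-94 patches keep "TEXT"; use the same tag everywhere. The reworded process paragraph states that CWE-921 is found if the file path contains the keyword ``sdcard``; it would help readers to say explicitly that this is a path-string heuristic for external storage rather than an inspection of the storage mechanism's access control, so they know what the script can and cannot flag.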
@@ -1,46 +1,44 @@ # Detect CWE-94 in Android Application +This scenario seeks to find **code injection** in the APK file. -This scenario seeks to find **code injection** in the APK file. - -## CWE-94 Improper Control of Generation of Code +## CWE-94: Improper Control of Generation of Code We analyze the definition of CWE-94 and identify its characteristics. -See [CWE-94](https://cwe.mitre.org/data/definitions/94.html) for more -details. +See [CWE-94](https://cwe.mitre.org/data/definitions/94.html) for more details. -![image](https://imgur.com/faWwd3p.jpg) +![image](https://imgur.com/M9Jlgrn.png) ## Code of CWE-94 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-94. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-94. -![image](https://imgur.com/duobWF2.jpg) +![image](https://imgur.com/MdlAnvu.png) -## Quark Script: CWE-94.py +## CWE-94 Detection Process Using Quark Script API + +Let's use the above APIs to show how the Quark script finds this vulnerability. -Let\'s use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule ``loadExternalCode.json`` to spot on behavior using the method ``createPackageContext``. Then, we find the caller method that calls the ``createPackageContext``. Finally, we check if the method ``checkSignatures`` is called in the caller method for verification. -First, we design a detection rule `loadExternalCode.json` to spot on -behavior using the method `createPackageContext`. Then, we find the -caller method that calls the `createPackageContext`. Finally, we check -if the method `checkSignatures` is called in the caller method for -verification. 
+![image](https://imgur.com/6cPBMWP.jpg) + +## Quark Script: CWE-94.py -``` python +![image](https://imgur.com/Aw26Lv2.jpg) + +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" RULE_PATH = "loadExternalCode.json" targetMethod = [ - "Landroid/content/pm/PackageManager;", - "checkSignatures", - "(Ljava/lang/String;Ljava/lang/String;)I" - ] + "Landroid/content/pm/PackageManager;", + "checkSignatures", + "(Ljava/lang/String;Ljava/lang/String;)I" + ] ruleInstance = Rule(RULE_PATH) quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) @@ -48,10 +46,10 @@ quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) for ldExternalCode in quarkResult.behaviorOccurList: callerMethod = [ - ldExternalCode.methodCaller.className, - ldExternalCode.methodCaller.methodName, - ldExternalCode.methodCaller.descriptor - ] + ldExternalCode.methodCaller.className, + ldExternalCode.methodCaller.methodName, + ldExternalCode.methodCaller.descriptor + ] if not quarkResult.findMethodInCaller(callerMethod, targetMethod): print(f"Method: {targetMethod[1]} not found!") @@ -60,7 +58,9 @@ for ldExternalCode in quarkResult.behaviorOccurList: ## Quark Rule: loadExternalCode.json -``` json +![image](https://imgur.com/IHENeJx.jpg) + +```json { "crime": "Load external code from other APK.", "permission": [], @@ -83,7 +83,7 @@ for ldExternalCode in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +```TEXT $ python3 CWE-94.py Method: checkSignatures not found! CWE-94 is detected in ovaa.apk From f18588b704fcb484081a43b8dd3668ad0f1480b7 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:13:04 +0800 Subject: [PATCH 05/10] Optimize the document of Quark Script CWE-20 --- CWE-20/README.md | 42 ++++++++++++++++++++---------------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/CWE-20/README.md b/CWE-20/README.md index 9d9e8f4..a12e676 100644 --- a/CWE-20/README.md 
+++ b/CWE-20/README.md 
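Review bot: in PATCH 04/10 the `targetMethod` and `callerMethod` list literals in the Python block are removed and re-added with the same content (for example `"Landroid/content/pm/PackageManager;"`, `"checkSignatures"`), which looks like a whitespace-only re-indent; either drop that churn from a documentation commit or mention it in the commit message so reviewers do not search for a semantic change. Wording: "to spot on behavior using the method ``createPackageContext``" should be "to spot behavior that uses the method ``createPackageContext``".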
@@ -1,38 +1,34 @@ # Detect CWE-20 in Android Application +This scenario seeks to find **Improper Input Validation** in the APK file. -This scenario seeks to find **Improper Input Validation** in the APK -file. - -## CWE-20 Improper Input Validation +## CWE-20: Improper Input Validation We analyze the definition of CWE-20 and identify its characteristics. -See [CWE-20](https://cwe.mitre.org/data/definitions/20.html) for more -details. +See [CWE-20](https://cwe.mitre.org/data/definitions/20.html) for more details. -![image](https://imgur.com/21CzFUq.jpg) +![image](https://imgur.com/eO8fepu.jpg) ## Code of CWE-20 in diva.apk -We use the [diva.apk](https://github.com/payatu/diva-android) sample to -explain the vulnerability code of CWE-20. +We use the [diva.apk](https://github.com/payatu/diva-android) sample to explain the vulnerability code of CWE-20. -![image](https://imgur.com/kRIuEHd.jpg) +![image](https://imgur.com/nsuXYGU.jpg) -## Quark Script CWE-20.py +## CWE-20 Detection Process Using Quark Script API + +![image](https://imgur.com/C7zmwLm.jpg) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule ``openUrlThatUserInput.json``, to spot the behavior of opening the URL that the user inputs. Then, we use API ``behaviorInstance.getMethodsInArgs()`` to get a list of methods that the URL in ``loadUrl`` passes through. Finally, we check if any validation method is in the list. If No, the APK does not validate user input. That causes CWE-20 vulnerability. -First, we design a detection rule `openUrlThatUserInput.json`, to spot -the behavior of opening the URL that the user inputs. Then, we use API -`behaviorInstance.getMethodsInArgs()` to get a list of methods that the -URL in `loadUrl` passes through. Finally, we check if any validation -method is in the list. If No, the APK does not validate user input. 
That -causes CWE-20 vulnerability. +## Quark Script CWE-20.py + +![image](https://imgur.com/bwPqc4K.jpg) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "diva.apk" @@ -54,7 +50,9 @@ for openUrl in result.behaviorOccurList: ## Quark Rule: openUrlThatUserInput.json -``` json +![image](https://imgur.com/k4WT8Fb.jpg) + +```json { "crime": "Open the Url that user input", "permission": [], @@ -77,7 +75,7 @@ for openUrl in result.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python CWE-20.py CWE-20 is detected in method, Ljakhar/aseem/diva/InputValidation2URISchemeActivity; get (Landroid/view/View;)V ``` From 2f5d2ac18344215bc39b3de71c9b1a7eeb4caae2 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:16:24 +0800 Subject: [PATCH 06/10] Set Ubuntu version in testQuarkScript.yml to 22.04 change runs-on: ubuntu-latest to runs-on: ubuntu-22.04 --- .github/workflows/testQuarkScript.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/testQuarkScript.yml b/.github/workflows/testQuarkScript.yml index c97a567..605aaab 100644 --- a/.github/workflows/testQuarkScript.yml +++ b/.github/workflows/testQuarkScript.yml @@ -9,7 +9,7 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: From 0718ea2b55aa6165b0e119a03be1fb6da0ee51d3 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:37:22 +0800 Subject: [PATCH 07/10] Delete CWE-312/agent.js --- CWE-312/agent.js | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 CWE-312/agent.js diff --git a/CWE-312/agent.js b/CWE-312/agent.js deleted file mode 100644 index e69de29..0000000 From 08477deb817c6c4d02aefe178f3ab825ff233958 Mon Sep 17 00:00:00 2001 
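Review bot: the result block in PATCH 05/10 shows `$ python CWE-20.py` while every other README in the series uses `python3`; align it. In PATCH 06/10 the runner is pinned to `ubuntu-22.04`, but the commit message only restates the diff; record what failed on `ubuntu-latest` so the pin can be lifted later. PATCH 07/10 deletes CWE-312/agent.js whose index `e69de29` is the empty blob, so no content is lost, but the CWE-312 README keeps its "## Frida Script: agent.js" section and the workflow line that copies `CWE-*/*.js` is only neutralised in the following patch; the two should land together.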
From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:42:54 +0800 Subject: [PATCH 08/10] Update testQuarkScript.yml Set line to comment mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ --- .github/workflows/testQuarkScript.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/testQuarkScript.yml b/.github/workflows/testQuarkScript.yml index 605aaab..ee80972 100644 --- a/.github/workflows/testQuarkScript.yml +++ b/.github/workflows/testQuarkScript.yml @@ -57,7 +57,7 @@ jobs: git clone "https://github.com/quark-engine/apk-samples.git" mv -vn $GITHUB_WORKSPACE/CWE-*/CWE-*.py test_ground/ mv -vn $GITHUB_WORKSPACE/CWE-*/*.json test_ground/ - mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ + # mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ mv -vn ./apk-samples/vulnerable-samples/*.apk test_ground/ From 12767bd8a7fe7a1ea169d1aa7c7bb17911235d40 Mon Sep 17 00:00:00 2001 From: ZhiH Date: Tue, 21 Jan 2025 13:27:54 +0800 Subject: [PATCH 09/10] Revert "Optimize the document of Quark Script CWE-312" This reverts commit 67d628e102b55ea168c7d399e280990659e20c7c. --- CWE-312/README.md | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/CWE-312/README.md b/CWE-312/README.md index 36e00e2..534b7fa 100644 --- a/CWE-312/README.md +++ b/CWE-312/README.md 
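Review bot: in PATCH 08/10, commenting out `mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/` rather than deleting it leaves dead configuration in the workflow; since PATCH 07/10 removed the only .js file, delete the line (git history keeps it). The commit message "Set line to comment" should also give the reason, presumably that the glob no longer matches anything after that deletion.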
@@ -1,36 +1,37 @@ # Detect CWE-312 in Android Application -This scenario seeks to find **cleartext storage of sensitive data** in the APK file. -## CWE-312: Cleartext Storage of Sensitive Information +This scenario seeks to find **cleartext storage of sensitive data** in +the APK file. + +## CWE-312 Cleartext Storage of Sensitive Information We analyze the definition of CWE-312 and identify its characteristics. -See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more details. +See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more +details. -![image](https://imgur.com/mD2uXUy.jpg) +![image](https://i.imgur.com/cy2EiZx.jpg) ## Code of CWE-312 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-312. - -![image](https://imgur.com/MfnYIYy.jpg) - -## CWE-312 Detection Process Using Quark Script API - -Let’s use the above APIs to show how the Quark script finds this vulnerability. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to +explain the vulnerability code of CWE-312. -We have designed a [Frida](https://frida.re/) script ``agent.js`` to hook a specified method and get the arguments when the method is called. It can be found in [quark-engine/quark/script/frida](https://github.com/quark-engine/quark-engine/tree/master/quark/script/frida). - -To begin with, we hook the method ``putString`` to catch its arguments. Then, we check if sensitive information like email or password is passed. Finally, we use ``checkClearText`` imported from [Ares](https://github.com/bee-san/Ares) to check if the arguments are cleartext. If both **YES**, CWE-312 vulnerability might be caused. +![image](https://i.imgur.com/KsFsxTu.jpg) -![image](https://imgur.com/eNjm3ES.jpg) +## Quark Script CWE-312.py -## Quark Script: CWE-312.py +Let\'s use the above APIs to show how the Quark script finds this +vulnerability. 
-![image](https://imgur.com/rxMPZX8.jpg) +First, we designed a [Frida](https://frida.re) script `agent.js` to hook +the target method and get the arguments when the target method is +called. Then we hook the method `putString` to catch its arguments. +Finally, we use [Ares](https://github.com/bee-san/Ares) to check if +the arguments are encrypted. -```python +``` python from quark.script.frida import runFridaHook from quark.script.ares import checkClearText @@ -61,7 +62,7 @@ for putString in fridaResult.behaviorOccurList: ## Frida Script: agent.js -```javascript +``` javascript // -*- coding: utf-8 -*- // This file is part of Quark-Engine - https://github.com/quark-engine/quark-engine // See the file 'LICENSE' for copying permission. @@ -124,7 +125,7 @@ rpc.exports["watchMethodCall"] = (classAndMethodName, methodParamTypes) => watch ## Quark Script Result -```TEXT +``` TEXT $ python3 CWE-312.py The CWE-312 vulnerability is found. The cleartext is "test@email.com" The CWE-312 vulnerability is found. The cleartext is "password" From eba7e841e1cbc2689e52d265178dbea13377207b Mon Sep 17 00:00:00 2001 From: ZhiH Date: Tue, 21 Jan 2025 13:28:05 +0800 Subject: [PATCH 10/10] Revert "Optimize the document of Quark Script CWE-798" This reverts commit 41e67f5cc5b797533686a4f82e64fba4d7a2efa0. --- CWE-798/README.md | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/CWE-798/README.md b/CWE-798/README.md index d227fca..f16abee 100644 --- a/CWE-798/README.md +++ b/CWE-798/README.md 
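Review bot: this revert in PATCH 09/10 restores "we use Ares to check if the arguments are encrypted", while the script in the same hunk imports `checkClearText`; the replaced wording ("check if the arguments are cleartext") was the accurate one. It also drops the note that agent.js lives in quark-engine/quark/script/frida, yet PATCH 07/10, which is not reverted, deleted CWE-312/agent.js, so after this series the README refers to a script the directory no longer contains. If the new imgur images were the problem, revert only the image lines.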
@@ -1,35 +1,36 @@ # Detect CWE-798 in Android Application -This scenario seeks to find **hard-coded credentials** in the APK file. +This scenario seeks to find hard-coded credentials in the APK file. -## CWE-798: Use of Hard-coded Credentials +## CWE-798 Use of Hard-coded Credentials We analyze the definition of CWE-798 and identify its characteristics. -See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more details. +See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more +details. -![image](https://imgur.com/rF8J8hE.png) +![image](https://i.imgur.com/0G9APpf.jpg) ## Code of CWE-798 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-798. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to +explain the vulnerability code of CWE-798. -![image](https://imgur.com/Cg7DacP.png) - - -## CWE-798 Detection Process Using Quark Script API - -![image](https://imgur.com/R8CfDqD.png) - -Let’s use the above APIs to show how the Quark script finds this vulnerability. - -First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior using the constructor ``SecretKeySpec``. Second, we get all the parameter values from this constructor. Then, we parse the AES key from the parameter values. Finally, we check if the AES key is hardcoded in the APK file. If the answer is **YES**, BINGO!!! We find hard-coded credentials in the APK file. +![image](https://i.imgur.com/ikaJlDW.jpg) ## Quark Script: CWE-798.py -![image](https://imgur.com/IOyrqDc.png) +Let\'s use the above APIs to show how the Quark script finds this +vulnerability. + +First, we design a detection rule `findSecretKeySpec.json` to spot on +behavior using the method `SecretKeySpec`. Then, we get all the +parameter values that are input to this method. And we parse the AES key +out of the parameter values. Finally, we check if the AES key is +hardcoded in the APK file. 
If the answer is YES, BINGO!!! We find +hard-coded credentials in the APK file. -```python +``` python import re from quark.script import runQuarkAnalysis, Rule @@ -53,9 +54,7 @@ for secretKeySpec in quarkResult.behaviorOccurList: ## Quark Rule: findSecretKeySpec.json -![image](https://imgur.com/2BYOE70.png) - -```json +``` json { "crime": "Detect APK using SecretKeySpec.", "permission": [], @@ -78,7 +77,8 @@ for secretKeySpec in quarkResult.behaviorOccurList: ## Quark Script Result -```TEXT -$ python3 CWE-798.py +``` TEXT +$ python3 findSecretKeySpec.py + Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f ```
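Review bot: this revert in PATCH 10/10 reinstates `$ python3 findSecretKeySpec.py` in the result block, but findSecretKeySpec.json is the rule and the script heading says CWE-798.py; keep the corrected `$ python3 CWE-798.py` from PATCH 02/10. Carrying both a change and its full revert in one series leaves only noise in history; squash or drop PATCH 01/10, 02/10, 09/10 and 10/10 before merging.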