From e9e7e00e1763b625388439feffeaf3c02343bec6 Mon Sep 17 00:00:00 2001
From: ZhiH
Date: Mon, 11 Aug 2025 11:08:55 +0800
Subject: [PATCH 1/2] Optimize the document of Quark Script CWE-73, 79, and 88
---
 CWE-73/CWE-73.py | 4 +-
 CWE-73/README.md | 60 ++++++++++----------
 CWE-73/accessFileInExternalDir.json | 9 ++-
 CWE-79/CWE-79.py | 2 +-
 CWE-79/README.md | 45 ++++++++-------
 CWE-88/CWE-88.py | 3 +-
 CWE-88/README.md | 87 +++++++++++++++--------
 7 files changed, 103 insertions(+), 107 deletions(-)
diff --git a/CWE-73/CWE-73.py b/CWE-73/CWE-73.py
index c245da7..20c7473 100644
--- a/CWE-73/CWE-73.py
+++ b/CWE-73/CWE-73.py
@@ -1,7 +1,7 @@
 from quark.script import runQuarkAnalysis, Rule
 SAMPLE_PATH = "ovaa.apk"
-RULE_PATH = "accessFileInExternalDir.json"
+RULE_PATH = "useLastPathSegmentAsFileName.json"
 OPEN_FILE_API = [
     "Landroid/os/ParcelFileDescriptor;", # Class name
@@ -22,4 +22,4 @@ result = quarkResult.findMethodInCaller(caller, OPEN_FILE_API)
 if result:
-    print("CWE-73 is detected in method, ", caller.fullName)
\ No newline at end of file
+    print("CWE-73 is detected in method, ", caller.fullName)
diff --git a/CWE-73/README.md b/CWE-73/README.md
index 7aa6052..22beb2e 100644
--- a/CWE-73/README.md
+++ b/CWE-73/README.md
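Review bot: At this commit CWE-73.py cannot open its rule: the new `RULE_PATH = "useLastPathSegmentAsFileName.json"` names a file that only comes into existence with the rename in PATCH 2/2, and the accessFileInExternalDir.json hunk in the same patch rewrites the rule body under the old file name. Reordering the series so the rename lands first, or squashing the two patches, keeps each commit runnable on its own. The loop variable `accessExternalDir` visible in the README hunk's context no longer describes what the rule matches (a `Uri.getLastPathSegment` result reaching a `File`), so renaming it, and its uses, to match the new rule name would keep the script and rule consistent; that line lies outside this hunk.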
@@ -1,48 +1,42 @@ -# Detect CWE-73 in Android Application +# Detect CWE-73 in Android Application -This scenario seeks to find **External Control of File Name or Path** in -the APK file. +This scenario seeks to find **External Control of File Name or Path** in the APK file. ## CWE-73 External Control of File Name or Path We analyze the definition of CWE-73 and identify its characteristics. -See [CWE-73](https://cwe.mitre.org/data/definitions/73.html) for more -details. +See [CWE-73](https://cwe.mitre.org/data/definitions/73.html) for more details. -![image](https://imgur.com/ES7xg5X.png) +![image](https://imgur.com/I1C5yku.png) ## Code of CWE-73 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-73. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-73. -![image](https://imgur.com/9oa1HIC.png) +![image](https://imgur.com/gLJ6zWr.png) -## Quark Script: CWE-73.py +## CWE-73 Detection Process Using Quark Script API + +![image](https://imgur.com/zGjZHA1.png) -Let's use the above APIs to show how Quark script find this -vulnerability. +Let’s use the above APIs to show how Quark script finds this vulnerability. -First, we design a detection rule `accessFileInExternalDir.json` to spot -behavior accessing a file in an external directory. +First, we design a detection rule ``useLastPathSegmentAsFileName.json`` to spot behavior that uses the last path segment as the file name. -Second, we use API `methodInstance.getArguments()` to get the argument -for the file path and use `quarkResultInstance.isHardcoded(argument)` to -check if the argument is hardcoded into the APK. If **No**, the argument -is from external input. +Second, we use the API ``methodInstance.getArguments()`` to get the argument for the file path and use ``quarkResultInstance.isHardcoded(argument)`` to check if the argument is hardcoded into the APK. 
If **No**, the argument is from external input. -Finally, we use Quark API -`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to -check if any APIs in the caller method for opening files. If **YES**, -the APK performs file operations using external input as a path, which -may cause CWE-73 vulnerability. +Finally, we use Quark API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to check if there are any APIs in the caller method for opening files. If **YES**, the APK performs file operations using external input as a path, which may cause CWE-73 vulnerability. + +## Quark Script: CWE-73.py -``` python +![image](https://imgur.com/EHrcCPg.png) + +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" -RULE_PATH = "accessFileInExternalDir.json" +RULE_PATH = "useLastPathSegmentAsFileName.json" OPEN_FILE_API = [ "Landroid/os/ParcelFileDescriptor;", # Class name @@ -66,17 +60,19 @@ for accessExternalDir in quarkResult.behaviorOccurList: print("CWE-73 is detected in method, ", caller.fullName) ``` -## Quark Rule: accessFileInExternalDir.json +## Quark Rule: useLastPathSegmentAsFileName.json + +![image](https://imgur.com/JxBdde0.png) -``` json +```json { - "crime": "Access a file in an external directory", + "crime": "Use the last path segment as the file name", "permission": [], "api": [ { - "class": "Landroid/os/Environment;", - "method": "getExternalStorageDirectory", - "descriptor": "()Ljava/io/File;" + "class": "Landroid/net/Uri;", + "method": "getLastPathSegment", + "descriptor": "()Ljava/lang/String;" }, { "class": "Ljava/io/File;", @@ -91,7 +87,7 @@ for accessExternalDir in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python CWE-73.py CWE-73 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor; ``` 
diff --git a/CWE-73/accessFileInExternalDir.json b/CWE-73/accessFileInExternalDir.json
index 5466aa3..f771799 100644
--- a/CWE-73/accessFileInExternalDir.json
+++ b/CWE-73/accessFileInExternalDir.json
@@ -1,11 +1,11 @@
 {
-    "crime": "Access a file in an external directory",
+    "crime": "Use the last path segment as the file name",
     "permission": [],
     "api": [
         {
-            "class": "Landroid/os/Environment;",
-            "method": "getExternalStorageDirectory",
-            "descriptor": "()Ljava/io/File;"
+            "class": "Landroid/net/Uri;",
+            "method": "getLastPathSegment",
+            "descriptor": "()Ljava/lang/String;"
         },
         {
             "class": "Ljava/io/File;",
@@ -16,4 +16,3 @@
     "score": 1,
     "label": []
 }
-
diff --git a/CWE-79/CWE-79.py b/CWE-79/CWE-79.py
index cfa1381..1fdc3f5 100644
--- a/CWE-79/CWE-79.py
+++ b/CWE-79/CWE-79.py
@@ -47,4 +47,4 @@
 ]
 if not XSSFiltersInCaller:
-    print(f"CWE-79 is detected in method, {caller.fullName}")
\ No newline at end of file
+    print(f"CWE-79 is detected in method, {caller.fullName}")
diff --git a/CWE-79/README.md b/CWE-79/README.md
index ed35b3a..2893e35 100644
--- a/CWE-79/README.md
+++ b/CWE-79/README.md
@@ -1,39 +1,36 @@ # Detect CWE-79 in Android Application -This scenario seeks to find **Improper Neutralization of Input During -Web Page Generation ('Cross-site Scripting')** in the APK file. +This scenario seeks to find **Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)** in the APK file. -## CWE-79 Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') +## CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') We analyze the definition of CWE-79 and identify its characteristics. -See [CWE-79](https://cwe.mitre.org/data/definitions/79.html) for more -details. +See [CWE-79](https://cwe.mitre.org/data/definitions/79.html) for more details. -![image](https://imgur.com/jAwgD0x.png) +![image](https://imgur.com/3W1QpU1.png) ## Code of CWE-79 in Vuldroid.apk -We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) -sample to explain the vulnerability code of CWE-79. +We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) sample to explain the vulnerability code of CWE-79. -![image](https://imgur.com/lC6EKun.png) +![image](https://imgur.com/iv3Guwi.png) -## Quark Script CWE-79.py +## CWE-79 Detection Process Using Quark Script API + +![image](https://imgur.com/MpUjFP0.png) -Let's use the above APIs to show how the Quark script finds this -vulnerability. +Let’s use the above APIs to show how the Quark script finds this vulnerability. -First, we design a detection rule `loadUrlFromIntent.json` to spot the -behavior loading URL from intent data to the WebView instance. +First, we design a detection rule ``loadUrlFromIntent.json`` to spot the behavior loading URL from intent data to the WebView instance. -Next, we use API -`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` and -`methodInstance.getArguments()` to check if the Javascript execution is -enabled in the WebView. 
Finally, we check if there are any famous XSS -filters. If NO, that may cause CWE-79 vulnerability. +Next, we use API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` and ``methodInstance.getArguments()`` to check if the Javascript execution is enabled in the WebView. Finally, we check if there are any famous XSS filters. If **NO**, that may cause CWE-79 vulnerability. + +## Quark Script CWE-79.py -``` python +![image](https://imgur.com/NyMpLZW.png) + +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "Vuldroid.apk" @@ -88,7 +85,9 @@ for loadUrl in quarkResult.behaviorOccurList: ## Quark Rule: loadUrlFromIntent.json -``` json +![image](https://imgur.com/m4aa4Jk.png) + +```json { "crime": "Load URL from intent to WebView", "permission": [], @@ -111,7 +110,7 @@ for loadUrl in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +```TEXT $ python CWE-79.py CWE-79 is detected in method, Lcom/vuldroid/application/ForgetPassword; onCreate (Landroid/os/Bundle;)V -``` +``` \ No newline at end of file diff --git a/CWE-88/CWE-88.py b/CWE-88/CWE-88.py index a1ab9f5..6cd08c5 100644 --- a/CWE-88/CWE-88.py +++ b/CWE-88/CWE-88.py @@ -28,4 +28,5 @@ if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter): continue else: - print(f"CWE-88 is detected in method, {caller.fullName}") \ No newline at end of file + print(f"CWE-88 is detected in method, {caller.fullName}") + diff --git a/CWE-88/README.md b/CWE-88/README.md index 2331f19..8e63477 100644 --- a/CWE-88/README.md +++ b/CWE-88/README.md @@ -1,5 +1,4 @@ -# Detect CWE-88 in Android Application - +# Detect CWE-88 in Android Application This scenario seeks to find **Argument Injection** in the APK file. 
@@ -7,72 +6,74 @@ This scenario seeks to find **Argument Injection** in the APK file. We analyze the definition of CWE-88 and identify its characteristics. -See [CWE-88](https://cwe.mitre.org/data/definitions/88.html) for more -details. +See [CWE-88](https://cwe.mitre.org/data/definitions/88.html) for more details. -![image](https://imgur.com/7EBPGUT.png) +![image](https://imgur.com/5vfXkIE.png) ## Code of CWE-88 in vuldroid.apk -We use the [vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) -sample to explain the vulnerability code of CWE-88. +We use the [vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) sample to explain the vulnerability code of CWE-88. -![image](https://imgur.com/emnvGcE.png) +![image](https://imgur.com/recX0t5.png) -## Quark Script: CWE-88.py +## CWE-88 Detection Process Using Quark Script API + +![image](https://imgur.com/s7Ajr6M.png) -Let's use the above APIs to show how the Quark script finds this -vulnerability. +Let‘s use the above APIs to show how the Quark script finds this vulnerability. -First, we design a detection rule `ExternalStringsCommands.json` to spot -on behavior using external strings as commands. +First, we design a detection rule ``ExternalStringsCommands.json`` to spot on behavior using external strings as commands. -Next, we use Quark API `behaviorInstance.getMethodsInArgs()` to get the -methods that passed the external command. +Next, we use Quark API ``behaviorInstance.getMethodsInArgs()`` to get the methods that passed the external command. -Then we check if the method neutralizes any special elements in the -argument. +Then we check if the method neutralizes any special elements in the argument. -If the neutralization is not complete, then it may cause CWE-88 -vulnerability. +If the neutralization is not complete, then it may cause CWE-88 vulnerability. 
+ +## Quark Script: CWE-88.py -``` python +![image](https://imgur.com/f8Yee3P.png) + +```python from quark.script import runQuarkAnalysis, Rule, findMethodInAPK -SAMPLE_PATH = "Vuldroid.apk" -RULE_PATH = "ExternalStringCommand.json" + SAMPLE_PATH = "Vuldroid.apk" + RULE_PATH = "ExternalStringCommand.json" + + STRING_MATCHING_API = set([ + ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"), + ("Ljava/lang/String;", "indexOf", "(I)I"), + ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"), + ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"), + ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;") + ]) -STRING_MATCHING_API = set([ - ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"), - ("Ljava/lang/String;", "indexOf", "(I)I"), - ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"), - ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"), - ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;") -]) + delimeter = "-" -delimeter = "-" + ruleInstance = Rule(RULE_PATH) + quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) -ruleInstance = Rule(RULE_PATH) -quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) + for ExternalStringCommand in quarkResult.behaviorOccurList: -for ExternalStringCommand in quarkResult.behaviorOccurList: + methodCalled = set() + caller = ExternalStringCommand.methodCaller - methodCalled = set() - caller = ExternalStringCommand.methodCaller + for method in ExternalStringCommand.getMethodsInArgs(): + methodCalled.add(method.fullName) - for method in ExternalStringCommand.getMethodsInArgs(): - methodCalled.add(method.fullName) + if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter): + continue + else: + print(f"CWE-88 is detected in method, {caller.fullName}") - if methodCalled.intersection(STRING_MATCHING_API) and not 
ExternalStringCommand.hasString(delimeter): - continue - else: - print(f"CWE-88 is detected in method, {caller.fullName}") ``` ## Quark Rule: ExternalStringCommand.json -``` json +![image](https://imgur.com/s9QNF19.png) + +```json { "crime": "Using external strings as commands", "permission": [], @@ -95,7 +96,7 @@ for ExternalStringCommand in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python3 CWE-88.py CWE-88 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V ``` From 6062182d735c0d93596aa0989f0f9a1eb2c32516 Mon Sep 17 00:00:00 2001 From: ZhiH Date: Mon, 11 Aug 2025 11:25:10 +0800 Subject: [PATCH 2/2] Optimize the document of Quark Script CWE-73, 79, and 88 --- ...ssFileInExternalDir.json => useLastPathSegmentAsFileName.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename CWE-73/{accessFileInExternalDir.json => useLastPathSegmentAsFileName.json} (100%) diff --git a/CWE-73/accessFileInExternalDir.json b/CWE-73/useLastPathSegmentAsFileName.json similarity index 100% rename from CWE-73/accessFileInExternalDir.json rename to CWE-73/useLastPathSegmentAsFileName.json