Optimize the CWE-921 and CWE-89 document (#617)

* Update quark_script.rst * Update quark_script.rst * Update quark_script.rst * Update quark_script.rst * Update quark_script.rst * Update quark_script.rst * Update quark_script.rst * Update quark_script.rst * Update quark_script.rst * Update quark_script.rst
quark-engine · Mar 14, 2024 · 7f44023 · 7f44023
1 parent 39a6cb0
commit 7f44023
Showing 1 changed file with 60 additions and 22 deletions.
diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst
@@ -564,17 +564,33 @@ Quark Script Result
     CWE-94 is detected in ovaa.apk
 
 
-Detect CWE-921 in Android Application (ovaa.apk)
-------------------------------------------------
 
-This scenario seeks to find unsecure storage mechanism of data in the APK file. See `CWE-921 <https://cwe.mitre.org/data/definitions/921.html>`_ for more details.
+Detect CWE-921 in Android Application
+----------------------------------------------------
 
-Let's use this `APK <https://github.com/oversecured/ovaa>`_ and the above APIs to show how Quark script find this vulnerability.
+This scenario seeks to find the **unsecured storage mechanism of sensitive data** in the APK file.
 
-First, we design a detection rule ``checkFileExistence.json`` to spot on behavior that checks if a file exist on given storage mechanism. Then, we use API ``behaviorInstance.getParamValues()`` to get the file path. Finally, CWE-921 is found if the file path contains keyword ``sdcard``.
+CWE-921 Storage of Sensitive Data in a Mechanism without Access Control
+========================================================================
 
-Quark Script CWE-921.py
-========================
+We analyze the definition of CWE-921 and identify its characteristics.
+
+See `CWE-921 <https://cwe.mitre.org/data/definitions/921.html>`_ for more details.
+
+.. image:: https://imgur.com/ihtjGAu.jpg
+
+Code of CWE-921 in ovaa.apk
+=========================================
+We use the `ovaa.apk <https://github.com/oversecured/ovaa>`_ sample to explain the vulnerability code of CWE-921.
+
+.. image:: https://imgur.com/ACzJct8.jpg
+
+Quark Scipt: CWE-921.py
+=========================
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
+
+First, we design a detection rule ``checkFileExistence.json`` to spot on behavior that checks if a file exists on a given storage mechanism. Then, we use API ``behaviorInstance.getParamValues()`` to get the file path. Finally, CWE-921 is found if the file path contains the keyword ``sdcard``.
 
 .. code-block:: python
 
@@ -592,9 +608,9 @@ Quark Script CWE-921.py
             print(f"This file is stored inside the SDcard\n")
             print(f"CWE-921 is detected in {SAMPLE_PATH}.")
 
-Quark Rule: checkFileExistence.json
-===================================
 
+Quark Rule: checkFileExistence.json
+======================================
 .. code-block:: json
 
     {
@@ -617,16 +633,16 @@ Quark Rule: checkFileExistence.json
     }
 
 Quark Script Result
-====================
-
+=====================
 .. code-block:: TEXT
 
-    $ python3 CWE-921.py 
+    $ python3 CWE-921.py
     This file is stored inside the SDcard
 
     CWE-921 is detected in ovaa.apk.
 
 
+
 Detect CWE-312 in Android Application
 ----------------------------------------------------
 
@@ -760,17 +776,37 @@ Quark Script Result
     The CWE-312 vulnerability is found. The cleartext is "password"
 
 
-Detect CWE-89 in Android Application (AndroGoat.apk)
-----------------------------------------------------
+Detect CWE-89 in Android Application 
+----------------------------------------
 
-This scenario seeks to find SQL injection in the APK file. See `CWE-89 <https://cwe.mitre.org/data/definitions/89.html>`_ for more details.
+This scenario seeks to find **SQL injection** in the APK file.
 
-Let's use this `APK <https://github.com/satishpatnayak/AndroGoat>`_ and the above APIs to show how Quark script find this vulnerability.
+CWE-89 Improper Neutralization of Special Elements used in an SQL Command
+============================================================================
 
-First, we design a detection rule ``executeSQLCommand.json`` to spot on behavior using SQL command Execution. Then, we use API ``behaviorInstance.isArgFromMethod(targetMethod)`` to check if ``append`` use the value of ``getText`` as the argument. If yes, we confirmed that the SQL command string is built from user input, which will cause CWE-89 vulnerability.
 
-Quark Script CWE-89.py
-======================
+We analyze the definition of CWE-89 and identify its characteristics.
+
+See `CWE-89 <https://cwe.mitre.org/data/definitions/89.html>`_ for more details.
+
+.. image:: https://i.imgur.com/iJ1yIBb.jpg
+
+
+Code of CWE-89 in androgoat.apk
+=========================================
+
+We use the `androgoat.apk <https://github.com/satishpatnayak/AndroGoat>`_ sample to explain the vulnerability code of CWE-89.
+
+.. image:: https://i.imgur.com/bdQqWFb.jpg
+
+
+
+Quark Scipt: CWE-89.py
+========================
+
+Let's use the above APIs to show how the Quark script finds this vulnerability.
+
+First, we design a detection rule ``executeSQLCommand.json`` to spot on behavior using SQL command Execution. Then, we use API ``behaviorInstance.isArgFromMethod(targetMethod)`` to check if ``append`` uses the value of ``getText`` as the argument. If yes, we confirmed that the SQL command string is built from user input, which will cause CWE-89 vulnerability. 
 
 .. code-block:: python
 
@@ -794,8 +830,9 @@ Quark Script CWE-89.py
         ):
             print(f"CWE-89 is detected in {SAMPLE_PATH}")
 
+
 Quark Rule: executeSQLCommand.json
-==================================
+====================================
 
 .. code-block:: json
 
@@ -818,10 +855,11 @@ Quark Rule: executeSQLCommand.json
         "label": []
     }
 
+
 Quark Script Result
-====================
+=====================
 
-.. code-block:: TEXT
+.. code-block:: text
 
     $ python3 CWE-89.py