Add quark script case for CWE-295 #446

Closed
PoJenC opened this issue Dec 30, 2022 · 0 comments · Fixed by #447
PoJenC commented Dec 30, 2022

Detect CWE-295 in Android Application (InsecureShop.apk)

This scenario seeks to find Improper Certificate Validation. See CWE-295 for more details.

Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

We use the API findMethodInAPK to locate all SslErrorHandler.proceed methods. Then we need to identify whether the method WebViewClient.onReceivedSslError is overridden by its subclass.

First, we check and make sure that the MethodInstance.name is onReceivedSslError, and the MethodInstance.descriptor is (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V.

Then we use the method API MethodInstance.findSuperclassHierarchy to get the superclass list of the method's caller class.

Finally, we check whether Landroid/webkit/WebViewClient; is on the superclass list. If YES, that may cause a CWE-295 vulnerability.

API Spec

MethodInstance.findSuperclassHierarchy()

  • Description: Find the superclass hierarchy of this method object.
  • params: None
  • Return: Python list containing all superclass names of this method's class.

Quark Script CWE-295.py

from quark.script import findMethodInAPK

SAMPLE_PATH = "insecureShop.apk"
TARGET_METHOD = [
    "Landroid/webkit/SslErrorHandler;",  # class name
    "proceed",                          # method name
    "()V"                               # descriptor
]
OVERRIDE_METHOD = [
    "Landroid/webkit/WebViewClient;",  # class name
    "onReceivedSslError",              # method name
    # descriptor
    "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V"
]

for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
    if (sslProceedCaller.name == OVERRIDE_METHOD[1] and
       sslProceedCaller.descriptor == OVERRIDE_METHOD[2] and
       OVERRIDE_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()):
        print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")

Quark Script Result

$python3 CWE-295.py
Requested API level 29 is larger than maximum we have, returning API level 28 instead.
CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
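The rule the script above applies (an onReceivedSslError override on a WebViewClient subclass that reaches SslErrorHandler.proceed) can be exercised without an APK. The following is an added example, not code from the issue or from the quark-engine project: it replaces findMethodInAPK and MethodInstance with a constructed in-memory class table and a minimal MethodInstance stand-in whose attribute names (name, descriptor, fullName, findSuperclassHierarchy) are assumed to match the Quark API, and it also covers an indirect subclass, which the hierarchy walk still reports.

```python
# Added example: mirrors the CWE-295 Quark script's rule on a constructed model
# so it runs offline. Class names other than the one reported in the issue are
# constructed samples, not real InsecureShop classes.
from dataclasses import dataclass

# Constructed class table: class -> direct superclass (None for java.lang.Object).
CLASS_TABLE = {
    "Landroid/webkit/WebViewClient;": "Ljava/lang/Object;",
    "Lcom/insecureshop/util/CustomWebViewClient;": "Landroid/webkit/WebViewClient;",
    "Lcom/example/BaseClient;": "Landroid/webkit/WebViewClient;",
    "Lcom/example/DerivedClient;": "Lcom/example/BaseClient;",
    "Lcom/example/Unrelated;": "Ljava/lang/Object;",
    "Ljava/lang/Object;": None,
}

ON_RECEIVED_SSL_ERROR_DESC = (
    "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V"
)


@dataclass
class MethodInstance:
    """Minimal stand-in for quark.script.MethodInstance (attribute names assumed)."""
    class_name: str
    name: str
    descriptor: str

    @property
    def fullName(self) -> str:
        # Same "class name descriptor" layout as the issue's printed result.
        return f"{self.class_name} {self.name} {self.descriptor}"

    def findSuperclassHierarchy(self) -> list:
        """Walk CLASS_TABLE upward and return every ancestor class name."""
        hierarchy = []
        current = CLASS_TABLE.get(self.class_name)
        while current is not None:
            hierarchy.append(current)
            current = CLASS_TABLE.get(current)
        return hierarchy


def detect_cwe295(ssl_proceed_callers) -> list:
    """Report a caller of SslErrorHandler.proceed when it is an onReceivedSslError
    override (name and descriptor) on a class that inherits from WebViewClient."""
    findings = []
    for caller in ssl_proceed_callers:
        if (caller.name == "onReceivedSslError"
                and caller.descriptor == ON_RECEIVED_SSL_ERROR_DESC
                and "Landroid/webkit/WebViewClient;" in caller.findSuperclassHierarchy()):
            findings.append(caller.fullName)
    return findings


# Constructed stand-in for findMethodInAPK(SAMPLE_PATH, TARGET_METHOD): every
# method that invokes SslErrorHandler.proceed().
SAMPLE_CALLERS = [
    # The override the issue reports in InsecureShop.
    MethodInstance("Lcom/insecureshop/util/CustomWebViewClient;",
                   "onReceivedSslError", ON_RECEIVED_SSL_ERROR_DESC),
    # Indirect subclass of WebViewClient: still reported.
    MethodInstance("Lcom/example/DerivedClient;",
                   "onReceivedSslError", ON_RECEIVED_SSL_ERROR_DESC),
    # Same name and descriptor, but not a WebViewClient: not reported by this rule.
    MethodInstance("Lcom/example/Unrelated;",
                   "onReceivedSslError", ON_RECEIVED_SSL_ERROR_DESC),
    # proceed() reached from a helper rather than the override: not reported by this rule.
    MethodInstance("Lcom/example/DerivedClient;",
                   "forceProceed", "(Landroid/webkit/SslErrorHandler;)V"),
]

if __name__ == "__main__":
    for full_name in detect_cwe295(SAMPLE_CALLERS):
        print(f"CWE-295 is detected in method, {full_name}")
```

The last two sample entries show the limits of the rule as written: a class that does not descend from WebViewClient is ignored even with a matching signature, and a proceed() call made from a helper method that the override delegates to is not caught by a name-and-descriptor match on the direct caller.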