Commit d9ad85e

Optimize the document of Quark Script CWE-921 (#723)
1 parent e36feec commit d9ad85e

1 file changed

+23
-10
lines changed

docs/source/quark_script.rst

Lines changed: 23 additions & 10 deletions
@@ -584,32 +584,41 @@ Quark Script Result
584584
585585
586586
Detect CWE-921 in Android Application
587-
----------------------------------------------------
587+
--------------------------------------
588588

589589
This scenario seeks to find the **unsecured storage mechanism of sensitive data** in the APK file.
590590

591-
CWE-921 Storage of Sensitive Data in a Mechanism without Access Control
591+
CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
592592
========================================================================
593593

594594
We analyze the definition of CWE-921 and identify its characteristics.
595595

596596
See `CWE-921 <https://cwe.mitre.org/data/definitions/921.html>`_ for more details.
597597

598-
.. image:: https://imgur.com/ihtjGAu.jpg
598+
.. image:: https://imgur.com/2zlPLHe.jpg
599+
599600

600601
Code of CWE-921 in ovaa.apk
601-
=========================================
602+
============================
603+
602604
We use the `ovaa.apk <https://github.com/oversecured/ovaa>`_ sample to explain the vulnerability code of CWE-921.
603605

604-
.. image:: https://imgur.com/ACzJct8.jpg
606+
.. image:: https://imgur.com/2u5iL1K.jpg
605607

606-
Quark Script: CWE-921.py
607-
=========================
608+
CWE-921 Detection Process Using Quark Script API
609+
=================================================
610+
611+
.. image:: https://imgur.com/qHOMqKy.jpg
608612

609613
Let’s use the above APIs to show how the Quark script finds this vulnerability.
610614

611615
First, we design a detection rule ``checkFileExistence.json`` to spot on behavior that checks if a file exists on a given storage mechanism. Then, we use API ``methodInstance.getArguments()`` to get the file path. Finally, CWE-921 is found if the file path contains the keyword ``sdcard``.
612616

617+
Quark Script: CWE-921.py
618+
========================
619+
620+
.. image:: https://imgur.com/HULgyIy.jpg
621+
613622
.. code-block:: python
614623
615624
from quark.script import runQuarkAnalysis, Rule
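
Review bot: the detection paragraph at new line 615 states that CWE-921 is found if the file path contains the keyword ``sdcard``, but the document never says what this check misses. As described, the script looks only at the value returned by ``methodInstance.getArguments()``, so a file path that reaches external storage without the literal ``sdcard`` in that argument would not be reported. A one-sentence note on that limit would keep readers from treating a clean result as proof of absence. In the same sentence, "to spot on behavior that checks" reads better as "to spot behavior that checks".
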
@@ -626,9 +635,11 @@ First, we design a detection rule ``checkFileExistence.json`` to spot on behavio
626635
print(f"This file is stored inside the SDcard\n")
627636
print(f"CWE-921 is detected in {SAMPLE_PATH}.")
628637
629-
630638
Quark Rule: checkFileExistence.json
631-
======================================
639+
====================================
640+
641+
.. image:: https://imgur.com/zRiYLtS.jpg
642+
632643
.. code-block:: json
633644
634645
{
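
Review bot: the ``.. image:: https://imgur.com/zRiYLtS.jpg`` directive added at new line 641 has no ``:alt:`` option, and the same holds for the other image directives this commit adds or replaces in the previous hunk. An ``:alt:`` line under each would keep the section understandable when the externally hosted image fails to load. Separately, at line 635 ``print(f"This file is stored inside the SDcard\n")`` has no placeholders, so the ``f`` prefix can be dropped.
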
@@ -651,7 +662,8 @@ Quark Rule: checkFileExistence.json
651662
}
652663
653664
Quark Script Result
654-
=====================
665+
====================
666+
655667
.. code-block:: TEXT
656668
657669
$ python3 CWE-921.py
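
Review bot: ``.. code-block:: TEXT`` at line 667 is the only uppercase language name among the directives visible in this diff (``python`` and ``json`` are lowercase). Suggest ``.. code-block:: text`` for consistency while this section is being touched.
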
@@ -661,6 +673,7 @@ Quark Script Result
661673
662674
663675
676+
664677
Detect CWE-312 in Android Application
665678
--------------------------------------
666679
