Optimize the document of Quark Script CWE-798 (#722)

JerryTasi · web-flow · commit e36feec00c58 · 2024-12-11T19:17:18.000+08:00
* Optimize the document of Quark Script CWE-798

* Optimize the document of Quark Script CWE-798

* Optimize the document of Quark Script CWE-798

* Optimize the document of Quark Script CWE-798

* Optimize the document of Quark Script CWE-798
diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst
@@ -399,33 +399,39 @@ Method (callComponentMethod) with urls is detected triggered!
 
 
 Detect CWE-798 in Android Application
-------------------------------------------------
+-------------------------------------------------
 
-This scenario seeks to find hard-coded credentials in the APK file. 
+This scenario seeks to find **hard-coded credentials** in the APK file.
 
-CWE-798 Use of Hard-coded Credentials
-============================================
+CWE-798: Use of Hard-coded Credentials
+======================================
 
 We analyze the definition of CWE-798 and identify its characteristics.
 
-See `CWE-798 <https://cwe.mitre.org/data/definitions/798.html>`_  for more details.
+See `CWE-798 <https://cwe.mitre.org/data/definitions/798.html>`_ for more details.
 
-.. image:: https://i.imgur.com/0G9APpf.jpg
+.. image:: https://imgur.com/rF8J8hE.png
 
 Code of CWE-798 in ovaa.apk
-=========================================
+============================
 
 We use the `ovaa.apk <https://github.com/oversecured/ovaa>`_ sample to explain the vulnerability code of CWE-798.
 
-.. image:: https://i.imgur.com/ikaJlDW.jpg
+.. image:: https://imgur.com/Cg7DacP.png
 
+CWE-798 Detection Process Using Quark Script API
+=================================================
+
+.. image:: https://imgur.com/R8CfDqD.png
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
+
+First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior using the constructor ``SecretKeySpec``. Second, we get all the parameter values from this constructor. Then, we parse the AES key from the parameter values. Finally, we check if the AES key is hardcoded in the APK file. If the answer is **YES**, BINGO!!! We find hard-coded credentials in the APK file.
 
 Quark Script: CWE-798.py
 ========================
 
-Let's use the above APIs to show how the Quark script finds this vulnerability.
-
-First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior using the method ``SecretKeySpec``. Then, we get all the parameter values that are input to this method. And we parse the AES key out of the parameter values. Finally, we check if the AES key is hardcoded in the APK file. If the answer is YES, BINGO!!! We find hard-coded credentials in the APK file.
+.. image:: https://imgur.com/IOyrqDc.png
 
 .. code-block:: python
 
@@ -449,9 +455,10 @@ First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior
             if quarkResult.isHardcoded(AESKey):
                 print(f"Found hard-coded {secondParam} key {AESKey}")
 
-
 Quark Rule: findSecretKeySpec.json
-==================================
+===================================
+
+.. image:: https://imgur.com/2BYOE70.png
 
 .. code-block:: json
 
@@ -474,17 +481,16 @@ Quark Rule: findSecretKeySpec.json
         "label": []
     }
 
-
 Quark Script Result
-=====================
+====================
 
 .. code-block:: TEXT
 
-    $ python3 findSecretKeySpec.py 
-
+    $ python3 CWE-798.py
     Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f
 
 
+
 Detect CWE-94 in Android Application 
 ------------------------------------------------
 
@@ -1048,7 +1054,7 @@ We use the `dvba.apk <https://github.com/rewanthtammana/Damn-Vulnerable-Bank>`_
 
 .. image:: https://imgur.com/THWm2gN.jpg
 
-Quark Scipt: CWE-532.py
+Quark Script: CWE-532.py
 ========================
 
 Let's use the above APIs to show how the Quark script finds this vulnerability.
