Optimize the document of Quark Script CWE-22, 23, and 78 (#56)

Author: JerryTasi

CWE-22/CWE-22.py

@@ -16,17 +16,17 @@
 quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
 
 for accessExternalDir in quarkResult.behaviorOccurList:
+
     filePath = accessExternalDir.secondAPI.getArguments()[2]
 
     if quarkResult.isHardcoded(filePath):
         continue
 
     caller = accessExternalDir.methodCaller
     strMatchingAPIs = [
-        api
-        for api in STRING_MATCHING_API
-        if quarkResult.findMethodInCaller(caller, api)
+        api for api in STRING_MATCHING_API if quarkResult.findMethodInCaller(
+            caller, api)
     ]
 
     if not strMatchingAPIs:
-        print(f"CWE-22 is detected in method, {caller.fullName}")
+        print(f"CWE-22 is detected in method, {caller.fullName}")

CWE-22/README.md

@@ -1,44 +1,38 @@
 # Detect CWE-22 in Android Application
 
-This scenario seeks to find **the improper limitation of a pathname to a
-restricted directory ('Path Traversal')**.
+This scenario seeks to find **the improper limitation of a pathname to a restricted directory ('Path Traversal')**.
 
-## CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\')
+## CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
 
 We analyze the definition of CWE-22 and identify its characteristics.
 
-See [CWE-22](https://cwe.mitre.org/data/definitions/22.html) for more
-details.
+See [CWE-22](https://cwe.mitre.org/data/definitions/22.html) for more details.
 
-![image](https://imgur.com/agRPwp8.png)
+![image](https://imgur.com/XnOUZsV.png)
 
 ## Code of CWE-22 in ovaa.apk
 
-We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
-explain the vulnerability code of CWE-22.
+We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-22.
 
-![image](https://imgur.com/WFpfzFk.png)
+![image](https://imgur.com/bgWgeT7.png)
 
-## Quark Script: CWE-22.py
+## CWE-22 Detection Process Using Quark Script API
+
+![image](https://imgur.com/D852ZLV.png)
+
+Let's use the above APIs to show how the Quark script finds this vulnerability.
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+First, we design a detection rule `accessFileInExternalDir.json` to spot behavior accessing a file in an external directory.
 
-First, we design a detection rule `accessFileInExternalDir.json` to spot
-behavior accessing a file in an external directory.
+Next, we use API `methodInstance.getArguments()` to get the argument for the file path and use `quarkResultInstance.isHardcoded(argument)` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input.
 
-Next, we use API `methodInstance.getArguments()` to get the argument for
-the file path and use `quarkResultInstance.isHardcoded(argument)` to
-check if the argument is hardcoded into the APK. If No, the argument is
-from external input.
+Finally, we use Quark API `quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to check if there are any APIs in the caller method for string matching. If **NO**, the APK does not neutralize special elements within the argument, which may cause CWE-22 vulnerability.
+
+## Quark Script: CWE-22.py
 
-Finally, we use Quark API
-`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to
-check if there are any APIs in the caller method for string matching. If
-NO, the APK does not neutralize special elements within the argument,
-which may cause CWE-22 vulnerability.
+![image](https://imgur.com/4b2e4tN.png)
 
-``` python
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "ovaa.apk"
@@ -57,25 +51,26 @@ ruleInstance = Rule(RULE_PATH)
 quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
 
 for accessExternalDir in quarkResult.behaviorOccurList:
+
     filePath = accessExternalDir.secondAPI.getArguments()[2]
 
     if quarkResult.isHardcoded(filePath):
         continue
 
     caller = accessExternalDir.methodCaller
     strMatchingAPIs = [
-        api
-        for api in STRING_MATCHING_API
-        if quarkResult.findMethodInCaller(caller, api)
+        api for api in STRING_MATCHING_API if quarkResult.findMethodInCaller(
+            caller, api)
     ]
 
     if not strMatchingAPIs:
         print(f"CWE-22 is detected in method, {caller.fullName}")
 ```
-
 ## Quark Rule: accessFileInExternalDir.json
 
-``` json
+![image](https://imgur.com/N2uKsZj.png)
+
+```json
 {
     "crime": "Access a file in an external directory",
     "permission": [],
@@ -98,7 +93,7 @@ for accessExternalDir in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```
 $ python3 CWE-22.py
 CWE-22 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;
-```
+```

CWE-22/accessFileInExternalDir.json

@@ -16,4 +16,3 @@
     "score": 1,
     "label": []
 }
-

CWE-23/CWE-23.py

@@ -35,5 +35,3 @@
 
     if not strMatchingAPIs:
         print(f"CWE-23 is detected in method, {caller.fullName}")
-    elif strMatchingAPIs.find("..") == -1:
-        print(f"CWE-23 is detected in method, {caller.fullName}")

CWE-23/README.md

@@ -1,47 +1,38 @@
 # Detect CWE-23 in Android Application
 
-This scenario aims to demonstrate the detection of the **Relative Path
-Traversal** vulnerability.
+This scenario aims to demonstrate the detection of the **Relative Path Traversal** vulnerability.
 
 ## CWE-23: Relative Path Traversal
 
 We analyze the definition of CWE-23 and identify its characteristics.
 
-See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more
-details.
+See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more details.
 
-![image](https://imgur.com/YS9umQp.png)
+![image](https://imgur.com/k4UPsKO.png)
 
 ## Code of CWE-23 in ovaa.apk
 
-We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
-explain the vulnerability code of CWE-23.
+We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-23.
 
-![image](https://imgur.com/GosANyj.png)
+![image](https://imgur.com/KT277GG.png)
 
-## Quark Script: CWE-23.py
+## CWE-23 Detection Process Using Quark Script API
+
+![image](https://imgur.com/D852ZLV.png)
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+To begin with, we create a detection rule named ``accessFileInExternalDir.json`` to identify behavior that accesses a file in an external directory.
 
-To begin with, we will create a detection rule named
-`accessFileInExternalDir.json` to identify behavior that accesses a file
-in an external directory.
+Next, we use ``methodInstance.getArguments()`` to retrieve the file path argument and check whether it belongs to the APK. If it does not belong to the APK, the argument is likely from external input.
 
-Next, we will use `methodInstance.getArguments()` to retrieve the file
-path argument and check whether it belongs to the APK or not. If it does
-not belong to the APK, the argument is likely from external input.
+Then, we use the Quark Script API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to search for any APIs in the caller method that are used to match strings. If no API is found, that implies the APK does not neutralize special elements within the argument, possibly resulting in CWE-23 vulnerability.
+
+## Quark Script: CWE-23.py
 
-Finally, we will use the Quark API
-`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to
-search for any APIs in the caller method that match the string. If no
-matching API is found, the APK does not neutralize special elements
-within the argument, which may result in the CWE-23 vulnerability. If a
-matching API is found, we will verify whether it neutralizes the
-Relative Path string or not. If it does not neutralize it, the APK may
-still be vulnerable to CWE-23.
+![image](https://imgur.com/lk1C4CX.jpg)
 
-``` python
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "ovaa.apk"
@@ -79,27 +70,27 @@ for accessExternalDir in quarkResult.behaviorOccurList:
 
     if not strMatchingAPIs:
         print(f"CWE-23 is detected in method, {caller.fullName}")
-    elif strMatchingAPIs.find("..") == -1:
-        print(f"CWE-23 is detected in method, {caller.fullName}")
 ```
 
 ## Quark Rule: accessFileInExternalDir.json
 
-``` json
+![image](https://imgur.com/N2uKsZj.png)
+
+```json
 {
     "crime": "Access a file in an external directory",
     "permission": [],
     "api": [
-    {
-        "class": "Landroid/os/Environment;",
-        "method": "getExternalStorageDirectory",
-        "descriptor": "()Ljava/io/File;"
-    },
-    {
-        "class": "Ljava/io/File;",
-        "method": "<init>",
-        "descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
-    }
+        {
+            "class": "Landroid/os/Environment;",
+            "method": "getExternalStorageDirectory",
+            "descriptor": "()Ljava/io/File;"
+        },
+        {
+            "class": "Ljava/io/File;",
+            "method": "<init>",
+            "descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
+        }
     ],
     "score": 1,
     "label": []
@@ -108,7 +99,7 @@ for accessExternalDir in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```
 $ python3 CWE-23.py
 CWE-23 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;
-```
+```

CWE-23/accessFileInExternalDir.json

@@ -5,7 +5,7 @@
         {
             "class": "Landroid/os/Environment;",
             "method": "getExternalStorageDirectory",
-            "descriptor": "()Ljava/io/File"
+            "descriptor": "()Ljava/io/File;"
         },
         {
             "class": "Ljava/io/File;",

CWE-78/CWE-78.py

@@ -9,7 +9,11 @@
     ("Ljava/lang/String;", "indexOf", "(I)I"),
     ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
     ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
-    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
+    (
+        "Ljava/lang/String;",
+        "replaceAll",
+        "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;",
+    ),
 ])
 
 specialElementsPattern = r"[ ;|,>`]+"
@@ -28,4 +32,4 @@
     if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(specialElementsPattern):
         continue
     else:
-        print(f"CWE-78 is detected in method, {caller.fullName}")
+        print(f"CWE-78 is detected in method, {caller.fullName}")

CWE-78/README.md

@@ -1,42 +1,40 @@
 # Detect CWE-78 in Android Application
 
-This scenario seeks to find **Improper Neutralization of Special
-Elements used in an OS Command** in the APK file.
+This scenario seeks to find **Improper Neutralization of Special Elements used in an OS Command** in the APK file.
 
-## CWE-78 Improper Neutralization of Special Elements used in an OS Command (\'OS Command Injection\')
+## CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
 
 We analyze the definition of CWE-78 and identify its characteristics.
 
-See [CWE-78](https://cwe.mitre.org/data/definitions/78.html) for more
-details.
+See [CWE-78](https://cwe.mitre.org/data/definitions/78.html) for more details.
 
-![image](https://imgur.com/aUB195P.png)
+![image](https://imgur.com/HpMGGsO.png)
 
 ## Code of CWE-78 in Vuldroid.apk
 
-We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid)
-sample to explain the vulnerability code of CWE-78.
+We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) sample to explain the vulnerability code of CWE-78.
 
-![image](https://imgur.com/hO6m3Bz.png)
+![image](https://imgur.com/7Tu0Y3H.png)
 
-## Quark Script: CWE-78.py
+## CWE-78 Detection Process Using Quark Script API
+
+![image](https://imgur.com/Hi7qGjw.png)
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+First, we design a detection rule `ExternalStringsCommands.json` to spot on behavior using external strings as commands.
 
-First, we design a detection rule `ExternalStringsCommands.json` to spot
-on behavior using external strings as commands.
+Next, we use Quark API `behaviorInstance.getMethodsInArgs()` to get the methods that passed the external command.
 
-Next, we use Quark API `behaviorInstance.getMethodsInArgs()` to get the
-methods that passed the external command.
+Then we check if the method neutralizes any special elements in the argument.
 
-Then we check if the method neutralizes any special elements found in
-the argument.
+If the neutralization is not complete, then it may cause CWE-78 vulnerability.
+
+## Quark Script: CWE-78.py
 
-If the neutralization is not complete, then it may cause CWE-78
-vulnerability.
+![image](https://imgur.com/UpRWgGe.png)
 
-``` python
+```python
 from quark.script import runQuarkAnalysis, Rule, findMethodInAPK
 
 SAMPLE_PATH = "Vuldroid.apk"
@@ -48,7 +46,11 @@ STRING_MATCHING_API = set([
     ("Ljava/lang/String;", "indexOf", "(I)I"),
     ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
     ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
-    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
+    (
+        "Ljava/lang/String;",
+        "replaceAll",
+        "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;",
+    ),
 ])
 
 specialElementsPattern = r"[ ;|,>`]+"
@@ -69,10 +71,12 @@ for ExternalStringCommand in quarkResult.behaviorOccurList:
     else:
         print(f"CWE-78 is detected in method, {caller.fullName}")
 ```
-
+        
 ## Quark Rule: ExternalStringCommand.json
 
-``` json
+![image](https://imgur.com/eoV8hnZ.png)
+
+```json
 {
     "crime": "Using external strings as commands",
     "permission": [],
@@ -95,9 +99,7 @@ for ExternalStringCommand in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
--   **Vuldroid.apk**
-
-``` TEXT
+```
 $ python3 CWE-78.py
 CWE-78 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V
-```
+```