Optimize the document of Quark Script CWE-89, 117, and 295 (#58)

JerryTasi · web-flow · commit 4de585bb4ba5 · 2025-08-14T15:13:56.000+08:00
diff --git a/CWE-117/CWE-117.py b/CWE-117/CWE-117.py
@@ -19,4 +19,4 @@
 
     if not isKeywordFound:
         caller = logOutputBehavior.methodCaller.fullName
-        print(f"CWE-117 is detected in method, {caller}")
+        print(f"CWE-117 is detected in method, {caller}")
diff --git a/CWE-117/README.md b/CWE-117/README.md
@@ -8,22 +8,28 @@ We analyze the definition of CWE-117 and identify its characteristics.
 
 See [CWE-117](https://cwe.mitre.org/data/definitions/117.html) for more details.
 
-![image](https://imgur.com/poFP2Py.jpg)
+![image](https://imgur.com/JEAyEsU.jpg)
 
 ## Code of CWE-117 in allsafe.apk
 
 We use the [allsafe.apk](https://github.com/t0thkr1s/allsafe) sample to explain the vulnerability code of CWE-117.
 
-![image](https://imgur.com/AgCpFzr.jpg)
+![image](https://imgur.com/ueePFNu.jpg)
 
-## Quark Script CWE-117.py
+## CWE-117 Detection Process Using Quark Script API
+
+![image](https://imgur.com/Y5hd4Uc.jpg)
 
 First, we design a detection rule ``writeContentToLog.json`` to spot on behavior using the method that writes contents to the log file.
 
 Then, we use ``methodInstance.getArguments()`` to get all parameter values of this method. And we check if these parameters contain keywords of APIs for neutralization, such as ``escape``, ``replace``, ``format``, and ``setFilter``.
 
 If the answer is **YES**, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks.
 
+## Quark Script CWE-117.py
+
+![image](https://imgur.com/F1X3qg3.jpg)
+
 ```python
 from quark.script import Rule, runQuarkAnalysis
 
@@ -51,9 +57,11 @@ for logOutputBehavior in quarkResult.behaviorOccurList:
 
 ## Quark Rule: writeContentToLog.json
 
+![image](https://imgur.com/hC4zGgT.jpg)
+
 ```json
 {
-    "crime": "Write contents to the log.",
+    "crime": "Write contents to the log",
     "permission": [],
     "api": [
         {
@@ -77,4 +85,4 @@ for logOutputBehavior in quarkResult.behaviorOccurList:
 ```TEXT
 $ python CWE-117.py
 CWE-117 is detected in method, Linfosecadventures/allsafe/challenges/InsecureLogging; lambda$onCreateView$0 (Lcom/google/android/material/textfield/TextInputEditText; Landroid/widget/TextView; I Landroid/view/KeyEvent;)Z
-```
+```
diff --git a/CWE-117/writeContentToLog.json b/CWE-117/writeContentToLog.json
@@ -1,5 +1,5 @@
 {
-    "crime": "Write contents to the log.",
+    "crime": "Write contents to the log",
     "permission": [],
     "api": [
         {
diff --git a/CWE-295/CWE-295.py b/CWE-295/CWE-295.py
@@ -4,13 +4,14 @@
 TARGET_METHOD = [
     "Landroid/webkit/SslErrorHandler;",  # class name
     "proceed",                           # method name
-    "()V"                                # descriptor
+    "()V",                               # descriptor
 ]
 OVERRIDDEN_METHOD = [
     "Landroid/webkit/WebViewClient;",    # class name
     "onReceivedSslError",                # method name
-    "(Landroid/webkit/WebView;" + " Landroid/webkit/SslErrorHandler;" + \
-    " Landroid/net/http/SslError;)V"     # descriptor
+    "(Landroid/webkit/WebView;"
+    + " Landroid/webkit/SslErrorHandler;"
+    + " Landroid/net/http/SslError;)V",  # descriptor
 ]
 
 for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
diff --git a/CWE-295/README.md b/CWE-295/README.md
@@ -8,23 +8,29 @@ We analyze the definition of CWE-295 and identify its characteristics.
 
 See [CWE-295](https://cwe.mitre.org/data/definitions/295.html) for more details.
 
-![image](https://imgur.com/cuZ5qPp.jpg)
+![image](https://imgur.com/w6yx17J.jpg)
 
 ## Code of CWE-295 in InsecureShop.apk
 
 We use the [InsecureShop.apk](https://github.com/hax0rgb/InsecureShop) sample to explain the vulnerability code of CWE-295.
 
-![image](https://imgur.com/t7Y5clb.jpg)
+![image](https://imgur.com/iBt3mzh.jpg)
 
-## Quark Script CWE-295.py
+## CWE-295 Detection Process Using Quark Script API
+
+![image](https://imgur.com/HBBurwx.jpg)
 
 To begin with, we use the API ``findMethodInAPK(samplePath, targetMethod)`` to locate all callers of method ``SslErrorHandler.proceed``.
 
-Next, we must verify whether the caller overrides the method ``WebViewClient.onReceivedSslErroris``.
+Next, we must verify whether the caller overrides the method ``WebViewClient.onReceivedSslError``.
+
+Therefore, we check if the caller has the same method name and descriptor as ``WebViewClient.onReceivedSslError``, then use ``findSuperclassHierarchy()`` to see if its class extends ``Landroid/webkit/WebViewClient``.
 
-Therefore, we check if the method name and descriptor of the caller match those of ``WebViewClient.onReceivedSslErroris``. After that, we use the API ``methodInstance.findSuperclassHierarchy()`` to check if the superclasses of the caller include ``Landroid/webkit/WebViewClient``.
+If both are **YES**, the APK will proceed with HTTPS connections without certificate validation when an SSL error occurs, which may cause CWE-295 vulnerability.
 
-If both are **YES**, the APK will call ``SslErrorHandler.procees`` without certificate validation when an SSL error occurs, which may cause CWE-295 vulnerability.
+## Quark Script CWE-295.py
+
+![image](https://imgur.com/h9ydW0Y.jpg)
 
 ```python
 from quark.script import findMethodInAPK
@@ -33,13 +39,14 @@ SAMPLE_PATH = "insecureShop.apk"
 TARGET_METHOD = [
     "Landroid/webkit/SslErrorHandler;",  # class name
     "proceed",                           # method name
-    "()V"                                # descriptor
+    "()V",                               # descriptor
 ]
 OVERRIDDEN_METHOD = [
     "Landroid/webkit/WebViewClient;",    # class name
     "onReceivedSslError",                # method name
-    "(Landroid/webkit/WebView;" + " Landroid/webkit/SslErrorHandler;" + \
-    " Landroid/net/http/SslError;)V"     # descriptor
+    "(Landroid/webkit/WebView;"
+    + " Landroid/webkit/SslErrorHandler;"
+    + " Landroid/net/http/SslError;)V",  # descriptor
 ]
 
 for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
@@ -56,4 +63,4 @@ for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
 ```TEXT
 $　python3 CWE-295.py
 CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
-```
+```
diff --git a/CWE-89/CWE-89.py b/CWE-89/CWE-89.py
@@ -14,6 +14,6 @@
 
 for sqlCommandExecution in quarkResult.behaviorOccurList:
     if sqlCommandExecution.isArgFromMethod(
-            targetMethod
+        targetMethod
     ):
-        print(f"CWE-89 is detected in {SAMPLE_PATH}")
+        print(f"CWE-89 is detected in {SAMPLE_PATH}")
diff --git a/CWE-89/README.md b/CWE-89/README.md
@@ -6,31 +6,29 @@ This scenario seeks to find **SQL injection** in the APK file.
 
 We analyze the definition of CWE-89 and identify its characteristics.
 
-See [CWE-89](https://cwe.mitre.org/data/definitions/89.html) for more
-details.
+See [CWE-89](https://cwe.mitre.org/data/definitions/89.html) for more details.
 
-![image](https://i.imgur.com/iJ1yIBb.jpg)
+![image](https://imgur.com/Yx9vIS2.jpg)
 
-## Code of CWE-89 in androgoat.apk
+## Code of CWE-89 in AndroGoat.apk
 
-We use the [androgoat.apk](https://github.com/satishpatnayak/AndroGoat)
-sample to explain the vulnerability code of CWE-89.
+We use the [AndroGoat.apk](https://github.com/satishpatnayak/AndroGoat) sample to explain the vulnerability code of CWE-89.
 
-![image](https://i.imgur.com/bdQqWFb.jpg)
+![image](https://imgur.com/QWvu8te.jpg)
 
-## Quark Script: CWE-89.py
+## CWE-89 Detection Process Using Quark Script API
+
+![image](https://imgur.com/gvPBB3v.jpg)
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
 
-Let\'s use the above APIs to show how the Quark script finds this
-vulnerability.
+First, we design a detection rule `executeSQLCommand.json` to spot on behavior using SQL command Execution. Then, we use API `behaviorInstance.isArgFromMethod(targetMethod)` to check if `append` uses the value of `getText` as the argument. If yes, we confirmed that the SQL command string is built from user input, which will cause CWE-89 vulnerability.
 
-First, we design a detection rule `executeSQLCommand.json` to spot on
-behavior using SQL command Execution. Then, we use API
-`behaviorInstance.isArgFromMethod(targetMethod)` to check if `append`
-uses the value of `getText` as the argument. If yes, we confirmed that
-the SQL command string is built from user input, which will cause CWE-89
-vulnerability.
+## Quark Script: CWE-89.py
+
+![image](https://imgur.com/B6Mfp2L.jpg)
 
-``` python
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "AndroGoat.apk"
@@ -54,7 +52,9 @@ for sqlCommandExecution in quarkResult.behaviorOccurList:
 
 ## Quark Rule: executeSQLCommand.json
 
-``` json
+![image](https://imgur.com/aYnt5oq.jpg)
+
+```json
 {
     "crime": "Execute SQL Command",
     "permission": [],
@@ -77,7 +77,7 @@ for sqlCommandExecution in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` text
+```TEXT
 $ python3 CWE-89.py
 
 CWE-89 is detected in AndroGoat.apk
diff --git a/CWE-89/executeSQLCommand.json b/CWE-89/executeSQLCommand.json
@@ -15,4 +15,4 @@
     ],
     "score": 1,
     "label": []
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "crime": "Write contents to the log.",`
	`2`	`+ "crime": "Write contents to the log",`
`3`	`3`	`"permission": [],`
`4`	`4`	`"api": [`
`5`	`5`	`{`