Optimize the document of Quark Script CWE-73, 79, and 88 (#57)

* Optimize the document of Quark Script CWE-73, 79, and 88

* Optimize the document of Quark Script CWE-73, 79, and 88

Author: JerryTasi

CWE-73/CWE-73.py

@@ -1,7 +1,7 @@
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "ovaa.apk"
-RULE_PATH = "accessFileInExternalDir.json"
+RULE_PATH = "useLastPathSegmentAsFileName.json"
 
 OPEN_FILE_API = [
     "Landroid/os/ParcelFileDescriptor;",                   # Class name
@@ -22,4 +22,4 @@
     result = quarkResult.findMethodInCaller(caller, OPEN_FILE_API)
 
     if result:
-        print("CWE-73 is detected in method, ", caller.fullName)
+        print("CWE-73 is detected in method, ", caller.fullName)

CWE-73/README.md

@@ -1,48 +1,42 @@
-# Detect CWE-73 in Android Application
+# Detect CWE-73 in Android Application 
 
-This scenario seeks to find **External Control of File Name or Path** in
-the APK file.
+This scenario seeks to find **External Control of File Name or Path** in the APK file.
 
 ## CWE-73 External Control of File Name or Path
 
 We analyze the definition of CWE-73 and identify its characteristics.
 
-See [CWE-73](https://cwe.mitre.org/data/definitions/73.html) for more
-details.
+See [CWE-73](https://cwe.mitre.org/data/definitions/73.html) for more details.
 
-![image](https://imgur.com/ES7xg5X.png)
+![image](https://imgur.com/I1C5yku.png)
 
 ## Code of CWE-73 in ovaa.apk
 
-We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
-explain the vulnerability code of CWE-73.
+We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-73.
 
-![image](https://imgur.com/9oa1HIC.png)
+![image](https://imgur.com/gLJ6zWr.png)
 
-## Quark Script: CWE-73.py
+## CWE-73 Detection Process Using Quark Script API
+
+![image](https://imgur.com/zGjZHA1.png)
 
-Let's use the above APIs to show how Quark script find this
-vulnerability.
+Let’s use the above APIs to show how Quark script finds this vulnerability.
 
-First, we design a detection rule `accessFileInExternalDir.json` to spot
-behavior accessing a file in an external directory.
+First, we design a detection rule ``useLastPathSegmentAsFileName.json`` to spot behavior that uses the last path segment as the file name.
 
-Second, we use API `methodInstance.getArguments()` to get the argument
-for the file path and use `quarkResultInstance.isHardcoded(argument)` to
-check if the argument is hardcoded into the APK. If **No**, the argument
-is from external input.
+Second, we use the API ``methodInstance.getArguments()`` to get the argument for the file path and use ``quarkResultInstance.isHardcoded(argument)`` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input.
 
-Finally, we use Quark API
-`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to
-check if any APIs in the caller method for opening files. If **YES**,
-the APK performs file operations using external input as a path, which
-may cause CWE-73 vulnerability.
+Finally, we use Quark API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to check if there are any APIs in the caller method for opening files. If **YES**, the APK performs file operations using external input as a path, which may cause CWE-73 vulnerability.
+
+## Quark Script: CWE-73.py
 
-``` python
+![image](https://imgur.com/EHrcCPg.png)
+
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "ovaa.apk"
-RULE_PATH = "accessFileInExternalDir.json"
+RULE_PATH = "useLastPathSegmentAsFileName.json"
 
 OPEN_FILE_API = [
     "Landroid/os/ParcelFileDescriptor;",                   # Class name
@@ -66,17 +60,19 @@ for accessExternalDir in quarkResult.behaviorOccurList:
         print("CWE-73 is detected in method, ", caller.fullName)
 ```
 
-## Quark Rule: accessFileInExternalDir.json
+## Quark Rule: useLastPathSegmentAsFileName.json
+
+![image](https://imgur.com/JxBdde0.png)
 
-``` json
+```json
 {
-    "crime": "Access a file in an external directory",
+    "crime": "Use the last path segment as the file name",
     "permission": [],
     "api": [
         {
-            "class": "Landroid/os/Environment;",
-            "method": "getExternalStorageDirectory",
-            "descriptor": "()Ljava/io/File;"
+            "class": "Landroid/net/Uri;",
+            "method": "getLastPathSegment",
+            "descriptor": "()Ljava/lang/String;"
         },
         {
             "class": "Ljava/io/File;",
@@ -91,7 +87,7 @@ for accessExternalDir in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```
 $ python CWE-73.py
 CWE-73 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;
 ```

CWE-73/accessFileInExternalDir.json renamed to CWE-73/useLastPathSegmentAsFileName.json

@@ -1,11 +1,11 @@
 {
-    "crime": "Access a file in an external directory",
+    "crime": "Use the last path segment as the file name",
     "permission": [],
     "api": [
         {
-            "class": "Landroid/os/Environment;",
-            "method": "getExternalStorageDirectory",
-            "descriptor": "()Ljava/io/File;"
+            "class": "Landroid/net/Uri;",
+            "method": "getLastPathSegment",
+            "descriptor": "()Ljava/lang/String;"
         },
         {
             "class": "Ljava/io/File;",
@@ -16,4 +16,3 @@
     "score": 1,
     "label": []
 }
-

CWE-79/CWE-79.py

@@ -47,4 +47,4 @@
         ]
 
         if not XSSFiltersInCaller:
-            print(f"CWE-79 is detected in method, {caller.fullName}")
+            print(f"CWE-79 is detected in method, {caller.fullName}")

CWE-79/README.md

@@ -1,39 +1,36 @@
 # Detect CWE-79 in Android Application
 
-This scenario seeks to find **Improper Neutralization of Input During
-Web Page Generation ('Cross-site Scripting')** in the APK file.
+This scenario seeks to find **Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)** in the APK file.
 
-## CWE-79 Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\')
+## CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
 
 We analyze the definition of CWE-79 and identify its characteristics.
 
-See [CWE-79](https://cwe.mitre.org/data/definitions/79.html) for more
-details.
+See [CWE-79](https://cwe.mitre.org/data/definitions/79.html) for more details.
 
-![image](https://imgur.com/jAwgD0x.png)
+![image](https://imgur.com/3W1QpU1.png)
 
 ## Code of CWE-79 in Vuldroid.apk
 
-We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid)
-sample to explain the vulnerability code of CWE-79.
+We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) sample to explain the vulnerability code of CWE-79.
 
-![image](https://imgur.com/lC6EKun.png)
+![image](https://imgur.com/iv3Guwi.png)
 
-## Quark Script CWE-79.py
+## CWE-79 Detection Process Using Quark Script API
+
+![image](https://imgur.com/MpUjFP0.png)
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
 
-First, we design a detection rule `loadUrlFromIntent.json` to spot the
-behavior loading URL from intent data to the WebView instance.
+First, we design a detection rule ``loadUrlFromIntent.json`` to spot the behavior loading URL from intent data to the WebView instance.
 
-Next, we use API
-`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` and
-`methodInstance.getArguments()` to check if the Javascript execution is
-enabled in the WebView. Finally, we check if there are any famous XSS
-filters. If NO, that may cause CWE-79 vulnerability.
+Next, we use API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` and ``methodInstance.getArguments()`` to check if the Javascript execution is enabled in the WebView. Finally, we check if there are any famous XSS filters. If **NO**, that may cause CWE-79 vulnerability.
+
+## Quark Script CWE-79.py
 
-``` python
+![image](https://imgur.com/NyMpLZW.png)
+
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "Vuldroid.apk"
@@ -88,7 +85,9 @@ for loadUrl in quarkResult.behaviorOccurList:
 
 ## Quark Rule: loadUrlFromIntent.json
 
-``` json
+![image](https://imgur.com/m4aa4Jk.png)
+
+```json
 {
     "crime": "Load URL from intent to WebView",
     "permission": [],
@@ -111,7 +110,7 @@ for loadUrl in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```TEXT
 $ python CWE-79.py
 CWE-79 is detected in method, Lcom/vuldroid/application/ForgetPassword; onCreate (Landroid/os/Bundle;)V
-```
+```

CWE-88/CWE-88.py

@@ -28,4 +28,5 @@
     if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter):
         continue
     else:
-        print(f"CWE-88 is detected in method, {caller.fullName}")
+        print(f"CWE-88 is detected in method, {caller.fullName}")
+

CWE-88/README.md

@@ -1,78 +1,79 @@
-# Detect CWE-88 in Android Application
-
+# Detect CWE-88 in Android Application 
 
 This scenario seeks to find **Argument Injection** in the APK file.
 
 ## CWE-88 Improper Neutralization of Argument Delimiters in a Command
 
 We analyze the definition of CWE-88 and identify its characteristics.
 
-See [CWE-88](https://cwe.mitre.org/data/definitions/88.html) for more
-details.
+See [CWE-88](https://cwe.mitre.org/data/definitions/88.html) for more details.
 
-![image](https://imgur.com/7EBPGUT.png)
+![image](https://imgur.com/5vfXkIE.png)
 
 ## Code of CWE-88 in vuldroid.apk
 
-We use the [vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid)
-sample to explain the vulnerability code of CWE-88.
+We use the [vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) sample to explain the vulnerability code of CWE-88.
 
-![image](https://imgur.com/emnvGcE.png)
+![image](https://imgur.com/recX0t5.png)
 
-## Quark Script: CWE-88.py
+## CWE-88 Detection Process Using Quark Script API
+
+![image](https://imgur.com/s7Ajr6M.png)
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+Let‘s use the above APIs to show how the Quark script finds this vulnerability.
 
-First, we design a detection rule `ExternalStringsCommands.json` to spot
-on behavior using external strings as commands.
+First, we design a detection rule ``ExternalStringsCommands.json`` to spot on behavior using external strings as commands.
 
-Next, we use Quark API `behaviorInstance.getMethodsInArgs()` to get the
-methods that passed the external command.
+Next, we use Quark API ``behaviorInstance.getMethodsInArgs()`` to get the methods that passed the external command.
 
-Then we check if the method neutralizes any special elements in the
-argument.
+Then we check if the method neutralizes any special elements in the argument.
 
-If the neutralization is not complete, then it may cause CWE-88
-vulnerability.
+If the neutralization is not complete, then it may cause CWE-88 vulnerability.
+
+## Quark Script: CWE-88.py
 
-``` python
+![image](https://imgur.com/f8Yee3P.png)
+
+```python
 from quark.script import runQuarkAnalysis, Rule, findMethodInAPK
 
-SAMPLE_PATH = "Vuldroid.apk"
-RULE_PATH = "ExternalStringCommand.json"
+    SAMPLE_PATH = "Vuldroid.apk"
+    RULE_PATH = "ExternalStringCommand.json"
+
 
+    STRING_MATCHING_API = set([
+        ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"),
+        ("Ljava/lang/String;", "indexOf", "(I)I"),
+        ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
+        ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
+        ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
+    ])
 
-STRING_MATCHING_API = set([
-    ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"),
-    ("Ljava/lang/String;", "indexOf", "(I)I"),
-    ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
-    ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
-    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
-])
+    delimeter = "-"
 
-delimeter = "-"
+    ruleInstance = Rule(RULE_PATH)
+    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
 
-ruleInstance = Rule(RULE_PATH)
-quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+    for ExternalStringCommand in quarkResult.behaviorOccurList:
 
-for ExternalStringCommand in quarkResult.behaviorOccurList:
+        methodCalled = set()
+        caller = ExternalStringCommand.methodCaller
 
-    methodCalled = set()
-    caller = ExternalStringCommand.methodCaller
+        for method in ExternalStringCommand.getMethodsInArgs():
+            methodCalled.add(method.fullName)
 
-    for method in ExternalStringCommand.getMethodsInArgs():
-        methodCalled.add(method.fullName)
+        if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter):
+            continue
+        else:
+            print(f"CWE-88 is detected in method, {caller.fullName}")
 
-    if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter):
-        continue
-    else:
-        print(f"CWE-88 is detected in method, {caller.fullName}")
 ```
 
 ## Quark Rule: ExternalStringCommand.json
 
-``` json
+![image](https://imgur.com/s9QNF19.png)
+
+```json
 {
     "crime": "Using external strings as commands",
     "permission": [],
@@ -95,7 +96,7 @@ for ExternalStringCommand in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```
 $ python3 CWE-88.py
 CWE-88 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V
 ```