Optimize the document of Quark Script CWE-338, 489, and 532 (#60)

JerryTasi · web-flow · commit 6cd00f40eb9e · 2025-08-14T15:14:27.000+08:00
diff --git a/CWE-338/CWE-338.py b/CWE-338/CWE-338.py
@@ -13,6 +13,7 @@
 
 for usePRNGMethod in quarkResult.behaviorOccurList:
     for prngCaller in usePRNGMethod.methodCaller.getXrefFrom():
-        if any(keyword in prngCaller.fullName
-               for keyword in CREDENTIAL_KEYWORDS):
-            print("CWE-338 is detected in %s" % prngCaller.fullName)
+        if any(
+            keyword in prngCaller.fullName for keyword in CREDENTIAL_KEYWORDS
+        ):
+            print("CWE-338 is detected in %s" % prngCaller.fullName)
diff --git a/CWE-338/README.md b/CWE-338/README.md
@@ -1,23 +1,32 @@
-# Detect CWE-338 in Android Application (pivva.apk)
+# Detect CWE-338 in Android Application
 
-This scenario aims to detect the **Use of Cryptographically Weak
-Pseudo-Random Number Generator (PRNG).** See
-[CWE-338](https://cwe.mitre.org/data/definitions/338.html) for more
-details.
+This scenario seeks to find **Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)**.
 
-To demonstrate how the Quark script finds this vulnerability, we will
-use the [pivaa](https://github.com/HTBridge/pivaa) APK file and the
-above APIs.
+## CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
 
-First, we design a detection rule `useMethodOfPRNG.json` to spot on
-behavior that uses Pseudo Random Number Generator (PRNG). Then, we use
-API `methodInstance.getXrefFrom()` to get the caller method of PRNG.
-Finally, we use some keywords such as "token", "password", and "encrypt"
-to check if the PRNG is for credential usage.
+We analyze the definition of CWE-338 and identify its characteristics.
+
+See [CWE-338](https://cwe.mitre.org/data/definitions/338.html) for more details.
+
+![image](https://imgur.com/aLybax5.jpg)
+
+## Code of CWE-338 in pivaa.apk
+
+We use the [pivaa.apk](https://github.com/HTBridge/pivaa) sample to explain the vulnerability code of CWE-338.
+
+![image](https://i.postimg.cc/mr5rpTDz/image.png)
+
+## CWE-338 Detection Process Using Quark Script API
+
+![image](https://imgur.com/yWLNwZV.jpg)
+
+First, we design a detection rule `useMethodOfPRNG.json` to spot on behavior that uses Pseudo Random Number Generator (PRNG). Then, we use API `methodInstance.getXrefFrom()` to get the caller method of PRNG. Finally, we use some keywords such as "token", "password", and "encrypt" to check if the PRNG is for credential usage.
 
 ## Quark Script CWE-338.py
 
-``` python
+![image](https://i.postimg.cc/xdt54Lft/image.png)
+
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "pivaa.apk"
@@ -33,14 +42,17 @@ quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
 
 for usePRNGMethod in quarkResult.behaviorOccurList:
     for prngCaller in usePRNGMethod.methodCaller.getXrefFrom():
-        if any(keyword in prngCaller.fullName
-            for keyword in CREDENTIAL_KEYWORDS):
+        if any(
+            keyword in prngCaller.fullName for keyword in CREDENTIAL_KEYWORDS
+        ):
             print("CWE-338 is detected in %s" % prngCaller.fullName)
 ```
+    
+## Quark Rule: useMethodOfPRNG.json
 
-## useMethodOfPRNG.json
+![image](https://i.postimg.cc/jS6x74Kg/image.png)
 
-``` json
+```json
 {
     "crime": "Use method of PRNG",
     "permission": [],
@@ -63,7 +75,7 @@ for usePRNGMethod in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```TEXT
 $ python CWE-338.py
 CWE-338 is detected in Lcom/htbridge/pivaa/EncryptionActivity$2; onClick (Landroid/view/View;)V
 ```
diff --git a/CWE-338/useMethodOfPRNG.json b/CWE-338/useMethodOfPRNG.json
@@ -15,4 +15,4 @@
     ],
     "score": 1,
     "label": []
-}
+}
diff --git a/CWE-489/CWE-489.py b/CWE-489/CWE-489.py
@@ -3,4 +3,4 @@
 SAMPLE_PATH = "allsafe.apk"
 
 if getApplication(SAMPLE_PATH).isDebuggable():
-    print(f"CWE-489 is detected in {SAMPLE_PATH}.")
+    print(f"CWE-489 is detected in {SAMPLE_PATH}.")
diff --git a/CWE-489/README.md b/CWE-489/README.md
@@ -1,28 +1,32 @@
-# Detect CWE-489 in Android Application (allsafe.apk, AndroGoat.apk, pivaa.apk)
+# Detect CWE-489 in Android Application
 
+This scenario seeks to find **active debug code**.
 
-This scenario seeks to find **active debug code** in the APK file. See
-[CWE-489](https://cwe.mitre.org/data/definitions/489.html) for more
-details.
+## CWE-489: Active Debug Code
 
-Let\'s use [allsafe.apk](https://github.com/t0thkr1s/allsafe),
-[AndroGoat.apk](https://github.com/satishpatnayak/AndroGoat),
-[pivaa.apk](https://github.com/HTBridge/pivaa), and the above APIs to
-show how the Quark script finds this vulnerability.
+We analyze the definition of CWE-489 and identify its characteristics.
 
-First, we use Quark API `getApplication(samplePath)` to get the
-application element in the manifest file. Then we use
-`applicationInstance.isDebuggable()` to check if the application element
-sets the attribute `android:debuggable` to true. If **Yes**, that causes
-CWE-489 vulnerabilities.
+See [CWE-489](https://cwe.mitre.org/data/definitions/489.html) for more details.
+
+![image](https://imgur.com/UuDNFXW.jpg)
+
+## Code of CWE-489 in allsafe.apk
+
+We use the [allsafe.apk](https://github.com/t0thkr1s/allsafe) sample to explain the vulnerability code of CWE-489.
+
+![image](https://imgur.com/QSrATmt.jpg)
+
+## CWE-489 Detection Process Using Quark Script API
+
+![image](https://imgur.com/ydGfkV4.jpg)
+
+First, we use Quark API ``getApplication(samplePath)`` to get the application element in the manifest file. Then we use ``applicationInstance.isDebuggable()`` to check if the application element sets the attribute ``android:debuggable`` to true. If **Yes**, that causes CWE-489 vulnerabilities.
 
 ## Quark Script CWE-489.py
 
-The Quark Script below uses allsafe.apk to demonstrate. You can change
-the `SAMPLE_PATH` to the sample you want to detect. For example,
-`SAMPLE_PATH = AndroGoat.apk` or `SAMPLE_PATH = pivaa.apk`.
+![image](https://imgur.com/ToCAmD3.jpg)
 
-``` python
+```python
 from quark.script import getApplication
 
 SAMPLE_PATH = "allsafe.apk"
@@ -33,23 +37,7 @@ if getApplication(SAMPLE_PATH).isDebuggable():
 
 ## Quark Script Result
 
--   **allsafe.apk**
-
-``` TEXT
-$ python3 CWE-489.py
-CWE-489 is detected in allsafe.apk
-```
-
--   **AndroGoat.apk**
-
-``` TEXT
-$ python3 CWE-489.py
-CWE-489 is detected in AndroGoat.apk
-```
-
--   **pivaa.apk**
-
-``` TEXT
+```TEXT
 $ python3 CWE-489.py
-CWE-489 is detected in pivaa.apk
+CWE-489 is detected in allsafe.apk.
 ```
diff --git a/CWE-532/CWE-532.py b/CWE-532/CWE-532.py
@@ -19,4 +19,4 @@
 
     for keyword in CREDENTIAL_KEYWORDS:
         if keyword in arguments[1]:
-            print(f"CWE-532 is detected in method, {debugLogger.fullName}")
+            print(f"CWE-532 is detected in method, {debugLogger.fullName}")
diff --git a/CWE-532/README.md b/CWE-532/README.md
@@ -1,27 +1,36 @@
-# Detect CWE-532 in Android Application (dvba.apk)
+# Detect CWE-532 in Android Application
 
-This scenario seeks to find **insertion of sensitive information into
-Log file**. See
-[CWE-532](https://cwe.mitre.org/data/definitions/532.html) for more
-details.
+This scenario seeks to find **insertion of sensitive information into Log file** in the APK file.
 
-Let's use this
-[APK](https://github.com/rewanthtammana/Damn-Vulnerable-Bank) and the
-above APIs to show how the Quark script finds this vulnerability.
+## CWE-532: Insertion of Sensitive Information into Log File
 
-First, we use API `findMethodInAPK(samplePath, targetMethod)` to locate
-`log.d` method. Then we use API `methodInstance.getArguments()` to get
-the argument that input to `log.d`. Finally, we use some keywords such
-as \"token\", \"password\", and \"decrypt\" to check if arguments
-include sensitive data. If the answer is YES, that may cause sensitive
-data leakage into log file.
+We analyze the definition of CWE-532 and identify its characteristics.
 
-You can use your own keywords in the keywords list to detect sensitive
-data.
+See [CWE-532](https://cwe.mitre.org/data/definitions/532.html) for more details.
 
-## Quark Script CWE-532.py
+![image](https://imgur.com/6WzpyId.jpg)
 
-``` python
+## Code of CWE-532 in dvba.apk
+
+We use the [dvba.apk](https://github.com/rewanthtammana/Damn-Vulnerable-Bank)  sample to explain the vulnerability code of CWE-532.
+
+![image](https://imgur.com/cLzBvh2.jpg)
+
+## CWE-532 Detection Process Using Quark Script API
+
+![image](https://imgur.com/KLbnflF.jpg)
+
+Let's use the above APIs to show how the Quark script finds this vulnerability.
+
+First, we use the API ``findMethodInAPK(samplePath, targetMethod)`` to locate ``log.d`` method. Then we use API ``methodInstance.getArguments()`` to get the argument that input to ``log.d``. Finally, we use some keywords such as "token", "password", and "decrypt" to check if arguments include sensitive data. If the answer is **YES**, that may cause sensitive data leakage into log file.
+
+You can use your own keywords in the keywords list to detect sensitive data.
+
+## Quark Script: CWE-532.py
+
+![image](https://imgur.com/L9Ciqlp.jpg)
+
+```python
 from quark.script import findMethodInAPK
 
 SAMPLE_PATH = "dvba.apk"
@@ -48,7 +57,7 @@ for debugLogger in methodsFound:
 
 ## Quark Script Result
 
-``` TEXT
+```TEXT
 $ python CWE-532.py
 CWE-532 is detected in method, Lcom/google/firebase/auth/FirebaseAuth; d (Lc/c/b/h/o;)V
-```
+```
