Optimize the document of Quark Script CWE-319, 327, and 328 (#59)

JerryTasi · web-flow · commit d28c7dc229b9 · 2025-08-14T15:14:09.000+08:00
diff --git a/CWE-319/CWE-319.py b/CWE-319/CWE-319.py
@@ -22,4 +22,4 @@
         if cleartextProtocolUrl:
             print(f"CWE-319 detected!")
             print(f"Here are the found URLs with cleartext protocol:")
-            print("\n".join(cleartextProtocolUrl))
+            print("\n".join(cleartextProtocolUrl))
diff --git a/CWE-319/README.md b/CWE-319/README.md
@@ -1,38 +1,36 @@
 # Detect CWE-319 in Android Application
 
-
-This scenario seeks to find **Cleartext Transmission of Sensitive
-Information** in the APK file.
+This scenario seeks to find **Cleartext Transmission of Sensitive Information** in the APK file.
 
 ## CWE-319 Cleartext Transmission of Sensitive Information
 
 We analyze the definition of CWE-319 and identify its characteristics.
 
-See [CWE-319](https://cwe.mitre.org/data/definitions/319.html) for more
-details.
+See [CWE-319](https://cwe.mitre.org/data/definitions/319.html) for more details.
 
-![image](https://imgur.com/tk8rtYf.jpg)
+![image](https://imgur.com/hjEYP5b.jpg)
 
 ## Code of CWE-319 in ovaa.apk
 
-We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
-explain the vulnerability code of CWE-319.
+We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-319.
 
-![image](https://imgur.com/Ew4UOAR.jpg)
+![image](https://imgur.com/wCYfTNx.jpg)
 
-## Quark Script: CWE-319.py
+## CWE-319 Detection Process Using Quark Script API
+
+![image](https://imgur.com/H1FgUtE.jpg)
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability. This sample uses the package `Retrofit` to request Web APIs, but the APIs use cleartext protocols.
 
-Let\'s use the above APIs to show how the Quark script finds this
-vulnerability. This sample uses the package Retrofit to request Web
-APIs, but the APIs use cleartext protocols.
+We first design a detection rule `setRetrofitBaseUrl.json` to spot on behavior that sets the base URL of the Retrofit instance. Then, we loop through a custom list of cleartext protocol schemes and use API `behaviorInstance.hasString(pattern, isRegex)` to filter if there are arguments that are URL strings with cleartext protocol.
 
-We first design a detection rule `setRetrofitBaseUrl.json` to spot on
-behavior that sets the base URL of the Retrofit instance. Then, we loop
-through a custom list of cleartext protocol schemes and use API
-`behaviorInstance.hasString(pattern, isRegex)` to filter arguments that
-are URL strings with cleartext protocol.
+If the answer is **YES**, CWE-319 vulnerability is caused.
 
-``` python
+## Quark Script: CWE-319.py
+
+![image](https://imgur.com/CktArDJ.jpg)
+
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "./ovaa.apk"
@@ -62,7 +60,9 @@ for setRetrofitBaseUrl in quarkResult.behaviorOccurList:
 
 ## Quark Rule: setRetrofitBaseUrl.json
 
-``` json
+![image](https://imgur.com/751Dhce.jpg)
+
+```json
 {
     "crime": "Set Retrofit Base Url",
     "permission": [],
@@ -86,7 +86,7 @@ for setRetrofitBaseUrl in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```TEXT
 $ python3 CWE-319.py
 CWE-319 detected!
 Here are the found URLs with cleartext protocol:
diff --git a/CWE-327/CWE-327.py b/CWE-327/CWE-327.py
@@ -14,4 +14,4 @@
 
     for algo in WEAK_ALGORITHMS:
         if useCryptoAlgo.hasString(algo):
-            print(f"CWE-327 is detected in method, {caller.fullName}")
+            print(f"CWE-327 is detected in method, {caller.fullName}")
diff --git a/CWE-327/README.md b/CWE-327/README.md
@@ -1,36 +1,34 @@
 # Detect CWE-327 in Android Application
 
-This scenario seeks to find **Use of a Broken or Risky Cryptographic
-Algorithm** in the APK file.
+This scenario seeks to find **Use of a Broken or Risky Cryptographic Algorithm** in the APK file.
 
-# CWE-327 Use of a Broken or Risky Cryptographic Algorithm
+## CWE-327 Use of a Broken or Risky Cryptographic Algorithm
 
 We analyze the definition of CWE-327 and identify its characteristics.
 
-See [CWE-327](https://cwe.mitre.org/data/definitions/327.html) for more
-details.
+See [CWE-327](https://cwe.mitre.org/data/definitions/327.html) for more details.
 
-![image](https://imgur.com/VlX7MTc.png)
+![image](https://imgur.com/Xfm5C9K.jpg)
 
 ## Code of CWE-327 in InjuredAndroid.apk
 
-We use the [InjuredAndroid.apk](https://github.com/B3nac/InjuredAndroid)
-sample to explain the vulnerability code of CWE-327.
+We use the [InjuredAndroid.apk](https://github.com/B3nac/InjuredAndroid) sample to explain the vulnerability code of CWE-327.
 
-![image](https://imgur.com/XFvu8zb.png)
+![image](https://imgur.com/R5zkGt2.jpg)
 
-## Quark Script CWE-327.py
+## CWE-327 Detection Process Using Quark Script API
+
+![image](https://imgur.com/2owB5Z7.jpg)
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+We first design a detection rule `useOfCryptographicAlgo.json` to spot on behavior using cryptographic algorithms. Then, we use API `behaviorInstance.hasString(pattern, isRegex)` with a list to check if the algorithm is risky. If **YES**, that may cause the exposure of sensitive data.
 
-We first design a detection rule `useOfCryptographicAlgo.json` to spot
-on behavior using cryptographic algorithms. Then, we use API
-`behaviorInstance.hasString(pattern, isRegex)` with a list to check if
-the algorithm is risky. If YES, that may cause the exposure of sensitive
-data.
+## Quark Script CWE-327.py
+
+![image](https://imgur.com/4fa3yS0.jpg)
 
-``` python
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "InjuredAndroid.apk"
@@ -52,7 +50,9 @@ for useCryptoAlgo in quarkResult.behaviorOccurList:
 
 ## Quark Rule: useOfCryptographicAlgo.json
 
-``` json
+![image](https://imgur.com/rjRykWM.jpg)
+
+```json
 {
     "crime": "Use of cryptographic algorithm",
     "permission": [],
@@ -75,7 +75,7 @@ for useCryptoAlgo in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```TEXT
 $ python3 CWE-327.py
 CWE-327 is detected in method, Lb3nac/injuredandroid/k; b (Ljava/lang/String;)Ljava/lang/String;
 CWE-327 is detected in method, Lb3nac/injuredandroid/k; a (Ljava/lang/String;)Ljava/lang/String;
diff --git a/CWE-327/useOfCryptographicAlgo.json b/CWE-327/useOfCryptographicAlgo.json
@@ -15,4 +15,4 @@
     ],
     "score": 1,
     "label": []
-}
+}
diff --git a/CWE-328/CWE-328.py b/CWE-328/CWE-328.py
@@ -37,4 +37,4 @@
         print(
             f"CWE-328 is detected in {SAMPLE_PATH},\n\t"
             f"and it occurs in method, {setHashAlgo.fullName}"
-        )
+        )
diff --git a/CWE-328/README.md b/CWE-328/README.md
@@ -1,36 +1,34 @@
 # Detect CWE-328 in Android Application
 
-
-This scenario seeks to find **the use of weak Hash**.
+This scenario seeks to find the **Use of Weak Hash**.
 
 ## CWE-328 Use of Weak Hash
 
 We analyze the definition of CWE-328 and identify its characteristics.
 
-See [CWE-328](https://cwe.mitre.org/data/definitions/328.html) for more
-details.
+See [CWE-328](https://cwe.mitre.org/data/definitions/328.html) for more details.
 
-![image](https://imgur.com/1jkGcSq.png)
+![image](https://imgur.com/DUaOaKi.jpg)
 
 ## Code of CWE-328 in allsafe.apk
 
-We use the [allsafe.apk](https://github.com/t0thkr1s/allsafe) sample to
-explain the vulnerability code of CWE-328.
+We use the [allsafe.apk](https://github.com/t0thkr1s/allsafe) sample to explain the vulnerability code of CWE-328.
 
-![image](https://imgur.com/b0yFDht.png)
+![image](https://imgur.com/nyreKX2.jpg)
 
-## Quark Script: CWE-328.py
+## CWE-328 Detection Process Using Quark Script API
+
+![image](https://imgur.com/bM7WJKo.jpg)
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+Let's use the above APIs to show how the Quark script finds this vulnerability.
+
+First, we use API `findMethodInAPK(samplePath, targetMethod)` to find the method `MessageDigest.getInstance()` or `SecretKeyFactory.getInstance()`. Next, we use API `methodInstance.getArguments()` with a list to check if the method uses weak hashing algorithms. If **YES**, that causes CWE-328 vulnerability.
+
+## Quark Script: CWE-328.py
 
-First, we use API `findMethodInAPK(samplePath, targetMethod)` to find
-the method `MessageDigest.getInstance()` or
-`SecretKeyFactory.getInstance()`. Next, we use API
-`methodInstance.getArguments()` with a list to check if the method uses
-weak hashing algorithms. If **YES**, that causes CWE-328 vulnerability.
+![image](https://imgur.com/wb9Baa3.jpg)
 
-``` python
+```python
 from quark.script import findMethodInAPK
 
 SAMPLE_PATH = "./allsafe.apk"
@@ -75,7 +73,7 @@ for setHashAlgo in methodsFound:
 
 ## Quark Script Result
 
-``` TEXT
+```TEXT
 $ python3 CWE-328.py
 CWE-328 is detected in ./allsafe.apk,
         and it occurs in method, Linfosecadventures/allsafe/challenges/SQLInjection; md5 (Ljava/lang/String;)Ljava/lang/String;
