Skip to content

Commit 41e67f5

Browse files
JerryTasiJerryTasi
authored
Optimize the document of Quark Script CWE-798
1 parent 67d628e commit 41e67f5

File tree

1 file changed

+22
-22
lines changed

1 file changed

+22
-22
lines changed

CWE-798/README.md

Lines changed: 22 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1,36 +1,35 @@
11
# Detect CWE-798 in Android Application
22

3-
This scenario seeks to find hard-coded credentials in the APK file.
3+
This scenario seeks to find **hard-coded credentials** in the APK file.
44

5-
## CWE-798 Use of Hard-coded Credentials
5+
## CWE-798: Use of Hard-coded Credentials
66

77
We analyze the definition of CWE-798 and identify its characteristics.
88

9-
See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more
10-
details.
9+
See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more details.
1110

12-
![image](https://i.imgur.com/0G9APpf.jpg)
11+
![image](https://imgur.com/rF8J8hE.png)
1312

1413
## Code of CWE-798 in ovaa.apk
1514

16-
We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
17-
explain the vulnerability code of CWE-798.
15+
We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-798.
1816

19-
![image](https://i.imgur.com/ikaJlDW.jpg)
17+
![image](https://imgur.com/Cg7DacP.png)
2018

21-
## Quark Script: CWE-798.py
2219

23-
Let\'s use the above APIs to show how the Quark script finds this
24-
vulnerability.
20+
## CWE-798 Detection Process Using Quark Script API
21+
22+
![image](https://imgur.com/R8CfDqD.png)
23+
24+
Let’s use the above APIs to show how the Quark script finds this vulnerability.
25+
26+
First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior using the constructor ``SecretKeySpec``. Second, we get all the parameter values from this constructor. Then, we parse the AES key from the parameter values. Finally, we check if the AES key is hardcoded in the APK file. If the answer is **YES**, BINGO!!! We find hard-coded credentials in the APK file.
2527

26-
First, we design a detection rule `findSecretKeySpec.json` to spot on
27-
behavior using the method `SecretKeySpec`. Then, we get all the
28-
parameter values that are input to this method. And we parse the AES key
29-
out of the parameter values. Finally, we check if the AES key is
30-
hardcoded in the APK file. If the answer is YES, BINGO!!! We find
31-
hard-coded credentials in the APK file.
28+
## Quark Script: CWE-798.py
29+
30+
![image](https://imgur.com/IOyrqDc.png)
3231

33-
``` python
32+
```python
3433
import re
3534
from quark.script import runQuarkAnalysis, Rule
3635

@@ -54,7 +53,9 @@ for secretKeySpec in quarkResult.behaviorOccurList:
5453

5554
## Quark Rule: findSecretKeySpec.json
5655

57-
``` json
56+
![image](https://imgur.com/2BYOE70.png)
57+
58+
```json
5859
{
5960
"crime": "Detect APK using SecretKeySpec.",
6061
"permission": [],
@@ -77,8 +78,7 @@ for secretKeySpec in quarkResult.behaviorOccurList:
7778

7879
## Quark Script Result
7980

80-
``` TEXT
81-
$ python3 findSecretKeySpec.py
82-
81+
```TEXT
82+
$ python3 CWE-798.py
8383
Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f
8484
```

0 commit comments

Comments
 (0)