
Commit bb1689a

Add CWE-601 Quark Script (#36)
1 parent 11e2a18 commit bb1689a

File tree

2 files changed

+113
-0
lines changed


CWE-601/CWE-601.py

Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
from quark.script import findMethodInAPK
2+
3+
SAMPLE_PATH = 'ovaa.apk'
4+
5+
# This is the input for findMethodInAPK, formatted as class name, method name, descriptor
6+
TARGET_METHOD = ["", "startActivity", "(Landroid/content/Intent;)V"]
7+
8+
"""
9+
Due to varying descriptors and classes in smali code from different APIs,
10+
our search relies solely on the consistent method names.
11+
"""
12+
13+
EXTERNAL_INPUT_METHODS = [
14+
"getIntent",
15+
"getQueryParameter"
16+
]
17+
18+
INPUT_FILTER_METHODS = [
19+
"parse",
20+
"isValidUrl",
21+
"Pattern",
22+
"Matcher",
23+
"encode",
24+
"decode",
25+
"escapeHtml",
26+
"HttpURLConnection"
27+
]
28+
29+
redirectMethods = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)
30+
31+
for redirectMethod in redirectMethods:
32+
arguments = redirectMethod.getArguments()
33+
for argument in arguments:
34+
if any(externalInput in argument for
35+
externalInput in EXTERNAL_INPUT_METHODS):
36+
if not any(filterMethod in argument for
37+
filterMethod in INPUT_FILTER_METHODS):
38+
print(f"CWE-601 is detected in {redirectMethod.fullName}")
39+
40+
41+
42+
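Review bot: the safe/unsafe decision at diff lines 31-38 is substring matching on the argument text, not a data-flow check, so both false positives and false negatives are built in. "parse", "encode", "decode" and "HttpURLConnection" in INPUT_FILTER_METHODS are not validators: `Uri.parse` is how the untrusted string becomes the Uri handed to the Intent, so a caller that parses the deep-link URL before redirecting is marked safe, which is the very case this script exists to catch. Conversely "getIntent" alone flags any method that reads its Intent and also calls startActivity, whether or not the redirect target actually comes from that Intent. Suggest trimming INPUT_FILTER_METHODS to calls that reject or allow-list a destination (`isValidUrl`, an explicit host comparison) and stating the remaining heuristic in a comment next to the list. Two smaller points: TARGET_METHOD still pins the descriptor `(Landroid/content/Intent;)V` while the docstring at lines 8-11 says the search relies solely on the method name, so one of the two should change; and a method whose arguments match more than once is printed once per match, so collect `redirectMethod.fullName` into a set before printing.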

CWE-601/README.md

Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
Detect CWE-601 in Android Application (ovaa)
2+
------------------------------------------------------
3+
4+
This scenario aims to demonstrate the detection of the **URL Redirection to Untrusted Site** vulnerability using [ovaa.apk](https://github.com/oversecured/ovaa). See [CWE-601](https://cwe.mitre.org/data/definitions/601.html) for more details.
5+
6+
To detect the vulnerability, we need to find all the caller methods of ``startActivity`` API that might receive external input without input validation. The ``findMethodInAPK`` function finds all the methods in the APK file that call the ``startActivity`` API. Next, we examine the arguments of each method to discover the methods receiving external input. If a method receives external input but lacks of proper input validation, the CWE-601 vulnerability is identified.
7+
8+
Quark Script CWE-601.py
9+
==========================
10+
11+
The Quark Script below uses ovaa.apk to demonstrate.
12+
13+
```python
14+
15+
16+
from quark.script import findMethodInAPK
17+
18+
SAMPLE_PATH = 'ovaa.apk'
19+
20+
# This is the input for findMethodInAPK, formatted as class name, method name, descriptor
21+
TARGET_METHOD = ["", "startActivity", "(Landroid/content/Intent;)V"]
22+
23+
"""
24+
Due to varying descriptors and classes in smali code from different APIs,
25+
our search relies solely on the consistent method names.
26+
"""
27+
28+
EXTERNAL_INPUT_METHODS = [
29+
"getIntent",
30+
"getQueryParameter"
31+
]
32+
33+
INPUT_FILTER_METHODS = [
34+
"parse",
35+
"isValidUrl",
36+
"Pattern",
37+
"Matcher",
38+
"encode",
39+
"decode",
40+
"escapeHtml",
41+
"HttpURLConnection"
42+
]
43+
44+
redirectMethods = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)
45+
46+
for redirectMethod in redirectMethods:
47+
arguments = redirectMethod.getArguments()
48+
for argument in arguments:
49+
if any(externalInput in argument for
50+
externalInput in EXTERNAL_INPUT_METHODS):
51+
if not any(filterMethod in argument for
52+
filterMethod in INPUT_FILTER_METHODS):
53+
print(f"CWE-601 is detected in {redirectMethod.fullName}")
54+
55+
56+
57+
58+
59+
```
60+
61+
Quark Script Result
62+
======================
63+
- **ovaa.apk**
64+
65+
```
66+
67+
$ python CWE-601.py
68+
CWE-601 is detected in Loversecured/ovaa/activities/DeeplinkActivity; processDeeplink (Landroid/net/Uri;)V
69+
CWE-601 is detected in Loversecured/ovaa/activities/LoginActivity; onLoginFinished ()V
70+
71+
```
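Review bot: the procedure at diff line 6 and the result block at lines 67-69 do not line up: the text says we "examine the arguments of each method", yet `onLoginFinished ()V` takes no parameters, so "arguments" here must mean the arguments of the `startActivity` call inside the method rather than the method's own parameters; say so explicitly, since otherwise the reader cannot tell what `getArguments()` returns or why a parameterless method is reported. The README should also state that the check is a substring heuristic over those argument strings, that any method calling a name listed in INPUT_FILTER_METHODS is treated as validated, and that a hit is a candidate for manual review rather than a confirmed CWE-601. Minor: "lacks of proper input validation" should read "lacks proper input validation", and the headings use a `----` underline for the page title but `====` for the subsections, which inverts the Setext levels (`===` is level 1, `---` is level 2).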
