Optimize the document of Quark Script CWE-20, 94, 921 (#49)

JerryTasi · web-flow · commit d8f79e1c59a6 · 2025-01-22T19:09:35.000+08:00
diff --git a/CWE-20/README.md b/CWE-20/README.md
@@ -1,38 +1,34 @@
 # Detect CWE-20 in Android Application
 
+This scenario seeks to find **Improper Input Validation** in the APK file.
 
-This scenario seeks to find **Improper Input Validation** in the APK
-file.
-
-## CWE-20 Improper Input Validation
+## CWE-20: Improper Input Validation
 
 We analyze the definition of CWE-20 and identify its characteristics.
 
-See [CWE-20](https://cwe.mitre.org/data/definitions/20.html) for more
-details.
+See [CWE-20](https://cwe.mitre.org/data/definitions/20.html) for more details.
 
-![image](https://imgur.com/21CzFUq.jpg)
+![image](https://imgur.com/eO8fepu.jpg)
 
 ## Code of CWE-20 in diva.apk
 
-We use the [diva.apk](https://github.com/payatu/diva-android) sample to
-explain the vulnerability code of CWE-20.
+We use the [diva.apk](https://github.com/payatu/diva-android) sample to explain the vulnerability code of CWE-20.
 
-![image](https://imgur.com/kRIuEHd.jpg)
+![image](https://imgur.com/nsuXYGU.jpg)
 
-## Quark Script CWE-20.py
+## CWE-20 Detection Process Using Quark Script API
+
+![image](https://imgur.com/C7zmwLm.jpg)
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+First, we design a detection rule ``openUrlThatUserInput.json``, to spot the behavior of opening the URL that the user inputs. Then, we use API ``behaviorInstance.getMethodsInArgs()`` to get a list of methods that the URL in ``loadUrl`` passes through. Finally, we check if any validation method is in the list. If No, the APK does not validate user input. That causes CWE-20 vulnerability.
 
-First, we design a detection rule `openUrlThatUserInput.json`, to spot
-the behavior of opening the URL that the user inputs. Then, we use API
-`behaviorInstance.getMethodsInArgs()` to get a list of methods that the
-URL in `loadUrl` passes through. Finally, we check if any validation
-method is in the list. If No, the APK does not validate user input. That
-causes CWE-20 vulnerability.
+## Quark Script CWE-20.py
+
+![image](https://imgur.com/bwPqc4K.jpg)
 
-``` python
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "diva.apk"
@@ -54,7 +50,9 @@ for openUrl in result.behaviorOccurList:
 
 ## Quark Rule: openUrlThatUserInput.json
 
-``` json
+![image](https://imgur.com/k4WT8Fb.jpg)
+
+```json
 {
     "crime": "Open the Url that user input",
     "permission": [],
@@ -77,7 +75,7 @@ for openUrl in result.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```
 $ python CWE-20.py
 CWE-20 is detected in method, Ljakhar/aseem/diva/InputValidation2URISchemeActivity; get (Landroid/view/View;)V
 ```
diff --git a/CWE-921/README.md b/CWE-921/README.md
@@ -1,36 +1,35 @@
 # Detect CWE-921 in Android Application
 
-This scenario seeks to find the **unsecured storage mechanism of
-sensitive data** in the APK file.
+This scenario seeks to find the **unsecured storage mechanism of sensitive data** in the APK file.
 
-## CWE-921 Storage of Sensitive Data in a Mechanism without Access Control
+## CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
 
 We analyze the definition of CWE-921 and identify its characteristics.
 
-See [CWE-921](https://cwe.mitre.org/data/definitions/921.html) for more
-details.
+See [CWE-921](https://cwe.mitre.org/data/definitions/921.html) for more details.
+
+![image](https://imgur.com/2zlPLHe.jpg)
 
-![image](https://imgur.com/ihtjGAu.jpg)
 
 ## Code of CWE-921 in ovaa.apk
 
-We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
-explain the vulnerability code of CWE-921.
+We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-921.
 
-![image](https://imgur.com/ACzJct8.jpg)
+![image](https://imgur.com/2u5iL1K.jpg)
 
-## Quark Script: CWE-921.py
+## CWE-921 Detection Process Using Quark Script API
+
+![image](https://imgur.com/qHOMqKy.jpg)
+
+Let’s use the above APIs to show how the Quark script finds this vulnerability.
 
-Let's use the above APIs to show how the Quark script finds this
-vulnerability.
+First, we design a detection rule ``checkFileExistence.json`` to spot on behavior that checks if a file exists on a given storage mechanism. Then, we use API ``methodInstance.getArguments()`` to get the file path. Finally, CWE-921 is found if the file path contains the keyword ``sdcard``.
 
-First, we design a detection rule `checkFileExistence.json` to spot on
-behavior that checks if a file exists on a given storage mechanism.
-Then, we use API `methodInstance.getArguments()` to get the file path.
-Finally, CWE-921 is found if the file path contains the keyword
-`sdcard`.
+## Quark Script: CWE-921.py
+
+![image](https://imgur.com/HULgyIy.jpg)
 
-``` python
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "ovaa.apk"
@@ -48,7 +47,9 @@ for existingFile in quarkResult.behaviorOccurList:
 
 ## Quark Rule: checkFileExistence.json
 
-``` json
+![image](https://imgur.com/zRiYLtS.jpg)
+
+```json
 {
     "crime": "Check file existence",
     "permission": [],
@@ -71,7 +72,7 @@ for existingFile in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```
 $ python3 CWE-921.py
 This file is stored inside the SDcard
 
diff --git a/CWE-94/README.md b/CWE-94/README.md
@@ -1,57 +1,55 @@
 # Detect CWE-94 in Android Application
 
+This scenario seeks to find **code injection** in the APK file. 
 
-This scenario seeks to find **code injection** in the APK file.
-
-## CWE-94 Improper Control of Generation of Code
+## CWE-94: Improper Control of Generation of Code
 
 We analyze the definition of CWE-94 and identify its characteristics.
 
-See [CWE-94](https://cwe.mitre.org/data/definitions/94.html) for more
-details.
+See [CWE-94](https://cwe.mitre.org/data/definitions/94.html) for more details.
 
-![image](https://imgur.com/faWwd3p.jpg)
+![image](https://imgur.com/M9Jlgrn.png)
 
 ## Code of CWE-94 in ovaa.apk
 
-We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
-explain the vulnerability code of CWE-94.
+We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-94.
 
-![image](https://imgur.com/duobWF2.jpg)
+![image](https://imgur.com/MdlAnvu.png)
 
-## Quark Script: CWE-94.py
+## CWE-94 Detection Process Using Quark Script API
+
+Let's use the above APIs to show how the Quark script finds this vulnerability.
 
-Let\'s use the above APIs to show how the Quark script finds this
-vulnerability.
+First, we design a detection rule ``loadExternalCode.json`` to spot on behavior using the method ``createPackageContext``. Then, we find the caller method that calls the ``createPackageContext``. Finally, we check if the method ``checkSignatures`` is called in the caller method for verification.
 
-First, we design a detection rule `loadExternalCode.json` to spot on
-behavior using the method `createPackageContext`. Then, we find the
-caller method that calls the `createPackageContext`. Finally, we check
-if the method `checkSignatures` is called in the caller method for
-verification.
+![image](https://imgur.com/6cPBMWP.jpg)
+
+## Quark Script: CWE-94.py
 
-``` python
+![image](https://imgur.com/Aw26Lv2.jpg)
+
+```python
 from quark.script import runQuarkAnalysis, Rule
 
 SAMPLE_PATH = "ovaa.apk"
 RULE_PATH = "loadExternalCode.json"
 
 targetMethod = [
-    "Landroid/content/pm/PackageManager;",
-    "checkSignatures",
-    "(Ljava/lang/String;Ljava/lang/String;)I"
-    ]
+        "Landroid/content/pm/PackageManager;",
+        "checkSignatures",
+        "(Ljava/lang/String;Ljava/lang/String;)I"
+        ]
 
 ruleInstance = Rule(RULE_PATH)
 quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
 
 for ldExternalCode in quarkResult.behaviorOccurList:
 
     callerMethod = [
-        ldExternalCode.methodCaller.className,
-        ldExternalCode.methodCaller.methodName,
-        ldExternalCode.methodCaller.descriptor
-        ]
+            ldExternalCode.methodCaller.className,
+            ldExternalCode.methodCaller.methodName,
+            ldExternalCode.methodCaller.descriptor
+            ]
 
     if not quarkResult.findMethodInCaller(callerMethod, targetMethod):
         print(f"Method: {targetMethod[1]} not found!")
@@ -60,7 +58,9 @@ for ldExternalCode in quarkResult.behaviorOccurList:
 
 ## Quark Rule: loadExternalCode.json
 
-``` json
+![image](https://imgur.com/IHENeJx.jpg)
+
+```json
 {
     "crime": "Load external code from other APK.",
     "permission": [],
@@ -83,7 +83,7 @@ for ldExternalCode in quarkResult.behaviorOccurList:
 
 ## Quark Script Result
 
-``` TEXT
+```TEXT
 $ python3 CWE-94.py
 Method: checkSignatures not found!
 CWE-94 is detected in ovaa.apk
