Optimize the document of Quark Script CWE-295 #47

Merged
merged 2 commits into from
Nov 22, 2024

Conversation

JerryTasi

Detect CWE-295 in Android Application

This scenario seeks to find Improper Certificate Validation.

CWE-295: Improper Certificate Validation

We analyze the definition of CWE-295 and identify its characteristics.

See CWE-295 for more details.

Code of CWE-295 in InsecureShop.apk

We use the InsecureShop.apk sample to explain the vulnerability code of CWE-295.

Quark Script CWE-295.py

To begin with, we use the API findMethodInAPK(samplePath, targetMethod) to locate all callers of method SslErrorHandler.proceed.

Next, we must verify whether the caller overrides the method WebViewClient.onReceivedSslError.

Therefore, we check if the method name and descriptor of the caller match those of WebViewClient.onReceivedSslError. After that, we use the API methodInstance.findSuperclassHierarchy() to check if the superclasses of the caller include Landroid/webkit/WebViewClient.

If both are YES, the APK will call SslErrorHandler.proceed without certificate validation when an SSL error occurs, which may cause a CWE-295 vulnerability.

```python
from quark.script import findMethodInAPK

SAMPLE_PATH = "insecureShop.apk"
TARGET_METHOD = [
    "Landroid/webkit/SslErrorHandler;",  # class name
    "proceed",                           # method name
    "()V"                                # descriptor
]
OVERRIDDEN_METHOD = [
    "Landroid/webkit/WebViewClient;",    # class name
    "onReceivedSslError",                # method name
    "(Landroid/webkit/WebView;"          # descriptor (Quark's space-separated form)
    " Landroid/webkit/SslErrorHandler;"
    " Landroid/net/http/SslError;)V"
]

# Every method that invokes SslErrorHandler.proceed() is a candidate;
# it is only reported when it is an override of WebViewClient.onReceivedSslError.
for sslProceedCaller in findMethodInAPK(SAMPLE_PATH, TARGET_METHOD):
    if (
        sslProceedCaller.name == OVERRIDDEN_METHOD[1]
        and sslProceedCaller.descriptor == OVERRIDDEN_METHOD[2]
        and OVERRIDDEN_METHOD[0] in sslProceedCaller.findSuperclassHierarchy()
    ):
        print(f"CWE-295 is detected in method, {sslProceedCaller.fullName}")
```

Quark Script Result

```
$ python3 CWE-295.py
CWE-295 is detected in method, Lcom/insecureshop/util/CustomWebViewClient; onReceivedSslError (Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V
```
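The detection logic described in this PR, rewritten below as an added, self-contained example that is not part of the PR or of the quark-engine project. It replaces the `quark.script` API with a constructed `MethodInfo` record and a constructed set of sample methods (no APK is parsed), so it runs offline. It generalises the PR's check in one way: the superclass-hierarchy test also catches a client that extends `WebViewClient` indirectly through an intermediate base class. All class names under `Lcom/example/` are made up for the sample.

```python
from dataclasses import dataclass

# Constructed stand-in for a Quark method object; NOT the quark.script API.
@dataclass(frozen=True)
class MethodInfo:
    class_name: str
    name: str
    descriptor: str
    superclasses: tuple   # full superclass hierarchy, nearest first
    callees: tuple        # (class, name, descriptor) triples this method invokes

    @property
    def full_name(self) -> str:
        # Same "class name descriptor" layout Quark prints in its result line
        return f"{self.class_name} {self.name} {self.descriptor}"


SSL_PROCEED = ("Landroid/webkit/SslErrorHandler;", "proceed", "()V")
SSL_CANCEL = ("Landroid/webkit/SslErrorHandler;", "cancel", "()V")
ON_RECEIVED_SSL_ERROR = (
    "Landroid/webkit/WebViewClient;",
    "onReceivedSslError",
    "(Landroid/webkit/WebView; Landroid/webkit/SslErrorHandler; Landroid/net/http/SslError;)V",
)
WEBVIEW_CLIENT = "Landroid/webkit/WebViewClient;"


def find_callers(methods, target):
    """Stand-in for findMethodInAPK: every method whose bytecode invokes `target`."""
    return [m for m in methods if target in m.callees]


def overrides(method: MethodInfo, base) -> bool:
    """True when `method` has the base method's name and descriptor and its
    class descends (directly or indirectly) from the base method's class."""
    base_class, base_name, base_desc = base
    return (
        method.name == base_name
        and method.descriptor == base_desc
        and base_class in method.superclasses
    )


def detect_cwe295(methods):
    """Return the full names of onReceivedSslError overrides that call proceed()."""
    return [
        m.full_name
        for m in find_callers(methods, SSL_PROCEED)
        if overrides(m, ON_RECEIVED_SSL_ERROR)
    ]


# Constructed sample "APK" contents (hypothetical classes, for the demo only)
SAMPLE_METHODS = [
    # Direct WebViewClient subclass that ignores the SSL error: vulnerable
    MethodInfo("Lcom/example/CustomWebViewClient;", *ON_RECEIVED_SSL_ERROR[1:],
               superclasses=(WEBVIEW_CLIENT, "Ljava/lang/Object;"),
               callees=(SSL_PROCEED,)),
    # Indirect subclass via an intermediate base class: still vulnerable
    MethodInfo("Lcom/example/BrandedWebViewClient;", *ON_RECEIVED_SSL_ERROR[1:],
               superclasses=("Lcom/example/BaseWebViewClient;", WEBVIEW_CLIENT, "Ljava/lang/Object;"),
               callees=(SSL_PROCEED,)),
    # Override that cancels the load on an SSL error: safe, not reported
    MethodInfo("Lcom/example/SafeWebViewClient;", *ON_RECEIVED_SSL_ERROR[1:],
               superclasses=(WEBVIEW_CLIENT, "Ljava/lang/Object;"),
               callees=(SSL_CANCEL,)),
    # Helper that calls proceed() but is not an onReceivedSslError override:
    # not reported by this rule (it only matches the override itself)
    MethodInfo("Lcom/example/SslHelper;", "proceedAnyway", "(Landroid/webkit/SslErrorHandler;)V",
               superclasses=("Ljava/lang/Object;",),
               callees=(SSL_PROCEED,)),
]

if __name__ == "__main__":
    for full_name in detect_cwe295(SAMPLE_METHODS):
        print(f"CWE-295 is detected in method, {full_name}")
```

The last sample shows the rule's blind spot: it reports the override itself, so an `onReceivedSslError` that delegates to a helper which calls `proceed()` would pass unnoticed. When triaging real findings, check whether the `proceed()` call sits behind a genuine validation step (for example, a pinned-certificate comparison) before treating it as a confirmed CWE-295.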

@zinwang zinwang self-requested a review November 22, 2024 10:02
@zinwang zinwang added the documentation Improvements or additions to documentation label Nov 22, 2024
@zinwang zinwang left a comment

LGTM!

@zinwang zinwang merged commit 2bb149e into quark-engine:main Nov 22, 2024
1 check passed
@JerryTasi JerryTasi deleted the patch-1 branch December 13, 2024 10:20