diff --git a/.github/workflows/testQuarkScript.yml b/.github/workflows/testQuarkScript.yml index c97a567..ee80972 100644 --- a/.github/workflows/testQuarkScript.yml +++ b/.github/workflows/testQuarkScript.yml @@ -9,7 +9,7 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: @@ -57,7 +57,7 @@ jobs: git clone "https://github.com/quark-engine/apk-samples.git" mv -vn $GITHUB_WORKSPACE/CWE-*/CWE-*.py test_ground/ mv -vn $GITHUB_WORKSPACE/CWE-*/*.json test_ground/ - mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ + # mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ mv -vn ./apk-samples/vulnerable-samples/*.apk test_ground/ diff --git a/CWE-20/README.md b/CWE-20/README.md index 9d9e8f4..a12e676 100644 --- a/CWE-20/README.md +++ b/CWE-20/README.md 
@@ -1,38 +1,34 @@ # Detect CWE-20 in Android Application +This scenario seeks to find **Improper Input Validation** in the APK file. -This scenario seeks to find **Improper Input Validation** in the APK -file. - -## CWE-20 Improper Input Validation +## CWE-20: Improper Input Validation We analyze the definition of CWE-20 and identify its characteristics. -See [CWE-20](https://cwe.mitre.org/data/definitions/20.html) for more -details. +See [CWE-20](https://cwe.mitre.org/data/definitions/20.html) for more details. -![image](https://imgur.com/21CzFUq.jpg) +![image](https://imgur.com/eO8fepu.jpg) ## Code of CWE-20 in diva.apk -We use the [diva.apk](https://github.com/payatu/diva-android) sample to -explain the vulnerability code of CWE-20. +We use the [diva.apk](https://github.com/payatu/diva-android) sample to explain the vulnerability code of CWE-20. -![image](https://imgur.com/kRIuEHd.jpg) +![image](https://imgur.com/nsuXYGU.jpg) -## Quark Script CWE-20.py +## CWE-20 Detection Process Using Quark Script API + +![image](https://imgur.com/C7zmwLm.jpg) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule ``openUrlThatUserInput.json``, to spot the behavior of opening the URL that the user inputs. Then, we use API ``behaviorInstance.getMethodsInArgs()`` to get a list of methods that the URL in ``loadUrl`` passes through. Finally, we check if any validation method is in the list. If No, the APK does not validate user input. That causes CWE-20 vulnerability. -First, we design a detection rule `openUrlThatUserInput.json`, to spot -the behavior of opening the URL that the user inputs. Then, we use API -`behaviorInstance.getMethodsInArgs()` to get a list of methods that the -URL in `loadUrl` passes through. Finally, we check if any validation -method is in the list. If No, the APK does not validate user input. 
That -causes CWE-20 vulnerability. +## Quark Script CWE-20.py + +![image](https://imgur.com/bwPqc4K.jpg) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "diva.apk" @@ -54,7 +50,9 @@ for openUrl in result.behaviorOccurList: ## Quark Rule: openUrlThatUserInput.json -``` json +![image](https://imgur.com/k4WT8Fb.jpg) + +```json { "crime": "Open the Url that user input", "permission": [], @@ -77,7 +75,7 @@ for openUrl in result.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python CWE-20.py CWE-20 is detected in method, Ljakhar/aseem/diva/InputValidation2URISchemeActivity; get (Landroid/view/View;)V ``` diff --git a/CWE-312/agent.js b/CWE-312/agent.js deleted file mode 100644 index e69de29..0000000 diff --git a/CWE-921/README.md b/CWE-921/README.md index 5315ce4..23bf563 100644 --- a/CWE-921/README.md +++ b/CWE-921/README.md 
@@ -1,36 +1,35 @@ # Detect CWE-921 in Android Application -This scenario seeks to find the **unsecured storage mechanism of -sensitive data** in the APK file. +This scenario seeks to find the **unsecured storage mechanism of sensitive data** in the APK file. -## CWE-921 Storage of Sensitive Data in a Mechanism without Access Control +## CWE-921: Storage of Sensitive Data in a Mechanism without Access Control We analyze the definition of CWE-921 and identify its characteristics. -See [CWE-921](https://cwe.mitre.org/data/definitions/921.html) for more -details. +See [CWE-921](https://cwe.mitre.org/data/definitions/921.html) for more details. + +![image](https://imgur.com/2zlPLHe.jpg) -![image](https://imgur.com/ihtjGAu.jpg) ## Code of CWE-921 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-921. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-921. -![image](https://imgur.com/ACzJct8.jpg) +![image](https://imgur.com/2u5iL1K.jpg) -## Quark Script: CWE-921.py +## CWE-921 Detection Process Using Quark Script API + +![image](https://imgur.com/qHOMqKy.jpg) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule ``checkFileExistence.json`` to spot on behavior that checks if a file exists on a given storage mechanism. Then, we use API ``methodInstance.getArguments()`` to get the file path. Finally, CWE-921 is found if the file path contains the keyword ``sdcard``. -First, we design a detection rule `checkFileExistence.json` to spot on -behavior that checks if a file exists on a given storage mechanism. -Then, we use API `methodInstance.getArguments()` to get the file path. -Finally, CWE-921 is found if the file path contains the keyword -`sdcard`. 
+## Quark Script: CWE-921.py + +![image](https://imgur.com/HULgyIy.jpg) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" @@ -48,7 +47,9 @@ for existingFile in quarkResult.behaviorOccurList: ## Quark Rule: checkFileExistence.json -``` json +![image](https://imgur.com/zRiYLtS.jpg) + +```json { "crime": "Check file existence", "permission": [], @@ -71,7 +72,7 @@ for existingFile in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python3 CWE-921.py This file is stored inside the SDcard diff --git a/CWE-94/README.md b/CWE-94/README.md index b6d2640..78d0d99 100644 --- a/CWE-94/README.md +++ b/CWE-94/README.md 
@@ -1,46 +1,44 @@ # Detect CWE-94 in Android Application +This scenario seeks to find **code injection** in the APK file. -This scenario seeks to find **code injection** in the APK file. - -## CWE-94 Improper Control of Generation of Code +## CWE-94: Improper Control of Generation of Code We analyze the definition of CWE-94 and identify its characteristics. -See [CWE-94](https://cwe.mitre.org/data/definitions/94.html) for more -details. +See [CWE-94](https://cwe.mitre.org/data/definitions/94.html) for more details. -![image](https://imgur.com/faWwd3p.jpg) +![image](https://imgur.com/M9Jlgrn.png) ## Code of CWE-94 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-94. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-94. -![image](https://imgur.com/duobWF2.jpg) +![image](https://imgur.com/MdlAnvu.png) -## Quark Script: CWE-94.py +## CWE-94 Detection Process Using Quark Script API + +Let's use the above APIs to show how the Quark script finds this vulnerability. -Let\'s use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule ``loadExternalCode.json`` to spot on behavior using the method ``createPackageContext``. Then, we find the caller method that calls the ``createPackageContext``. Finally, we check if the method ``checkSignatures`` is called in the caller method for verification. -First, we design a detection rule `loadExternalCode.json` to spot on -behavior using the method `createPackageContext`. Then, we find the -caller method that calls the `createPackageContext`. Finally, we check -if the method `checkSignatures` is called in the caller method for -verification. 
+![image](https://imgur.com/6cPBMWP.jpg) + +## Quark Script: CWE-94.py -``` python +![image](https://imgur.com/Aw26Lv2.jpg) + +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" RULE_PATH = "loadExternalCode.json" targetMethod = [ - "Landroid/content/pm/PackageManager;", - "checkSignatures", - "(Ljava/lang/String;Ljava/lang/String;)I" - ] + "Landroid/content/pm/PackageManager;", + "checkSignatures", + "(Ljava/lang/String;Ljava/lang/String;)I" + ] ruleInstance = Rule(RULE_PATH) quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) @@ -48,10 +46,10 @@ quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) for ldExternalCode in quarkResult.behaviorOccurList: callerMethod = [ - ldExternalCode.methodCaller.className, - ldExternalCode.methodCaller.methodName, - ldExternalCode.methodCaller.descriptor - ] + ldExternalCode.methodCaller.className, + ldExternalCode.methodCaller.methodName, + ldExternalCode.methodCaller.descriptor + ] if not quarkResult.findMethodInCaller(callerMethod, targetMethod): print(f"Method: {targetMethod[1]} not found!") @@ -60,7 +58,9 @@ for ldExternalCode in quarkResult.behaviorOccurList: ## Quark Rule: loadExternalCode.json -``` json +![image](https://imgur.com/IHENeJx.jpg) + +```json { "crime": "Load external code from other APK.", "permission": [], @@ -83,7 +83,7 @@ for ldExternalCode in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +```TEXT $ python3 CWE-94.py Method: checkSignatures not found! CWE-94 is detected in ovaa.apk
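Review bot: in the `.github/workflows/testQuarkScript.yml` hunk at `@@ -9,7 +9,7 @@`, the change from `runs-on: ubuntu-latest` to `runs-on: ubuntu-22.04` pins the runner image without recording why. Add a short YAML comment above the line stating the reason and when it should be bumped, otherwise the next cleanup will move it back to `ubuntu-latest` and the behaviour this pin protects (a CI job that shuffles sample files around by shell glob) will change silently with the image.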
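Review bot: in the workflow hunk at `@@ -57,7 +57,7 @@`, the line `mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/` is commented out rather than deleted. `CWE-312/agent.js` is removed in this same patch; if that was the only `.js` file the glob matched, the unquoted pattern now expands to itself and `mv` fails the step on a non-existent path, which is presumably why the line was disabled. Delete the line outright instead of leaving dead configuration, or, if `.js` helper scripts are expected to come back, make the move tolerant of an empty match (for example `shopt -s nullglob` before the `mv` lines, or a `for f in "$GITHUB_WORKSPACE"/CWE-*/*.js; do [ -e "$f" ] && mv -vn "$f" test_ground/; done` loop) so the step does not fail when no file is present.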
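Review bot: in the `CWE-20/README.md` hunk at `@@ -1,38 +1,34 @@`, the rewritten paragraph beginning `First, we design a detection rule` switches inline code from single to double backticks (`openUrlThatUserInput.json`, `behaviorInstance.getMethodsInArgs()`, `loadUrl`). Double backticks do render in Markdown, but the rest of the file uses single-backtick spans and the double form is an RST habit; use single backticks throughout. In the same paragraph, `If No, the APK does not validate user input. That causes CWE-20 vulnerability.` should read `If not, the APK does not validate user input, which is the CWE-20 weakness.` Also, the hunk replaces three `![image](https://imgur.com/...)` links with new ones on the same third-party host; consider committing the screenshots into the repository (for example under a `CWE-20/images/` directory) so the README does not break if the external links disappear.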
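Review bot: the `CWE-312/agent.js` deletion (`deleted file mode 100644`, index `e69de29`, which is the hash of an empty blob) loses nothing of substance, but it is the reason the `.js` `mv` line in the workflow no longer has anything to match. Confirm that `CWE-312/README.md`, which this patch does not touch, no longer references `agent.js`, and mention the deletion in the commit message so the workflow change and the file removal are understood as one change.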
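Review bot: in the `CWE-921/README.md` hunk at `@@ -1,36 +1,35 @@`, `to spot on behavior that checks if a file exists on a given storage mechanism` should read `to spot behavior that checks whether a file exists on a given storage mechanism`; the same `spot on behavior` phrasing recurs in the `CWE-94/README.md` hunk. The rewritten paragraph also states that CWE-921 is found whenever the file path contains the keyword `sdcard`; since this README is the only place the rule's scope is explained, say plainly that this is a string heuristic: a path obtained from an API call rather than a literal will not carry the word, and the literal can appear in paths that are not external storage, so readers know to expect both misses and false positives.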
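Review bot: in the `CWE-94/README.md` hunk at `@@ -1,46 +1,44 @@`, the new `## CWE-94 Detection Process Using Quark Script API` section opens with `Let's use the above APIs`, but the `![image](https://imgur.com/6cPBMWP.jpg)` that shows those APIs is placed after the two explanatory paragraphs, unlike the `CWE-20` and `CWE-921` READMEs in this same patch, where the image sits directly under the heading. Move the image up so the reference to "the above APIs" is correct and the three READMEs have the same layout. The apostrophe in `Let's` is also the straight form here while the other two files use the curly `Let’s`; pick one.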
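Review bot: in the `CWE-94/README.md` result hunk at `@@ -83,7 +83,7 @@`, the opening fence keeps the `TEXT` tag (only the space is dropped), whereas the equivalent hunks in `CWE-20/README.md` (`@@ -77,7 +77,7 @@`) and `CWE-921/README.md` (`@@ -71,7 +72,7 @@`) remove the tag entirely and leave a bare fence. Use one convention across all three files; a lowercase `text` tag is the usual choice, and `console` would additionally highlight the `$ python3 CWE-94.py` prompt line as a shell session.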