Add Quark script showcase of detecting CWE-256 #804

Merged: sidra-asa merged 1 commit into master from JerryTasi-CWE-256 on Aug 28, 2025

@JerryTasi

Detect CWE-256 in Android Application

This scenario seeks to find Plaintext Storage of a Password.

CWE-256: Plaintext Storage of a Password

We analyze the definition of CWE-256 and identify its characteristics.

See CWE-256 for more details.

Code of CWE-256 in ovaa.apk

We use the ovaa.apk sample to explain the vulnerability code of CWE-256.

CWE-256 Detection Process Using Quark Script API

First, we define a detection rule putStrAndCommit.json to identify behaviors that store information using SharedPreferences.Editor.

Next, we call behaviorInstance.getParamValues() to retrieve all parameter values associated with this behavior. We then check whether any parameter contains keywords that suggest it is being used as a password (e.g., password, pswd, or passwd).

Finally, we use behaviorInstance.isArgFromMethod(targetMethod) to verify whether the doFinal method for encryption is applied on the second argument value. (Note: this Quark Script API checks all arguments, not just a specific one. Therefore, the API returns True even if the doFinal method is applied on the key argument rather than the value argument of putString. But the situation is so rare that we can neglect it.)

If the answer is NO, it indicates that the value may be stored in plaintext, which could lead to a CWE-256 vulnerability.

Quark Script CWE-256.py

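from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "ovaa.apk"
RULE_PATH = "putStrAndCommit.json"

# Target method as [class name, method name, descriptor].
encryptAPI = ["Ljavax/crypto/Cipher;", "doFinal", ""]

# Keywords suggesting that a parameter is used as a password.
passwordPatterns = ["password", "pswd", "passwd"]


ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for putStrAndCommit in quarkResult.behaviorOccurList:
    # Lower-case the parameter values so the keyword comparison ignores case.
    paramValues = [
        paramValue.lower() for paramValue in putStrAndCommit.getParamValues()
    ]
    # Skip behaviors in which no parameter value equals a password keyword.
    if not any(
        passwordPattern in paramValues for passwordPattern in passwordPatterns
    ):
        continue

    # No argument comes from Cipher.doFinal, so the value may be plaintext.
    if not putStrAndCommit.isArgFromMethod(encryptAPI):
        print(
            "CWE-256 is detected in method, "
            f"{putStrAndCommit.methodCaller.fullName}"
        )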

Quark Rule: putStrAndCommit.json

{
    "crime": "Use editor to store information",
    "permission": [],
    "api": [
        {
            "class": "Landroid/content/SharedPreferences$Editor;",
            "method": "putString",
            "descriptor": "(Ljava/lang/String;Ljava/lang/String;)Landroid/content/SharedPreferences$Editor;"
        },
        {
            "class": "Landroid/content/SharedPreferences$Editor;",
            "method": "commit",
            "descriptor": "()Z"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python3 CWE-256.py
CWE-256 is detected in method, Loversecured/ovaa/utils/LoginUtils; saveCredentials (Loversecured/ovaa/objects/LoginData;)V
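
An added sketch, not part of this PR or of Quark, of the two checks described above, run over constructed records instead of an APK: it matches the keywords as substrings and compares the all-arguments encryption check from the note with a value-only check. `PutStringCall`, its fields and the sample callers are hypothetical.

```python
from dataclasses import dataclass

PASSWORD_PATTERNS = ("password", "pswd", "passwd")
ENCRYPT_API = ("Ljavax/crypto/Cipher;", "doFinal")


@dataclass(frozen=True)
class PutStringCall:
    """Constructed stand-in for one putString+commit occurrence (not a Quark type)."""
    caller: str
    key: str                   # text recovered for the first argument
    value: str                 # text recovered for the second argument
    key_sources: tuple = ()    # (class, method) pairs the key passed through
    value_sources: tuple = ()  # (class, method) pairs the value passed through


def looks_like_password(call):
    # Substring match, so a key such as "user_password" is caught too.
    texts = (call.key.lower(), call.value.lower())
    return any(p in t for t in texts for p in PASSWORD_PATTERNS)


def any_arg_encrypted(call):
    # All-arguments check, as described in the note on isArgFromMethod.
    return ENCRYPT_API in call.key_sources + call.value_sources


def value_encrypted(call):
    # Stricter check: only the stored value (second argument) counts.
    return ENCRYPT_API in call.value_sources


def flag_plaintext(calls, is_encrypted):
    return [c.caller for c in calls
            if looks_like_password(c) and not is_encrypted(c)]


# Constructed sample occurrences; class and method names are made up.
SAMPLE_CALLS = [
    PutStringCall("Lcom/example/A; savePlain", "password", "form input"),
    PutStringCall("Lcom/example/B; saveEncrypted", "user_password",
                  "cipher output", value_sources=(ENCRYPT_API,)),
    PutStringCall("Lcom/example/C; encryptedKeyOnly", "<computed>",
                  "LoginData.getPassword()", key_sources=(ENCRYPT_API,)),
    PutStringCall("Lcom/example/D; saveTheme", "theme", "dark"),
]

if __name__ == "__main__":
    print("all-args  :", flag_plaintext(SAMPLE_CALLS, any_arg_encrypted))
    print("value-only:", flag_plaintext(SAMPLE_CALLS, value_encrypted))
```

The all-arguments check reports only caller A, while the value-only check also reports caller C, where `doFinal` feeds the key and the password itself is stored unencrypted.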

@JerryTasi JerryTasi self-assigned this Aug 27, 2025
@JerryTasi JerryTasi requested a review from sidra-asa August 27, 2025 06:21
@codecov

codecov Bot commented Aug 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.10%. Comparing base (cdceaba) to head (41b3487).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #804   +/-   ##
=======================================
  Coverage   81.10%   81.10%           
=======================================
  Files          75       75           
  Lines        6372     6372           
=======================================
  Hits         5168     5168           
  Misses       1204     1204           
Flag Coverage Δ
unittests 81.10% <ø> (ø)


@JerryTasi JerryTasi changed the title Optimize the document of Quark Script CWE-256 Add Quark script showcase of detecting CWE-256 Aug 27, 2025
@sidra-asa sidra-asa added documentation Improvements or additions to documentation pr-processing-state-03 labels Aug 28, 2025

@sidra-asa sidra-asa left a comment

LGTM. Thank you

@sidra-asa sidra-asa merged commit db2d36d into master Aug 28, 2025
19 checks passed