JerryTasi
Contributor

Detect CWE-256 in Android Application

This scenario seeks to find Plaintext Storage of a Password.

CWE-256: Plaintext Storage of a Password

We analyze the definition of CWE-256 and identify its characteristics.

See CWE-256 for more details.

Code of CWE-256 in ovaa.apk

We use the ovaa.apk sample to explain the vulnerability code of CWE-256.

CWE-256 Detection Process Using Quark Script API

First, we define a detection rule putStrAndCommit.json to identify behaviors that store information using SharedPreferences.Editor.

Next, we call behaviorInstance.getParamValues() to retrieve all parameter values associated with this behavior. We then check whether any parameter contains keywords that suggest it is being used as a password (e.g., password, pswd, or passwd).

Finally, we use behaviorInstance.isArgFromMethod(targetMethod) to verify whether the doFinal method for encryption is applied on the second argument value. (Note: this Quark Script API checks all arguments, not just a specific one. Therefore, the API returns True even if the doFinal method is applied on the key argument rather than the value argument of putString. But the situation is so rare that we can neglect it.)

If the answer is NO, it indicates that the value may be stored in plaintext, which could lead to a CWE-256 vulnerability.

Quark Script CWE-256.py

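```python
from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "ovaa.apk"
RULE_PATH = "putStrAndCommit.json"

# [class, method, descriptor] of the encryption API; the descriptor is left empty
encryptAPI = ["Ljavax/crypto/Cipher;", "doFinal", ""]

# Keywords suggesting that a parameter is a password
passwordPatterns = ["password", "pswd", "passwd"]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for putStrAndCommit in quarkResult.behaviorOccurList:
    # Lowercase all parameter values of this putString/commit occurrence
    paramValues = [
        paramValue.lower() for paramValue in putStrAndCommit.getParamValues()
    ]
    # Skip occurrences where no parameter value equals one of the keywords
    if not any(
        passwordPattern in paramValues for passwordPattern in passwordPatterns
    ):
        continue

    # No argument comes from Cipher.doFinal: the value may be stored in plaintext
    if not putStrAndCommit.isArgFromMethod(encryptAPI):
        print(
            "CWE-256 is detected in method, "
            f"{putStrAndCommit.methodCaller.fullName}"
        )
```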

Quark Rule: putStrAndCommit.json

```json
{
    "crime": "Use editor to store information",
    "permission": [],
    "api": [
        {
            "class": "Landroid/content/SharedPreferences$Editor;",
            "method": "putString",
            "descriptor": "(Ljava/lang/String;Ljava/lang/String;)Landroid/content/SharedPreferences$Editor;"
        },
        {
            "class": "Landroid/content/SharedPreferences$Editor;",
            "method": "commit",
            "descriptor": "()Z"
        }
    ],
    "score": 1,
    "label": []
}
```

Quark Script Result

```
$ python3 CWE-256.py
CWE-256 is detected in method, Loversecured/ovaa/utils/LoginUtils; saveCredentials (Loversecured/ovaa/objects/LoginData;)V
```
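
Added example, not part of the pull request or of Quark: it runs the script's keyword screen over constructed putString parameter lists and compares list membership, as `passwordPattern in paramValues` does, with substring matching. The caller names, the `OCCURRENCES` data and the `isEncrypted` flag (a stand-in for `isArgFromMethod(encryptAPI)`) are assumptions made for the illustration.

```python
# Added example: constructed data, not taken from ovaa.apk or from Quark.
PASSWORD_PATTERNS = ["password", "pswd", "passwd"]  # keywords from the script

# Each constructed record stands in for one putString/commit occurrence:
# caller name -> (parameter values [editor, key, value], isEncrypted).
# isEncrypted is a hypothetical stand-in for isArgFromMethod(encryptAPI).
OCCURRENCES = {
    "saveCredentials": (["Editor", "password", "LoginData->password"], False),
    "saveToken": (["Editor", "user_password", "v1"], False),
    "savePin": (["Editor", "PSWD", "1234"], False),
    "saveHint": (["Editor", "password_hint_shown", "true"], False),
    "saveEncrypted": (["Editor", "password", "Cipher->doFinal"], True),
    "saveEmail": (["Editor", "email", "LoginData->email"], False),
}


def exactMatch(paramValues):
    """List membership: some value must equal a keyword (case-insensitive)."""
    lowered = [value.lower() for value in paramValues]
    return any(pattern in lowered for pattern in PASSWORD_PATTERNS)


def substringMatch(paramValues):
    """Substring search: a keyword may appear anywhere inside a value."""
    lowered = [value.lower() for value in paramValues]
    return any(
        pattern in value for value in lowered for pattern in PASSWORD_PATTERNS
    )


def flagged(matcher, occurrences=OCCURRENCES):
    """Return callers whose parameters look like a password stored unencrypted."""
    return sorted(
        caller
        for caller, (paramValues, isEncrypted) in occurrences.items()
        if matcher(paramValues) and not isEncrypted
    )


if __name__ == "__main__":
    print("exact    :", flagged(exactMatch))
    print("substring:", flagged(substringMatch))
    # Findings only substring matching reports; each needs manual review
    extra = set(flagged(substringMatch)) - set(flagged(exactMatch))
    print("extra    :", sorted(extra))
```

Substring matching also reports keys such as `user_password`, at the cost of hits like `password_hint_shown` that need manual review.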

Collaborator

@sidra-asa sidra-asa left a comment

LGTM. Thank you.

@sidra-asa sidra-asa merged commit 63ee55e into quark-engine:main Aug 31, 2025
1 check passed