Dinis Cruz Blog: May 2010

Thursday 27 May 2010

This is another test blog, now created while recording a video

Hello from inside O2 :)
(note: the preview feature is very cool :) )

This is a test Blog (posted via the new O2 platform Blogger API)

If this works I will follow it up with more details :)

Monday 24 May 2010

Major O2 Milestone: 'Complete Vulnerability Trace' for an HacmeBank Sql Injection vulnerability

(As emailed to the O2 Platform mailing list)

Finally, after tons and tons of features, I was able to create a 'Complete Vulnerability Trace' for an HacmeBank Sql Injection vulnerability.

And by 'Complete Vulnerability Traces' I mean a trace that:

starts on the Exploit Layer (i.e. the browser entry point),
then goes through the Web Layer code,
then does a jump over the 'internet' into the Web Services layer,
and ends up in the vulnerable .NET System.Data method :)

Using O2's MediaWiki API, I created the following 'draft with tons of screenshots' wiki page (containing details of what this trace looks like): http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC

The example is shown in the "O2 .NET Ast Engine" module, and tomorrow I will post details on how to consume (most of) it from the "O2 .NET Ast Scanner" module (which will be easier to use)

Tuesday 18 May 2010

Major new version, O2 .NET Ast Scanner and first batch of videos

(As emailed to the O2 Platform mailing list)

Hi, I just pushed a new version of the O2 XRules Database (which you can install from here).

As usual there are tons of new features and bug fixes, but probably the most important one is the inclusion of the first working prototype of the O2 .NET Ast Scanner (which is an Open Source taint flow analysis engine which is able to create the code-paths for HacmeBank's Sql Injection)

In my efforts to try to document O2, I've started to create a number of webpages and videos (current hosted at the http://o2platform.com website).