Thursday, 25 November 2010

O2 Platform Videos (Nov 2010)


If you new to the OWASP O2 Platform (or are still trying to get your head around it), here are a number of YouTube videos based on: a) known vulnerable applications (i.e HacmeBank, WebGoat),  b) public websites (GMail, Twitter) and c) O2 scripts that I have written:
  • http://www.youtube.com/watch?v=T2XVufhJLig - Example of Unit Test Execution GUI that can be created using O2. In this example a number of HacmeBank vulnerabilities are shown using browser-automation (some of these vulnerabilities/exploits contain complex workflows, like for example: the 'login into admin section' exploit, which uses a ViewState vulnerability to access the dynamic password required to login as the administrator)
  • http://www.youtube.com/watch?v=MdObVD53Iyg - Full PoC of Sql Injection for developers. Includes an real-time browser automation/animation of the multi-step vulnerability exploit (on the left), followed by an animation (on the right) of the vulnerability taint-flow path (on the source-code). It probably is hard to see on the video, but the trace created using O2 (Open Source modules/scripts) contains the following structure:
    • the trace starts with the 'URL + injection parameter' (which is what a BlackBox scanner will produce) 
    • maps the URL to the entry point on the source-code (at the Web Layer)
    • follows the tainted-data (i.e. the variables with payload) all the way until the call to the Web Services
    • maps the 'Web-Layer Web Services call' with the 'method that is invoked on the Web Services Layer' (i.e. connects the Web Services caller with the callee)
    • follows the tainted-data all the way to the vulnerable Sql Execution (passing by the string concatenation that creates the SQL Injection vulnerability)
  • http://www.youtube.com/watch?v=1bbKNvyvLO0 - A similar example of the Unit test GUI that can be delivered to developers, this time using OWASP WebGoat as the target application
  • http://www.youtube.com/watch?v=DpDiGpzaVw0 - Unit Test created in O2 that tests for a vulnerability in Twitter (the result is green because the vulnerability is currently patched)
  • http://www.youtube.com/watch?v=rTD31e7HY4E - example of a complex browser-automation workflow: Create GMAIL account
  • http://www.youtube.com/watch?v=Gu8Hg02Zv5c  - example of a complex browser-automation workflow: Create Twitter account (different execution GUI from the GMAIL account creation script)
  • http://www.youtube.com/watch?v=YsVX5-nGHWI - example of another type of dynamic GUIs that can be created using O2 (most of O2 GUIs are O2 Scripts dynamically compiled and executed). In this case this GUI allows the easy creation of XSS demos/PoCs
  • http://www.youtube.com/watch?v=j0d3F3wqfRU - using O2 .NET Static Analysis engine to perform source code code reviews and to find vulnerabilities in .Net's Hacmebank
  • To see all O2 related videos, see http://www.youtube.com/user/diniscruz#g/u (most of these videos where created using O2's Video creation tool/script)