- Adding an O2 Menu to Notepad++ and 'listen' to menu selections
- Creating a custom version of 'O2 Quick Development Gui' environment (stand-alone and in aspx)
- Changing a reference/dll value of a VS CSproj file
- Removing C# class from C# file in multiple WSDL files
- Creating a jQuery DataTable using serialized JSON object
- Creating a jQuery jsTree using serialized JSON object
- Simple Windows UIAutomation example
- O2 Trick to compile with explicit references
- Invoking jQuery from O2
- Trigger a Keypress event in IE
- New Amazon EC2 'image filtering focused' Extension Methods
- Script to view Amazon EC2 Images List
- Using the O2's Amazon EC2 API
- New Amazon EC2 .Net API
- Solved the problem with decrypting AmazonEC2 Instance's password
A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more
Thursday, 30 June 2011
14x O2 Scripts on: EC2, jQuery, VS CSProj, Notepad++ and O2 in Aspx
Here are 14 blog posts published in the last two months at the http://o2platform.wordpress.com blog covering the following topics: EC2, jQuery, VS CSProj, Notepad++ and O2 in Aspx
Thursday, 23 June 2011
The ESTAPI idea
The ESTAPI (the Enterprise Security TESTING API) was an idea that popped up a couple of years ago at the OWASP AppSecEu in Poland.
Basically the idea is that what is more valuable to app/framework developers is NOT another API that they have to bake into their product, BUT a set of Unit/Integration tests that they can use to validate what they are doing.
In this world ESAPI would be an example of what that could look like, BUT the expectation would be that app and framework developers implement the same 'behaviour/capability' in their code.
And then ESTAPI would be used to develop AND validate those capabilities.
Let's take a simple example: HtmlAttributeEncoding and JavascriptEncoding across the multiple ESAPI language implementations (Java, .NET, PHP, etc...). Shouldn't ALL of them pass the same ESTAPI test? Surely ALL should have the same behaviour, right? (i.e. given the same input, provide the same output)
Same thing for the popular Java Frameworks (Spring, Struts, Tapestry, JSF, etc...). We should be using ESTAPI to measure (and understand) how those frameworks behave.
Of course there are cases where the devs will choose to use the ESAPI.jar (& its dependencies), BUT my view for a while now is that 'THAT esapi.jar' adoption should NOT be the first step in ESAPI usage. This 'adoption' COULD be one of the options later down the line, but the first step should be a bunch of ESTAPI tests adapted to the targeted app.
What I also like about the ESTAPI idea is that it will drive (and push) the ESAPI team to really segment and separate the esapi.jar dependencies, since it will be much easier (or more practical) to write ESTAPI tests on single-focused JARs with their dependencies injected (i.e. using DI).
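A sketch of what an ESTAPI-style conformance test could look like, added here as an illustration (it is not code from ESAPI or from the original post). The test vectors, the "hex-encode every non-alphanumeric" contract and the two encoders under test are assumptions chosen for the example; the point is that one shared set of input/output vectors is run unchanged against every implementation.

```python
import html

# Constructed ESTAPI-style vectors: (name, input, expected output).
# Assumed contract for this example (not ESAPI's documented behaviour):
# ASCII letters and digits pass through, everything else becomes &#xHH;.
VECTORS = [
    ("plain", "abc123", "abc123"),
    ("double-quote breakout", '" onmouseover="x',
     "&#x22;&#x20;onmouseover&#x3d;&#x22;x"),
    ("single-quote breakout", "' x='", "&#x27;&#x20;x&#x3d;&#x27;"),
    ("unquoted attribute", "a b=c", "a&#x20;b&#x3d;c"),
    ("ampersand", "a&b", "a&#x26;b"),
]

def strict_attr_encode(value):
    """Hypothetical implementation A: hex-encode all non-alphanumerics."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else "&#x%x;" % ord(ch)
        for ch in value)

def stdlib_escape(value):
    """Implementation B: Python's general-purpose HTML escaper."""
    return html.escape(value, quote=True)

def run_suite(encoder, vectors=VECTORS):
    """Return {vector name: actual output} for every vector that fails."""
    failures = {}
    for name, raw, expected in vectors:
        actual = encoder(raw)
        if actual != expected:
            failures[name] = actual
    return failures

def conformance_report(implementations):
    """Run the same vectors against each implementation under test."""
    return {label: run_suite(enc) for label, enc in implementations.items()}

if __name__ == "__main__":
    report = conformance_report(
        {"strict": strict_attr_encode, "stdlib": stdlib_escape})
    for label, failures in report.items():
        print(label, "PASS" if not failures else "FAIL")
        for name, actual in failures.items():
            print("   ", name, "->", actual)
```

The general-purpose escaper fails the "unquoted attribute" vector because it leaves spaces and `=` untouched, which is exactly the kind of behavioural difference between implementations that a shared test suite makes visible.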
Saturday, 11 June 2011
Fluent Sharp is now available at NuGet and VS Gallery
Thanks to Daniel Brzozowski, O2's Fluent API is now available at NuGet and VS Gallery.
- NuGet Package: http://www.nuget.org/List/Packages/FluentSharp_O2
- VS Gallery: http://visualstudiogallery.msdn.microsoft.com/83b25558-5cbb-4966-bb89-ff3d65693109
- CodePlex home: http://fluentsharp.codeplex.com/
Monday, 6 June 2011
FluentSharp - An API for .NET developers
Key to the OWASP O2 Platform environment is its ability to quickly write scripts and mini-tools. In fact I took that to such a level, that I now write O2 in O2 (i.e. without using VisualStudio).
At the core of O2 Scripting there is a .NET development environment (by default in C# but any .NET language is supported), and since O2 is starting to be used independently by developers, I separated the O2 core into a new API which I'm calling FluentSharp (see CodePlex project http://fluentsharp.codeplex.com/):
The main http://fluentsharp.codeplex.com/ page contains an example of how this API works and the reasoning behind the 'Fluent' concept.
I expect developers to embrace this API since it can improve their productivity, while creating smaller and more readable code. The first place to start is to use FluentSharp to build Unit-Tests and Integration-Tests (which once created can be extended into Security Tests using O2 :) )
Wednesday, 1 June 2011
Using O2 to exploit HacmeBank
Just posted this to the o2 mailing list:
Hi ..., no worries about being confused, O2 is VERY confusing for new users :)
On HacmeBank have you seen the O2 Scripts that automate a number of its exploits?
Here are a couple pointers for you to start:
- Main O2 page for hacmeBank: http://o2-ounceopen.com/wiki/HacmeBank
- The opensource version is here: http://code.google.com/p/owasp-hacmebank/
- O2 Scripts on HacmeBank
  - O2 BlackBox Analysis
    - API with core HacmeBank functionality: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/API_HacmeBank.cs
    - http://o2-ounceopen.com/wiki/HacmeBank%5CUnit_Tests_for_Vulnerabilities
    - http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/HacmeBank_BlackBox_Exploits.cs.o2 see here the video of this in action http://www.youtube.com/watch?v=T2XVufhJLig&NR=1
    - Here is a video on the current script that starts the local web servers: http://www.youtube.com/watch?v=vucYncGiClE&feature=related
  - O2 WhiteBox/Source-Code Analysis
    - http://o2-ounceopen.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC with explanation here http://diniscruz.blogspot.com/2010/05/major-o2-milestone-complete.html . Also using this script is this BlackBox and whiteBox Poc of HacmeBank SQL injection vulnerability: http://www.youtube.com/watch?v=MdObVD53Iyg&feature=related
    - http://o2-ounceopen.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
- I also started writing an installer script for HacmeBank which I have not completed (see if you can complete it)
Other resources:
- Nice video on how to exploit HacmeBank WebServices using SoapUI: http://www.youtube.com/watch?v=KftIvpRk7oQ
For more ideas on where to start on O2 see http://diniscruz.blogspot.com/2010/07/o2-platform-ideas-on-where-to-start.html
Finally here is an exercise for you:
"...reuse this HacmeBank IE Automation script
    public API_HacmeBank login(string userName, string password)
    {
        loginPage();                                // open the login page first
        ie.field("txtUserName").value(userName);    // fill in the user name field
        ie.field("txtPassword").value(password);    // fill in the password field
        ie.button("Submit").click();                // submit the login form
        return this;                                // return the API object so calls can be chained
    }
on this script (instead of the Altoro SQLi)
(the SQLi script above will fuzz the login sequence and take a screenshot after each request)
..."
Note that the scripts above are the ones that you will find in your local C:\O2\O2Scripts_Database\_Scripts folder.