Proposed workflow for breaking and analysing FVDL Files

Following the multiple blog entries prosted about O2's support for Fortify's FVDL, (sent to me by an O2 user) here is a description of a use-case that O2 should support:

I would shoot for the ability to disposition large *.fpr/*.fvdl files.

Here is a typical workflow:

1. Scan is run code base generating an *.fpr file

2. Code Reviews receive the file but because it is too large it cannot be opened by Fortify's tool.

3. Code reviewer uses O2 to open file and disposition or suppress issues by Category (XSS, SQL Injection, Path Tampering, etc.)

4. Code Reviewer then saves dispositions to *.fpr file.

5. The *.fpr is saved and on subsequent scan of the same application. The new.fpr file is merged with the old.fpr file.

6. The code reviewer works on the merged.fpr to disposition items.

7. Wash, rinse, repeat.

The data needs to be stored in the *.fpr file because most code assessment processes relies on merging the old fpr with the new *.fpr/*.fvdl on subsequent rereviews.

Next step(s) is to write a script(s) to implement this workflow, and try to figure the best GUIs to enable it.

What needs to be done to map Static Analysis Traces from Controllers and Views

Here is a reply I just posted on the O2 Mailing list, which provides a number of ideas on how to map/glue partial traces (i.e. traces that have sinks on Controllers and Sources on Views)

------------------------------------------

I think we are exactly on the same page, and welcome to the wonderful world of 'Framework behaviour mapping' :)

More FVDL scripting and example of (O2 created).NET Taint Flow trace

Here is a reply I just sent to a new O2 user that is trying to get his head around O2 Scripting (to parse, filter and visualize FVDL Files) , which also includes a link to a blog post with an example of what the O2 .NET Static Analysis engine is able to create:

"...I've pushed another blog post that should give you more ideas on what you can do with O2 scripting and FVDL files: http://o2platform.wordpress.com/2011/07/29/creating-the-the-util-view-fvdl-traces-h2-script-lots-of-data-analysis-code-samples (I wrote this last week, but run out of time to publish it then) ..."

Question: what do you mean by "connecting some related issues..an unsupported MVC pattern breaks the data flow from the controller to the view" ? Are you trying to connect the tain-flow traces? (for example a trace that starts in a Controller and continues on a View?)

If so, you need to take a look at what I was doing with the traces I used to get from the Ounce Labs engine. I was doing exactly that. 

There is quite a lot of scripts and code in O2 to support the joining of traces (from simple to complex use cases), so let me know if this is what you are trying to do (note that to really take advantage of O2, we should expand the current FVDL parser to create IO2Findings objects, since once we have that, we can use the existing O2 tools for Finding's viewing and Trace's joining (including Drag&Drop trace creation support)).

To see an example of the kind of traces you can do in O2, check this out .NET HacmeBank SQL Injection vulnerability trace example: http://o2platform.wordpress.com/2011/07/29/o2-net-ast-scanner-hacmebank-sql-injection-poc .

Note how that 'O2 created trace':

• starts on a URL (the real Source of tainted data), 
• then follows the taint flow into a server-side Textbox, 
• and into the WebService's call on the WebSite code
• and into the WebServices' method on the WebService's code (this was a separate trace that was joined with the first one), 
• and continues the taint follow until it reaches the Sql Injection Sink

101 O2 Platform Blog posts (by category) - on July 21st

If you are looking for info on O2 features and scripting capabilities, the best place to look is the O2 Blog (at http://o2platform.wordpress.com)

Here is the full list of the currently 101 entries (listed by category (the last post listed them by publish date)):

• .NET
  • Selecting a TabControl page in a Thread safe way
  • Humm ... .NET Random class is not Thread Safe?
  • Injecting O2 into another .NET Process (in this case NUnit.exe)
  • Adding an O2 Menu to Notepad++ and 'listen' to menu selections
  • Creating a custom version of 'O2 Quick Development Gui' environment (stand-alone and in aspx)
  • Changing a reference/dll value of a VS CSproj file
  • Removing C# class from C# file in multiple WSDL files
  • O2 Trick to complile with explict references
  • Scripting "O2 Tool - AST Search" to find Null references (.NET Static Analysis)
  • O2 Tool - AST Search (.NET Static Analysis)
  • O2 Script: consume webservices by using the WSDL's C#
  • O2 Script: Using Reflection to Invoke Bing Search Web Service
  • O2 Script: Dynamic creation of .Net Assemblies, Types, Methods, Properties and Fields
  • Making HttpRequest QueryString and Form Editable
  • Decomposing an Lamba method used in an O2 Script
  • Custom O2 for .NET Static Analysis
  • O2 Script: Create XSD and Assembly from XML file
  • Using Reflection to (try to) set .NET default proxy settings
  • Dealing with "The server committed a protocol violation. Section=ResponseStatusLine"
• EC2
  • O2 Platform Amazon EC2 Image (AMI)
  • Using 'Amazon S3 Browser' script to upload files to Amazon S3
  • New Amazon EC2 'image filtering focused' Extension Methods
  • Script to view Amazon EC2 Images List
  • Using the O2's Amazon EC2 API
  • New Amazon EC2 .Net API
  • Solved the problem with decryping AmazonEC2 Instance's password
  • Trying to Decrypt Amazon EC2 password using BouncyCastle and it is not working
  • Amazon EC2 Browser - Timer to Stop Instances
  • O2 Tool - Amazon EC2 Browser
• Fortify
  • Fortify FVDL Files - Simple Viewer based on PropertyGrid
  • Fortify FVDL Files - Looking at the API_Fortify classes that parse the fvdl data
  • Fortify FVDL Files - First working Parser and Viewer for *.fvdl files
  • Fortify FVDL files - Creating .NET classes that map to Fvdl xml structure
  • Fortify FVDL files - Creating an API and consumining it
  • Fortify FVDL files - Simple TableList Viewer Tool
  • Fortify FVDL files - Creating and consuming the schema and CSharp file
• IE Automation
  • Login into Starbucks (via BTOpenZone) using Browser Automation (Watin)
  • Visualizing the links in JPetStore (Spring MVC)
  • Writing an O2 'IE Automation' Script for JPetStore Account Creation
  • Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)
  • Using jQuery to consume an ASP.NET Ashx from JSON in two files
  • Creating a jQuery DataTable using serialized JSON object
  • Creating a jQuery jsTree using serialized JSON object
  • Invoking jQuery from O2
  • Trigger an Keypress event in IE
  • Script to fetch and present large number of Wordpress.com blog entries
  • O2 Script to automatically upload clipboard images to Wordpress.com
  • O2 Script: Util - Javascript Object viewer
  • IE Automation: Manipulating RadioButtons
  • Running Javascript in O2's IE Automation environment
  • O2 Script: DWR Functions Viewer and Invoker
  • O2 Util: Add sites to IE trusted zone
  • O2 Method: Adding sites to IE trusted zones
  • Using WatiN as a browser automation engine
  • O2 Script to perform a google search
  • Solving WebGoat Sql Injection lesson (3rd one)
  • O2 Script - Retrieving crossdomain.xml from Google
• Interoperability
  • Submit file to Veracode Trial: using Browser and Windows Automation (WatiN and White APIs)
  • Fortify FVDL Files - Simple Viewer based on PropertyGrid
  • Fortify FVDL Files - Looking at the API_Fortify classes that parse the fvdl data
  • Fortify FVDL Files - First working Parser and Viewer for *.fvdl files
  • Fortify FVDL files - Creating .NET classes that map to Fvdl xml structure
  • Fortify FVDL files - Creating an API and consumining it
  • Fortify FVDL files - Simple TableList Viewer Tool
  • Fortify FVDL files - Creating and consuming the schema and CSharp file
  • Using 'Amazon S3 Browser' script to upload files to Amazon S3
  • Using OpenPGP to Easily create temp PGP keys for secure file exchange
  • Injecting O2 into another .NET Process (in this case NUnit.exe)
  • Consuming Veracode Findings File(s) using O2
  • Adding an O2 Menu to Notepad++ and 'listen' to menu selections
  • Simple Windows UIAutomation example
  • O2 Script: loading data from an Xslx (OpenXml) file
  • O2 Script: Installing TortoiseSVN and ProcessExplorer
  • O2 Script: Creating a Git Clone using TortoiseGIT
  • O2 Script: adding the SSH Key to GitHub
  • O2 Script: automating PuttyGen to create Public and Private Keys
  • O2 Script: Automating TortoiseGit installation
  • O2 Util: Wordpress Editor
  • O2 Script - Creating PDFs with OWASP AppSec Brazil Certificates
  • IBM AppScan Source 7.0 Scripting: Viewing *.ozasmt file Contents
  • Accessing YouTube via its C# API
  • O2 Script: Twitter OAuth using TweetSharp
• Java
  • Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC)
• JPetStore
  • Submit file to Veracode Trial: using Browser and Windows Automation (WatiN and White APIs)
  • Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities)
  • Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
  • Simple Viewer to see JSP files (example using Spring MVC SPetStore)
  • Packaged Spring MVC Security Test Apps: JPetStore and PetClinc
  • Visualizing the links in JPetStore (Spring MVC)
  • Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC)
  • Viewing JPetStore Hsqldb database and couple more Autobinding issues
  • Writing an O2 'IE Automation' Script for JPetStore Account Creation
  • Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)
  • Creating an API for JPetStore Browser automation
  • O2 Script: 'Spring MVC Util - View Controllers'
  • O2 Script for "Spring MVC JPetStore - Start Servers" (start/stop apache and hsqldb)
  • O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
• jQuery
  • Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)
  • Using jQuery to consume an ASP.NET Ashx from JSON in two files
  • Creating a jQuery DataTable using serialized JSON object
  • Creating a jQuery jsTree using serialized JSON object
  • Invoking jQuery from O2
  • Trigger an Keypress event in IE
• Misc Topics
  • O2Script: Not Optimized fuzz string generator
  • Source code test
• Moq
  • Unit Test for HttpModule using Moq to wrap HttpRequest
  • Mocking HttpContext HttpRequest and HttpResponse for UnitTests (using Moq)
• O2 Internals
  • O2 Script to download O2 Reference DLLs from SVN
  • O2 Trick to complile with explict references
  • Decomposing an Lamba method used in an O2 Script
  • O2 Script: Downloading File
  • Creating an API to be consumed by an O2 Script
  • Consuming extension method from external file
  • Example of Custom O2 focused on a security consultant's need
  • Creating custom O2 Versions
  • Creating a Simple Ribbon Bar
  • 7th Oct - ClickOnce Publish
  • New blog engine for O2 Development related posts
• Spring MVC
  • Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities)
  • Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
  • Simple Viewer to see JSP files (example using Spring MVC SPetStore)
  • Packaged Spring MVC Security Test Apps: JPetStore and PetClinc
  • Visualizing the links in JPetStore (Spring MVC)
  • Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC)
  • Viewing JPetStore Hsqldb database and couple more Autobinding issues
  • Writing an O2 'IE Automation' Script for JPetStore Account Creation
  • Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)
  • Creating an API for JPetStore Browser automation
  • O2 Script: 'Spring MVC Util - View Controllers'
  • O2 Script for "Spring MVC JPetStore - Start Servers" (start/stop apache and hsqldb)
  • O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
• Veracode
  • Submit file to Veracode Trial: using Browser and Windows Automation (WatiN and White APIs)
  • Consuming Veracode Findings File(s) using O2
• videos
  • WebGoat - First Example of O2 WebGoat API
  • Writing an O2 'IE Automation' Script for JPetStore Account Creation
  • O2 Script: 'Spring MVC Util - View Controllers'
  • O2 Script for "Spring MVC JPetStore - Start Servers" (start/stop apache and hsqldb)
  • O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
• WatiN
  • Submit file to Veracode Trial: using Browser and Windows Automation (WatiN and White APIs)
  • Login into Starbucks (via BTOpenZone) using Browser Automation (Watin)
  • Using 'Amazon S3 Browser' script to upload files to Amazon S3
  • Visualizing the links in JPetStore (Spring MVC)
  • O2 Script to download O2 Reference DLLs from SVN
  • Writing an O2 'IE Automation' Script for JPetStore Account Creation
  • Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)
  • Creating an API for JPetStore Browser automation
  • O2 Script for "Spring MVC JPetStore - Start Servers" (start/stop apache and hsqldb)
  • O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
  • Creating a jQuery DataTable using serialized JSON object
  • Creating a jQuery jsTree using serialized JSON object
  • Invoking jQuery from O2
  • Trigger an Keypress event in IE
  • O2 Script to automatically upload clipboard images to Wordpress.com
  • O2 Tool - Amazon EC2 Browser
  • IE Automation: Manipulating RadioButtons
  • O2 Script: Testing for RDP server
  • Running Javascript in O2's IE Automation environment
  • O2 Util: Wordpress Editor
  • O2 Method: Adding sites to IE trusted zones
  • Using WatiN as a browser automation engine
  • O2 Script to perform a google search
  • Solving WebGoat Sql Injection lesson (3rd one)
  • O2 Script - Retrieving crossdomain.xml from Google
  • O2 Script: Twitter OAuth using TweetSharp
• WebGoat
  • WebGoat - First Example of O2 WebGoat API
• Windows Tools
  • Using OpenPGP to Easily create temp PGP keys for secure file exchange
  • O2 Script: Quick File Viewer
  • O2 Script: Testing for RDP server
  • O2 Script Sequence: Creating a Windows Registry Viewer
  • Util - Font Viewer.h2
• WS
  • O2 Script: consume webservices by using the WSDL's C#
  • O2 Script: Using Reflection to Invoke Bing Search Web Service
  • Using a webservice to get the IP Address

101 O2 Platform Blog posts (by publish date) - on July 21st

If you are looking for info on O2 features and scripting capabilities, the best place to look is the O2 Blog (at http://o2platform.wordpress.com)

Here are the full list of the currently 101 entries (here listed by publish date (next post will list them by category))

• WebGoat - First Example of O2 WebGoat API (21 July 11)
• Submit file to Veracode Trial: using Browser and Windows Automation (WatiN and White APIs) (20 July 11)
• Login into Starbucks (via BTOpenZone) using Browser Automation (Watin) (20 July 11)
• Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities) (19 July 11)
• O2 Platform Amazon EC2 Image (AMI) (18 July 11)
• Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore) (18 July 11)
• Simple Viewer to see JSP files (example using Spring MVC SPetStore) (18 July 11)
• Packaged Spring MVC Security Test Apps: JPetStore and PetClinc (18 July 11)
• Fortify FVDL Files - Simple Viewer based on PropertyGrid (18 July 11)
• Fortify FVDL Files - Looking at the API_Fortify classes that parse the fvdl data (18 July 11)
• Fortify FVDL Files - First working Parser and Viewer for *.fvdl files (18 July 11)
• Selecting a TabControl page in a Thread safe way (18 July 11)
• Fortify FVDL files - Creating .NET classes that map to Fvdl xml structure (17 July 11)
• Fortify FVDL files - Creating an API and consumining it (17 July 11)
• Fortify FVDL files - Simple TableList Viewer Tool (17 July 11)
• Fortify FVDL files - Creating and consuming the schema and CSharp file (16 July 11)
• Using 'Amazon S3 Browser' script to upload files to Amazon S3 (16 July 11)
• Humm ... .NET Random class is not Thread Safe? (16 July 11)
• Visualizing the links in JPetStore (Spring MVC) (15 July 11)
• Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC) (15 July 11)
• Using OpenPGP to Easily create temp PGP keys for secure file exchange (15 July 11)
• O2 Script to download O2 Reference DLLs from SVN (13 July 11)
• Viewing JPetStore Hsqldb database and couple more Autobinding issues (13 July 11)
• Writing an O2 'IE Automation' Script for JPetStore Account Creation (13 July 11)
• Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example) (13 July 11)
• Creating an API for JPetStore Browser automation (13 July 11)
• Using jQuery to consume an ASP.NET Ashx from JSON in two files (12 July 11)
• O2 Script: 'Spring MVC Util - View Controllers' (12 July 11)
• O2 Script for "Spring MVC JPetStore - Start Servers" (start/stop apache and hsqldb) (12 July 11)
• O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore (11 July 11)
• Injecting O2 into another .NET Process (in this case NUnit.exe) (07 July 11)
• Consuming Veracode Findings File(s) using O2 (01 July 11)
• Adding an O2 Menu to Notepad++ and 'listen' to menu selections (30 June 11)
• Creating a custom version of 'O2 Quick Development Gui' environment (stand-alone and in aspx) (30 June 11)
• Changing a reference/dll value of a VS CSproj file (27 June 11)
• Removing C# class from C# file in multiple WSDL files (25 June 11)
• Creating a jQuery DataTable using serialized JSON object (21 June 11)
• Creating a jQuery jsTree using serialized JSON object (21 June 11)
• Simple Windows UIAutomation example (18 June 11)
• O2 Trick to complile with explict references (16 June 11)
• Invoking jQuery from O2 (08 June 11)
• Trigger an Keypress event in IE (06 June 11)
• New Amazon EC2 'image filtering focused' Extension Methods (17 April 11)
• Script to view Amazon EC2 Images List (16 April 11)
• Using the O2's Amazon EC2 API (16 April 11)
• New Amazon EC2 .Net API (16 April 11)
• Solved the problem with decryping AmazonEC2 Instance's password (16 April 11)
• Script to fetch and present large number of Wordpress.com blog entries (16 April 11)
• O2 Script to automatically upload clipboard images to Wordpress.com (16 April 11)
• Trying to Decrypt Amazon EC2 password using BouncyCastle and it is not working (16 April 11)
• Scripting "O2 Tool - AST Search" to find Null references (.NET Static Analysis) (10 April 11)
• O2 Tool - AST Search (.NET Static Analysis) (10 April 11)
• Unit Test for HttpModule using Moq to wrap HttpRequest (10 April 11)
• Amazon EC2 Browser - Timer to Stop Instances (10 April 11)
• O2 Tool - Amazon EC2 Browser (08 April 11)
• Mocking HttpContext HttpRequest and HttpResponse for UnitTests (using Moq) (05 April 11)
• O2Script: Not Optimized fuzz string generator (04 April 11)
• O2 Script: consume webservices by using the WSDL's C# (03 April 11)
• O2 Script: Using Reflection to Invoke Bing Search Web Service (03 April 11)
• O2 Script: Dynamic creation of .Net Assemblies, Types, Methods, Properties and Fields (02 April 11)
• O2 Script: Util - Javascript Object viewer (31 March 11)
• IE Automation: Manipulating RadioButtons (31 March 11)
• O2 Script: Quick File Viewer (26 March 11)
• Making HttpRequest QueryString and Form Editable (25 March 11)
• O2 Script: loading data from an Xslx (OpenXml) file (24 March 11)
• Decomposing an Lamba method used in an O2 Script (24 March 11)
• O2 Script: Installing TortoiseSVN and ProcessExplorer (18 March 11)
• O2 Script: Creating a Git Clone using TortoiseGIT (18 March 11)
• O2 Script: adding the SSH Key to GitHub (18 March 11)
• O2 Script: automating PuttyGen to create Public and Private Keys (16 March 11)
• O2 Script: Automating TortoiseGit installation (15 March 11)
• Custom O2 for .NET Static Analysis (09 March 11)
• O2 Script: Testing for RDP server (08 March 11)
• Running Javascript in O2's IE Automation environment (08 March 11)
• O2 Script: DWR Functions Viewer and Invoker (07 March 11)
• O2 Script: Downloading File (06 March 11)
• O2 Util: Wordpress Editor (04 March 11)
• O2 Util: Add sites to IE trusted zone (04 March 11)
• O2 Script Sequence: Creating a Windows Registry Viewer (04 March 11)
• O2 Method: Adding sites to IE trusted zones (04 March 11)
• Using WatiN as a browser automation engine (28 February 11)
• Creating an API to be consumed by an O2 Script (20 February 11)
• Consuming extension method from external file (20 February 11)
• O2 Script: Create XSD and Assembly from XML file (20 February 11)
• O2 Script - Creating PDFs with OWASP AppSec Brazil Certificates (04 December 10)
• O2 Script to perform a google search (04 December 10)
• Solving WebGoat Sql Injection lesson (3rd one) (03 December 10)
• O2 Script - Retrieving crossdomain.xml from Google (02 December 10)
• Using a webservice to get the IP Address (26 November 10)
• Using Reflection to (try to) set .NET default proxy settings (03 November 10)
• Example of Custom O2 focused on a security consultant's need (02 November 10)
• Creating custom O2 Versions (02 November 10)
• Util - Font Viewer.h2 (02 November 10)
• IBM AppScan Source 7.0 Scripting: Viewing *.ozasmt file Contents (02 November 10)
• Dealing with "The server committed a protocol violation. Section=ResponseStatusLine" (20 October 10)
• Accessing YouTube via its C# API (19 October 10)
• O2 Script: Twitter OAuth using TweetSharp (18 October 10)
• Creating a Simple Ribbon Bar (18 October 10)
• 7th Oct - ClickOnce Publish (07 October 10)
• New blog engine for O2 Development related posts (07 October 10)
• Source code test (30 April 10)

Current O2 support for analyzing Spring MVC

During the past week I spent some time documenting O2's support for Spring MVC apps.

There is still quite a lot to do before we can do a proper security analysis of the JPetStore and PetClinic applications (for example 'mapping the JSPs to the controllers'), but hopefully these blog posts show the kind of analysis that is possible using O2:

O2 Platform Amazon EC2 Image (AMI)

I did this a while back, but somehow forgot to make reference to it.

If you have an Amazon AWS (EC2) account, you can now use it to fire up a preconfigured Windows Image with O2 on it :)

Here is a blog post with more details: http://o2platform.wordpress.com/2011/07/18/o2-platform-amazon-ec2-image-ami/

Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)

If you want to use O2 on Spring MVC apps that use Annotation-Based controllers, there is an O2 module that you can use which will allow you to view/test those controllers (including the Autobinding elements)

Here is a blog post that shows how it works: Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities)

This is quite an old O2 module (using the previous GUI), but what I really like about it, is that it shows how static analysis can be used to drive black box tests (which is the best way to perform blackbox reviews).

What we really need next, is to convert this code into the new 'O2 Script based world' and into the Spring MVC mappings classes (as shown in the JPetStore example).

Using O2 to Parse and Visualize Fortify's FVDL files

Following a request from an O2 user that needed to parse an 430Mb FVDL file (which Fortify's own tool couldn't open), during the last weekend I created a parser and couple visualizing tools so that now we can use O2 to consume FVDL files (as sample files, I used the data published by NIST SAMATE on its SATE 2008 project)

I took the time to document my process and workflow on a series of blogs posts. These posts show how to go from a raw XML file into a easily consumable and highly scalable solution/toolkit. They are a good example of the type of workflows that O2 has been designed to enable.

Here are the blog posts (with the newest on top since those are the ones with the final result)

• Fortify FVDL Files – First working Parser and Viewer for *.fvdl files 
• Fortify FVDL Files – Simple Viewer based on PropertyGrid 
• Fortify FVDL Files – Looking at the API_Fortify classes that parse the fvdl data 
• Fortify FVDL files – Creating .NET classes that map to Fvdl xml structure
• Fortify FVDL files – Creating an API and consumining it
• Fortify FVDL files – Simple TableList Viewer Tool 
• Fortify FVDL files – Creating and consuming the schema and CSharp file 

I'm pretty happy with the end result, since it was quite easy to write the parser, and the end solution scales very nicely. Also as you will see, there is a LOT of great data that is included inside the original XML file, so the next step is to build a couple more tools to filter/view/visualize it (for example: a view that filters the vulnerabilities by type/severity and shows the traces using the included code-snippets)

If you have access to Fortify FVDL files, please give this tool a test-drive and see if you can spot any issues with the XSD that was created (we also will most likely need to create special parsing methods to deal with the variations between the multiple versions of FVDL files).

Another issue with the .NET Random class

OK, maybe it is just me, but I was not aware that the random class was not Thread Safe (I was aware that it is recommended that you don't create a new Random object on every use).

I just documented my findings/experience at the O2 Blog http://o2platform.wordpress.com/2011/07/16/humm-net-random-class-is-not-thread-safe/ and, I have to say that I have the feeling that there are a number of security vulnerabilities out there created by this behaviour (think of an multi-thread environment which receives a lot of traffic and uses the Random class for session/key/token/id generation).

And since it requires a certain number of requests/threads to trigger the problem, it might not be easy to detect, debug and/or replicate (note that Random doesn't fail safely... i.e. once the race condition is triggered, it will just return 0).

Here are a couple projects that (look like they) use the Random class: http://www.google.com/codesearch#search/&q=%22new%20Random%22%20lang:%5Ec%23$&type=cs

New design for o2platform blog and links to post categories

UPDATE: See also New design for this blog

I just spent some time at the O2 Blog where I selected a new theme and categorized all 80 posts.

See image below for the new look, or visit http://o2platform.wordpress.com/ directly (please let me know what you think of).

Details of Today's O2 Spring-MVC focused webcast

Hi, in case you want to join in, here are the are the main links for today's event (Analysing a Spring MVC App (JPetStore) using the OWASP O2 Platform)

• The webcast is done using join.me and you can access it by visiting this link: https://join.me/135-208-702
• You can download the demo files from here: http://s3.amazonaws.com/Demo_Files/jPetStore%20-%20O2%20Demo%20Pack.zip
• If you haven't installed O2, now would be a good time to do it: http://code.google.com/p/o2platform/downloads/list

See you at the WebCast (via https://join.me/135-208-702)

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2

O2 Webcast: "Analysing a Spring MVC App (JPetStore) using the OWASP O2 Platform"

I just setup the following webcast at EventBrite: Analysing a Spring MVC App (JPetStore) using the OWASP O2 Platform

Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities

On the Spring MVC topic, I added a couple more blog posts and video to the O2 developer blog:

• http://o2platform.wordpress.com/2011/07/13/viewing-jpetstore-hsqldb-database-and-couple-more-autobinding-issues/
• http://o2platform.wordpress.com/2011/07/13/writing-an-o2-ie-automation-script-for-jpetstore-account-creation/ with supporting YouTube video http://www.youtube.com/watch?v=J4Ojqzb6qsw
• http://o2platform.wordpress.com/2011/07/13/injecting-firebuglite-and-jquery-into-a-ie-automation-page-jpetstore-example/
• http://o2platform.wordpress.com/2011/07/13/creating-an-api-for-jpetstore-browser-auto/

I also noticed that using the same autobinding vulnerability, it is possible to change the quantity of the item being purchased to a negative value which has interesting implications on the current purchase and more importantly on the global (to JPetStore) 'item stock quantity' value.

I have not scripted this latest issue, but if you want looking at trying these scripts, why don't you have a go at writing it?

:)

Reaching out to Spring Developers

I just posted an entry on the Spring Framework forums http://forum.springsource.org/showthread.php?111901-Security-Vulnerabilities-with-JPetStore-and-visualization-of-the-AutoBinding-Issues which hopefully will get some tracking from their side.

I will reach out to my contacts over there (Spring Source), but if you know somebody at SpringSource (or at a heavy user of Spring MVC) please put them in touch.

Thanks

Finally ... here is how I have been analysing Spring MVC apps using O2

One of the greatest challenges I always had when reviewing Spring MVC applications, was to gain a full picture of its controllers, and more importantly its CommandClasses (i.e. the POJOs that are AutoBinded by Spring and who are a common source of high/critical vulnerabilities in Spring MVC apps).

The way I approach these problems (visualizing/understanding Spring, Struts, DWR, Sharepoint, etc...), is to write scripts that consume the Application's articfacts (web.xml, *-servlet.xml, source-code, class files) and then consolidate that information in 'easy' (or easier) to undersand visualizations.

Unfortunally most of the great examples that I had in the past were built on top of Client code, so I couldn't really share them. But finally, the O2 Scripts have reached a level of maturity that it was easy to create a generic version of them for Spring's MVC Demo application: JPetStore.

"Two Security Vulnerabilities in the Spring Framework’s MVC" pdf (from 2008)

(update: see Finally ... here is how I have been analysing Spring MVC apps using O2 post for an update on how to exploit and visualize these issues using O2)

Since the Ounce website doesn't exist anymore, here is the link to the "Two Security Vulnerabilities in the  Spring Framework’s MVC" we published 3 years ago, which unfortunately it is still very relevant today.

Reaching out to .NET developers (in this case Nunit)

I just posted the text below to NUnit's main mailing list. This is something that I've wanting to do for a while, and finally I think that O2 is reaching a level of maturity that developers of other tools will find it interesting, and will adopt parts of it.

This is all part of the strategy of building bridges with developers, to add value to their world, and to allow us to speak the same language.

In this case, if we can get a good dialog with the NUnit folks, I would love to add 'security focussed Unit Tests' to the NUnit Community

"...
Hi, I'm the main developer of the OWASP O2 Platform (see http://o2platform.com and http://o2platform.wordpress.com) and I just wrote a blog post that you might find very interesting:

• Injecting O2 into another .NET Process (in this case NUnit.exe): http://o2platform.wordpress.com/2011/07/07/injecting-o2-into-another-net-process-in-this-case-nunit-exe/

O2 Platform is a .NET application that has a number of very powerful Reflection APIs. It also makes extensive use of Fluent APIs which you can see a published example here: fluentsharp.codeplex.com

As part of that PoC there is also an O2 Command Prompt that popups up which allows direct access to NUnit's Gui and memory objects. This would be very useful for NUnit developers since it would allow them to have direct access to the GUi controls without needing to recompile and execute the application.

Feel free to contact me if you have further questions or want to see a demo of this in action

Dinis
..."

Injecting O2 into another .NET Process (in this case NUnit.exe)

Here is an O2 script that I wrote while delivering O2 Training to a Company in Phoenix (as a PoC of how O2 could be further integrated into their SDL).

Check out this blog post for screenshots and the code that make this happen: http://o2platform.wordpress.com/2011/07/07/injecting-o2-into-another-net-process-in-this-case-nunit-exe/
In the past I also did the same for Fiddler, where I was able to modify its GUI and decouple a bunch of its windows.

Just to make this clear, with this technique you can take control of any .NET app and (from an O2 Script) completely manipulate its GUI (and features)

Dinis Cruz

IronJS looks very interresting

Need to take this for a test drive:

• https://github.com/fholm/IronJS
• https://github.com/fholm/IronJS/wiki
• https://github.com/fholm/IronJS/wiki/Creating-a-hosting-context
• http://ironjs.wordpress.com/
• http://newcome.wordpress.com/2010/05/25/embedding-ironjs/ and http://newcome.wordpress.com/2011/03/13/embedding-ironjs-part-ii/
• http://blog.dotsmart.net/2011/04/20/first-steps-with-ironjs-0-2/
• http://dotnet.dzone.com/articles/pumping-iron-javascript
• http://dlr.codeplex.com/

Javascript related and also interesting:

• http://newcome.wordpress.com/2010/05/08/node-net-node-js-implemented-in-javascript-on-the-net-runtime/
• http://wtfjs.com/

If you are looking for an WebAppSec job in Boston...

...here are a couple cool positions from SecurityInnovation

Posted today (1st July 2011) in http://news.ycombinator.com/item?id=2719028 by Joe Basirico ...

"...
Security Innovation's (http://securityinnovation.com) team of amazing hackers is hiring (Boston, MA).

I'm looking to hire a couple awesome security professionals for our Boston office.

We assess a wide range of really interesting technologies, from web apps to mobile to crypto. You have to have a true passion for security, most of the team does this on their off time and it's all we talk about.

If you dream in hex, clickjack for breakfast, exploit XSS, SQLi and CSRF for lunch, Buffer Overflows and Format String Vulns for Dinner and some AuthN/AuthZ hijacking for a midnight snack you're our kind of candidate.

You'll have time and budget to do research, go to and speak at conferences, and build tools that will change the internet (We helped develop Firesheep, if you remember that).

You can e-mail me directly: jbasirico at securityinnovation dot com for more information.

Check out our postings:

• http://securityinnovation.recruiterbox.com
• http://www.linkedin.com/jobs?viewJob=&jobId=171832
• http://www.linkedin.com/jobs?viewJob=&jobId=1718256

..."