Friday 14 December 2012

CI is the Key for Application Security SDL integration

The more time I spent with CI (namely with TeamCity) the more my instinct is saying ‘this is how we should be delivering and automating security knowledge!'.

OWASP project reboot spent funds (not a lot spent so far)

From Alison here are the latest numbers from the OWASP Project Reboot 2012 initiative:


Humm, from the numbers in there, it looks like only the CISO Guide spent some funds

TeamMentor global search, duplicate articles and a new ‘Any’ Library

In the 3.2 version of TeamMentor image
there is a Library per technology (.Net, Android, C++, iOS, Java, PHP) and type (CWE, PCI DSS Compliance):

Wednesday 12 December 2012

Rewiting Git History (locally and at GitHub)

When fixing the ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor

I ended up with a number of Git Commits: locally image 

ASP.NET WCF REST help page ‘Memory gates checking’ error at AppHarbor

Here is an weird one....

Just did an TeamMentor auto-deploy (via a GitHub push that triggered AppHarbor via a webhook) and the published site is running OK (on the deployed AppHarbor server) ....

Problem with Environment.SpecialFolder.ApplicationData in Azure

While I was testing the TeamCity auto deployment from Git to Azure, I hit on an weird bug where TeamMentor's website would look (and load) OK in AppHarbor, but would fail in Azure.

Stylizer - Real-time CSS Editing

The Stylizer looks really powerful for CSS editing and customization. I really liked it’s video page which provided a great overview (and learning environment) for Stylizer multiple features (it is a great way to quickly and effective present a product)

Monday 10 December 2012

Testing an WCF Rest Service directly and via a local instance created by WebServiceHost

Here is an example of a simple REST based WebService which is tested using 3 techniques:

  • IIS
  • Direct object creation
  • Locally hosted instance of the WCF service (using .Net's WebServiceHost class)


Windows Azure is what IIS 7.5 should be

The more I look at Windows Azure (while dealing with IIS deployment automation issues in TeamMentor) the more I fell that Windows Azure is what IIS 7.5 (or 8) should be.

What is really good about Windows Azure is its deployment and versioning capabilities (you can even deploy via git pushes these days). And apart from the webserver bit, most of IIS' Gui is focused on website deployment (which is what Azure does really well).

JustCode is following VisualStudio 2012 bad Design decisions

I’m trying to avoid using VisualStudio 2012 because not only I haven’t seen any feature that I need, its ‘lets remove all the color Design’ is just horrible.

And what is really annoying, is that VisualStudio 2012 (very bad) Design decision are then followed by VisualStudio extension vendors (like JustCode) who create a Gui that looks like this (in VS 2010):

Minimum required files to run git.exe on windows (for clone, push and pull)

I want to add native Git support to TeamMentor (and O2) and don't want to ship the entire git folder structure that is installed with msysgit

Some JustCode compilation issues (on .NET 4.0 dynamic keyword and method default parameters)

I’m giving JustCode another go and it doesn’t seem to like some .Net 4.0 features (which btw compile ok in VisualStudio):

Sunday 9 December 2012

Two great posts on Gamification

From TechCrunch’s Tadhg Kell here are two great articles that explain the Gamification concept really well:
His core idea is that Gamification boilds down one of to three things: validation, completion and prizes

Adding a C# REPL Script to Windows Live Writer

Let’s give Windows Live Writer 'Copy and Paste of images' feature a test-drive by documenting how to inject a C# REPL script into it

Software Labels – Jeff’s OWASP AppSecDC 2010 presentation (another dropped good idea)

An old idea from Jeff Williams (which is spot on) is the need to apply Labels to Software and Web Applications.

The concept is simple, but its implementation is really hard, because of the lack of quality standards/metrics in our industry

Signs of a well Designed Feature

A well Designed Feature (i.e. that works) is one that, for a particular task (like coping and pasting images on this blog) gives its user the feeling that:
  • initially the new workflow just seems simpler and a little bit faster (when compared with the preview one)
  • after a while, how it worked before goes kinda misty
  • but, if the previous one has to be used again, it will seem REAAALLLLY slow and cumbersome!
Of course that in reality, the change is never that big, but once the user feels/understands the new version, using the old one is just painful.

Why does trying some Windows Live Writer Plug-ins expose me the total system compromise

As you can see on the Trying a couple more Windows Live Code Formatters post, I tried a number of Live Writer Plug-ins before I found one that I liked.
But if you notice (just to try a couple plug-ins!) I had to install a bunch of MSIs and give them full access to my box! And after installing those plug-ins run with Full Trust (again being able to do whatever they want to any of my windows processes)
This is crazy, this is faith-based security.

Trying a couple more Windows Live Code Formatters

As you can see at the end of the  Failing to use Windows Live Writer 2011 (and going back to 2009) the highest ranking (and recommended by default) code formatting plug-in didn’t work. So let’s try  a couple more:

Failing to use Windows Live Writer 2011 (and going back to 2009)

As you can see at the end of Using Window Live Writer to write Blogger posts I originally started using the 2009 version, so I tried use the 2011 and it failed miserably because, Copy and Paste doesn’t work anymore!!!! This is crazy!! Why???

Using Window Live Writer to write Blogger posts

As per this @shanselman reply https://twitter.com/shanselman/status/277514388376784896 (following a question I asked @troyhunt) I’m giving Windows Live Writer 2009 a try, and it seems to support Blogger, and (more importantly  copy and past of images (with auto upload to Picassa) which is exactly what I wanted (see The 'Sync Design Problem' of adding images to this blog for a description of the problem I had)

Saturday 8 December 2012

Just Uninstalled ReSharper

The performance hit was just too much, and since I got a reply from JustCode I will give it another try

Thursday 6 December 2012

Just tried JustCode and its a shame they don't support ExtensionMethods

I just gave JustCode VisualStudio Extension a test drive (which amazingly still hasn't entered the SAST market) and although I really liked what I saw (and felt much better/faster than resharper) it had a critical problem, where it failed to recognise the FluentSharp's Extension Methods in TeamMentor:

What a 'salad of DLLs' are the ASP.NET MVC 4.0 template projects

I was taking a look at ASP.NET MVC 4.0 to see how easy it would be to use its routing engine for TeamMentor REST API, and its just ridiculous the sheer amount amount of dependencies that it required (as per the the test/template projects).

ASP.NET Support in SAST and IBM F4F

At the moment (Dec 2012) my understanding is that all SAST tools struggle to scan/understand ASP.NET MVC apps.

The only way to really support/understand/scan ASP.NET MVC is to map how that framework works/behaves (I don't think any SAST vendor/tool does that),  and as with any Framework, there is a lot to map:
  • The controllers (equivalent to WebService's methods, which need to be marked as Tainted-Sources/Callbacks)
  • The controller's authorization/authentication mappings (done using Attributes)
  • The Autobinded Models
  • The Views mappings (i..e what views are connected to what controllers)
  • The MVC Execution life cycle
  • The auto-encoding (or not) of view controls (and new display engines like razor)

How to use TeamMentor for training?

Another area that I really would like to see pushed is the idea/concept to use TeamMentor (TM) materials for training.

And by training I don't just mean class-room or ICT. A key element of TeamMentor is the idea that it is a 'Mentor'  And mentors are by definition teachers :)

So how can TM be used in short (and in bursts) training sessions? (or knowledge transfers)

Feedback on TeamMentor webcast (with Ideas to make TeamMentor better)

Danny Harris saw the 'Streamline the Fix' Webcast, liked what he saw, and sent us great feedback

Here is what he sent (unedited by me):

Simple, Unique, Valuable - Lenovo Design Principles

Just saw on BBC the Rory in China: Lenovo's quest to be cool article which has an interesting 2m interview with Yao Yingjia (Lenovo's Jonathan Ive) where he talks about his views on design (and how it is 24/7 frame-of-mind)

In there Yao talks about what he calls Lenovo's Design Principles which are: Simple, Unique and Valuable

These are pretty good concepts and I really liked the way Yao was talking about design.

I couldn't find a page about Lenovo's Design Principles (the top link was this post that links to a Fast Company article on  9 Principles For Great Branding By Design), so I guess Lenovo still has a bit to go in publishing their internal ideas and visions :)

That said, Lenovo's Design Blog seems like a good start

Wednesday 5 December 2012

O2 Light - Dual Scan and Code Fix Tag (2009)

Here is a PoC I wrote in 2009 (post OunceLabs IBM acquisition) of a mini tool (with drag-n-drop support) that:
  • Fired up scans of Ounce 6 and AppScan Developer (the two SAST engines that IBM had at the time)
  • Imported both set of scan Findings to O2
  • Created consolidated list of Findings (i.e. findings that existed in both sets of results)
  • Showed consolidated Findings to user (with ability to open them in Ounce 6)
As with the OunceLabs WebScan Module this O2 Light - Dual Scan and Code Fix Tag module (downloadable from here) doesn't build in VisualStudio anymore, but I was able to get a couple screenshots from VisualStudio's Control Designer.

OunceLabs WebScan Module (with 'Will It Scan' feature)

Back in the days (2008) I created a PoC for OunceLabs engine where it was possible to trigger scans via a website.

I found the files but there were a number of missing dependencies (like some JNBridge stuff which was shipped with last version of the OunceLabs product (pre IBM)).

So the best I can do is to open it in VisualStudio and show the aspx pages in design view.

Notes on JSP TLD injection

Another oldie pdf I found on my archive which contains some interesting notes on xss injection on JSPs TLDs (this is probably the smallest pdf I've posted here for a while).

What is interesting about the JSP TLD is that there are two parsing stages (which affect the payloads/exploits/vulnerability state)

IIS permission problem on TM deployment ('race condition' like)

We're having an 'interesting' IIS deployment problem in one of TeamMentor live servers (running IIS 7.5)

After installing an TM library (using the technique show in the Installing New Libraries via control panel video) I was faced with this:

Unedited TeamMentor 3.2 Feedback

Here is some nice feedback I received today from a fellow security consultant whom I showed TeamMentor via a join.me session (which works great for this kind of 'quick remote desktop sharing' sessions)

"...So my initial thoughts were why does not every software organization has a copy of this, it seems like a no brainer to me. I haven't spent much time with the product but here is what I like from what I saw this morning:

Comparing two GitHub Issues List

Is there a way to compare two GitHub Issues lists?

What I need is a programatic way to compare the items that exist in two GitHub repositories (repo A and repo B),  do a diff, and list the ones that don't exist in repo B (i.e. which ones were not copied from repo A to repo B)

Tuesday 4 December 2012

Implementing S4 - Source-code Security Scanning Services - v0.5.pdf (2008)

From the OunceLabs archives here is a document I wrote back in 2008 that provides a roadmap (and template) for companies (or team) that want to implement a S4 (Source-code Security Scanning Services)

I never finished this document, but there are lots of good (and battle-proven) ideas in there :)

Interesting Encoding problem with TeamMentor Japanese translation

Here an interesting prob I had to deal today with the first pass of TeamMentor's translation into Japanese.

The translation phase was quite sweet. We sent the TeamMentor Xml files file to the translation company, which they were able to plug into their system, and once completed, they send us back a zip with the translated xml files :)

That zip was then uploaded (via drag and drop) into a TM test server (see video of that workflow here) and it all worked .... except for the metadata and filters:

O2 Presentation - from Jan 2009

Here is a presentation I delivered about O2 to OunceLabs (before the acquisition).

It's pretty cool to see the position (for O2) I had back then, and how that is still very relevant today (it's a bit depressing that the industry has not moved much in the last 4 years)

F1 How To - Scanning HacmeBank WebServices v0.6 (from 2008)

Another one from the O2 Archives, here is a pdf (shown below) that I wrote in June 2008 that showed how to use F1 (what the O2 Platform used to be called before it was Open Sourced) to scan HacmeBank Website and WebServices

Check out the consolidated graphs that I was able to create at the time. Pretty cool way to visualize multiple traces in one graph :)

The 2nd part of the document, shows how F1 was used to auto-create-callbacks (i.e. tainted sources) in the OunceLabs engine (this feature has since been added to the latest version of IBM AppScan Source)

ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)

Here is a old pdf that I wrote ages ago (Sep 2008) that documents a couple Spring MVC AutoBinding vulnerabilities (similar to the ones shown in Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform)

IBM AppScan Standard, Source and VisualStudio (in the same GUI/App)

Here are some cool screenshots sent to me by an O2 user, that used the technique shown in Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings) to create a GUI, where windows from AppScan Standard (.Net app), AppScan Source (Java app) and VisualStudio (C++/.NET/WPF app) are shown side by-by-side (fully functional) in an external process.

Bellow you can see the four Windows in action:

  • Top Left: Findings TreeView from AppScan Standard (.Net)
  • Top Right: Code Editor from VisualStudio (C++/WPF)
  • Bottom Left: Trace View from AppScan Source (Java)
  • Bottom Right: Guidance from AppScan Standard (WebBrowser)

OWASP Press and using LeanPub with GitHub and DropBox

As mentioned on my 934 page eBook/PDF with this blog from LeanPub.com post, Dennis Groves has found a way to use GitHub with DropBox to manage the workflow of creating eBooks using LeanPub

This is really great stuff, and you can read the details at his  OWASP Press post.

Slides for 'Streamline the Fix' Webcast

Just posted on SlideShare the slides we are going to present later today at the Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process Webcast (register here)

Monday 3 December 2012

TeamMentor Webcast I'm doing Tomorrow (on how to use TM to help fixing vulnerabilities)

If you want to take a look at TeamMentor, I'm doing a Webcast tomorrow (4th Dec 2012) on the topic Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process

You can register here and let me know if there is a specific scenario you would like me to cover



When is the next OWASP Summit!!!!!

Looking at the OWASP Summit pictures reminded me of the amazing experience that the OWASP Summit 2011 was. There was so much positive energy in the air and we got much done (see the final report and the session's outcomes).

We need another one!!!!

Surely we can have one in 2013!

It's nice to get a compliment, and please go and HUG an FOSS project today

The thing about Open Source development is that there is this weird 'coding to the fog' situation where the number of feedback that is received is SO small that it takes a lot of 'self-motivation' to keep going (specially at a high speed/energy level).

For example, I received today this really nice comment from Steven regarding the talk I did last week  (where I presented a variation of Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings) ):

...I was amazed by your work on O2, in fact so baffled I forgot to give you a standing ovation at the end of your talk at the OWASP Benelux days...

And it's nice to hear this ....  thanks Steven, it means a lot to me :)

OWASP Revenue Splits and the "Non-profits have a charter to be innovators"

Seth Godin recent post on Non-profits have a charter to be innovators is really spot-on, and very accurately describes the problem that (I believe) exits today at OWASP

When Seth mentions that non-profits usually say: '...We're doing important work. Our funders count on us to be reasonable and cautious and proven, because the work we're doing is too important to risk failure...',  he could be speaking on behalf of a number of OWASP Leaders, since I have heard many variations of that phrase at OWASP before (in fact you will see such variation later on this post)

Contrary to what a lot of OWASP core leaders (the ones that care and spend time on 'OWASP the entity') believe, OWASP doesn't have a lack of funds problem!

OWASP has a 'how to spend money' problem 

and a

'Not spending enough OWASP funds' problem!

Sunday 2 December 2012

I never liked the term 'Rugged Software', what about Robust/Resilient Software?

I still have not fully rationalised why I don't like (as security professional and as a developer) the term (and some parts of the concept) of the Rugged Software

Recently when talking about similar concepts (i.e. writing secure code/applications) I found myself talking about the need to create Robust/Resilient Applications.

Isn't Resilient Software a better term to describe applications/code that are able to correctly handle, mitigate and react to malicious behaviour/input?

Netflix “Resilience Engineering” FOSS Library and Security

Really powerful stuff (and to-read material):


934 page eBook/PDF with this blog from LeanPub.com

[UPDATE Mar/2014]: following what started with the post below, I have now published a book created at Leanpub on AngularJS. See Published Beta version of "Practical AngularJS" Book (in both digital and print format) for all the details



Dennis Groves called my attention to the really interesting/powerful online publishing leanpub.com website/service (which he is trying for publishing OWASP books).

I just tried with the content from this blog, and as a first pass, I'm quite impressed with the results.

To get the 934 page pdf (or EPUB/MOBI file) for this blog:

TeamMentor Pricing, Licensing and Partner program

Following questions received, here are the details about the current TeamMentor's pricing and partner program:

Mapping the relationships between: Principles, Guidelines, Checklists, How-Tos, etc...

From the (under construction) tm4tm site (TeamMentor for TeamMentor), here is a nice diagram (see below) that maps the relationships between the multiple types of TM articles/Guidances:


Would I recommend Checkmarx as a SAST engine?

I was asked this question twice in the last couple days, and my answer is YES!

Although CheckMarx is still not as open and easy to engage as I would like them to be, they are actually one of the best ones out there.

And there is one asset that CheckMarx SAST engine has that is REALLY GOOOOOOODDDDDDD!!!!

Their rules are written in C# and if you (like me) like to write custom rules, they have a nice REPL interface that can be used by power users (with access to a lot of the metadata and code-transformations created during the analysis phase)

I'm currently integrating TeamMentor with Checkmarx (for a joint customer) and I really like it. You can see our latest PoC at http://checkmarx.teammentor.net, which includes a view that shows a mapping between:

  • a security finding, 
  • it's CWE description
  • the TeamMentor landing page (for that finding)
  • the C# CheckMarx rule that triggered that finding

Saturday 1 December 2012

To research further: BeanShell, EasyHook, C# Cookbook and PhantomJS/CasperJS

From the O2 training class I delivered last week (and the research on Windows Messages) here are a couple interesting APIs/Tools to research further, and see if it is easy to add O2 support for them:



Eric Lippert joining Coverity

This is VERY interesting, since Eric is one of the C# Microsoft Gurus.

You can read his announcement on is his last MSDN post A new fabulous adventure and on his new blog

Good on Coverity for catching such good talent, and I wonder if they are (finally) going to enter the SAST space for C#/.Net

Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings)

UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process


Here is the video presented at OWASP BeNeLux conference, which shows how I used the O2 Platform to create a consolidated view of 3 different window's processes (one from .Net/CLR, one from Java/JM and one from C++ applications). Note that these windows are hosted by a 4th (.Net) process and are fully functional.

The objective of this 'consolidated multi-process window view', is to give developers a really strong 'vulnerability fixing environment'.

Friday 30 November 2012

Simple Unit Test to detect XSS using FuzzDB and IE automation

Here is an example of a simple Unit Test written in the Write and Execute Unit Tests v1.0.exe tool which will check for XSS on AltoroMutual website

The idea is that when the Red Boxes go Green, the vulnerability is fixed.

Write and Execute Unit Tests v1.0.exe

Here is a nice util to quickly write NUnit tests. This is designed for fast prototyping of UnitTests, which when stable can be moved into a wider set of tests (executed by NUnit)

You can download this tool from: Write and Execute Unit Tests v1.0.exe

Write technical content for SI's SME course development and TeamMentor

Just got this request from SI's Chris Williams (cwilliams@securityinnovation.com) which some of you might be interested in:

--------------------

As the SI course catalog  and Team Mentor continue to grow, so does our need for SMEs to write outlines, create PowerPoint decks, review draft content, and write TM articles.

Thursday 29 November 2012

Showing Chrome, Eclipse, IBM AppScan Standard and VisualStudio in the same Process/Window


UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process



Using the control shown in Util - Win32 Window Handle Hijack (4x host panels) I was able to create a process that has windows from:

  • Chrome (top left)
  • Eclipse (top right)
  • IBM AppScan Standard (bottom left)
  • VisualStudio (bottom right)

Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe

Using the exact same control used in Util - Win32 Window Handle Hijack (simple) v1.0 here is a 4x Panel version of it (i.e. using 2 rows and 2 columns)

This allows for the hijack of a multiple Windows into a common (external) process/GUI

You can download this 1Mb tool from Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe

Util - Win32 Window Handle Hijack (simple) v1.0.exe

After Util - Windows Handles Viewer (with Child Windows), I created a tool that allows the easy hijacking (or borrowing) of any Window/Control (that is running in the same Logged-in user Window's Desktop )

This is possible due to  Win32 SetParent's capability to allow a Win32 Window/Control to have a parent from a different process (see first examples of this technique in action in: IBM AppScan Source's and AppScan Standard's TreeViews running side-by-site in the same GUI and in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)

You can download the 1 Mb tool from:  Util - Win32 Window Handle Hijack (simple) v1.0.exe

Util - Windows Handles Viewer (with Child Windows) v1.0.exe

Following from the tool shown in Util - Windows Handles - View Handle Screenshot v1.0, the next step was to create a tool that shows (for the selected Win32 Window) the handle's children structure (i.e. what 'child windows' exists for the selected window/control)

You can download the 1 Mb tool from Util - Windows Handles Viewer (with Child Windows) v1.0.exe

Here is what the tool looks like (with the 'target icon' used to select the control):



Here is the Pdf with the 'how the script was created' step-by-step guide:

Disabling DWM.exe in Windows 7 (for performance reasons)

I noticed that I had a dwm.exe process running in my dev VM that had 230Mb which is not good.

After a quick search I found that it belonged to the Windows Desktop Manager service, which is responsible for the fancy animations in Windows 7 and can safely be disabled (using the Services):

Monday 26 November 2012

Free one-day 'Advanced O2' Training at BeNeLux OWASP Day 2012 (29th November)

In case you missed this one (and are somewhere in Europe), I'm delivering an 1 day 'Advanced O2' training at BeNeLux OWASP Day 2012. So if you want to learn more about the O2 Platform, this is the place to come :)

The training is on Thursday 29th and you can register here

Saturday 24 November 2012

Why doesn't VisualStudio (or .NET) have StackOverflow Detection?

It's crazy the fact that one simple mistake in one thread (a recursive call to itself) will bring the entire .Net process down!!!

Friday 23 November 2012

Util - Windows Handles - View Handle Screenshot v1.0.exe

Following from Util - Windows Handles Viewer (Simple GUI with REPL) here is nice utility that takes a screenshot of the target handle's window (when the target process doesn't use the the Win32 Windows controls, you will get a screenshot of the main Window)

You can download the 868 Kb tool from: Util - Windows Handles - View Handle Screenshot v1.0.exe

Including/Reusing an H2 script inside another H2 Script

Here is a cool technique that I use to include *.H2 scripts into other scripts, and the environment that I create during its development:

Formatting code for readability

On the theme of making things better and caring about the parts that can't be seen, here is an example of how I like to format large groups of .Net methods (so that they are easier to read and to look at)

Here is what a .Net Class usually looks like (if you allow VisualStudio to format it)

Another VS 2010 crash

It should not be possible to crash apps like VisualStudio. That kind of mission critical app should have a number of anti-crash protections.

But VisualStudio is a massive salad of technologies (see images at the end), and amazingly (bad) it allows its extension's errors to crash the whole app (which again should not happen). 

During my regular use of VisualStudio, I get all sorts of errors/crashes, for example here is the latest one (without any other extensions installed):

11 O2 stand-alone tools (with a lot more created but not blogged about)

As part of the new design of this blog, I just cleaned up a bit the O2 Platform Tools Label/Page, and here are the 11 that have been published so far:

The 'Sync Design Problem' of adding images to this blog

I still don't have a good solution to upload images to this blog.

Here is my current workflow (as just happened for the image I just on my last blog entry)

Google Drive #Fail and DropBox #Win

For a company that is 'just a feature' DropBox keeps delivering the goods.

(for the past week or so) I tried to use Google Drive to backup about 7Gb of images I had from an older iPhone.

New design for this blog

I just spent a little bit applying a new design to this blog and cleaning up the layout a bit (hopefully it will make it easier to use and to find the best bits)

Thursday 22 November 2012

Tool to view (and unload) the AppDomains in the current .Net Process

As I was trying to execute an script/app in a separate AppDomain, I realized that there wasn't an easy way to look at the details of the currently loaded AppDomains

Tuesday 20 November 2012

Two 6-months contract to work on TeamMentor (QA and Dev)

Here is a heads up for an official 'SI job hiring' post that should be published asap (i.e. when we get it done).

Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe

Based on the Util - Windows Handles Viewer (Simple Gui) v1.0.exe tool, here is a bigger version (5Mbs) which contains a C# REPL Script editor (with the detected handle provided as a parameter).

You can get this version from Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe

Util - Windows Handles Viewer (Simple Gui) v1.0.exe

Following my research into Win32 Messaging APIs that allowed me to put both IBM AppScan Source and Standard working side by side and to connect TeamMentor with AppScan Source, here is a pretty sweet Windows Handles Viewer which allows the easy discovery (and in some cases modification) of the Window's Handle of a particular Win32's Button, TextBox, Menu, Window, etc...

You can download this (857kb) .NET 4.0 app from Util - Windows Handles Viewer (Simple Gui) v1.0.exe

Saturday 17 November 2012

Good resources on User32.dll windows messaging

Here are a number of good resources I found went I was researching the solution that allowed me to Inject a .NET REPL into an Unmanaged/C++ Application

Making Java, .Net and C++ apps work together

This past week I was in the 'zone' (coding 16h a day) and as you can see by the links below, I was able to (finally) find a way to make Java, .Net and C++ apps work together. 

I've 'only' been trying to do this for the past 5 years.

There are two key technological concepts at play here (which can work together or isolation)

IBM AppScan Source's and AppScan Standard's TreeViews running side-by-site in the same GUI

Using the technique described in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad) I was able to create this PoC (below) where you can see both IBM AppScan Source (Java) and IBM AppScan Standard (.NET) TreeViews hosted inside a 3rd party C# based Form:



Using Jni4Net (Part 4) - Integrating AppScan with TeamMentor (first PoC)

Using the Jni4Net based  Eclipse plugin shown in the Using Jni4Net (Part 3) - Writing and Invoking O2 Methods from Java and Eclipse post, I was able to create a PoC of showing TeamMentor Guidance when a particular security finding is selected (in AppScan Source):


Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)

Using Windows Messages (and some O2 Platform glue) I found a way to 'inject' a window (i.e. a windows control) from one process into another one.

Its is actually quite easy, the key is to use the user32.dll setParent API call to change the location (and rendering) of a particular control.

Here is an example of injecting an .NET TextBox into Notepad (on the left is the .NET Textbox and on the right is the Notepad's Textbox)




Using Jni4Net (Part 3) - Writing and Invoking O2 Methods from Java and Eclipse.pdf

After Using Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy) and  Using Jni4Net (Part 2) - Controling OWASP ZAP remotely (via Java BeanShell REPL in .Net) the next step was to see if we could consume (and code) the .NET APIs from Java.

And again Jni4Net really worked!

Here is a .NET WinForms control, coded and executed from the (Eclipse written) Java code:




Using Jni4Net (Part 2) - Controling OWASP ZAP remotely (via Java BeanShell REPL in .Net)

Once I was able to Use Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy) I was able to use the ZAP BeanShell support to start controlling and manipulating ZAP's GUI from the .Net C# REPL.

Here is an example of adding a new 'Site' (i.e. a TreeNode) to the main ZAP 'Site's window (i.e. TreeView)



Using Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy)

Last week I discovered the Jni4Net FOSS project which provides the foundation blocks to create a Java bridge to .Net (and vice-versa).

To try Jni4Net, and see if it was really possible to have .Net and Java code running on the same process (with the CLR and JVM being able to invoke each other's methods), I decided to see if I could connect the O2 Platform with the OWASP ZAP project (with both running on the same process)

My first step was to use the Injecting C# DLLs into Managed (C#) and Unmanaged (C++) processes  O2 capabilities to inject an C# REPL into the ZAP process.

And here they are in action:


  • the foreground window is the (CLR based) C# REPL 
  • the background window is the (JVM based) ZAP process.

Managing website's content via GitHub edits (which are auto-committed and push into AppHarbor)

Based on the test site created by TM Fork into stand-alone Sales and Marketing site , here is an example of how to can manage the content of that 'AppHarbor published site' using GitHub

Here is the workflow that is going to be shown below:
  • Edit a file in a GitHub Repository (using GitHub's website edit interface)
  • Save it (which GitHub will auto-create a Commit with the changes)
  • The Commit will trigger a build request to AppHarbor
  • AppHarbor will receive the request and do a Git Pull from GitHub
  • Once the new code is pulled, AppHarbor will build it
  • And if the build is successful, AppHarbor will deploy the built files into to a live server

Great O2 Platform Presentation from Michael (final draft)

Michael Hidalgo sent me a copy of his presentation called "The O2 Platform : Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities" that he is going to present on the 21st Nov 2012 at OWASP's Latam conference in Uruguay :)

TM Fork into stand-alone Sales and Marketing site

After Coming up with a name for TeamMentor's public site (which resulted in the getsecure name being chosen) it was time to create that site.

After spending some time refactoring TeamMentor's (TM) main code-based (to only use the needed bits) here is a stand-alone TM site which will hold the TM Sales and Marketing pages.

If you have a couple cycles, please take it for a test drive (and try not to break it too much since the SI guys are also looking at it at the moment (that said if you break it, I can fix it with a simple git push :)  ))

This is what it looks like (with a design based on ThemeForest AirStream):


And here are the details:
Important note: although the content changes will be shown on the site (the ones done via the 'notepad' editor) this data will be lost on every new publish.

There are two ways to make persistent changes:
  • get a local clone of the Site_getsecure.teammentor.net, change the content locally, commit those changes locally, and do a push to GitHub (which will trigger a publish to AppHarbor)
  • edit the desired file on GitHub's web edit interface (for example the Eval page or the Customer page), which when saved, GitHub will auto-create a Commit with the changes (which will trigger a publish to AppHarbor). 
Let me know how it goes, and again, please don't break it too much :)

Friday 16 November 2012

Lovely 'post help' email from Wikipedia

After 'helping' Wikipedia (see Improved Wikipedia funding page... for details) I received a really nice 'Thank you from the Wikimedia Foundation' email from Sue

And since she asked so nicely for me to share her words, here they are verbatim:

--------------------------------------------------------------------------------------------------

Dear dinis,

Thank you for donating to the Wikimedia Foundation. You are wonderful!

It's easy to ignore our fundraising banners, and I'm really glad you didn't. This is how Wikipedia pays its bills --- people like you giving us money, so we can keep the site freely available for everyone around the world.

People tell me they donate to Wikipedia because they find it useful, and they trust it because even though it's not perfect, they know it's written for them. Wikipedia isn’t meant to advance somebody's PR agenda or push a particular ideology, or to persuade you to believe something that's not true. We aim to tell the truth, and we can do that because of you. The fact that you fund the site keeps us independent and able to deliver what you need and want from Wikipedia. Exactly as it should be.

You should know: your donation isn’t just covering your own costs. The average donor is paying for his or her own use of Wikipedia, plus the costs of hundreds of other people. Your donation keeps Wikipedia available for an ambitious kid in Bangalore who’s teaching herself computer programming. A middle-aged homemaker in Vienna who’s just been diagnosed with Parkinson’s disease. A novelist researching 1850s Britain. A 10-year-old in San Salvador who’s just discovered Carl Sagan.

On behalf of those people, and the half-billion other readers of Wikipedia and its sister sites and projects, I thank you for joining us in our effort to make the sum of all human knowledge available for everyone. Your donation makes the world a better place. Thank you.

Most people don't know Wikipedia's run by a non-profit. Please consider sharing this e-mail with a few of your friends to encourage them to donate too. And if you're interested, you should try adding some new information to Wikipedia. If you see a typo or other small mistake, please fix it, and if you find something missing, please add it. There are resources here that can help you get started. Don't worry about making a mistake: that's normal when people first start editing and if it happens, other Wikipedians will be happy to fix it for you.

I appreciate your trust in us, and I promise you we'll use your money well.

Thanks, Sue

--------------------------------------------------------------------------------------------------

This is how to do it, well done Wikipedia

Notice the nice touch (in bold) to encourage participation in creating Wikipedia content.

Improved Wikipedia funding page, why OWASP needs something similar, and who buys OWASP Corporate Memberships

Just went to Wikipedia and saw this:

Coming up with a name for TeamMentor's public site

I'm moving the current TM Eval and Customer pages into its own server, and I was struggling to come up with a name that worked (in the xxxxxx.teammentor.net DNS name format).

So I jumped on Skype and after a couple minutes bouncing some names with Roman (who I have no idea where in the world he is) and we come up with: novulns.teammentor.net

as in:

  • http://novulns.teammentor.net/Eval
  • http://novulns.teammentor.net/Customer
  • http://novulns.teammentor.net/Buy
  • http://novulns.teammentor.net/Support
What do you think? does it work?


For reference here are the other names we come up with (by order of appearance):
  • sales.teammentor.net
  • marketing.teamentor.net
  • live.teammentor.net
  • customerzone.teammentor.net
  • get.teammentor.net
  • clientportal.teammentor.net
  • clietsite.teammentor.net
  • xss.teammentor.net
  • bazzar.teammentor.net
  • sqli.teammentor.net
  • stopxss.teammentor.net
  • getsecure.teammentor.net
  • novulns.teammentor.net
Note how looking at this list, it's possible to see the chain-of-ideas that lead us to the last one (which just clicked for us)

Monday 12 November 2012

Util - Java Decompiler (JAD based) v1.0.exe

If you want to take a quick look at the Java code inside a Jar file, here is a simple Java/Jar Decompiler (based on the JAD tool)

You can download the tool from: Util - Java Decompiler (JAD based) v1.0.exe (stand-alone O2 Platform script)

Friday 9 November 2012

AppScan Source Findings in Ozasmt files (and O2 tools to View, Filter, Join, Stitch and Script them)

If you are using AppScan Source (previously called OunceLabs) you will find these O2 Tools really useful:

O2 tools to view and script J2EE, Struts and Tiles xml config files

If you are reviewing Java/J2EE applications, here are a number of mini O2 tools that will help you to understand what is going on:


Viewing 'Console Out' messages created inside UserControls (when rendered by VisualStudio's Form Designer)

Now that we have the ability to Add 'Console Out' to VisualStudio IDE as a native Window the question is: "Where can we use Console.WriteLine inside VisualStudio?",  in a way that the written lines/chars show in that Console Out window:




The key to understand the question is to visualize this:

  • The Console Out window is running inside VisualStudio (i.e. in the same process)
  • The Console Out window script captured the VisualStudio process' Console Out (of which there is only one, and the reason why if you open multiple Console Out windows (as shown above) only the last one opened will capture the output
  • To send a message to Console Out window the sender (i.e. the code executed) must be inside the same VisualStudio Process
  • This means that (based on quick tests) VisualStudio scripting engines (like the Immediate Window or the F# interpreter) will not work (since they are running outside the VisualStudio process)
One easy way to trigger an Console.WriteLine is to write it in one of the C# REPL script GUIs (from the O2 VisualStudio Extension) :)


But what would be really useful would be to trigger Console.WriteLine debug messages during normal VisualStudio development, for example when programming WinForms Controls :)

To show how that is possible, lets start with an empty WinForms Application project:


Which comes with default WinForms Form:


Next add a UserControl with a Label:


And add that UserControl to the Form:


The interesting part of what just happened, is that VisualStudio invokes the constructor of the UserControl1.cs (in order to create a live instance of that Control) before adding it to the Form1.cs object.

And that (the UserControl1.cs constructor) is where we can trigger the Console.WriteLine calls.

Open the Code Behind file for the UserControl1.cs file:


Write a Console.Write message and build the project (note the message shown in the Console Out window)


The reason that happened, is because (after a successful build) VisualStudio needs to refresh the controls currently shown in the Form's Designer (for example to take into account any visual changes in those controls)

Here is another way to trigger the Console.WriteLine call (i.e. to trigger the UserControl.cs constructor).

Close Form1.cs from the Form Designer:


And the open it again:


Yet another option is to delete the UserControl1.cs from the Form1.cs:



And add it back again:


Basically, the UserControl1.cs constructor will be invoked every time that control is added (or shown), like in the image below, where another instance of UserControl1.cs was dragged into the Form1.cs:


Interestingly enough, this as a number of security implications, since a security payload/exploit can be triggered just by adding/viewing a UserControl inside the Form Designer. The problem is that the payload will run with the same privileges given to VisualStudio (not the privileges used to run the application)

Adding 'Console Out' to VisualStudio IDE as a native Window

Michael Hidalgo has posted two blog entries where he uses the O2's VisualStudio Extension to open an Console Out window inside VisualStudio, which is then used to help with a quick test on the DateTime object (and making his life easier)

Micheal is using the API_ConsoleOut.cs (which you can read in more detail at API_ConsoleOut.cs – New and InProcess Capture of the Console Output ) to add a 'Console OutPanel to a Form Window.

Now this Form object is a WinForms control and is not a native VisualStudio Window, which means that we can't add it to the VisualStudio Panes.


A better option is to make this a native VisualStudio Window, which is quite easy to do.

Open the C# REPL - VisualStudio 2010 API (from the REPL menu)



And with the VisualStudio_2010 object:



Create a native VisualStudio window (with a WinForms Panel inside it):


Use the same add_ConsoleOut extension method on the Panel object (the one returned by the open_Panel extension method):



And now the Console Out is now inside a native VisualStudio window, which we can access and manipulate.

Here is an example of changing the base window's width, height, top and left values:


Which of course we can now put anywhere inside VisualStudio's GUI



Next see the Viewing 'Console Out' messages created inside UserControls (when rendered by VisualStudio's Form Designer) for a practical example of using this technique during development.

Thursday 8 November 2012

LucidChart.com looks like a pretty good Visio online replacement

Although this visualisation of TeamMentor's GitHub dev workflow is pretty good, it was created using Visio, and I really don't want to use Visio again (I'm done using large desktop apps with no web integration/publishing).

The good news is that :

  • Roman found LucidChart.com
  • he was able to import that complex Visio diagram into it, and 
  • the end-result looked good enough (after a couple import fixes). 

So I went to LucidChart.com to try it out :)

I have done a LOT of Visio diagrams (in the past), and I have to say that I found Lucid Chart's web interface really easy to use (and learn).

As a test, I imported an image from this blog, and was able to quickly create this:


Not bad for a couple minutes work :)

Is the TeamMentor's OWASP Library content released under an open License?

Following the FLOSSHack TeamMentor thread,  Jerry Hoff asked "Is the content in http://owasp.teammentor.net/teamMentor creative commons?  Can we use it to freely fill out more of the cheat sheets and use in tutorial videos and so forth?"

And the answer is: YES

Here is the repository for the XML files: https://github.com/TeamMentor-OWASP/Library_OWASP

FLOSSHack TeamMentor and the 'sausage making process' that is software/application development

OWASP's FLOSSHack events are a really powerful initiative.

"...Free/Libre Open Source Software Hacking (FLOSSHack) events are designed to bring together individuals interested in learning more about application security with open source projects and organizations in need of low cost or pro bono security auditing. FLOSSHack provides a friendly, but mildly competitive, workshop environment in which participants learn about and search for vulnerabilities in selected software. In turn, selected open source projects and qualified non-profit organizations benefit from additional quality assurance and security guidance...." 

See FLOSSHack_One for the details (and vulnerabilities discovered) of the first event.

OWASP's FLOSSHack is one of those 'magical' spaces where the OWASP's community and its projects can come together and add a lot of value.

Pretty cool visualisation of the 'GitHub based' TeamMentor Development+QA+Release workflow

Roman created this nice Visio diagram with out current 'GitHub based' workflow for TeamMentor:




The difference between being 'Appointed' and being 'Accepted' as an OWASP Leader (of its Fork)

OWASP is a community that really embraces new ideas, new contributors and projects.

For somebody motivated (and with time/energy) there are very few ‘real’ barriers on entry. Even the cases where it ‘feels’ like there are barriers of entry or ‘bureaucracy’, those are mainly artificial and easy bypassed (with the right level of energy and commitment)

The problem is Empowerment

What I found (by observing lots of OWASP projects starting, blossoming and dying) is that what makes the difference is how Empowered is an individual on a particular project/tasks.

Disabling PatchGuard V3 Pdf

Here is a good read (if you're into kernel dev or patching) from the guy who created EasyHook

I while back I did some kernel development where I used the Rasta Ring 0 Debugger to apply direct code patches to user-land dlls. One of the best PoCs was one where I was able to do MSIL patching on loaded .NET assemblies, which were completely invisible to user-land.

Patching the CLR was also very interresting :)

Tuesday 6 November 2012

Zim-Wiki - a desktop wiki

Serge is using Zim Wiki to document some of his development experiences, and it looks quite an useful tool.

Zim is written in Python and has a nice/clean Gui.



Here is the Windows installer:



Another similar tool is http://keepnote.org/

An interesting and powerful idea is to add TeamMentor Import/Export features to these products so that  we (i.e. TM Users) can use these tools as Article creators/editors.