Here is an example of a simple Unit Test written in the Write and Execute Unit Tests v1.0.exe tool which will check for XSS on AltoroMutual website
The idea is that when the Red Boxes go Green, the vulnerability is fixed.
A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more
Friday, 30 November 2012
Write and Execute Unit Tests v1.0.exe
Here is a nice util to quickly write NUnit tests. This is designed for fast prototyping of UnitTests, which when stable can be moved into a wider set of tests (executed by NUnit)
You can download this tool from: Write and Execute Unit Tests v1.0.exe
Write technical content for SI's SME course development and TeamMentor
Just got this request from SI's Chris Williams (cwilliams@securityinnovation.com) which some of you might be interested in:
--------------------
As the SI course catalog and Team Mentor continue to grow, so does our need for SMEs to write outlines, create PowerPoint decks, review draft content, and write TM articles.
--------------------
Labels:
Contract Work,
TeamMentor
Thursday, 29 November 2012
Showing Chrome, Eclipse, IBM AppScan Standard and VisualStudio in the same Process/Window
UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process
Using the control shown in Util - Win32 Window Handle Hijack (4x host panels) I was able to create a process that has windows from:
- Chrome (top left)
- Eclipse (top right)
- IBM AppScan Standard (bottom left)
- VisualStudio (bottom right)
Labels:
IBM,
O2 Platform Tool,
WinAPI
Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe
Using the exact same control used in Util - Win32 Window Handle Hijack (simple) v1.0 here is a 4x Panel version of it (i.e. using 2 rows and 2 columns)
This allows multiple windows to be hijacked into a common (external) process/GUI.
You can download this 1Mb tool from Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI
Util - Win32 Window Handle Hijack (simple) v1.0.exe
After Util - Windows Handles Viewer (with Child Windows), I created a tool that allows the easy hijacking (or borrowing) of any Window/Control that is running in the same logged-in user's Windows Desktop.
This is possible because Win32 SetParent allows a Win32 Window/Control to have a parent from a different process (see the first examples of this technique in action in: IBM AppScan Source's and AppScan Standard's TreeViews running side-by-side in the same GUI and in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)).
You can download the 1 Mb tool from: Util - Win32 Window Handle Hijack (simple) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI
Util - Windows Handles Viewer (with Child Windows) v1.0.exe
Following from the tool shown in Util - Windows Handles - View Handle Screenshot v1.0, the next step was to create a tool that shows (for the selected Win32 Window) the handle's children structure (i.e. what 'child windows' exist for the selected window/control).
You can download the 1 Mb tool from Util - Windows Handles Viewer (with Child Windows) v1.0.exe
Here is what the tool looks like (with the 'target icon' used to select the control):
Here is the Pdf with the 'how the script was created' step-by-step guide:
Labels:
O2 Platform Tool,
WinAPI
Disabling DWM.exe in Windows 7 (for performance reasons)
I noticed that I had a dwm.exe process running in my dev VM that had 230Mb which is not good.
After a quick search I found that it belonged to the Windows Desktop Manager service, which is responsible for the fancy animations in Windows 7 and can safely be disabled (using the Services):
Monday, 26 November 2012
Free one-day 'Advanced O2' Training at BeNeLux OWASP Day 2012 (29th November)
In case you missed this one (and are somewhere in Europe), I'm delivering a 1-day 'Advanced O2' training at BeNeLux OWASP Day 2012. So if you want to learn more about the O2 Platform, this is the place to come :)
The training is on Thursday 29th and you can register here
Labels:
O2 Platform
Saturday, 24 November 2012
Why doesn't VisualStudio (or .NET) have StackOverflow Detection?
It's crazy the fact that one simple mistake in one thread (a recursive call to itself) will bring the entire .Net process down!!!
Labels:
Rant,
VisualStudio
Friday, 23 November 2012
Util - Windows Handles - View Handle Screenshot v1.0.exe
Following from Util - Windows Handles Viewer (Simple GUI with REPL), here is a nice utility that takes a screenshot of the target handle's window (when the target process doesn't use the Win32 Windows controls, you will get a screenshot of the main Window).
You can download the 868 Kb tool from: Util - Windows Handles - View Handle Screenshot v1.0.exe
Labels:
O2 Platform Tool,
PDFs,
WinAPI
Including/Reusing an H2 script inside another H2 Script
Here is a cool technique that I use to include *.H2 scripts into other scripts, and the environment that I create during its development:
Labels:
Diagram,
O2 Platform,
REPL
Formatting code for readability
On the theme of making things better and caring about the parts that can't be seen, here is an example of how I like to format large groups of .Net methods (so that they are easier to read and to look at)
Here is what a .Net Class usually looks like (if you allow VisualStudio to format it)
Labels:
Design,
VisualStudio
Another VS 2010 crash
It should not be possible to crash apps like VisualStudio. That kind of mission critical app should have a number of anti-crash protections.
But VisualStudio is a massive salad of technologies (see images at the end), and amazingly (and badly) it allows its extensions' errors to crash the whole app (which again should not happen).
During my regular use of VisualStudio, I get all sorts of errors/crashes, for example here is the latest one (without any other extensions installed):
Labels:
Rant,
VisualStudio
11 O2 stand-alone tools (with a lot more created but not blogged about)
As part of the new design of this blog, I just cleaned up the O2 Platform Tools Label/Page a bit, and here are the 11 that have been published so far:
- Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
- Util - Windows Handles Viewer (Simple Gui) v1.0.exe
- Util - Java Decompiler (JAD based) v1.0.exe
- AppScan Source Findings in Ozasmt files (and O2 tools to View, Filter, Join, Stitch and Script them)
- O2 tools to view and script J2EE, Struts and Tiles xml config files
- TM - Library Manager (with REPL) v1.2.3.exe
- Util - Cir Viewer (with C# DLL converter) v1.0
- WinDbg, Cdb, Sun-Of-Strike and Util - Start SoSNet (O2 Version).exe
- Util - O2 Java Tools (IKVM Based) v1.0
- Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
- Util - View CheatSheets at devcheatsheet.com v1.0.exe
Labels:
O2 Platform Tool
The 'Sync Design Problem' of adding images to this blog
I still don't have a good solution to upload images to this blog.
Here is my current workflow (as just happened for the image I just on my last blog entry)
Google Drive #Fail and DropBox #Win
For a company that is 'just a feature' DropBox keeps delivering the goods.
(for the past week or so) I tried to use Google Drive to backup about 7Gb of images I had from an older iPhone.
Labels:
Rant
New design for this blog
I just spent a little while applying a new design to this blog and cleaning up the layout a bit (hopefully it will make it easier to use and to find the best bits).
Thursday, 22 November 2012
Tool to view (and unload) the AppDomains in the current .Net Process
As I was trying to execute a script/app in a separate AppDomain, I realized that there wasn't an easy way to look at the details of the currently loaded AppDomains.
Labels:
O2 Platform
Wednesday, 21 November 2012
Use FluentSharp to create ToolStrips items (buttons, textbox, checkboxes) with icons
Based on the 215 Tango Library Icons added to FluentSharp.BCL, here is how to use the FluentSharp.BCL APIs to easily create ToolStrips.
Labels:
FluentSharp,
O2 Platform
Improved script to compile and show a modified UserControl inside VisualStudio
Here is an updated version of the example described in the Real-time Programming C# WinForms Controls in VisualStudio's IDE (i.e. without using F5) post.
Labels:
REPL,
VisualStudio
Windows Shatter attacks (research links)
Following on from my research on Win32 Messaging and O2's Util - Windows Handles Viewer tool, I just started the day by (re)reading about the Windows Shatter attacks (since they use Windows Messages).
Labels:
Security as TAX,
WinAPI
Tuesday, 20 November 2012
Two 6-months contract to work on TeamMentor (QA and Dev)
Here is a heads up for an official 'SI job hiring' post that should be published asap (i.e. when we get it done).
Labels:
Contract Work,
TeamMentor
Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
Based on the Util - Windows Handles Viewer (Simple Gui) v1.0.exe tool, here is a bigger version (5Mbs) which contains a C# REPL Script editor (with the detected handle provided as a parameter).
You can get this version from Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI
Util - Windows Handles Viewer (Simple Gui) v1.0.exe
Following my research into the Win32 Messaging APIs that allowed me to put IBM AppScan Source and Standard working side by side and to connect TeamMentor with AppScan Source, here is a pretty sweet Windows Handles Viewer which allows the easy discovery (and in some cases modification) of the window handle of a particular Win32 Button, TextBox, Menu, Window, etc.
You can download this (857kb) .NET 4.0 app from Util - Windows Handles Viewer (Simple Gui) v1.0.exe
Labels:
O2 Platform Tool,
WinAPI