Sunday 25 January 2009

Training Course: Real World WAST (Web Application Security Testing)

Next week I will be delivering a 2-day training course in Central London which is a preview of the courses I want to start delivering regularly in London/UK.

Ping me if you are interested in attending the next one(s).


Title: Real World WAST (Web Application Security Testing)

Course description: Two day hands-on training course focused on how to test web applications in a fast, efficient and
comprehensive way.

The course will show how a mixture of external assessment techniques (aka BlackBox) with source code analysis (aka White Box) creates the perfect environment to evaluate the security risk profile of the targeted application.

In addition to showing how to find vulnerabilities and write exploits for them, the course will also show how to:
  1. use threat modeling to identify the attack surface,
  2. use WAFs (Web Application Firewalls) to 'patch' & mitigate the vulnerabilities discovered, and
  3. package the findings into 'insecurity patterns' which can be easily 'consumed' by C-level execs, project managers, product architects and developers.
To try the techniques shown, each student will be given remote access to a Windows Virtual Image which will contain the test applications and all tools presented

Technologies covered: ASP.Net and J2EE

Pre-Requesits: Laptop to connect to remote virtual image

Instructor: Dinis Cruz

Dates: 27 & 28 January

Location: Thistle Westminster Hotel, 49 Buckingham Palace Road, London, SW1W 0QT (

  • Part I: Tools and Security Principles
    • Creating the assessment environment
    • Threat Modeling
    • Tools of the the trade (from open source to commercial tools)
    • Case study: "What are the threats of an Airline's web infrastructure?"
    • Case study: Spring Framework and its security implications
    • What can OWASP do for you (from books, to documents, to tools, to community)
  • Part 2 : Exploiting Web Apps
    • Exploiting the test applications: HacmeBank, WebGoat, Open Source App A , Open Source Web Part B
    • Finding vulnerabilities using automated tools
    • Finding vulnerabilities manually
    • Writing exploits

  • Part 3: Root Causes and Insecurity patterns
    • Find the root causes of the issues discovered and package your findings into 'insecurity patterns'
    • How to present your findings to C-level execs, project managers, product architects and developers.

  • Part 4: Fix and Patching vulnerabilities
    • How WAFs can save the day (when used for 'Virtual Patching')
    • Case study: Using HacmeBank's Validator.NET
    • Case study: Using Microsoft's IAG (Intelligent Application Gateway)

Thursday 22 January 2009

O2 related post to WebAppSec mailing list

(just posted the message below to the WebAppSec mailing list)

....I would like to call your attention to a research project I have been working on for the past 12 months, which recently have been released under an Open Source license.

As some of you know, I have been contracting for a while at Ounce Labs as a security consultant to perform advanced security analysis/reviews of real-world applications. Well, as it is also widely known in the web app sec security industry, tools like Ounce, Fortify, Cat.Net (& others) don't always provide the answers and visibility required by knowledgeable security consultants.

Although the Ounce GUI has some of those limitations, its core engine is REALLY powerful, so what I did, was to build a number of tools that allow power users to REALLY gain visibility into what is going on. Basically I wrote these modules to answer the questions that I had during those engagements. And while buliding those tools, I found a way to 'automate my brain' :)

I called this toolkit O2 (for Ounce Open) and I really credit Ounce Labs for: a) paying me to develop it, and b) release it under an Open Source license. The main O2 website is at and the source code is hosted at CodePlex (

Now, at the moment, these tools are still in a very 'early beta' state, and they are really customized to the way I (Dinis) like to work. So that the rest of the community can use it, I'm working hard at the moment to break part a lot of the O2 modules and on documenting how it works.

I have to admit that analyzing applications with O2 is VERY addictive and empowering, since finally I am able to 'script my brain' and really gain visibility what is going on.

See this screen shoot for a good example of 'O2 goodness'

This screenshot represents what I call a 'complete trace' , i.e. a trace that goes from the 'begining of the attack surface' all the way to the' exit point' of the application (in ths example, the trace starts on the web layer (with an Asp.Net page load event) goes though the web services invocation (note how I 'glued two traces together': the web layer invoke with the web services [webmethod]) and ends up on an SQL execute.

That screen shot is from the O2 presentation I posted here:

To test O2, just open the following links to install (via .NET's Click-Once technology) the main O2 modules:

Lack of documentation is a real problem today, and I'm working hard at the moment to write down detailed how-to guides for O2. Here is a preview of what I am doing SAR (Search Assessment Run) (contains screenshots of the main features of that module)

For more background info on O2's history and what it can do, please read:
A note on O2 and Cat.Net. If you install and run the O2 Will It Scan module you will notice that it already contains support for triggering Cat.Net scans via that GUI (just drag and drop a *.dll of VS solution file and click scan). Currently I'm working on a little 'converter' that will transform/convert Cat.Net XML 'saved assessment file' format into Ounce's XML 'saved assessment file' format. This way Cat.Net users will be able to take advantage of O2's amazing findings filtering, post-scan analysis and scripting capabilities.

I am also working with Paolo and Stephen from OWASP's Orizon project to be able to used O2's modules on top of Orizon's results (there is also a 'secret' project to find a way to convert Fortify's XML results into Ounce's XML format)

So yes, in the short term, the plan is that you will be able to use to use O2 on top of Ounce's, Cat.Net, OWASP's Orizon or even Fortify's scanning engine :)

So please give O2 a test drive and give me feedback on what you would like it do to.

If you are not a current Ounce customer, you can use the demo files I posted on the O2 website or, if you want to take Ounce 6.x for a test-drive, please create an account on the O2 website and make a request here (the requests from this form go directly to me, so that I can trigger the eval process for you at Ounce)

Looking forward to your comments

Best regards