Thursday, 22 January 2009

O2 related post to WebAppSec mailing list

(just posted the message below to the WebAppSec mailing list)

....I would like to call your attention to a research project I have been working on for the past 12 months, which recently have been released under an Open Source license.

As some of you know, I have been contracting for a while at Ounce Labs as a security consultant to perform advanced security analysis/reviews of real-world applications. Well, as it is also widely known in the web app sec security industry, tools like Ounce, Fortify, Cat.Net (& others) don't always provide the answers and visibility required by knowledgeable security consultants.

Although the Ounce GUI has some of those limitations, its core engine is REALLY powerful, so what I did, was to build a number of tools that allow power users to REALLY gain visibility into what is going on. Basically I wrote these modules to answer the questions that I had during those engagements. And while buliding those tools, I found a way to 'automate my brain' :)

I called this toolkit O2 (for Ounce Open) and I really credit Ounce Labs for: a) paying me to develop it, and b) release it under an Open Source license. The main O2 website is at and the source code is hosted at CodePlex (

Now, at the moment, these tools are still in a very 'early beta' state, and they are really customized to the way I (Dinis) like to work. So that the rest of the community can use it, I'm working hard at the moment to break part a lot of the O2 modules and on documenting how it works.

I have to admit that analyzing applications with O2 is VERY addictive and empowering, since finally I am able to 'script my brain' and really gain visibility what is going on.

See this screen shoot for a good example of 'O2 goodness'

This screenshot represents what I call a 'complete trace' , i.e. a trace that goes from the 'begining of the attack surface' all the way to the' exit point' of the application (in ths example, the trace starts on the web layer (with an Asp.Net page load event) goes though the web services invocation (note how I 'glued two traces together': the web layer invoke with the web services [webmethod]) and ends up on an SQL execute.

That screen shot is from the O2 presentation I posted here:

To test O2, just open the following links to install (via .NET's Click-Once technology) the main O2 modules:

Lack of documentation is a real problem today, and I'm working hard at the moment to write down detailed how-to guides for O2. Here is a preview of what I am doing SAR (Search Assessment Run) (contains screenshots of the main features of that module)

For more background info on O2's history and what it can do, please read:
A note on O2 and Cat.Net. If you install and run the O2 Will It Scan module you will notice that it already contains support for triggering Cat.Net scans via that GUI (just drag and drop a *.dll of VS solution file and click scan). Currently I'm working on a little 'converter' that will transform/convert Cat.Net XML 'saved assessment file' format into Ounce's XML 'saved assessment file' format. This way Cat.Net users will be able to take advantage of O2's amazing findings filtering, post-scan analysis and scripting capabilities.

I am also working with Paolo and Stephen from OWASP's Orizon project to be able to used O2's modules on top of Orizon's results (there is also a 'secret' project to find a way to convert Fortify's XML results into Ounce's XML format)

So yes, in the short term, the plan is that you will be able to use to use O2 on top of Ounce's, Cat.Net, OWASP's Orizon or even Fortify's scanning engine :)

So please give O2 a test drive and give me feedback on what you would like it do to.

If you are not a current Ounce customer, you can use the demo files I posted on the O2 website or, if you want to take Ounce 6.x for a test-drive, please create an account on the O2 website and make a request here (the requests from this form go directly to me, so that I can trigger the eval process for you at Ounce)

Looking forward to your comments

Best regards