Tuesday, 10 November 2009

New O2 Code Drop (09-Oct-09): Struts support, XRules, O2 Config, Search Engine, etc...

(email sent to the owasp-o2-platform (subscribe here))

Welcome to the OWASP O2 Platform mailing list (this is the first post to this list :) )

FYI, I just uploaded to the O2 website a new code drop of the latest updates:

There are a LOT of new features (which I will try to document in follow-up posts), for example:
  • Almost complete Struts support: Import and visualization for web.xml, struts-config.xml, tiles-definition.xml, validation.xml (see the O2StrutsMapping visualizer and exporter)
  • New XRules engine. This is very BIG since for the first time it is possible to write complex rules in a fully dynamic way in O2. For example, it was using the XRules module that I was able to create a trace that reads the Struts configurations (i.e. the O2StrutsMapping object) and does all sorts of mappings between the Action Controllers, the JSP views and the Ounce traces
  • New O2-Config Gui which allows to set up internal config variables (like the Temp Folder). This also includes a sort-of DI (Dependency Injection) which can be used to set up (on load) any static property exposed by O2 Modules
  • Major changes to the O2 Search Engine tool, which make it REALLY useful (I tend to use it all the time now). For example you can just drop an entire folder (with Gigs of data) and quickly find a file's location, or you can filter by type of code (.NET or Java), index it, and do a quick regex search on it
  • DotNet assembly patching using PostSharp. The current version already supports a complete workflow of marking an assembly (via Cecil) with specific attributes which are then used by a custom PostSharp script that will instrument (a la AOP) the dll and place it into the GAC. I have used this version to successfully apply a patch in a vulnerable AspNet application (by 'patching' the vulnerable function in the GAC-deployed dll). This version also supports a basic Function Enter/Leave logger, which will be expanded in the next version to be able to create Findings based on the execution flow (just like the current version of the O2 Debugger does (exposed via the O2 CSharpScripts module))
  • WebScarab: Added support to O2's Findings Viewer to import WebScarab log files (the original version of WebScarab, not the NG one)
  • O2 Findings module: Added ability to save & load the current O2Findings into a binary serialized format
  • O2 Join Traces module: Added a GUI to join Ounce-generated traces based on interface implementations
  • Number of bug fixes and minor changes (like exposing the Ounce MySQL IP address and port on the Rules Manager)
  • Renamed a number of O2 Modules *.exe files (to make them easier to find)
  • .... I'm sure there is more but I can't remember... :)
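To give a concrete picture of the kind of mapping the Struts import above produces (action path to controller class to JSP views, with validation.xml coverage alongside), here is a small Python example. It is added for this post and is not O2's own C# code; the three config files are constructed for a hypothetical app, and the `*.do` / `/do/*` pattern handling and the "unvalidated action" check are my own simplification of how Struts 1 wires the ActionServlet and the Validator plug-in.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample configs for a hypothetical Struts 1 app (not from any real project).
# Struts 1.x configs are DTD-based with no XML namespace, so bare tag names work.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
</web-app>"""

STRUTS_CONFIG = """<struts-config>
  <action-mappings>
    <action path="/login" type="com.example.LoginAction" name="loginForm"
            validate="true" input="/login.jsp">
      <forward name="success" path="/home.jsp"/>
      <forward name="failure" path="/login.jsp"/>
    </action>
    <action path="/search" type="com.example.SearchAction" name="searchForm"
            validate="true" input="/search.jsp">
      <forward name="success" path="/results.jsp"/>
    </action>
    <action path="/logout" type="com.example.LogoutAction">
      <forward name="success" path="/login.jsp"/>
    </action>
  </action-mappings>
</struts-config>"""

VALIDATION_XML = """<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,maxlength"/>
    </form>
  </formset>
</form-validation>"""


@dataclass
class ActionMapping:
    url: str                  # externally reachable URL (action path + servlet url-pattern)
    path: str                 # Struts action path
    action_class: str         # controller class (the "type" attribute)
    form_bean: Optional[str]  # bound ActionForm name, if any
    validate: bool            # validate attribute (Struts 1 defaults it to true)
    forwards: dict            # forward name -> JSP/view path


def action_servlet_pattern(web_xml: str) -> str:
    """Return the url-pattern routed to the Struts ActionServlet (falls back to *.do)."""
    root = ET.fromstring(web_xml)
    action_servlets = {
        s.findtext("servlet-name")
        for s in root.iter("servlet")
        if s.findtext("servlet-class") == "org.apache.struts.action.ActionServlet"
    }
    for m in root.iter("servlet-mapping"):
        if m.findtext("servlet-name") in action_servlets:
            return m.findtext("url-pattern") or "*.do"
    return "*.do"


def external_url(pattern: str, path: str) -> str:
    """Apply a servlet url-pattern to an action path: '*.do' -> '/login.do', '/do/*' -> '/do/login'."""
    if pattern.startswith("*."):
        return path + pattern[1:]
    if pattern.endswith("/*"):
        return pattern[:-2] + path
    return path


def load_struts_mapping(web_xml: str, struts_config: str) -> list:
    """Join web.xml and struts-config.xml into one ActionMapping per <action>."""
    pattern = action_servlet_pattern(web_xml)
    mappings = []
    for a in ET.fromstring(struts_config).iter("action"):
        mappings.append(ActionMapping(
            url=external_url(pattern, a.get("path")),
            path=a.get("path"),
            action_class=a.get("type", ""),
            form_bean=a.get("name"),
            validate=a.get("validate", "true").lower() == "true",
            forwards={f.get("name"): f.get("path") for f in a.findall("forward")},
        ))
    return mappings


def validated_forms(validation_xml: str) -> set:
    """Names of <form> entries that carry Validator rules (form-bean names or, for
    ValidatorActionForm, action paths)."""
    return {f.get("name") for f in ET.fromstring(validation_xml).iter("form")}


def unvalidated_actions(mappings: list, forms_with_rules: set) -> list:
    """Input-validation coverage check: actions that bind a form bean but will never
    run Validator rules, because validate="false" or neither the bean name nor the
    action path has a <form> entry in validation.xml."""
    return [m.path for m in mappings
            if m.form_bean and (not m.validate
                                or (m.form_bean not in forms_with_rules
                                    and m.path not in forms_with_rules))]


def jsps_reachable_from(mappings: list) -> dict:
    """Invert the forwards: JSP view -> list of action paths that forward to it."""
    views = {}
    for m in mappings:
        for jsp in m.forwards.values():
            views.setdefault(jsp, []).append(m.path)
    return views


if __name__ == "__main__":
    ms = load_struts_mapping(WEB_XML, STRUTS_CONFIG)
    for m in ms:
        print(m.url, "->", m.action_class, "->", m.forwards)
    print("actions without Validator coverage:",
          unvalidated_actions(ms, validated_forms(VALIDATION_XML)))
```

On the constructed input this reports `/search` as the one action that binds a form bean without any validation.xml rules, and shows that `/login.jsp` is reachable from both `/login` and `/logout`; that controller-to-view join is the same shape of information the O2StrutsMapping object carries before XRules or Ounce traces are layered on top.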
Here are the main links:
Please try them, and let me know what you think of it

Dinis Cruz