Friday 22 October 2010

New (Temp) O2 GUI based on my own version of O2

If you open O2 today and do the requested update (which should happen on either the first or the second run, depending on whether you are executing a script directly or clicking on the "OWASP O2 Platform (ClickOnce version)" desktop/start-menu link), you should see this new GUI:




The reason I'm pushing this to be the main O2 GUI for now is that I think it is a better representation of O2 than the current v1.4 GUI (and I use this GUI every day, so it's starting to be quite solid :) ).

The v1.5 of O2 is still under development and will be based on TiddlyWiki which is an awesome 1-page Wiki engine. You can see it in action if you click on the 'v1.5 GUI (TiddlyWiki based)' button of the 'Custom O2s' Tab, and it currently looks like this:

Having an O2 Epiphany - your turn next :)


After sending this reply to one of O2 users

[Dinis Cruz]
"...
Thanks man, I really appreciate your words :)

You are spot on that O2 is all about the automation (of pentesters, code reviews, etc...). 

In fact, that is what I'm trying to say with O2's tag line:

"O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge." (from http://o2platform.com/wiki/Main_Page)


Another way to say it is 'Web Security UnitTests' or 'No more PDFs!!!', but as you can see I still have not figured out the best way to communicate and present O2 :(
..."
[/Dinis Cruz]

Wednesday 20 October 2010

(Can you help?) Updated CV and looking for 3-day-a-week Job

After 10 months of self-funding O2 development, and although I have solved the major technological and business-model problems with O2, the reality is that I am still not able to generate enough revenue from the O2 Subscriptions, Pledges or Training services to financially support me (and the development resources I need to hire for O2).

This means that I will have to go to Plan B, which is to (ideally) get a '3 day a week' / '12 days a month' contract/job. This should give me enough cash-flow to spend the rest of the time on O2 (and servicing its subscription's clients).

I've just updated my CV at LinkedIn (http://uk.linkedin.com/in/diniscruz) and there is also a PDF version available here.

So if you are interested in hiring my services or know somebody who is, please get in touch at (dinis @ ddplus.net).

Thanks for the help

Dinis

Tuesday 19 October 2010

Quickly edit the OWASP WIKI (using O2)

One of my pet issues with the OWASP Wiki has always been its interface, more specifically how slow the workflow was when making updates and performing actions like (for example) image uploads.

Drupal security and "why security sucks from a user's point of view"

While trying to create a simple website for new O2 users I tested a couple of packages and, using the great EC2 solution from http://www.turnkeylinux.org, I settled on Drupal for try-o2.com.

This is what it looked like:
I was happy with the design and functionality of this site and Drupal, BUT the problem happened when I recently logged in to the admin section of the website and saw this:

OK, this doesn't sound good. I wonder what 'One or more problems' really means. Let's see what the 'status report' says:
OK, so it looks like I need to update the Drupal Core and some Module/Theme.

Let's try the 'available updates':
Now the problems start :(

I have to say that it is great that Drupal is already able to give me this level of alerts and information, BUT their solution is now dependent on me downloading a bunch of gz files (http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz and http://ftp.drupal.org/files/projects/devel-6.x-1.22.tar.gz) and INSTALLING them!!!!

WTF, I don't want to have to maintain this website, in fact I don't even know how it was created!! Remember that the whole point of using something like the Drupal 6 Appliance from TurnkeyLinux (http://www.turnkeylinux.org/drupal6) was to spend no time maintaining it (isn't the 'Appliance' concept supposed to be 'hands-free'!!!)

Just to make sure I was not missing something obvious I went to the 'Release Notes' for one of the updates
But it contained NO information on how to do the upgrade that I was asked to do. A quick browse on the website also didn't help!

And what is really infuriating from a user's point of view, is that I have NO information on:
  a) WHY this is even relevant to me, 
  b) what is the RISK impact, and 
  c) what other alternative (but as effective) mitigating strategies there are. 

How am I supposed to make a business decision to spend the time, money and resources to fix this issue if I don't know:

  • If my current deployment of Drupal is affected by the security vulnerabilities discovered
  • Where are the security vulnerabilities?
  • Can I disable the modules that have it and be done with it?
  • What is the impact of these vulnerabilities?
  • Have they been exploited in higher profile Drupal installations?
  • What does an attack look like (i.e. what are the early signs of exploitation)?
  • How do I know if I have been exploited?
  • Are there other mitigating factors? For example can I use a WAF to protect the affected parts?
As a user I have to say that security really sucks. Because NOW I know there is a problem I have to do something about it (because I do care about security and don't want to deal with the mess of exploitation), BUT I have very little data in order to make a solid decision (and I'm an advanced 'security consumer' so I could handle/process quite a bit of 'security related data').

Since this is bound to happen again in the future, and Drupal's update mechanism is equal to 'brain surgery' (remember that I didn't install it, so I would have a bit of a learning curve to do it properly), I'm left with no choice but to KILL the website (i.e. the Amazon EC2 image that powers it) and move to WordPress.com, since at least they maintain the web application for me.

See you at http://o2platform.wordpress.com (with time I will move the try-o2.com domain to over there)

Final comment: Super Kudos to the Drupal team for at least exposing the version status information so clearly. Unfortunately that is not good enough, and as a user I was left in a very uncomfortable position (where what I wanted was a 1-click 'server-side' upgrade button (with a backup/restore capability))

Monday 18 October 2010

OWASP WebScarab - Custom O2

The latest version of the O2 Platform has support for OWASP's WebScarab via a Custom O2 GUI that exposes a number of WebScarab's functions and allows them to be easily scripted and automated.

Here are the main features:
  • Install and uninstall WebScarab
  • Multiple Gui Automations
    • Switch Interface Modes (from "Advanced -> Lite" and "Lite->Advanced")
    • Save current Conversations
    • Load previously saved Conversations
  • IE Automation via dynamically compiled O2 Scripts (allowing the workflow where a dynamic script is executed by IE and the traffic captured by WebScarab)
  • Load and filter saved conversations
    • as a SQL-like dynamic query (and then using a GUI that allows the real-time execution of .NET LINQ Queries)
    • as O2Findings (via a special WebScarab->O2Findings converter), and then using O2's powerful Findings Filtering capabilities
For more details about this Custom O2 Tool/Script see:

Friday 15 October 2010

Example of Gui Automation: Controlling Notepad from O2

Here is a good example of the O2's GUI Automation capabilities that really allow the instrumentation of other Windows Applications and to perform client side application security reviews:
The API that powers this GUI Automation is the amazing CodePlex's White Project (http://white.codeplex.com) which is a big wrapper on top of Microsoft's UIAutomation library

Thursday 14 October 2010

Tool - Using OpenPgp to Encrypt or Decrypt.h2

I just published a new O2 script/gui that solves a problem/pain that I have had for a long, long time: the quick and easy PGPing of texts and files.

This O2 Tool (i.e. script) is already pushed to the SVN (available if you have the latest ClickOnce version) and has the following features:
  • create PGP Keys
  • store PGP configuration on xml files (which are easy to move around)
  • GUI to encrypt Text
  • GUI to decrypt Text
  • GUI to encrypt and decrypt Files
  • Supports workflow where the PassPhrase is kept private and the Public + Private keys are sent unencrypted to the client
You can read more about it (including detailed screenshots) at the O2 Platform WIKI:
http://www.o2platform.com/wiki/O2_Script/Tool_-_Using_OpenPgp_to_Encrypt_or_Decrypt.h2

Here is the YouTube Video http://www.youtube.com/watch?v=_Cd8AfZyWMs (created with the new O2 Video creator tool which helps me to quickly create this type of video)

And here are a couple screenshots




Wednesday 6 October 2010

UnitTest for Twitter "XSS Vuln in ManageDomains"

This script is focused on a recently disclosed and patched XSS vulnerability in Twitter:

O2 Platform script to create Twitter accounts (with CAPTCHA support)

Part of the challenge of automating/scripting web application security vulnerabilities is the need to handle multi-stage data inputs.

A good example (and PoC) are account creation wizards, which these days (for example) include a captcha question.

To show how this can be done in O2, I've just coded a script that shows this in action:
Here is the code snippet that automates (except for the captcha question) the Twitter account creation using O2's Browser Automation API (WatiN based). The key design-goal of the O2's Browser Automation API  was to make it easier to read (and code):

Tuesday 5 October 2010

Using a MAC address to find your physical location (via Google Location Services)

If you watch Samy's presentation "How I Met Your Girlfriend" you will be shown a very good example of what I think is a "perfect storm". Amongst the multiple examples he gives, he shows how from a MAC address (which he gets via a router XSS) he is able to discover the girlfriend's address.

And how does Samy do it? He uses Google's Location Services REST API, which returns a nicely populated JSON response, filled with location information (longitude, latitude, address, accuracy, etc...), when provided a valid/known-to-Google MAC address. Google knows about MAC addresses from the data feeds provided either by Google's Street View cars or by passing-by pedestrians using Android phones.

After watching Samy's presentation a couple of times I was curious to see if it really worked that way, and unfortunately (for privacy) it does.

For more details on how this works see the O2 Platform script that I wrote in a couple of hours yesterday, which will find your local router and show you your current location. This wiki page has more technical details and screenshots: Tool_-_Find_Physical_Location_via_MAC_Address_(using_Google's_APIs).h2

Here are a couple screenshots of the script in action:




Saturday 2 October 2010

With O2, I am a Curator of Open Source Software

A couple of days ago I saw the amazing and highly recommended Jason Fried Web 2.0 Keynote – Be a Software Curator video presentation (from 37 Signals) where Jason made the argument that as software developers we have to be curators (as in a Museum Curator) when selecting the features we choose to implement for the software or web applications we are developing.

In that presentation, one of his strongest analogies is the fact that Software has no physical properties (as in weight, shape, smell, transparency, etc...), which makes it very hard for its users to provide immediate feedback on the software/webapp they are about to use and, more importantly, denies the developers valuable information on how well ‘designed’ their application is (not designed as in 'look-and-feel + graphics', but ‘designed’ as in ‘Design the experience’).

This means that we as software developers must be very disciplined on which customers/users we listen to, and what we decide to do with our limited development resources.

And this is exactly what Curators do in Museums. They understand what their target audience wants, they find the artists + exhibition items that match his/her (the Curator's) vision and then finally he/she ‘Designs’ the user experience in order to maximize the user’s benefit from attending the exhibition.

After thinking about this concept for a while, I realized that it also fits very well with what I try to do in the O2 Platform when I:
  • have a particular problem (let’s say I want to automate a Browser workflow/exploit/UnitTest), 
  • do research on the currently available Open Source tools that could address that problem (Selenium, WatiN, .NET Browser Control, multiple CodePlex projects, etc...), 
  • try a couple that look like the best fit (writing APIs to help consuming them) 
  • use these APIs in real work engagements 
  • based on the successful use of the original API + O2 Customizations (and Extension Methods Wrappers), arrive at a conclusion on which one is the best Open Source API to use (in this case WatiN) 
  • Package the chosen API in easy to use modules that are then exposed to the wider O2 community 
And since just about everything in O2 is a Script, the added value provided by O2 is the fact that its dynamic scripting/packaging environment is able to dramatically simplify the use and consumption of the chosen Open Source API

Basically, I’m a Curator for Open Source with the responsibility to research, test, select and customize APIs to solve specific Web Application Security problems.

Friday 1 October 2010

Using O2 to Parse WSDL files and submit requests/payloads

The .NET SDK comes with a tool that creates a C# file from a WSDL (which is what Visual Studio uses when adding a Web Reference).

This file can then be used to automatically enumerate methods + parameters, and provide nice C# stubs to send requests or fuzz payloads (and that is just a warm-up on what you can do with it).

O2 has support for WSDL creation via this script: http://code.google.com/p/o2platform/source/browse/trunk/O2_Scripts/Languages_and_Frameworks/DotNet/DotNet_SDK_WSDL.cs

To see it in action, here is an example of how to consume it using O2's C# Scripting Environment: http://www.o2platform.com/index.php/DotNet/WSDL
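
As an added illustration (not code from O2 or from the original post), the sketch below enumerates operations and parameters by reading the WSDL XML directly rather than the generated C# file, which is a quick way to inventory what a SOAP service exposes. The `Demo` service, its namespace and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://schemas.xmlsoap.org/wsdl/", "s": "http://www.w3.org/2001/XMLSchema"}

# Constructed sample: a minimal document/literal WSDL for a made-up "Demo" service.
SAMPLE_WSDL = """
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.test/"
    targetNamespace="http://example.test/">
  <types><s:schema targetNamespace="http://example.test/">
    <s:element name="GetUser"><s:complexType><s:sequence>
      <s:element name="userId" type="s:int"/>
      <s:element name="token" type="s:string"/>
    </s:sequence></s:complexType></s:element>
    <s:element name="Ping"><s:complexType/></s:element>
  </s:schema></types>
  <message name="GetUserSoapIn"><part name="parameters" element="tns:GetUser"/></message>
  <message name="PingSoapIn"><part name="parameters" element="tns:Ping"/></message>
  <portType name="DemoSoap">
    <operation name="GetUser"><input message="tns:GetUserSoapIn"/></operation>
    <operation name="Ping"><input message="tns:PingSoapIn"/></operation>
  </portType>
</definitions>"""

def local(qname):
    """Drop the namespace prefix: 'tns:GetUser' -> 'GetUser'."""
    return qname.split(":")[-1]

def enumerate_operations(wsdl_text):
    """Return [(portType, operation, [(param, type), ...]), ...] for a WSDL 1.1 document."""
    # ElementTree is fine for this inline sample; for WSDLs fetched from hosts you
    # do not control, a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(wsdl_text)
    elements = {e.get("name"): e for e in root.findall("w:types/s:schema/s:element", NS)}
    messages = {m.get("name"): m for m in root.findall("w:message", NS)}
    found = []
    for port_type in root.findall("w:portType", NS):
        for op in port_type.findall("w:operation", NS):
            inp = op.find("w:input", NS)
            msg = messages.get(local(inp.get("message"))) if inp is not None else None
            params = []
            for part in (msg.findall("w:part", NS) if msg is not None else []):
                wrapper = elements.get(local(part.get("element", "")))
                if wrapper is not None:
                    # document/literal: parameters are children of the wrapper element
                    for child in wrapper.findall("s:complexType/s:sequence/s:element", NS):
                        params.append((child.get("name"), local(child.get("type", "anyType"))))
                elif part.get("type"):
                    # rpc style: the message part itself is the parameter
                    params.append((part.get("name"), local(part.get("type"))))
            found.append((port_type.get("name"), op.get("name"), params))
    return found

if __name__ == "__main__":
    for port_type, op, params in enumerate_operations(SAMPLE_WSDL):
        print(f"{port_type}.{op}({', '.join(f'{t} {n}' for n, t in params)})")
```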

Great Comments on the O2 Subscription Model

OWASP Leader Michael Coates had some great comments on the O2 Subscription model when I asked a while back if it was compatible with OWASP's values and mission.

Here are his words (slightly edited since the original version was commenting on the previous version which had a couple extra OWASP membership related items):

"...To my knowledge, this is the first OWASP project that has attempted a financing model.  It is important for us (OWASP leaders) to be open and communicate the correct ways for OWASP projects to offer services that are not free.  Below I've included the OWASP principles and my thoughts on their relation to Dinis's idea.

OWASP Principles -
http://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project

Free & Open

As Dinis mentioned, his code is open to everyone at no charge.  The O2 tool can be downloaded and used without paying any of the subscription fees. No problem here.

Governed by rough consensus & running code

Not relevant to this issue except that the overall consensus of the OWASP leaders should be considered.

Abide by a code of ethics

No problems here

Not-for-profit

OWASP itself is not for profit. But what about individual projects? The O2 project is rightfully (in my opinion) charging for Dinis's time to offer premium support to commercial customers. Many of us, Dinis included, volunteer large amounts of time to OWASP. However, volunteering and providing commercial grade support are two totally different things. This is a fine move in my opinion.  Many companies will not adopt an open source software if a formal support policy cannot be established.  So although I don't personally have any problems here, how do we reconcile this situation with our principles?  Perhaps the answer is related to point #2 (rough consensus) and this sort of email discussion

Not driven by commercial interests

Although O2 technically would become "commercial" in a small way I don't see any problem here. This item is meant to address the overall objectivity of OWASP in always promoting the best security advice that is not tainted by a particular company's motivation.

Risk based approach

Not a problem. In fact O2 reinforces this principle.


Overall I think Dinis's approach to a subscription model for support is not a problem. This model is used by other open source organizations such as Red Hat (https://www.redhat.com/wapps/store/catalog.html). In fact, if we want OWASP to continue to grow then I think we need to support these types of initiatives. Otherwise our tools and processes may be ignored by many companies that require these types of formal relationships.

...

 
Conclusion

  • I support Dinis's plan to offer a subscription service for commercial support of O2 and believe this type of model is necessary to take OWASP projects to the next level
  • I believe this is in line with OWASP principles
  • ....

..."


Update on O2 Subscription Model

Following the feedback received when I pushed the first version of the O2 Subscription model, I've made a number of changes which should be a better fit for the community and target user base.

As before, there are 3 Subscription levels, but this time around there is a much bigger focus on the creation and support of a customized version of O2 for each subscriber (and based on the comments made I removed the OWASP-related options).

Here is a table that represents the new model:


Currently there are 3 companies subscribed and I'm working with them on their custom version of O2.











For more details see this  O2 - Commercial Services presentation or visit the O2 Subscriptions page at the O2 Website
------------------------------------------------
Important note: this is NOT a service provided by OWASP and the OWASP foundation has no direct involvement or responsibility in the delivery or fulfillment of these subscriptions