Saturday 30 July 2011

Proposed workflow for breaking and analysing FVDL Files

Following the multiple blog entries prosted about O2's support for Fortify's FVDL, (sent to me by an O2 user) here is a description of a use-case that O2 should support:

I would shoot for the ability to disposition large *.fpr/*.fvdl files.

Here is a typical workflow:

1. Scan is run code base generating an *.fpr file
2. Code Reviews receive the file but because it is too large it cannot be opened by Fortify's tool.
3. Code reviewer uses O2 to open file and disposition or suppress issues by Category (XSS, SQL Injection, Path Tampering, etc.)
4. Code Reviewer then saves dispositions to *.fpr file.
5. The *.fpr is saved and on subsequent scan of the same application. The new.fpr file is merged with the old.fpr file.
6. The code reviewer works on the merged.fpr to disposition items.
7. Wash, rinse, repeat.

The data needs to be stored in the *.fpr file because most code assessment processes relies on merging the old fpr with the new *.fpr/*.fvdl on subsequent rereviews.


Next step(s) is to write a script(s) to implement this workflow, and try to figure the best GUIs to enable it.

Friday 29 July 2011

What needs to be done to map Static Analysis Traces from Controllers and Views

Here is a reply I just posted on the O2 Mailing list, which provides a number of ideas on how to map/glue partial traces (i.e. traces that have sinks on Controllers and Sources on Views)

------------------------------------------

I think we are exactly on the same page, and welcome to the wonderful world of 'Framework behaviour mapping' :)

More FVDL scripting and example of (O2 created).NET Taint Flow trace

Here is a reply I just sent to a new O2 user that is trying to get his head around O2 Scripting (to parse, filter and visualize FVDL Files) , which also includes a link to a blog post with an example of what the O2 .NET Static Analysis engine is able to create:

"...I've pushed another blog post that should give you more ideas on what you can do with O2 scripting and FVDL files: http://o2platform.wordpress.com/2011/07/29/creating-the-the-util-view-fvdl-traces-h2-script-lots-of-data-analysis-code-samples (I wrote this last week, but run out of time to publish it then) ..."

Question: what do you mean by "connecting some related issues..an unsupported MVC pattern breaks the data flow from the controller to the view" ? Are you trying to connect the tain-flow traces? (for example a trace that starts in a Controller and continues on a View?)

If so, you need to take a look at what I was doing with the traces I used to get from the Ounce Labs engine. I was doing exactly that. 

There is quite a lot of scripts and code in O2 to support the joining of traces (from simple to complex use cases), so let me know if this is what you are trying to do (note that to really take advantage of O2, we should expand the current FVDL parser to create IO2Findings objects, since once we have that, we can use the existing O2 tools for Finding's viewing and Trace's joining (including Drag&Drop trace creation support)).

To see an example of the kind of traces you can do in O2, check this out .NET HacmeBank SQL Injection vulnerability trace example: http://o2platform.wordpress.com/2011/07/29/o2-net-ast-scanner-hacmebank-sql-injection-poc .

Note how that 'O2 created trace':
  • starts on a URL (the real Source of tainted data), 
  • then follows the taint flow into a server-side Textbox, 
  • and into the WebService's call on the WebSite code
  • and into the WebServices' method on the WebService's code (this was a separate trace that was joined with the first one), 
  • and continues the taint follow until it reaches the Sql Injection Sink

Thursday 21 July 2011

101 O2 Platform Blog posts (by category) - on July 21st

If you are looking for info on O2 features and scripting capabilities, the best place to look is the O2 Blog (at http://o2platform.wordpress.com)

Here is the full list of the currently 101 entries (listed by category (the last post listed them by publish date)):

101 O2 Platform Blog posts (by publish date) - on July 21st

If you are looking for info on O2 features and scripting capabilities, the best place to look is the O2 Blog (at http://o2platform.wordpress.com)

Here are the full list of the currently 101 entries (here listed by publish date (next post will list them by category))

Tuesday 19 July 2011

Current O2 support for analyzing Spring MVC

During the past week I spent some time documenting O2's support for Spring MVC apps.

There is still quite a lot to do before we can do a proper security analysis of the JPetStore and PetClinic applications (for example 'mapping the JSPs to the controllers'), but hopefully these blog posts show the kind of analysis that is possible using O2:

O2 Platform Amazon EC2 Image (AMI)

I did this a while back, but somehow forgot to make reference to it.

If you have an Amazon AWS (EC2) account, you can now use it to fire up a preconfigured Windows Image with O2 on it :)

Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)

If you want to use O2 on Spring MVC apps that use Annotation-Based controllers, there is an O2 module that you can use which will allow you to view/test those controllers (including the Autobinding elements)

Here is a blog post that shows how it works: Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities)

This is quite an old O2 module (using the previous GUI), but what I really like about it, is that it shows how static analysis can be used to drive black box tests (which is the best way to perform blackbox reviews).

What we really need next, is to convert this code into the new 'O2 Script based world' and into the Spring MVC mappings classes (as shown in the JPetStore example).

Using O2 to Parse and Visualize Fortify's FVDL files

Following a request from an O2 user that needed to parse an 430Mb FVDL file (which Fortify's own tool couldn't open), during the last weekend I created a parser and couple visualizing tools so that now we can use O2 to consume FVDL files (as sample files, I used the data published by NIST SAMATE on its SATE 2008 project)

I took the time to document my process and workflow on a series of blogs posts. These posts show how to go from a raw XML file into a easily consumable and highly scalable solution/toolkit. They are a good example of the type of workflows that O2 has been designed to enable.

Here are the blog posts (with the newest on top since those are the ones with the final result)
I'm pretty happy with the end result, since it was quite easy to write the parser, and the end solution scales very nicely. Also as you will see, there is a LOT of great data that is included inside the original XML file, so the next step is to build a couple more tools to filter/view/visualize it (for example: a view that filters the vulnerabilities by type/severity and shows the traces using the included code-snippets)

If you have access to Fortify FVDL files, please give this tool a test-drive and see if you can spot any issues with the XSD that was created (we also will most likely need to create special parsing methods to deal with the variations between the multiple versions of FVDL files).

Saturday 16 July 2011

Another issue with the .NET Random class

OK, maybe it is just me, but I was not aware that the random class was not Thread Safe (I was aware that it is recommended that you don't create a new Random object on every use).

I just documented my findings/experience at the O2 Blog http://o2platform.wordpress.com/2011/07/16/humm-net-random-class-is-not-thread-safe/ and, I have to say that I have the feeling that there are a number of security vulnerabilities out there created by this behaviour (think of an multi-thread environment which receives a lot of traffic and uses the Random class for session/key/token/id generation).

And since it requires a certain number of requests/threads to trigger the problem, it might not be easy to detect, debug and/or replicate (note that Random doesn't fail safely... i.e. once the race condition is triggered, it will just return 0).

Here are a couple projects that (look like they) use the Random class: http://www.google.com/codesearch#search/&q=%22new%20Random%22%20lang:%5Ec%23$&type=cs

Friday 15 July 2011

New design for o2platform blog and links to post categories

UPDATE: See also New design for this blog

I just spent some time at the O2 Blog where I selected a new theme and categorized all 80 posts.

See image below for the new look, or visit http://o2platform.wordpress.com/ directly (please let me know what you think of).

Thursday 14 July 2011

Details of Today's O2 Spring-MVC focused webcast

Hi, in case you want to join in, here are the are the main links for today's event (Analysing a Spring MVC App (JPetStore) using the OWASP O2 Platform)

See you at the WebCast (via https://join.me/135-208-702)

Wednesday 13 July 2011

O2 Webcast: "Analysing a Spring MVC App (JPetStore) using the OWASP O2 Platform"

I just setup the following webcast at EventBrite: Analysing a Spring MVC App (JPetStore) using the OWASP O2 Platform

Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities

On the Spring MVC topic, I added a couple more blog posts and video to the O2 developer blog:
I also noticed that using the same autobinding vulnerability, it is possible to change the quantity of the item being purchased to a negative value which has interesting implications on the current purchase and more importantly on the global (to JPetStore) 'item stock quantity' value.

I have not scripted this latest issue, but if you want looking at trying these scripts, why don't you have a go at writing it?

:)

Tuesday 12 July 2011

Reaching out to Spring Developers

I just posted an entry on the Spring Framework forums http://forum.springsource.org/showthread.php?111901-Security-Vulnerabilities-with-JPetStore-and-visualization-of-the-AutoBinding-Issues which hopefully will get some tracking from their side.

I will reach out to my contacts over there (Spring Source), but if you know somebody at SpringSource (or at a heavy user of Spring MVC) please put them in touch.

Thanks

Finally ... here is how I have been analysing Spring MVC apps using O2

One of the greatest challenges I always had when reviewing Spring MVC applications, was to gain a full picture of its controllers, and more importantly its CommandClasses (i.e. the POJOs that are AutoBinded by Spring and who are a common source of high/critical vulnerabilities in Spring MVC apps).

The way I approach these problems (visualizing/understanding Spring, Struts, DWR, Sharepoint, etc...), is to write scripts that consume the Application's articfacts (web.xml, *-servlet.xml, source-code, class files) and then consolidate that information in 'easy' (or easier) to undersand visualizations.

Unfortunally most of the great examples that I had in the past were built on top of Client code, so I couldn't really share them. But finally, the O2 Scripts have reached a level of maturity that it was easy to create a generic version of them for Spring's MVC Demo application: JPetStore.

Monday 11 July 2011

"Two Security Vulnerabilities in the Spring Framework’s MVC" pdf (from 2008)

(update: see Finally ... here is how I have been analysing Spring MVC apps using O2 post for an update on how to exploit and visualize these issues using O2)

Since the Ounce website doesn't exist anymore, here is the link to the "Two Security Vulnerabilities in the  Spring Framework’s MVC" we published 3 years ago, which unfortunately it is still very relevant today.

Reaching out to .NET developers (in this case Nunit)

I just posted the text below to NUnit's main mailing list. This is something that I've wanting to do for a while, and finally I think that O2 is reaching a level of maturity that developers of other tools will find it interesting, and will adopt parts of it.

This is all part of the strategy of building bridges with developers, to add value to their world, and to allow us to speak the same language.

In this case, if we can get a good dialog with the NUnit folks, I would love to add 'security focussed Unit Tests' to the NUnit Community

"...
Hi, I'm the main developer of the OWASP O2 Platform (see http://o2platform.com and http://o2platform.wordpress.com) and I just wrote a blog post that you might find very interesting:


O2 Platform is a .NET application that has a number of very powerful Reflection APIs. It also makes extensive use of Fluent APIs which you can see a published example here: fluentsharp.codeplex.com

As part of that PoC there is also an O2 Command Prompt that popups up which allows direct access to NUnit's Gui and memory objects. This would be very useful for NUnit developers since it would allow them to have direct access to the GUi controls without needing to recompile and execute the application.

Feel free to contact me if you have further questions or want to see a demo of this in action

Dinis
..."

Thursday 7 July 2011

Injecting O2 into another .NET Process (in this case NUnit.exe)

Here is an O2 script that I wrote while delivering O2 Training to a Company in Phoenix (as a PoC of how O2 could be further integrated into their SDL).

Check out this blog post for screenshots and the code that make this happen: http://o2platform.wordpress.com/2011/07/07/injecting-o2-into-another-net-process-in-this-case-nunit-exe/
In the past I also did the same for Fiddler, where I was able to modify its GUI and decouple a bunch of its windows.

Just to make this clear, with this technique you can take control of any .NET app and (from an O2 Script) completely manipulate its GUI (and features)

Dinis Cruz

Friday 1 July 2011

IronJS looks very interresting

Need to take this for a test drive:
Javascript related and also interesting:

If you are looking for an WebAppSec job in Boston...

...here are a couple cool positions from SecurityInnovation

Posted today (1st July 2011) in http://news.ycombinator.com/item?id=2719028 by Joe Basirico ...

"...
Security Innovation's (http://securityinnovation.com) team of amazing hackers is hiring (Boston, MA).

I'm looking to hire a couple awesome security professionals for our Boston office.

We assess a wide range of really interesting technologies, from web apps to mobile to crypto. You have to have a true passion for security, most of the team does this on their off time and it's all we talk about.

If you dream in hex, clickjack for breakfast, exploit XSS, SQLi and CSRF for lunch, Buffer Overflows and Format String Vulns for Dinner and some AuthN/AuthZ hijacking for a midnight snack you're our kind of candidate.

You'll have time and budget to do research, go to and speak at conferences, and build tools that will change the internet (We helped develop Firesheep, if you remember that).

You can e-mail me directly: jbasirico at securityinnovation dot com for more information.

Check out our postings: