Thursday 24 November 2011

Please root these devices (project and customer awareness)

Here is a cool opportunity which also raises some interesting questions

I just got asked to see if I could recommend a good AppSec and Reverse Engineer person to spend one month breaking the security of a tablet (and another device) that is coming to a place near you next year.

The brief is quite an interesting one, since it basically says: '...please root this device, show how to install malicious apps on it without root, and/or show how to extract encrypted content...'  (so if you know somebody or are interested please ping me directly)

What is interesting about this gig is the company it is from. Usually those corporate folks are a bit more gentle and politically correct, but this shows that these guys really want to know the problems first (which is a nice evolution in our market). I have to say that 'finally' I have seen more people/customers who want to be secure (vs being compliant or wanting to be seen doing something about it).

It also shows how interconnected our day-to-day devices are becoming, and how big a can of worms (from a security point of view) they can/will be.

Note how web app security is starting to be more and more dependent on the devices that use it. For example, there could be a number of vulnerabilities created by how the client/server exchanges occur (it would be cool to root the device by tricking it into installing something via a reflected exploit on the server; would we call that a 'Reflected Root' vulnerability? :) ).

This also feels a lot like the 'return of the fat client', where the vendors have so much control over the client's device that they extend the attack surface to it (which could lead to a number of security decisions being made on the wrong location).

Wednesday 23 November 2011

Heads up on O2 WebProxy and WAF Simulator

For the more advanced O2 users out there, I just committed a new set of O2 scripts that implement two very powerful capabilities
  • O2 Web Proxy - native (to O2) web proxy that sits between the IE automation object and the rest of the world (although inside the same O2 .Net process). This was based on the code in and it gives O2 something that I have been wanting for years now: programmatic access to a web proxy. This opens up a LARGE number of testing/fuzzing capabilities and dramatically simplifies IE analysis tasks (for example, something that is now simple to get is the full value of the cookies (and headers) sent to/from the IE browser (the http-only cookies, for example, were really hard to get))
  • O2 WAF Simulator - built on top of the O2 Web Proxy, I was able to quickly create a WAF simulator which uses the O2 Proxy's callbacks to fix a couple of vulnerabilities in the test app I was looking at (great when talking to developers about the vulnerabilities discovered and their possible fixes)
I will shortly put more details about this on the O2 blog

What I like the most about these two new capabilities, is that this was all created/implemented in about 4h of focused-development (and shows how powerful O2's APIs and quick-prototyping development environment have become)

Help on running Cucumber via security tools and .NET

Hi, I need to integrate Cucumber into O2, so I was wondering if I could get some help.

Here is my first set of challenges:
  • I need a couple of Cucumber scripts (running on top of Ruby) that do some kind of web actions (ideally on a vuln app like webgoat, hacmebank, etc...) so that we can test the following scenarios:
    • Trigger these tests directly from O2 (including seeing their results). This could be as simple as triggering Cucumber from the command line
    • Run those same tests via a security proxy/tool/scanner so that we can 'teach it' how the app works. This should work for any tool that can act like a proxy, but to start, I would like to run it on
      • OWASP ZAP
      • NetSparker
      • AppScan Standard
      • Burp
  • Use IronPython to run cucumber tests/features directly in .NET/O2 so that I can create a solid two way communication and instrumentation between those scripts and O2 (i.e. O2 to consume them directly, and the scripts being able to access O2 APIs)

Friday 11 November 2011

Comment on reply to post: Mark on 'Models for Better Security Communities'

(comment I made on the OWASP mailing list last week which contains some ideas on where I see OWASP going next)

Stephen, you absolutely shouldn't feel guilty of 'only' contributing to OWASP through your regular bursts of energy (I put 'only' in quotes, since you are one of my favorite OWASP stories, and a talent that I'm very proud to have helped to attract to OWASP). Your type of contribution is one of the things that has built OWASP and it is one of its most amazing characteristics.

In fact, in my view, the job of OWASP 'the organization' is to make sure that when you do focus and want to commit some energy, there is an environment (or ecosystem) that will make that process as productive, enjoyable and efficient as possible.

In that light, OWASP 'the organization' should be much more like an event organizer (think 'music production company') than a big 'we have the vision and know it all' type of org.

Please don't be too hard on Mark since his heart is absolutely in the right place (and let's not really judge Microsoft's ethics since most large companies these days won't get a clean bill of health :) ).

One thing I learned from playing music is that you have to listen to the audience's comments, and most of the time they say (from your point of view of course) the right thing the wrong way (or not the same way you would articulate it).

Mark wants a more professional and focused approach to OWASP, where there is energy and commitment in the creation of very professional, high-quality, well presented, easy to use/adopt and community-friendly deliveries (tools, books, guides, dev outreach, etc...). 

Which is exactly what I also want.
  • That doesn't mean that we stop supporting the grassroots movements and activities that allowed OWASP to be what it is today (and empower its contributors to 'just get on with it and try to find a solution'). It means instead that we need to put a lot more investment and effort into creating an operational machine that will support it (we have the talent at OWASP; what we don't have is the operational machine (which OWASP's leaders are not really good at, or don't have time to dedicate to)).
Part of the problem is that there is still this view at OWASP that we need: 
  • a strong mission, vision, etc...
  • high level commitments/endorsements and 
  • centrally controlled activities
.... as if we had those anything would happen because of it :)

Part of the problem of this type of thinking, is that it creates an environment where Mark (correctly under that thinking) was expecting a level of support and endorsement for his ideas that is just not possible at OWASP. 

The irony is that there are lots of really great leaders inside OWASP that share Mark's wish for a more professional and dev-community-friendly OWASP. Unfortunately we (OWASP) still have not come up with an operational model that allows those groups to aggregate and flourish (I don't think the current Committees structure is the right one, but maybe there is a better one).

Btw, for me the only vision and mission that OWASP needs is three (or maybe two) words: Web Application Security or maybe just even two: Application Security

So please embrace Mark's ideas and comments, you might not like his style (like many don't like mine), but he is carrying an important message.

Think about this, we are lucky that Mark cared enough about OWASP that he spent his time documenting and talking about his issues and problems. We would be much worse off if he had just ignored OWASP. In fact, I wish he blogged more about his ideas for OWASP since there is some great stuff in there :). He also talks to a lot of people about OWASP, especially people who would like to be involved at OWASP but have not found their sweet spot. We need to hear those voices and find ways to connect to them.

Wednesday 9 November 2011

Solution for fixing Spring's JPetStore AutoBinding vulnerabilities

Here is an O2 blog post that describes my preferred solution for Fixing one of JPetStore's AutoBinding Vulnerabilities (changing the purchase price)

I have to say that as a developer doing the code fix, it was simply amazing and very powerful to have the complete web workflow of the shopping cart available as an automated O2 script.

This allowed me to quickly ensure that:
  a) the app still behaved as it should (after the fix)
  b) the vulnerabilities identified were properly fixed

What do you think of the solution?

Tuesday 8 November 2011

Integrating Security into the User's Gui - In this case Rational AppScan Source in AppScan Standard

Based on an SI engagement I'm currently involved in, which is focused on the integration of AppScan Source and Standard findings, here is a pretty cool PoC of what we are doing there:

Monday 7 November 2011

In ASP.NET, prevent XSS with automatic html encoding

Yesterday when looking for the ASP.NET XSS mappings I found an article that presents a solution that I have been looking for ages: Changing the behaviour of the ASP.NET <%= tag so that it encodes by default.

His technique of hooking the compilation step is absolutely brilliant

The future of secure code? Fixing/Encoding .NET code in real time (in this case Response.Write)

If we really want to help developers to fix their code, we ultimately need to move all the way into their IDEs and actually provide them code-fixes in context!

A while back somebody asked me how to actually perform .NET code changes and patches using O2's .NET Static Analysis engine, and I wrote a little PoC that clearly shows how that can be done (and a preview of what the future looks like).

I just wrote an O2 blog post about it which you can find here: (if you have O2 installed just run the Fixing Response.Write.h2 script)

Here is a 20 sec video that shows this script in action:

I really like this concept, and it is sort of similar to what Spring is doing with Roo ( where the developer's code is automatically refactored in order to meet specific objectives

Sunday 6 November 2011

ASP.NET Anchor tag allows XSS payloads, is this a vulnerability on the .NET Framework?

I just posted a blog entry on an O2 script I wrote a couple of days ago that checks if the HREF attribute of the ASP.NET HtmlAnchor control is vulnerable to XSS:

There are a number of really cool techniques on this script:
  • Render the Html Tag control in isolation (which will allow these tests to be run from vanilla UnitTests)
  • Quickly put Html content in a browser and see what it looks like
  • Quickly fire up a .NET web server on a local directory, create a test *.aspx page, and see its contents (rendered from the ASP.NET server)
  • Test some payloads on the *.aspx page and confirm (or not) the exploitability of this control (a good follow-up script to write is to run the FuzzDB on this property and see which ones work)
Since it is safe to assume that the Href from an HtmlAnchor should not have " (and other dangerous chars) in its rendered text (it should be encoded), shouldn't this be classified as a vulnerability in the Asp.Net Framework? Especially since it bypasses ASP.NET's built-in validation.

Is this documented somewhere? I know there is (somewhere) a list of all ASP.NET mappings (so it should be there), but I just looked at the MS pages for the HtmlAnchor tag and there is no mention there of the security implications of this:
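To show the attribute-encoding point behind the exploitability test above, here is an added Ruby example (not the O2 script and not the .NET control): a model of a control that writes the href verbatim next to one that attribute-encodes it, plus the check the test harness applies to each rendering. The payloads are constructed for illustration, not taken from the post or from FuzzDB.

```ruby
require 'cgi'

# Model of a control that writes the href value verbatim into the attribute
# (the behaviour the post reports for HtmlAnchor). Not the .NET control itself.
def render_anchor_unencoded(href)
  %(<a href="#{href}">link</a>)
end

# Hardened rendering: HTML-attribute-encode the value so that " < > & and '
# cannot terminate the attribute or the tag.
def render_anchor_encoded(href)
  %(<a href="#{CGI.escapeHTML(href)}">link</a>)
end

# Constructed test values (hypothetical, not from the post or from FuzzDB).
PAYLOADS = [
  'http://example.com/page',                      # benign URL
  'http://example.com/" onmouseover="alert(1)',   # tries to add an attribute
  '"><script>alert(1)</script>',                  # tries to close the tag
  "http://example.com/'"                          # single quote is harmless inside "..."
].freeze

# The output is intact only if it is still exactly one <a> tag with a single
# href attribute whose value contains no raw double quote.
def attribute_escaped?(rendered)
  !rendered.match?(%r{\A<a href="[^"]*">link</a>\z})
end

# Which payloads broke out of the attribute for a given renderer.
def breakout_payloads(renderer)
  PAYLOADS.select { |p| attribute_escaped?(renderer.call(p)) }
end
```

Running `breakout_payloads(method(:render_anchor_unencoded))` returns the two breakout payloads, while the encoded renderer returns none, which is exactly the pass/fail criterion such a unit test should assert on.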

Saturday 5 November 2011

New O2 main GUI (as 2.0 beta version)

I just pushed a new simpler GUI for O2 which will hopefully make it easier to quickly start using O2 and find useful scripts.

This is what it looks like:

Let me know what you think of it.

Do you like it?

Does it make it easier?

You can read more details about this new GUI at Details of new O2 main GUI (as 2.0 beta version) and you can download the latest version of O2 from here

Wednesday 2 November 2011

Using O2 to help an AppScan Source (and Standard) user

Yesterday I had a great session with a potential SI customer where I was tasked to help them make the most out of AppScan Source resources.

The scenario is a very typical one for any SAST client (namely Ounce/AS.Source or Fortify):

Unit Tests to detect problems with site and content integrity

So with the public launch of TeamMentor Beta I now have a nice problem to solve:

"How to write UnitTests (Browser Automation and WS driven) that test for the valid state of the TM test websites ( and and ensure that they have not been spectacularly modified, modified or hacked :)"

Here is a list of what I would like to keep an eye on or do:

  • Is the website still up?
  • What about its response time?
  • Do the normal N user activities still work? (open page, view content, login, edit content)
  • Is there any malicious content on the TM websites? (namely in the recently changed content)
  • Check activity logs and detect malicious/weird activity?
  • How to automatically rebuild the server (maybe every day)?

All these should be written as UnitTests and executed on demand (or on a schedule). Sounds like a job for O2 :)

Humm, it looks like I really need to add AppSensor capabilities to TM, since that would allow some of these tests/activities to be detected in real time :)
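As an added example (not O2 code and not TeamMentor's own tests), here is a Ruby sketch of the first four checks from the list above, written so that a scheduled test can assert on one report: reachability, status, response time, content drift against a baseline digest, and unexpected scripts in the page. The sample page, the allow-listed host and the 2-second threshold are constructed assumptions.

```ruby
require 'digest'
require 'net/http'
require 'uri'

# One probe of a page: reachable?, HTTP status, elapsed seconds, body.
Probe = Struct.new(:ok, :status, :elapsed, :body)

# Fetch and time a URL (network-bound); the checks below take a Probe so they
# also run on constructed responses such as SAMPLE_PAGE.
def probe(url, timeout: 5)
  uri = URI(url)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https',
                        open_timeout: timeout, read_timeout: timeout) { |h| h.get(uri.request_uri) }
  Probe.new(true, res.code.to_i, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0, res.body)
rescue StandardError
  Probe.new(false, nil, nil, nil)
end

# Baseline digest of the page body; strip app-specific volatile parts (CSRF
# tokens, timestamps) before hashing in a real deployment.
def content_digest(body)
  Digest::SHA256.hexdigest(body)
end

# Flag inline scripts and external scripts whose host is not on the allow-list;
# same-origin relative paths are accepted.
def script_findings(body, allowed_hosts)
  body.scan(/<script\b([^>]*)>/i).map(&:first).filter_map do |attrs|
    src = attrs[/\bsrc\s*=\s*["']([^"']+)["']/i, 1]
    next 'inline script' if src.nil?
    next nil if src.start_with?('/') && !src.start_with?('//')
    host = (URI(src).host rescue nil)
    allowed_hosts.include?(host) ? nil : "unexpected script src #{src}"
  end
end

# Combine the checks into one report; an empty array means all checks passed.
def integrity_report(probe, baseline_digest, allowed_hosts, max_seconds: 2.0)
  return ['site unreachable'] unless probe.ok
  findings = []
  findings << "status #{probe.status}" unless probe.status == 200
  findings << format('slow response %.2fs', probe.elapsed) if probe.elapsed > max_seconds
  findings << 'content changed since baseline' unless content_digest(probe.body) == baseline_digest
  findings + script_findings(probe.body, allowed_hosts)
end

# Constructed sample page standing in for a TM page (not real TeamMentor markup).
SAMPLE_PAGE = '<html><head><script src="/js/tm.js"></script></head><body><h1>TeamMentor</h1></body></html>'
```

A scheduled test would call `integrity_report(probe('https://<tm-host>/'), stored_digest, allowed_hosts)` and fail on any non-empty result; the user-activity checks (login, edit) belong in the browser-automation layer and are not modelled here.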

TeamMentor v3.0 Beta is out of the bag (try it or download it now)

UPDATE (Oct 2012): THIS POST IS OUT-OF-DATE. The latest version of TeamMentor to test is at: Test and Hack TeamMentor server with 3.2 RC5 code and SI library

Last night SI (Security Innovation) released the public beta of the product I have been working on for the past 7 months. It is called TeamMentor (TM) and it is a web based tool to create and distribute security knowledge.

There is a lot that I want to say about this project (especially since O2 was used for its development, and the product is a great case study of the power of O2 when used as a developer-helping tool). Also, SI is more than happy for me to talk about the internals of TM, how it evolved and its architecture (which is a rare thing in product companies)

So to kick start this, here are the main links:
Here are the login details (note that the editor role can change all content, so try to be gentle with the version online :) )
  • Administrator - admin/changeme 
  • Reader - Reader/changeme 
  • Editor - Editor/changeme 
  • Developer - Developer/changeme
If you download the TM code and want to run it locally, once you unzip it:
  • Launch the server by running either the "Start NET35.bat" file or the "Start  NET4.bat" file (use the one that works for you).
    • Give it a couple of seconds to load. An icon in the system tray should appear, indicating that the "Cassandra" server is running.
    • Please, note that the "Cassandra" server does not bind to external interfaces by default, so it will only be available on the local machine when started from the bundled scripts. 
  • Open the site. A web browser should open automatically on the main page. 
  • Login to the application with one of the pre-defined user accounts (listed above)
If you find bugs or security issues, please add them here: (this is beta so I expect you guys to find good stuff in there :) )

Let me know what you think of TM :)