Wednesday 23 November 2011

Heads up on O2 WebProxy and WAF Simulator

For the more advanced O2 users out there, I just committed a new set of O2 scripts that implement two very powerful capabilities
  • O2 Web Proxy - native (to O2) web proxy that sits between the IE automation object and the rest of the world (although inside the same O2 .Net process). This was based on the code in and it givesO2 something that I have been wanting for years now: Programatically access to a Web Proxy. This opens up a LARGE number of testing/fuzzing capabilities and dramatically simplify IE analysis tasts (for example, something that is now simple to get is the full value of the Cookies (and Headers) sent to/from the IE browser (the http-only cookes for example were really hard to get) )
  • O2 WAF Simulator - built on top of the  O2 Web Proxy, I was able to quickly create a WAF simulator which uses the O2 Proxy's callbacks to fix a couple vulnerabilities in the test app I was looking at (great when talking to developers about the vulnerabilities discovered and its possible fixes)
I will shortly put more details about this on the O2 blog

What I like the most about these two new capabilities, is that this was all created/implemented in about 4h of focused-development (and shows how powerful O2's APIs and quick-prototyping development environment have become)