Here is an example of a simple Unit Test written in the Write and Execute Unit Tests v1.0.exe tool which will check for XSS on AltoroMutual website
The idea is that when the Red Boxes go Green, the vulnerability is fixed.
Friday 30 November 2012
Write and Execute Unit Tests v1.0.exe
Here is a nice util to quickly write NUnit tests. This is designed for fast prototyping of UnitTests, which when stable can be moved into a wider set of tests (executed by NUnit)
You can download this tool from: Write and Execute Unit Tests v1.0.exe
You can download this tool from: Write and Execute Unit Tests v1.0.exe
Write technical content for SI's SME course development and TeamMentor
Just got this request from SI's Chris Williams (cwilliams@securityinnovation.com) which some of you might be interested in:
--------------------
As the SI course catalog and Team Mentor continue to grow, so does our need for SMEs to write outlines, create PowerPoint decks, review draft content, and write TM articles.
--------------------
As the SI course catalog and Team Mentor continue to grow, so does our need for SMEs to write outlines, create PowerPoint decks, review draft content, and write TM articles.
Thursday 29 November 2012
Showing Chrome, Eclipse, IBM AppScan Standard and VisualStudio in the same Process/Window
UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process
Using the control shown in Util - Win32 Window Handle Hijack (4x host panels) I was able to create a process that has windows from:
- Chrome (top left)
- Eclipse (top right)
- IBM AppScan Standard (bottom left)
- VisualStudio (bottom right)
Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe
Using the exact same control used in Util - Win32 Window Handle Hijack (simple) v1.0 here is a 4x Panel version of it (i.e. using 2 rows and 2 columns)
This allows for the hijack of a multiple Windows into a common (external) process/GUI
You can download this 1Mb tool from Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe
This allows for the hijack of a multiple Windows into a common (external) process/GUI
You can download this 1Mb tool from Util - Win32 Window Handle Hijack (4x host panels) v1.0.exe
Util - Win32 Window Handle Hijack (simple) v1.0.exe
After Util - Windows Handles Viewer (with Child Windows), I created a tool that allows the easy hijacking (or borrowing) of any Window/Control (that is running in the same Logged-in user Window's Desktop )
This is possible due to Win32 SetParent's capability to allow a Win32 Window/Control to have a parent from a different process (see first examples of this technique in action in: IBM AppScan Source's and AppScan Standard's TreeViews running side-by-site in the same GUI and in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)
You can download the 1 Mb tool from: Util - Win32 Window Handle Hijack (simple) v1.0.exe
This is possible due to Win32 SetParent's capability to allow a Win32 Window/Control to have a parent from a different process (see first examples of this technique in action in: IBM AppScan Source's and AppScan Standard's TreeViews running side-by-site in the same GUI and in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)
You can download the 1 Mb tool from: Util - Win32 Window Handle Hijack (simple) v1.0.exe
Util - Windows Handles Viewer (with Child Windows) v1.0.exe
Following from the tool shown in Util - Windows Handles - View Handle Screenshot v1.0, the next step was to create a tool that shows (for the selected Win32 Window) the handle's children structure (i.e. what 'child windows' exists for the selected window/control)
You can download the 1 Mb tool from Util - Windows Handles Viewer (with Child Windows) v1.0.exe
Here is what the tool looks like (with the 'target icon' used to select the control):
Here is the Pdf with the 'how the script was created' step-by-step guide:
You can download the 1 Mb tool from Util - Windows Handles Viewer (with Child Windows) v1.0.exe
Here is what the tool looks like (with the 'target icon' used to select the control):
Here is the Pdf with the 'how the script was created' step-by-step guide:
Disabling DWM.exe in Windows 7 (for performance reasons)
I noticed that I had a dwm.exe process running in my dev VM that had 230Mb which is not good.
After a quick search I found that it belonged to the Windows Desktop Manager service, which is responsible for the fancy animations in Windows 7 and can safely be disabled (using the Services):
After a quick search I found that it belonged to the Windows Desktop Manager service, which is responsible for the fancy animations in Windows 7 and can safely be disabled (using the Services):
Monday 26 November 2012
Free one-day 'Advanced O2' Training at BeNeLux OWASP Day 2012 (29th November)
In case you missed this one (and are somewhere in Europe), I'm delivering an 1 day 'Advanced O2' training at BeNeLux OWASP Day 2012. So if you want to learn more about the O2 Platform, this is the place to come :)
The training is on Thursday 29th and you can register here
The training is on Thursday 29th and you can register here
Saturday 24 November 2012
Why doesn't VisualStudio (or .NET) have StackOverflow Detection?
It's crazy the fact that one simple mistake in one thread (a recursive call to itself) will bring the entire .Net process down!!!
Friday 23 November 2012
Util - Windows Handles - View Handle Screenshot v1.0.exe
Following from Util - Windows Handles Viewer (Simple GUI with REPL) here is nice utility that takes a screenshot of the target handle's window (when the target process doesn't use the the Win32 Windows controls, you will get a screenshot of the main Window)
You can download the 868 Kb tool from: Util - Windows Handles - View Handle Screenshot v1.0.exe
You can download the 868 Kb tool from: Util - Windows Handles - View Handle Screenshot v1.0.exe
Including/Reusing an H2 script inside another H2 Script
Here is a cool technique that I use to include *.H2 scripts into other scripts, and the environment that I create during its development:
Formatting code for readability
On the theme of making things better and caring about the parts that can't be seen, here is an example of how I like to format large groups of .Net methods (so that they are easier to read and to look at)
Here is what a .Net Class usually looks like (if you allow VisualStudio to format it)
Another VS 2010 crash
It should not be possible to crash apps like VisualStudio. That kind of mission critical app should have a number of anti-crash protections.
But VisualStudio is a massive salad of technologies (see images at the end), and amazingly (bad) it allows its extension's errors to crash the whole app (which again should not happen).
During my regular use of VisualStudio, I get all sorts of errors/crashes, for example here is the latest one (without any other extensions installed):
But VisualStudio is a massive salad of technologies (see images at the end), and amazingly (bad) it allows its extension's errors to crash the whole app (which again should not happen).
During my regular use of VisualStudio, I get all sorts of errors/crashes, for example here is the latest one (without any other extensions installed):
11 O2 stand-alone tools (with a lot more created but not blogged about)
As part of the new design of this blog, I just cleaned up a bit the O2 Platform Tools Label/Page, and here are the 11 that have been published so far:
- Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
- Util - Windows Handles Viewer (Simple Gui) v1.0.exe
- Util - Java Decompiler (JAD based) v1.0.exe
- AppScan Source Findings in Ozasmt files (and O2 tools to View, Filter, Join, Stitch and Script them)
- O2 tools to view and script J2EE, Struts and Tiles xml config files
- TM - Library Manager (with REPL) v1.2.3.exe
- Util - Cir Viewer (with C# DLL converter) v1.0
- WinDbg, Cdb, Sun-Of-Strike and Util - Start SoSNet (O2 Version).exe
- Util - O2 Java Tools (IKVM Based) v1.0
- Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
- Util - View CheatSheets at devcheatsheet.com v1.0.exe
The 'Sync Design Problem' of adding images to this blog
I still don't have a good solution to upload images to this blog.
Here is my current workflow (as just happened for the image I just on my last blog entry)
Here is my current workflow (as just happened for the image I just on my last blog entry)
Google Drive #Fail and DropBox #Win
For a company that is 'just a feature' DropBox keeps delivering the goods.
(for the past week or so) I tried to use Google Drive to backup about 7Gb of images I had from an older iPhone.
(for the past week or so) I tried to use Google Drive to backup about 7Gb of images I had from an older iPhone.
New design for this blog
I just spent a little bit applying a new design to this blog and cleaning up the layout a bit (hopefully it will make it easier to use and to find the best bits)
Thursday 22 November 2012
Tool to view (and unload) the AppDomains in the current .Net Process
As I was trying to execute an script/app in a separate AppDomain, I realized that there wasn't an easy way to look at the details of the currently loaded AppDomains
Wednesday 21 November 2012
Use FluentSharp to create ToolStrips items (buttons, textbox, checkboxes) with icons
Based on the 215 Tango Library Icons added to FluentsSharp.BCL , here is how to use the FluentSharp.BCL APIs to easily create ToolStrips
Improved script to compile and show an modified UserControl inside VisualStudio
Here is an updated version of the example described in the Real-time Programming C# WinForms Controls in VisualStudio's IDE (i.e. without using F5) post.
Windows Shatter attacks (research links)
Following on my research on Win32 Messaging and the O2's Util - Windows Handles Viewer tool, I just started the day by (re)reading about the Windows Shatter attacks (since it used Windows Messages)
Tuesday 20 November 2012
Two 6-months contract to work on TeamMentor (QA and Dev)
Here is a heads up for an official 'SI job hiring' post that should be published asap (i.e. when we get it done).
Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
Based on the Util - Windows Handles Viewer (Simple Gui) v1.0.exe tool, here is a bigger version (5Mbs) which contains a C# REPL Script editor (with the detected handle provided as a parameter).
You can get this version from Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
You can get this version from Util - Windows Handles Viewer (Simple GUI with REPL) v1.0.exe
Util - Windows Handles Viewer (Simple Gui) v1.0.exe
Following my research into Win32 Messaging APIs that allowed me to put both IBM AppScan Source and Standard working side by side and to connect TeamMentor with AppScan Source, here is a pretty sweet Windows Handles Viewer which allows the easy discovery (and in some cases modification) of the Window's Handle of a particular Win32's Button, TextBox, Menu, Window, etc...
You can download this (857kb) .NET 4.0 app from Util - Windows Handles Viewer (Simple Gui) v1.0.exe
You can download this (857kb) .NET 4.0 app from Util - Windows Handles Viewer (Simple Gui) v1.0.exe
Saturday 17 November 2012
Good resources on User32.dll windows messaging
Here are a number of good resources I found went I was researching the solution that allowed me to Inject a .NET REPL into an Unmanaged/C++ Application
Making Java, .Net and C++ apps work together
This past week I was in the 'zone' (coding 16h a day) and as you can see by the links below, I was able to (finally) find a way to make Java, .Net and C++ apps work together.
I've 'only' been trying to do this for the past 5 years.
There are two key technological concepts at play here (which can work together or isolation)
I've 'only' been trying to do this for the past 5 years.
There are two key technological concepts at play here (which can work together or isolation)
IBM AppScan Source's and AppScan Standard's TreeViews running side-by-site in the same GUI
Using the technique described in Injecting a .NET REPL into an Unmanaged/C++ application (Notepad) I was able to create this PoC (below) where you can see both IBM AppScan Source (Java) and IBM AppScan Standard (.NET) TreeViews hosted inside a 3rd party C# based Form:
Using Jni4Net (Part 4) - Integrating AppScan with TeamMentor (first PoC)
Using the Jni4Net based Eclipse plugin shown in the Using Jni4Net (Part 3) - Writing and Invoking O2 Methods from Java and Eclipse post, I was able to create a PoC of showing TeamMentor Guidance when a particular security finding is selected (in AppScan Source):
Injecting a .NET REPL into an Unmanaged/C++ application (Notepad)
Using Windows Messages (and some O2 Platform glue) I found a way to 'inject' a window (i.e. a windows control) from one process into another one.
Its is actually quite easy, the key is to use the user32.dll setParent API call to change the location (and rendering) of a particular control.
Here is an example of injecting an .NET TextBox into Notepad (on the left is the .NET Textbox and on the right is the Notepad's Textbox)
Its is actually quite easy, the key is to use the user32.dll setParent API call to change the location (and rendering) of a particular control.
Here is an example of injecting an .NET TextBox into Notepad (on the left is the .NET Textbox and on the right is the Notepad's Textbox)
Using Jni4Net (Part 3) - Writing and Invoking O2 Methods from Java and Eclipse.pdf
After Using Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy) and Using Jni4Net (Part 2) - Controling OWASP ZAP remotely (via Java BeanShell REPL in .Net) the next step was to see if we could consume (and code) the .NET APIs from Java.
And again Jni4Net really worked!
Here is a .NET WinForms control, coded and executed from the (Eclipse written) Java code:
And again Jni4Net really worked!
Here is a .NET WinForms control, coded and executed from the (Eclipse written) Java code:
Using Jni4Net (Part 2) - Controling OWASP ZAP remotely (via Java BeanShell REPL in .Net)
Once I was able to Use Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy) I was able to use the ZAP BeanShell support to start controlling and manipulating ZAP's GUI from the .Net C# REPL.
Here is an example of adding a new 'Site' (i.e. a TreeNode) to the main ZAP 'Site's window (i.e. TreeView)
Here is an example of adding a new 'Site' (i.e. a TreeNode) to the main ZAP 'Site's window (i.e. TreeView)
Using Jni4Net (Part 1) - To C# REPL a java process (ZAP Proxy)
Last week I discovered the Jni4Net FOSS project which provides the foundation blocks to create a Java bridge to .Net (and vice-versa).
To try Jni4Net, and see if it was really possible to have .Net and Java code running on the same process (with the CLR and JVM being able to invoke each other's methods), I decided to see if I could connect the O2 Platform with the OWASP ZAP project (with both running on the same process)
My first step was to use the Injecting C# DLLs into Managed (C#) and Unmanaged (C++) processes O2 capabilities to inject an C# REPL into the ZAP process.
And here they are in action:
To try Jni4Net, and see if it was really possible to have .Net and Java code running on the same process (with the CLR and JVM being able to invoke each other's methods), I decided to see if I could connect the O2 Platform with the OWASP ZAP project (with both running on the same process)
My first step was to use the Injecting C# DLLs into Managed (C#) and Unmanaged (C++) processes O2 capabilities to inject an C# REPL into the ZAP process.
And here they are in action:
- the foreground window is the (CLR based) C# REPL
- the background window is the (JVM based) ZAP process.
Managing website's content via GitHub edits (which are auto-committed and push into AppHarbor)
Based on the test site created by TM Fork into stand-alone Sales and Marketing site , here is an example of how to can manage the content of that 'AppHarbor published site' using GitHub
Here is the workflow that is going to be shown below:
- Edit a file in a GitHub Repository (using GitHub's website edit interface)
- Save it (which GitHub will auto-create a Commit with the changes)
- The Commit will trigger a build request to AppHarbor
- AppHarbor will receive the request and do a Git Pull from GitHub
- Once the new code is pulled, AppHarbor will build it
- And if the build is successful, AppHarbor will deploy the built files into to a live server
Great O2 Platform Presentation from Michael (final draft)
Michael Hidalgo sent me a copy of his presentation called "The O2 Platform : Exploiting and Fixing Microsoft ASP.net MVC Vulnerabilities" that he is going to present on the 21st Nov 2012 at OWASP's Latam conference in Uruguay :)
TM Fork into stand-alone Sales and Marketing site
After Coming up with a name for TeamMentor's public site (which resulted in the getsecure name being chosen) it was time to create that site.
After spending some time refactoring TeamMentor's (TM) main code-based (to only use the needed bits) here is a stand-alone TM site which will hold the TM Sales and Marketing pages.
If you have a couple cycles, please take it for a test drive (and try not to break it too much since the SI guys are also looking at it at the moment (that said if you break it, I can fix it with a simple git push :) ))
This is what it looks like (with a design based on ThemeForest AirStream):
And here are the details:
After spending some time refactoring TeamMentor's (TM) main code-based (to only use the needed bits) here is a stand-alone TM site which will hold the TM Sales and Marketing pages.
If you have a couple cycles, please take it for a test drive (and try not to break it too much since the SI guys are also looking at it at the moment (that said if you break it, I can fix it with a simple git push :) ))
This is what it looks like (with a design based on ThemeForest AirStream):
And here are the details:
- The live QA site at: https://getsecure.apphb.com (hosted at AppHarbor)
- by default the / root will redirect to the https://getsecure.apphb.com/xml/Eval page
- also available is the https://getsecure.apphb.com/notepad/Customer page
- The git hub repository is: https://github.com/TMClients/Site_getsecure.teammentor.net
- You can edit the content online using:
- http://getsecure.apphb.com/notepad/Eval
- http://getsecure.apphb.com/notepad/Customer
- login with
- admin : !!tmbeta
- You can run this site locally by downloading the zip from here (or cloning) and
- unzipping the files to a local folder (which can be a USB stick)
- executing the _LocalWebServer/start TeamMentor.bat which will start Cassini locally on http://127.0.0.1/12150
- This is now an example of a real fork of TM's engine
- All content (apart from the youtube videos) is served from this site (I moved the Animation.html files that where coming from SI.com into getsecure.tm)
- The TM engine is consumed by its compiled dlls (which will retrieved from NuGet (once 3.2.4 is released), so the backend code is not there (i.e. this site uses the latest released version of TM)
- 90% of TM's website Html/Javascript/Images content is NOT there (I only added the required files so that it is possible to Login and Edit the pages (using the Notepad editor))
- Nice case-study on how to create stand-alone websites based on TM's engine and APIs
- The AppHarbor is synchronised with GitHub, which means that there will be a new deployment on every commit to the https://github.com/TMClients/Site_getsecure.teammentor.net repository
Important note: although the content changes will be shown on the site (the ones done via the 'notepad' editor) this data will be lost on every new publish.
There are two ways to make persistent changes:
- get a local clone of the Site_getsecure.teammentor.net, change the content locally, commit those changes locally, and do a push to GitHub (which will trigger a publish to AppHarbor)
- edit the desired file on GitHub's web edit interface (for example the Eval page or the Customer page), which when saved, GitHub will auto-create a Commit with the changes (which will trigger a publish to AppHarbor).
Let me know how it goes, and again, please don't break it too much :)
Friday 16 November 2012
Lovely 'post help' email from Wikipedia
After 'helping' Wikipedia (see Improved Wikipedia funding page... for details) I received a really nice 'Thank you from the Wikimedia Foundation' email from Sue
And since she asked so nicely for me to share her words, here they are verbatim:
--------------------------------------------------------------------------------------------------
Dear dinis,
Thank you for donating to the Wikimedia Foundation. You are wonderful!
It's easy to ignore our fundraising banners, and I'm really glad you didn't. This is how Wikipedia pays its bills --- people like you giving us money, so we can keep the site freely available for everyone around the world.
People tell me they donate to Wikipedia because they find it useful, and they trust it because even though it's not perfect, they know it's written for them. Wikipedia isn’t meant to advance somebody's PR agenda or push a particular ideology, or to persuade you to believe something that's not true. We aim to tell the truth, and we can do that because of you. The fact that you fund the site keeps us independent and able to deliver what you need and want from Wikipedia. Exactly as it should be.
You should know: your donation isn’t just covering your own costs. The average donor is paying for his or her own use of Wikipedia, plus the costs of hundreds of other people. Your donation keeps Wikipedia available for an ambitious kid in Bangalore who’s teaching herself computer programming. A middle-aged homemaker in Vienna who’s just been diagnosed with Parkinson’s disease. A novelist researching 1850s Britain. A 10-year-old in San Salvador who’s just discovered Carl Sagan.
On behalf of those people, and the half-billion other readers of Wikipedia and its sister sites and projects, I thank you for joining us in our effort to make the sum of all human knowledge available for everyone. Your donation makes the world a better place. Thank you.
Most people don't know Wikipedia's run by a non-profit. Please consider sharing this e-mail with a few of your friends to encourage them to donate too. And if you're interested, you should try adding some new information to Wikipedia. If you see a typo or other small mistake, please fix it, and if you find something missing, please add it. There are resources here that can help you get started. Don't worry about making a mistake: that's normal when people first start editing and if it happens, other Wikipedians will be happy to fix it for you.
I appreciate your trust in us, and I promise you we'll use your money well.
Thanks, Sue
--------------------------------------------------------------------------------------------------
This is how to do it, well done Wikipedia
Notice the nice touch (in bold) to encourage participation in creating Wikipedia content.
And since she asked so nicely for me to share her words, here they are verbatim:
--------------------------------------------------------------------------------------------------
Dear dinis,
Thank you for donating to the Wikimedia Foundation. You are wonderful!
It's easy to ignore our fundraising banners, and I'm really glad you didn't. This is how Wikipedia pays its bills --- people like you giving us money, so we can keep the site freely available for everyone around the world.
People tell me they donate to Wikipedia because they find it useful, and they trust it because even though it's not perfect, they know it's written for them. Wikipedia isn’t meant to advance somebody's PR agenda or push a particular ideology, or to persuade you to believe something that's not true. We aim to tell the truth, and we can do that because of you. The fact that you fund the site keeps us independent and able to deliver what you need and want from Wikipedia. Exactly as it should be.
You should know: your donation isn’t just covering your own costs. The average donor is paying for his or her own use of Wikipedia, plus the costs of hundreds of other people. Your donation keeps Wikipedia available for an ambitious kid in Bangalore who’s teaching herself computer programming. A middle-aged homemaker in Vienna who’s just been diagnosed with Parkinson’s disease. A novelist researching 1850s Britain. A 10-year-old in San Salvador who’s just discovered Carl Sagan.
On behalf of those people, and the half-billion other readers of Wikipedia and its sister sites and projects, I thank you for joining us in our effort to make the sum of all human knowledge available for everyone. Your donation makes the world a better place. Thank you.
Most people don't know Wikipedia's run by a non-profit. Please consider sharing this e-mail with a few of your friends to encourage them to donate too. And if you're interested, you should try adding some new information to Wikipedia. If you see a typo or other small mistake, please fix it, and if you find something missing, please add it. There are resources here that can help you get started. Don't worry about making a mistake: that's normal when people first start editing and if it happens, other Wikipedians will be happy to fix it for you.
I appreciate your trust in us, and I promise you we'll use your money well.
Thanks, Sue
--------------------------------------------------------------------------------------------------
This is how to do it, well done Wikipedia
Notice the nice touch (in bold) to encourage participation in creating Wikipedia content.
Improved Wikipedia funding page, why OWASP needs something similar, and who buys OWASP Corporate Memberships
Just went to Wikipedia and saw this:
Coming up with a name for TeamMentor's public site
I'm moving the current TM Eval and Customer pages into its own server, and I was struggling to come up with a name that worked (in the xxxxxx.teammentor.net DNS name format).
So I jumped on Skype and after a couple minutes bouncing some names with Roman (who I have no idea where in the world he is) and we come up with: novulns.teammentor.net
as in:
So I jumped on Skype and after a couple minutes bouncing some names with Roman (who I have no idea where in the world he is) and we come up with: novulns.teammentor.net
as in:
- http://novulns.teammentor.net/Eval
- http://novulns.teammentor.net/Customer
- http://novulns.teammentor.net/Buy
- http://novulns.teammentor.net/Support
What do you think? does it work?
For reference here are the other names we come up with (by order of appearance):
- sales.teammentor.net
- marketing.teamentor.net
- live.teammentor.net
- customerzone.teammentor.net
- get.teammentor.net
- clientportal.teammentor.net
- clietsite.teammentor.net
- xss.teammentor.net
- bazzar.teammentor.net
- sqli.teammentor.net
- stopxss.teammentor.net
- getsecure.teammentor.net
- novulns.teammentor.net
Note how looking at this list, it's possible to see the chain-of-ideas that lead us to the last one (which just clicked for us)
Monday 12 November 2012
Util - Java Decompiler (JAD based) v1.0.exe
If you want to take a quick look at the Java code inside a Jar file, here is a simple Java/Jar Decompiler (based on the JAD tool)
You can download the tool from: Util - Java Decompiler (JAD based) v1.0.exe (stand-alone O2 Platform script)
You can download the tool from: Util - Java Decompiler (JAD based) v1.0.exe (stand-alone O2 Platform script)
Friday 9 November 2012
AppScan Source Findings in Ozasmt files (and O2 tools to View, Filter, Join, Stitch and Script them)
If you are using AppScan Source (previously called OunceLabs) you will find these O2 Tools really useful:
- Util - Simple Findings Viewer v1.1.exe (4.8Mb)
- Util - Simple Findings Viewer (with code viewer) v1.1.exe (4.8Mb)
- Util - Filter Findings by Source and Sink (RegEx) v1.1exe (4.8Mb)
- PoC - Join Traces (on Attributes) - very basic version v1.0.exe (4.8Mb)
O2 tools to view and script J2EE, Struts and Tiles xml config files
If you are reviewing Java/J2EE applications, here are a number of mini O2 tools that will help you to understand what is going on:
- Util - View Struts Mappings v.1.0.exe (4.7Mb)
- Util - View struts-config.xml mappings v1.0.exe (817kb)
- Util - View tiles-def.xml mappings v1.0.exe (816kb)
- Util - View validation.xml mappings v1.0.exe (817kb)
- Util - View Web.Xml mappings v1.0.exe (817kb)
Viewing 'Console Out' messages created inside UserControls (when rendered by VisualStudio's Form Designer)
Now that we have the ability to Add 'Console Out' to VisualStudio IDE as a native Window the question is: "Where can we use Console.WriteLine inside VisualStudio?", in a way that the written lines/chars show in that Console Out window:
The key to understand the question is to visualize this:
And add that UserControl to the Form:
Write a Console.Write message and build the project (note the message shown in the Console Out window)
And the open it again:
Yet another option is to delete the UserControl1.cs from the Form1.cs:
And add it back again:
Basically, the UserControl1.cs constructor will be invoked every time that control is added (or shown), like in the image below, where another instance of UserControl1.cs was dragged into the Form1.cs:
The key to understand the question is to visualize this:
- The Console Out window is running inside VisualStudio (i.e. in the same process)
- The Console Out window script captured the VisualStudio process' Console Out (of which there is only one, and the reason why if you open multiple Console Out windows (as shown above) only the last one opened will capture the output
- To send a message to Console Out window the sender (i.e. the code executed) must be inside the same VisualStudio Process
- This means that (based on quick tests) VisualStudio scripting engines (like the Immediate Window or the F# interpreter) will not work (since they are running outside the VisualStudio process)
One easy way to trigger an Console.WriteLine is to write it in one of the C# REPL script GUIs (from the O2 VisualStudio Extension) :)
But what would be really useful would be to trigger Console.WriteLine debug messages during normal VisualStudio development, for example when programming WinForms Controls :)
To show how that is possible, lets start with an empty WinForms Application project:
Which comes with default WinForms Form:
Next add a UserControl with a Label:
And add that UserControl to the Form:
The interesting part of what just happened, is that VisualStudio invokes the constructor of the UserControl1.cs (in order to create a live instance of that Control) before adding it to the Form1.cs object.
And that (the UserControl1.cs constructor) is where we can trigger the Console.WriteLine calls.
Open the Code Behind file for the UserControl1.cs file:
Write a Console.Write message and build the project (note the message shown in the Console Out window)
The reason that happened, is because (after a successful build) VisualStudio needs to refresh the controls currently shown in the Form's Designer (for example to take into account any visual changes in those controls)
Here is another way to trigger the Console.WriteLine call (i.e. to trigger the UserControl.cs constructor).
Close Form1.cs from the Form Designer:
And the open it again:
Yet another option is to delete the UserControl1.cs from the Form1.cs:
And add it back again:
Basically, the UserControl1.cs constructor will be invoked every time that control is added (or shown), like in the image below, where another instance of UserControl1.cs was dragged into the Form1.cs:
Interestingly enough, this as a number of security implications, since a security payload/exploit can be triggered just by adding/viewing a UserControl inside the Form Designer. The problem is that the payload will run with the same privileges given to VisualStudio (not the privileges used to run the application)
Adding 'Console Out' to VisualStudio IDE as a native Window
Michael Hidalgo has posted two blog entries where he uses the O2's VisualStudio Extension to open an Console Out window inside VisualStudio, which is then used to help with a quick test on the DateTime object (and making his life easier)
Use the same add_ConsoleOut extension method on the Panel object (the one returned by the open_Panel extension method):
Next see the Viewing 'Console Out' messages created inside UserControls (when rendered by VisualStudio's Form Designer) for a practical example of using this technique during development.
- How to use the Console output in the C# REPL (in the O2 blog)
- Making Software Developers life easier : Using O2 Platform as a fast development framework (in his blog)
Now this Form object is a WinForms control and is not a native VisualStudio Window, which means that we can't add it to the VisualStudio Panes.
A better option is to make this a native VisualStudio Window, which is quite easy to do.
Open the C# REPL - VisualStudio 2010 API (from the REPL menu)
And with the VisualStudio_2010 object:
Create a native VisualStudio window (with a WinForms Panel inside it):
Use the same add_ConsoleOut extension method on the Panel object (the one returned by the open_Panel extension method):
And now the Console Out is now inside a native VisualStudio window, which we can access and manipulate.
Here is an example of changing the base window's width, height, top and left values:
Which of course we can now put anywhere inside VisualStudio's GUI
Next see the Viewing 'Console Out' messages created inside UserControls (when rendered by VisualStudio's Form Designer) for a practical example of using this technique during development.
Thursday 8 November 2012
LucidChart.com looks like a pretty good Visio online replacement
Although this visualisation of TeamMentor's GitHub dev workflow is pretty good, it was created using Visio, and I really don't want to use Visio again (I'm done using large desktop apps with no web integration/publishing).
The good news is that :
So I went to LucidChart.com to try it out :)
I have done a LOT of Visio diagrams (in the past), and I have to say that I found Lucid Chart's web interface really easy to use (and learn).
As a test, I imported an image from this blog, and was able to quickly create this:
The good news is that :
- Roman found LucidChart.com,
- he was able to import that complex Visio diagram into it, and
- the end-result looked good enough (after a couple import fixes).
So I went to LucidChart.com to try it out :)
I have done a LOT of Visio diagrams (in the past), and I have to say that I found Lucid Chart's web interface really easy to use (and learn).
As a test, I imported an image from this blog, and was able to quickly create this:
(csharp-repl.apphb.com GUI)
Not bad for a couple minutes work :)
Is the TeamMentor's OWASP Library content released under an open License?
Following the FLOSSHack TeamMentor thread, Jerry Hoff asked "Is the content in http://owasp.teammentor.net/teamMentor creative commons? Can we use it to freely fill out more of the cheat sheets and use in tutorial videos and so forth?"
And the answer is: YES
And the answer is: YES
Here is the repository for the XML files: https://github.com/TeamMentor-OWASP/Library_OWASP
FLOSSHack TeamMentor and the 'sausage making process' that is software/application development
OWASP's FLOSSHack events are a really powerful initiative.
"...Free/Libre Open Source Software Hacking (FLOSSHack) events are designed to bring together individuals interested in learning more about application security with open source projects and organizations in need of low cost or pro bono security auditing. FLOSSHack provides a friendly, but mildly competitive, workshop environment in which participants learn about and search for vulnerabilities in selected software. In turn, selected open source projects and qualified non-profit organizations benefit from additional quality assurance and security guidance...."
See FLOSSHack_One for the details (and vulnerabilities discovered) of the first event.
OWASP's FLOSSHack is one of those 'magical' spaces where the OWASP's community and its projects can come together and add a lot of value.
"...Free/Libre Open Source Software Hacking (FLOSSHack) events are designed to bring together individuals interested in learning more about application security with open source projects and organizations in need of low cost or pro bono security auditing. FLOSSHack provides a friendly, but mildly competitive, workshop environment in which participants learn about and search for vulnerabilities in selected software. In turn, selected open source projects and qualified non-profit organizations benefit from additional quality assurance and security guidance...."
See FLOSSHack_One for the details (and vulnerabilities discovered) of the first event.
OWASP's FLOSSHack is one of those 'magical' spaces where the OWASP's community and its projects can come together and add a lot of value.
The difference between being 'Appointed' and being 'Accepted' as an OWASP Leader (of its Fork)
OWASP is a community that really embraces new ideas, new contributors and projects.
For somebody motivated (and with time/energy) there are very few ‘real’ barriers on entry. Even the cases where it ‘feels’ like there are barriers of entry or ‘bureaucracy’, those are mainly artificial and easy bypassed (with the right level of energy and commitment)
The problem is Empowerment
What I found (by observing lots of OWASP projects starting, blossoming and dying) is that what makes the difference is how Empowered is an individual on a particular project/tasks.
For somebody motivated (and with time/energy) there are very few ‘real’ barriers on entry. Even the cases where it ‘feels’ like there are barriers of entry or ‘bureaucracy’, those are mainly artificial and easy bypassed (with the right level of energy and commitment)
The problem is Empowerment
What I found (by observing lots of OWASP projects starting, blossoming and dying) is that what makes the difference is how Empowered is an individual on a particular project/tasks.
Disabling PatchGuard V3 Pdf
Here is a good read (if you're into kernel dev or patching) from the guy who created EasyHook
I while back I did some kernel development where I used the Rasta Ring 0 Debugger to apply direct code patches to user-land dlls. One of the best PoCs was one where I was able to do MSIL patching on loaded .NET assemblies, which were completely invisible to user-land.
Patching the CLR was also very interresting :)
I while back I did some kernel development where I used the Rasta Ring 0 Debugger to apply direct code patches to user-land dlls. One of the best PoCs was one where I was able to do MSIL patching on loaded .NET assemblies, which were completely invisible to user-land.
Patching the CLR was also very interresting :)
Tuesday 6 November 2012
Zim-Wiki - a desktop wiki
Serge is using Zim Wiki to document some of his development experiences, and it looks quite an useful tool.
Zim is written in Python and has a nice/clean Gui.
Zim is written in Python and has a nice/clean Gui.
Here is the Windows installer:
Another similar tool is http://keepnote.org/
An interesting and powerful idea is to add TeamMentor Import/Export features to these products so that we (i.e. TM Users) can use these tools as Article creators/editors.
Cleaning Data with Google Refine
@austinogilvie posted this nice Cleaning Data with Google Refine entry where it shows the Google Refine (soon to be called OpenRefine) project in action.
Google Refine in their own words is: "...a power tool for working with messy data, cleaning it up, transforming it from one format into another, extending it with web services, and linking it to databases like Freebase...."
Google Refine in their own words is: "...a power tool for working with messy data, cleaning it up, transforming it from one format into another, extending it with web services, and linking it to databases like Freebase...."
Nice visualisation and animation of graph data (from NYTimes)
NYTimes 512 Paths to the White House is a very nice way to present complex data (I wonder if we could use something similar for TeamMentor, OWASP or O2 Platform's content)
Here is the default view:
Here is the default view:
Improving VisualStudio productivity by compiling and executing code from the IDE
The Real-time Programming C# WinForms Controls in VisualStudio's IDE (i.e. without using F5) blog entry shows how to use the VisualStudio C# REPL - O2 Platform extension to update/fix an existing WinForms control without going through the painful (and slow) process of VisualStudio GUI programming.
What you will see in that example is that I will dynamically compile and execute a WinForms Control, without using VisualStudio's Debug/Run capabilities to see the new changes in action. I was able to compile the modified Source Code file, and using reflection, was able to create a new instance of an WinForm's Control (without leaving the VisualStudio's IDE).
And the best part is that we can code our tests in an REPL environment (think Roslyn), which allows the support for complex (and unit-test like) scenarios.
I can't underestimate how powerful, fast and efficient it is to be able to have this type of REPL environment while coding.
This is what I would like to see on the next version of VisualStudio.
What you will see in that example is that I will dynamically compile and execute a WinForms Control, without using VisualStudio's Debug/Run capabilities to see the new changes in action. I was able to compile the modified Source Code file, and using reflection, was able to create a new instance of an WinForm's Control (without leaving the VisualStudio's IDE).
And the best part is that we can code our tests in an REPL environment (think Roslyn), which allows the support for complex (and unit-test like) scenarios.
I can't underestimate how powerful, fast and efficient it is to be able to have this type of REPL environment while coding.
This is what I would like to see on the next version of VisualStudio.
Real-time Programming C# WinForms Controls in VisualStudio's IDE (i.e. without using F5)
Here is an example of using the VisualStudio C# REPL - O2 Platform extension to update/fix an existing WinForms control without going though the painful (and slow) process of VisualStudio GUI programming, which usually goes something like this:
We start with the O2 Platform Solution loaded in VisualStudio 2010, with the projects from the O2.FluentSharp and O2.Platform.Projects repositories, and the VisualStudio C# REPL - O2 Platform extension installed (note the extra REPL menu)
From the REPL menu, chose the C# REPL - 'Hello World' menu option:
Which looks like this (it's a good idea to right-click on the code editor to open the context menu, and to select the show Log Viewer option:
Now here is the powerful part, this script:
Will create a new popup window with the ascx_Simple_Script_Editor WinForms Control (that was just dynamically compiled from the original source code (note: the ascx_Simple_Script_Editor Control is the one used to create the C# REPL environment))
What is happening is that the ascx_Simple_Script_editor.cs file (whose source code is shown in the background) was dynamically compiled and executed .... without leaving the VisualStudio's IDE.
Just to double-check that we are doing this in real time, lets make a small code change in the ascx_Simple_Script_editor.cs source code (using VisualStudio's code editor).
The code shown below will create two MessageBox(es). The first was created using the normal .Net MessageBox call syntax, and the 2nd uses O2's FluentSharp API (which should be easier to read)
Here is the 1st MessageBox:
Here is the 2nd MessageBox:
The ascx_Simple_Script_Editor WinForms Control will appear after the MessageBox(es):
Now that we've proven that we are able to change, compile and execute a C# WinForm's control in a REPL environment, let's do something more interesting.
Moving a ToolStrip Control
One of the O2 Platform user's feature requests that I have received for this control (the one that we are editing), is to move the ToolStrip Control (the one with the New, Open and Save As buttons) from the bottom of the Control, to the top (which is where usually ToolStrips are located).
Going back to the VisualStudio document with the ascx_Simple_Script_editor.cs source code, here is the addToolStrip method that 'inserts below' the commandsToExecute Control an ToolStrip Control (the rest of the addToolStrip method adds the TootlStrip items (3x Buttons, 1x Label and 1x TextBox)
To change the location of the ToolStrip Control, we will use the FluentSharp insert_Above Extension Method (vs the originally used insert_Below Extension Method) :
Once the change is saved, we can immediately see these changes in action, by using the REPL environment created via the gist script shown above..
Here is the updated version of the ascx_Simple_Script_editor Control with the ToolStrip Control at the top.
Note that I didn't use VisualStudio's Debug/Run capabilities to see the new changes in action. I was able to compile the modifed Source Code file, and using reflection, was able to create a new instance of that WinForm's Control (with everything done inside VisualStudio's IDE).
Adding a new Button
As a final example, lets add a Run button to the ToolStrip Control.
Here is the updated source code (note the new add_Button line)
Once saved , complied and executed (not by VisualStudio), we can see that there is a Run button on the ToolStrip.
Here is the button being used to execute a test REPL script:
VisualStudio power is still all there
Another benefit of this technique/workflow is that we still have access to the powerful VisualStudio Intellisense and Error detection:
Compiling and executing the Solution
The final step is to compile the Solution file (with the changes made)
And run the O2 Platform executable (now using VisualStudio's F5).
Note how the O2 Platform's native C# REPL editor now has the changes made to the ToolStrip Control (it is above the code-editor and has an extra Run button)
This technique will change the way you code (once you got your head around it)
I can't underestimate how powerful, fast and efficient it is to be able to have this type of REPL environment while coding (and how painful is the VisualStudio workflow in comparison).
In fact, this REPL environment is a curse, since once you tried it, there is no way back! :)
This is why I say that I develop O2 in O2 :)
- Coding + Compiling + F5 + Wait for App to Load + Going to Control + Testing it + Stopping
- Coding + Compiling + F5 + Wait for App to Load + Going to Control + Testing it + Stopping
- Coding + Compiling + ....
We start with the O2 Platform Solution loaded in VisualStudio 2010, with the projects from the O2.FluentSharp and O2.Platform.Projects repositories, and the VisualStudio C# REPL - O2 Platform extension installed (note the extra REPL menu)
From the REPL menu, chose the C# REPL - 'Hello World' menu option:
Here is a small text change to show the C# REPL environment in action
Now here is the powerful part, this script:
Will create a new popup window with the ascx_Simple_Script_Editor WinForms Control (that was just dynamically compiled from the original source code (note: the ascx_Simple_Script_Editor Control is the one used to create the C# REPL environment))
What is happening is that the ascx_Simple_Script_editor.cs file (whose source code is shown in the background) was dynamically compiled and executed .... without leaving the VisualStudio's IDE.
Just to double-check that we are doing this in real time, lets make a small code change in the ascx_Simple_Script_editor.cs source code (using VisualStudio's code editor).
The code shown below will create two MessageBox(es). The first was created using the normal .Net MessageBox call syntax, and the 2nd uses O2's FluentSharp API (which should be easier to read)
Here is the 2nd MessageBox:
The ascx_Simple_Script_Editor WinForms Control will appear after the MessageBox(es):
Now that we've proven that we are able to change, compile and execute a C# WinForm's control in a REPL environment, let's do something more interesting.
Moving a ToolStrip Control
One of the O2 Platform user's feature requests that I have received for this control (the one that we are editing), is to move the ToolStrip Control (the one with the New, Open and Save As buttons) from the bottom of the Control, to the top (which is where usually ToolStrips are located).
Going back to the VisualStudio document with the ascx_Simple_Script_editor.cs source code, here is the addToolStrip method that 'inserts below' the commandsToExecute Control an ToolStrip Control (the rest of the addToolStrip method adds the TootlStrip items (3x Buttons, 1x Label and 1x TextBox)
To change the location of the ToolStrip Control, we will use the FluentSharp insert_Above Extension Method (vs the originally used insert_Below Extension Method) :
Once the change is saved, we can immediately see these changes in action, by using the REPL environment created via the gist script shown above..
Here is the updated version of the ascx_Simple_Script_editor Control with the ToolStrip Control at the top.
Note that I didn't use VisualStudio's Debug/Run capabilities to see the new changes in action. I was able to compile the modifed Source Code file, and using reflection, was able to create a new instance of that WinForm's Control (with everything done inside VisualStudio's IDE).
Adding a new Button
As a final example, lets add a Run button to the ToolStrip Control.
Here is the updated source code (note the new add_Button line)
Once saved , complied and executed (not by VisualStudio), we can see that there is a Run button on the ToolStrip.
Here is the button being used to execute a test REPL script:
VisualStudio power is still all there
Another benefit of this technique/workflow is that we still have access to the powerful VisualStudio Intellisense and Error detection:
Compiling and executing the Solution
The final step is to compile the Solution file (with the changes made)
And run the O2 Platform executable (now using VisualStudio's F5).
Note how the O2 Platform's native C# REPL editor now has the changes made to the ToolStrip Control (it is above the code-editor and has an extra Run button)
This technique will change the way you code (once you got your head around it)
I can't underestimate how powerful, fast and efficient it is to be able to have this type of REPL environment while coding (and how painful is the VisualStudio workflow in comparison).
In fact, this REPL environment is a curse, since once you tried it, there is no way back! :)
This is why I say that I develop O2 in O2 :)
Subscribe to:
Posts (Atom)