Thursday 6 December 2012

ASP.NET Support in SAST and IBM F4F

At the moment (Dec 2012) my understanding is that all SAST tools struggle to scan/understand ASP.NET MVC apps.

The only way to really support/understand/scan ASP.NET MVC is to map how that framework works/behaves (I don't think any SAST vendor/tool does that),  and as with any Framework, there is a lot to map:
  • The controllers (equivalent to WebService's methods, which need to be marked as Tainted-Sources/Callbacks)
  • The controller's authorization/authentication mappings (done using Attributes)
  • The Autobinded Models
  • The Views mappings (i..e what views are connected to what controllers)
  • The MVC Execution life cycle
  • The auto-encoding (or not) of view controls (and new display engines like razor)

The core concept is that we need an 'ASP.NET MVC' aware parser/tool that will then be used to mass create the rules for the SAST scanners. 

The approach that I take with the O2 Platform is to do just that, and it all starts with trying to find out where the controllers are and the cases where Model-Attributes are used (I.e autobindings). 

That said, at the moment there is not a lot of support in the O2 Platform for ASP.NET MVC (specially when compared with Spring MVC). There are a couple ASP.NET MVC mini-tools in the O2 Scripts folder that help with ASP.NET MVC controllers visualization (which I plan to document and post about) and there is the CodeProject article: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

For reference see the Spring Framework posts (which show what we will need to do for ASP.NET MVC):
Back in ASP.NET MVC land, once we have the (for example) controller's mappings, they will need to 'communicated' to the SAST engine.

One way to do this is to mass create rules directly on the SAST engine database (like what I used to do with OunceLabs MySql database).

Another way (if you are an AppScan Source user) is to use the newly released IBM F4F (Framework for Frameworks) technology/concept.

If you don't know what F4F is, here are some IBM resources/papers:

I think F4F is a great idea and concept, since it is a way to mass create rules (and mappings) that tell the AppScan Source engine where are the source and sinks (and glues) of the app being scan.

But for F4F to really live to its potential, we will need a much better understanding of how it works and how it can be used (IBM will also need to release F4F under an open licence, but that is a topic for another post). The first step is to visualize what is already in the WAFL files (part of F4F) and how they can be created and manipulated.

There are already a couple WAFL related scripts in O2 but we need a lot more :)