Saturday, 1 December 2012

Using a .Net/CLR, a Java/JVM and a C++ Window in another process (to show consolidated security findings)

UPDATE (Jan/13): See PoC - Selenium - Gui with 3 Hijacked Browser Windows.h2 post for another powerful example of consuming Chrome (and IE and Firefox) window in another process

Here is the video presented at OWASP BeNeLux conference, which shows how I used the O2 Platform to create a consolidated view of 3 different window's processes (one from .Net/CLR, one from Java/JM and one from C++ applications). Note that these windows are hosted by a 4th (.Net) process and are fully functional.

The objective of this 'consolidated multi-process window view', is to give developers a really strong 'vulnerability fixing environment'.

Instead of having to use multiple tools (each containing a piece of the info available about the vulnerability to fix), all information available about a specific vulnerability (in this case 'JSP File Include') is shown as an integrated view with:
  • the black box security exploit (top left) provided by IBM AppScan Standard (.Net/CLR)
  • the white box code analysis (top right) provided by IBM AppScan Source (Java/JVM)
  • a source code editor (bottom left) provided by Eclipse (Java/CLR)
  • the security guidance (bottom right) provided by Chrome (C++) showing TeamMentor 

For technical details on how this view was created (and how the windows were hijacked from its original owners) see: