OWASP O2 Platform Blog

O2 .NET AST Scanner – HacmeBank – SQL Injection PoC

This example shows a complete trace for one of HacmeBank's SQL injection vulnerabilities.

This was created with O2's .NET AST Scanner (23-May-10 version), which can build a complete trace by 'joining up' the partial traces for the web layer and the web services layer.

Graph with Big Picture (all nodes)

Part 1 – Exploit/Payload location

Part 2 – Web Layer trace

Part 3 – WebServices trace

Script used to ‘join’ the two traces

// O2 C# script: 'graph' is the O2 graph object that already holds the two partial
// traces, so graph.nodes()[0] is the first node of the loaded trace.

// add payload and link it to the first node
var urlNode = "http://127.0.0.1:57096/HacmeBank_v2_Website/aspx/login.aspx";
var postPayload = "POST payload: txtUserName";

graph.add_Node(urlNode);
graph.add_Node(postPayload);
graph.add_Edge(urlNode, postPayload);
graph.add_Edge(postPayload, graph.nodes()[0]);

// join traces that match the "method.*Ws_UserManagement.Login" reg ex
// with a new node called "INTERNET"
// (edges are added in both directions, so the web layer's call into the web
// service and the web service's entry point are both connected through INTERNET)

var internetNode = "INTERNET";
graph.add_Node(internetNode);

foreach(var node in graph.nodes())
    if(node.str().regEx("method.*Ws_UserManagement.Login"))
    {
        graph.add_Edge(internetNode, node);
        graph.add_Edge(node, internetNode);
    }
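As an added illustration of what the join script above does (this is not O2 code, not part of the original post, and it does not call the O2 API): a small Python script that builds the same kind of graph from two constructed partial traces, replays the join through an INTERNET node, and then walks the graph from the request URL to the SQL sink. The trace labels, the sample traces and the names TraceGraph, build_full_trace, load_trace, join_on and path are assumptions made for this example; only the login URL, the txtUserName field and the Ws_UserManagement.Login boundary come from the page.

```python
import re
from collections import deque


class TraceGraph:
    """Minimal directed graph with the operations the O2 script relies on:
    add node, add edge, and nodes() in insertion order."""

    def __init__(self):
        self._nodes = []   # insertion order, like graph.nodes() in the O2 script
        self._edges = {}   # node label -> list of successor labels

    def add_node(self, node):
        if node not in self._edges:
            self._nodes.append(node)
            self._edges[node] = []

    def add_edge(self, src, dst):
        self.add_node(src)
        self.add_node(dst)
        if dst not in self._edges[src]:
            self._edges[src].append(dst)

    def nodes(self):
        return list(self._nodes)

    def load_trace(self, trace):
        """Add one partial trace as a chain: source -> ... -> sink."""
        for node in trace:
            self.add_node(node)
        for a, b in zip(trace, trace[1:]):
            self.add_edge(a, b)

    def join_on(self, pattern, via):
        """Connect every node whose label matches `pattern` to the hub node `via`
        in both directions, mirroring the INTERNET join in the page's script.
        Returns the list of joined nodes."""
        rx = re.compile(pattern)
        self.add_node(via)
        joined = [n for n in self.nodes() if n != via and rx.search(n)]
        for node in joined:
            self.add_edge(via, node)
            self.add_edge(node, via)
        return joined

    def path(self, src, dst):
        """Breadth-first search; returns the node list from src to dst, or []
        when dst is unreachable (the INTERNET edges create cycles, so nodes are
        tracked as visited)."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                out = []
                while cur is not None:
                    out.append(cur)
                    cur = prev[cur]
                return out[::-1]
            for nxt in self._edges.get(cur, []):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return []


# Constructed sample traces (assumed for this example, not taken from the
# HacmeBank scan shown on the page). Only txtUserName and the
# Ws_UserManagement.Login boundary appear on the page; other labels are made up.
WEB_LAYER_TRACE = [
    "param: txtUserName (login.aspx)",
    "method: LoginPage.btnLogin_Click",
    "method: WsProxy.Ws_UserManagement.Login",     # web layer calls the web service
]
WEB_SERVICE_TRACE = [
    "method: WebService.Ws_UserManagement.Login",  # web service entry point
    "method: UserManagement.Login",
    "sql: SqlCommand.ExecuteReader(concatenated SELECT ... WHERE user_name = userName)",
]


def build_full_trace(web_trace=WEB_LAYER_TRACE, ws_trace=WEB_SERVICE_TRACE, join=True):
    """Replay the page's join script and return the end-to-end path from the
    request URL to the SQL sink ([] if the traces are left unjoined)."""
    graph = TraceGraph()
    graph.load_trace(web_trace)
    graph.load_trace(ws_trace)

    # add payload and link it to the first node (graph.nodes()[0] is the first
    # node of the web-layer trace, which was loaded first)
    url_node = "http://127.0.0.1:57096/HacmeBank_v2_Website/aspx/login.aspx"
    post_payload = "POST payload: txtUserName"
    first_trace_node = graph.nodes()[0]
    graph.add_edge(url_node, post_payload)
    graph.add_edge(post_payload, first_trace_node)

    # join the two traces through an INTERNET hub, using the page's regex as-is
    if join:
        graph.join_on(r"method.*Ws_UserManagement.Login", "INTERNET")

    sink = next(n for n in graph.nodes() if n.startswith("sql:"))
    return graph.path(url_node, sink)


if __name__ == "__main__":
    for step, node in enumerate(build_full_trace()):
        print(f"{step:2d}  {node}")
```

With join=False the search returns an empty path, which is the situation before the script runs: the web-layer trace stops at the proxy call and the web-services trace starts at the entry point, with nothing linking them. The INTERNET node is the single place where the two halves meet, so the resulting path reads URL, POST payload, web-layer code, INTERNET, web-service code, SQL sink, which is exactly the shape of the big-picture graph above.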

Source Code view of Web Layer code and trace

 

Source Code view of Web Services code and trace

July 29, 2011 - Posted by | .NET, HacmeBank

1 Comment »

  1. After installing Hacme Bank and O2, how do you go about doing this? Perhaps using the .Net Static Analysis view, then doing all this http://o2platform.wordpress.com/2011/04/10/o2-tool-ast-search-net-static-analysis/ and then???

    Comment by Lost in O2 | October 3, 2011
