Real-time Vulnerability Creation Feedback inside VisualStudio
There is a really interesting video that shows how to perform static analysis of code at compilation time on top of Visual Studio .NET. This mechanism is really powerful, because at compilation time you can find and correct most of the security holes we create. Just imagine the value that this process can add to a large software development project.
The complete information can be found at http://diniscruz.blogspot.com/2012/06/real-time-vulnerability-creation.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+DinisCruz+%28Dinis+Cruz+blog%29
And there is also a reddit thread if you want to get involved (I hope you do).
New reddit community for OWASP O2 and Cat.Net
A new community has been created on Reddit to support Cat.Net, the static analysis engine created by Microsoft (which in the last year has lacked support). We see an opportunity here to involve the OWASP O2 Platform and add value to our project in this new path of source code analysis.
Join this community today!
For more information visit http://diniscruz.blogspot.com/2012/06/new-reddit-community-for-catnet.html
Scripting “O2 Tool – AST Search” to find Null references (.NET Static Analysis)
This script shows how to use the control behind the ‘O2 Tool – Search AST’ to perform a custom search for all variables that are assigned the value ‘null’.
Here is the execution result

And here is the source code:
var topPanel = O2Gui.open<Panel>("Custom filtering of 'Search AST' tool",700,400);
//var topPanel = panel.clear().add_Panel();   // use this line instead when running inside 'Quick Development GUI'
var ascxSearchAst = topPanel.add_Control<ascx_SearchAST>();
var sourceCodeFolder = @"C:\O2\Demos\HacmeBank\HacmeBank_v2.0 (7 Dec 08)\HacmeBank_v2_WS";

//Load ASTs from files (use cached data if available)
var astData = (O2MappedAstData)O2LiveObjects.get(sourceCodeFolder);
if (astData.isNull())
{
    "loading AstData from: {0}".info(sourceCodeFolder);
    astData = new O2MappedAstData();
    astData.loadFiles(sourceCodeFolder.files(true,"*.cs","*.vb"));   // true: include sub-folders
    O2LiveObjects.set(sourceCodeFolder,astData);                     // cache the parsed ASTs for the next run
}
ascxSearchAst.buildGui(astData);

//Example #1: filter on Attribute INodes, then search them for 'WebMethod'
/*
ascxSearchAst.setINodeFilter("Attribute");
ascxSearchAst.setSearchOnSelectedINode("WebMethod");
*/
//Example #2: filter on Primitive INodes, then search them for 'Null' (variables assigned null)
ascxSearchAst.setINodeFilter("Primitive");
ascxSearchAst.setSearchOnSelectedINode("Null");
//Example #3: search ALL INodes for the string 'password'
/*
ascxSearchAst.setSearchOnAlINodes("password");
*/
return "ok";

//O2File:ascx_SearchAST.cs
//using O2.XRules.Database.Languages_and_Frameworks.DotNet
//O2Ref:O2_API_AST.dll
//using O2.API.AST.CSharp;
O2 Tool – AST Search (.NET Static Analysis)
Here is a very useful tool built on top of O2‘s AST-based static analysis engine.
The tool is called ‘Search AST’ and allows for ‘AST based’ searches of C# source code files.
How to use this tool
- On the main O2 Gui, in the ‘Custom O2s’ tab, click on the ‘DotNet Static Analysis’ button:
- Then on the ‘AST & PoCs’ tab, click on the ‘ascx_SearchAST’ button:
- This will open a gui that looks like this:
- Now find the folder with the C# source code to analyse and drag & drop it into the treeview on the left
- Once that loads up, you can select the INode types on the left to see the cases where they show up
- You can do searches on the selected INode type (in this example, searching for WebMethod in the Attribute INodes)
- and you can also do a global search on ALL INodes
- the list shown on the Search Result TreeView is the unique list of string matches
- and the list shown on the ‘Source Code Lines’ TreeView is the list of source code lines that match the currently selected item
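The three kinds of search the tool performs (filter by INode type, search within the selected type, global search over all INodes) can be reproduced outside O2 with the Roslyn compiler API. The block below is an added example written for this page; it is not O2 code or part of the original post. It assumes the Microsoft.CodeAnalysis.CSharp NuGet package and runs over a small constructed source string instead of a folder of HacmeBank files, reporting the same findings as Examples #1 to #3 of the script above: attributes named WebMethod, variables assigned the null literal (at declaration and by later assignment), and any token containing ‘password’.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

// Added example: 'Search AST'-style searches implemented with Roslyn
// (assumed package: Microsoft.CodeAnalysis.CSharp). Not part of O2.
public static class AstSearchDemo
{
    // Constructed sample input; stands in for the C# files O2 would load from a folder.
    const string Sample = @"
using System.Web.Services;

public class AccountService
{
    [WebMethod]
    public string Login(string user)
    {
        string password = null;   // assigned null at declaration
        object session = null;
        var token = Issue(user);
        token = null;             // assigned null later on
        return token;
    }

    string Issue(string u) { return ""t""; }
}";

    // 1-based source line of a syntax node, for reporting.
    static int LineOf(SyntaxNode n) =>
        n.GetLocation().GetLineSpan().StartLinePosition.Line + 1;

    // Example #2: variables given the null literal, either in an initializer
    // or on the right-hand side of an assignment.
    public static List<(string name, int line)> FindNullAssignments(SyntaxNode root)
    {
        var hits = new List<(string, int)>();
        foreach (var decl in root.DescendantNodes().OfType<VariableDeclaratorSyntax>())
            if (decl.Initializer != null && decl.Initializer.Value.IsKind(SyntaxKind.NullLiteralExpression))
                hits.Add((decl.Identifier.Text, LineOf(decl)));
        foreach (var asg in root.DescendantNodes().OfType<AssignmentExpressionSyntax>())
            if (asg.Right.IsKind(SyntaxKind.NullLiteralExpression))
                hits.Add((asg.Left.ToString(), LineOf(asg)));
        return hits;
    }

    // Example #1: restrict to Attribute nodes, then search the selected nodes for a name.
    public static List<int> FindAttribute(SyntaxNode root, string attributeName) =>
        root.DescendantNodes().OfType<AttributeSyntax>()
            .Where(a => a.Name.ToString() == attributeName)
            .Select(a => LineOf(a))
            .ToList();

    // Example #3: global, case-insensitive search over the text of every token.
    public static List<(string kind, int line)> SearchAllNodes(SyntaxNode root, string needle) =>
        root.DescendantTokens()
            .Where(t => t.Text.IndexOf(needle, StringComparison.OrdinalIgnoreCase) >= 0)
            .Select(t => (t.Parent.Kind().ToString(), LineOf(t.Parent)))
            .ToList();

    public static void Main()
    {
        var root = CSharpSyntaxTree.ParseText(Sample).GetRoot();

        foreach (var (name, line) in FindNullAssignments(root))
            Console.WriteLine($"null assigned to '{name}' at line {line}");
        foreach (var line in FindAttribute(root, "WebMethod"))
            Console.WriteLine($"[WebMethod] attribute at line {line}");
        foreach (var (kind, line) in SearchAllNodes(root, "password"))
            Console.WriteLine($"'password' matched in {kind} at line {line}");
    }
}
```

On the constructed sample this reports `password`, `session` and `token` as null assignments, the single `[WebMethod]` attribute, and the `password` identifier token. Comments are trivia rather than tokens in Roslyn, so the global search does not match text inside comments; extend it with `DescendantTrivia()` if you want the same behaviour for commented-out code.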
Custom O2 for .NET Static Analysis
I just consolidated the current O2 .NET Static Analysis scripts/controls into a separate GUI called ‘DotNet Static Analysis (Custom O2).h2’, which you can invoke from the main O2 Gui (or directly from ‘C:\O2\O2Scripts_Database\_Scripts\_Custom_O2s’).
There are quite a lot of features exposed by this GUI: the O2 Static Analysis engine (Method Streams and Invocations), AST analysis, Reflection goodies, ASP.NET MVC support, ASP.NET compilation tools, etc.
This is what the GUI looks like (I call this a ‘Custom O2’):

Here is the full list of Buttons/Features available in this Custom O2 (list created using an O2 script):
Method Streams and Invocations:
    Method Streams:
        MethodStreams Creator
        MethodStreams Viewer
    Method Invocations:
        Util – Method Invocations Creator
        Util – Method Invocations Viewer (Simple)
        Util – Method Invocations Viewer (MethodStreams)
        Util – Method Invocations (Findings Creator)
AST & PoCs:
    Ast Utils:
        ascx_ViewAST
        ascx_SearchAST
        View SourceCode AST
        Convert VB.Net to CSharp.h2
    PoCs:
        O2_DotNet_Ast_Engine
        O2_DotNet_Ast_Scanner
        Util – Debug AST Rules
        Util – Edit AST Rules
Asp.Net MVC , AntiXss:
    Asp.Net MVC:
        Tool – View Asp.NET MCV controllers
        Tool – View Asp.NET MCV method streams and views
        Tool – Map method streams interfaces
    AntiXss Library:
        AntiXSS – Test multiple Encodings
.NET Utils:
    Reflection:
        View Assembly Attributes
        Mono Decompiler
        View .NET Assembly References Mappings
    .Net debug utils:
        SunOfStrikeApi
    ASP.NET:
        ViewState_Decoder (for ASP.NET 3.0)
        Aspx PoC Builder
        .Net AspNet Compiler
        Decompile ASPX pages compiled code
    Other:
        HacmeBank – Vulnerable Web Application (Custom O2)
        Visual Studio 2010 (Custom O2)
        Copy Gac Dlls (Wizard)
Misc Tools:
    Media Tools:
        open ScreenShot tool (Cropper)
        save Image From Clipboard (to temp file)
        save Image From Clipboard (to user’s location)
    Media Tools:
        Image Editor
        Movie Creator
    Files Utils:
        Map Files by Extension
        Quick File Search
        Simple Text Editor
        Search Engine
    O2 Utils:
        Execute Scripts
        Quick development GUI
        IE Automation
        CSharp String Encoder
    Windows Processes and Services:
        Stop Processes
        View Running Process Details
        Stop Services
    This Custom O2:
        Edit this Custom O2 Script
        Open a Log Viewer window
Finally here is the code that creates this GUI:
var title = ".Net Static Analysis";
var ribbon = CustomO2.create(title, 1000,300); // stand alone version
//var ribbon = CustomO2.create(panel.clear().add_Panel(),title); // use when inside 'Quick Development GUI'

// Each tab holds ribbon groups; each group holds buttons that launch an O2 script (.h2 / .cs / .cs.o2 file)
var staticAnalysis = ribbon.add_Tab("Method Streams and Invocations");
staticAnalysis.add_RibbonGroup("Method Streams")
    .add_Script("MethodStreams Creator","Util - MethodStreams Creator.h2")
    .add_Script("MethodStreams Viewer","Util - MethodStreams Viewer.h2");
staticAnalysis.add_RibbonGroup("Method Invocations")
    .add_Script("Util - Method Invocations Creator","Util - Method Invocations Creator.h2")
    .add_Script("Util - Method Invocations Viewer (Simple)","Util - Method Invocations Viewer (Simple).h2")
    .add_Script("Util - Method Invocations Viewer (MethodStreams)","Util - Method Invocations Viewer (MethodStreams).h2")
    .add_Script("Util - Method Invocations (Findings Creator)","Util - Method Invocations (Findings Creator).h2");

var ast = ribbon.add_Tab("AST & PoCs");
ast.add_RibbonGroup("Ast Utils")
    .add_Script("ascx_ViewAST","ascx_ViewAST.cs")
    .add_Script("ascx_SearchAST","ascx_SearchAST.cs")
    .add_Script("View SourceCode AST","ascx_View_SourceCode_AST.cs.o2")
    .add_Script("Convert VB.Net to CSharp.h2", "Util - Convert VB.Net to CSharp.h2");
ast.add_RibbonGroup("PoCs")
    .add_Script("O2_DotNet_Ast_Engine","O2_DotNet_Ast_Engine.h2")
    .add_Script("O2_DotNet_Ast_Scanner","O2_DotNet_Ast_Scanner.h2")
    .add_Script("Util - Debug AST Rules","Util - Debug AST Rules.h2")
    .add_Script("Util - Edit AST Rules","Util - Edit AST Rules.h2");

var mvcAntiXss = ribbon.add_Tab("Asp.Net MVC , AntiXss");
mvcAntiXss.add_RibbonGroup("Asp.Net MVC")
    .add_Script("Tool - View Asp.NET MCV controllers","Tool - View Asp.NET MCV controllers.h2")
    .add_Script("Tool - View Asp.NET MCV method streams and views","Tool - View Asp.NET MCV method streams and views.h2");
mvcAntiXss.add_RibbonGroup("AntiXss Library")
    .add_Script("AntiXSS - Test multiple Encodings", "AntiXSS - Test multiple Encodings.h2");

var dotNetUtils = ribbon.add_Tab(".NET Utils");
dotNetUtils.add_RibbonGroup("Reflection")
    .add_Script("View Assembly Attributes","ascx_AssemblyAttributes.cs.o2")
    .add_Script("Mono Decompiler","ascx_MonoDecompiler.cs.o2")
    .add_Script("View .NET Assembly References Mappings","Tool - View .NET Assembly References Mappings.h2");
dotNetUtils.add_RibbonGroup(".Net debug utils")
    .add_Script("SunOfStrikeApi","SunOfStrikeApi.h2");
dotNetUtils.add_RibbonGroup("ASP.NET")
    .add_Script("ViewState_Decoder (for ASP.NET 3.0)","Util - ViewState_Decoder_ASP.NET 3.0.h2")
    .add_Script("Aspx PoC Builder","Util - Aspx PoC Builder.h2")
    .add_Script(".Net AspNet Compiler","DotNet_AspNet_Compiler.cs")
    .add_Script("Decompile ASPX pages compiled code","Util - Decompile ASP.NET ASPX pages compiled code.h2");
dotNetUtils.add_RibbonGroup("Other")
    .add_Script("HacmeBank - Vulnerable Web Application (Custom O2)", "HacmeBank - Vulnerable Web Application (Custom O2).h2")
    .add_Script("Visual Studio 2010 (Custom O2)", "Visual Studio 2010 (Custom O2).h2")
    .add_Script("Copy Gac Dlls (Wizard)", "Wizard - CopyGacDlls.cs");

ribbon.add_Tab_MiscTools();   // adds the shared 'Misc Tools' tab (media, files, O2 utils, processes, this Custom O2)
return ribbon;

//O2File:CustomO2.cs
//O2Ref:WindowsFormsIntegration.dll
//O2Ref:RibbonControlsLibrary.dll