OWASP O2 Platform Blog

Example of Custom O2 focused on a security consultant’s need

Following on from the Creating custom O2 Versions post, here is an example of a Custom O2 focused on a particular security consultant’s needs (in this case Matt Parsons, who was doing some analysis using IBM’s AppScan Source Edition 7.x (previously known as Ounce 6.x)).

Screenshots of the GUI:

Source code:

var title = "Matt Parsons";
var currentScript = PublicDI.CurrentScript;
var ribbon = CustomO2.create(title, 1024,300);   // stand alone version
//var ribbon = CustomO2.create(panel.clear().add_Panel(),title);   // use when inside 'Quick Development GUI'

// one ribbon tab per AppScan Source version
var appScanSource7Tab = ribbon.add_Tab("IBM AppScan Source 7.x");
var appScanSource6Tab = ribbon.add_Tab("IBM AppScan Source 6.x");

// 7.x tab: findings viewer script
appScanSource7Tab.add_Group("Findings Viewer")
    .add_Script("7.x Findings Viewer", "Tool - Findings Viewer - IBM AppScan Source 7.0.h2");

// 7.x tab: schema of the *.ozasmt assessment files and its generated C# classes
appScanSource7Tab.add_Group("Support Files")
    .add_RibbonButton_ShowCodeFile("Schema File of *.ozasmt","xsd_Ozasmt_OunceV7_0.xsd".local())
    .add_RibbonButton_ShowCodeFile("CSharp file of Schema File","xsd_Ozasmt_OunceV7_0.cs".local());

// 6.x tab: the different findings viewers
appScanSource6Tab.add_Group("Findings Viewer(s)")
    .add_Script("6.x Findings Viewer (with code viewer)", "Util - Simple Findings Viewer (with code viewer).h2")
    .add_Script("6.x Findings Viewer (just viewer/editor)", "Util - Simple Findings Viewer.h2")
    .add_Script("6.x Findings Viewer (indexed by Source-Code viewer)", "Util - Findings Viewer (filtered by SourceCode).h2")
    .add_Script("6.x and others Findings Viewer (separate GUI)", "Findings Viewer.h2");

// O2 Scripting tab: button that opens an 800x400 "Custom O2" panel
var o2Scripting = ribbon.add_Tab("O2 Scripting");
o2Scripting.add_RibbonGroup("Custom O2")
    .add_RibbonButton("Edit this Custom O2 Script",
        () => O2Gui.open<Panel>("Custom O2",800,400));   // call closed here; the rest of this chain is cut off on the page

return "done";



November 2, 2010 | O2 Internals

Creating custom O2 Versions

With the latest changes to O2’s APIs it is now possible to easily create new O2 GUIs (this was created to support the O2 Subscription model, which is focused on creating/supporting Custom O2s).

This is very useful when creating an O2 for a particular:

  • Project / Application
  • Security Consultant
  • APIs, Websites, Frameworks or Tools.

When creating a new Custom O2, the _Scripts\_Custom_O2s\_template (Custom O2).h2 script file is a good template to start from:


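var title = "Custom O2";
var ribbon = CustomO2.create(title);   // stand alone version
//var ribbon = CustomO2.create(panel.clear().add_Panel(),title);   // use when inside 'Quick Development GUI'
var hacmeBankDemos = ribbon.add_Tab("Custom O2");
// The line that creates the ribbon group is missing from the page; the
// add_RibbonGroup call and its "Custom O2" name are assumed here.
hacmeBankDemos.add_RibbonGroup("Custom O2")
      .add_RibbonButton_Script("IE Automation","ascx_IE_ScriptExecution.cs");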




November 2, 2010 | O2 Internals

Util – Font Viewer.h2

Here is a simple script that I wrote yesterday when I needed to quickly figure out what each Windows font looked like.

It provides a real-time preview of all existing fonts in both a TextBox and Label format.

The GUI looks like this:


Here is the source code (also included in O2 at: _Scripts\Utils\Windows\Util – Font Viewer.h2 )

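//var topPanel = panel.add_Panel();
var bold = false;
var topPanel = O2Gui.open<Panel>("Font Viewer", 800,300);
var leftPanel = topPanel.insert_Left<Panel>();
var listBox = leftPanel.add_ListBox();                       // list of font families
var fontSizeValue = listBox.insert_Above<Panel>(40).add_TextBox("Font size","10");
var baseText = topPanel.add_GroupBox("Original Text").add_TextArea().wordWrap(false);

var textboxWithSelectedFont = topPanel.insert_Below<Panel>().add_GroupBox("Transformed Text (inside a TextBox and as a Label)").add_TextArea();
var labelWithSelectedFont = textboxWithSelectedFont.insert_Right<Panel>(topPanel.width()/2).add_Label("");

// Re-render the original text with the selected font family, size and weight.
// Only 'var fontFamily' and 'if (bold)' survive on the page; the lines marked
// "assumed" complete the lambda with standard System.Drawing / WinForms members.
Action showTextWithSelectedFont =
   () => {
      var fontFamily = listBox.selectedItem<FontFamily>();
      float fontSize;
      if (fontFamily == null || !float.TryParse(fontSizeValue.Text, out fontSize) || fontSize <= 0)
         return;                                              // assumed: ignore incomplete input
      var fontStyle = FontStyle.Regular;                      // assumed
      if (bold)
         fontStyle = FontStyle.Bold;                          // assumed
      var font = new Font(fontFamily, fontSize, fontStyle);   // assumed
      textboxWithSelectedFont.Font = font;                    // assumed
      textboxWithSelectedFont.Text = baseText.Text;           // assumed
      labelWithSelectedFont.Font = font;                      // assumed
      labelWithSelectedFont.Text = baseText.Text;             // assumed
   };
// assumed callback: the last argument of add_CheckBox is cut off on the page
fontSizeValue.parent().add_CheckBox("Bold", 20,0, (value) => { bold = value; showTextWithSelectedFont(); });
listBox.SelectedValueChanged+= (sender, e)=> showTextWithSelectedFont();
fontSizeValue.onTextChange((text)=> showTextWithSelectedFont());
// assumed: fill the list with the installed font families (no such line survives on the page)
listBox.Items.AddRange(FontFamily.Families);
//set demo data
baseText.set_Text("This is some text (with real time preview)");

return PublicDI.CurrentScript;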

November 2, 2010 | Windows Tools

IBM AppScan Source 7.0 Scripting: Viewing *.ozasmt file Contents

O2 supports filtering and scripting on top of IBM’s AppScan Source 7.0 (previously known as Ounce 6.x).

This script shows the assessment file in a Notepad-like textbox:

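var folder = @"C:\O2\DemoData\Sample Assessment Files\IBM AppScan Source";
var testFile = folder.pathCombine("Ounce 7_0 - WebGoat-5.1-1  8-24-10 910AM..xml");
var textArea = panel.add_TextArea().wordWrap(false);
// assumed: the line that loads the file is missing from the page
textArea.set_Text(testFile.fileContents());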


This script shows the assessment in a source code viewer using XML color coding:

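var folder = @"C:\O2\DemoData\Sample Assessment Files\IBM AppScan Source";
var testFile = folder.pathCombine("Ounce 7_0 - WebGoat-5.1-1  8-24-10 910AM.ozasmt");
var sourceCodeViewer= panel.add_SourceCodeViewer();
// assumed: the line that loads the file (and selects XML highlighting) is missing from the page
sourceCodeViewer.open(testFile);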


November 2, 2010 | Interoperability