OWASP O2 Platform Blog

Custom O2 for .NET Static Analysis

I just consolidated the current O2 .NET Static Analysis scripts/controls into a separate GUI called DotNet Static Analysis (Custom O2).h2 which you can invoke from the main O2 Gui (or directly from ‘C:\O2\O2Scripts_Database\_Scripts\_Custom_O2s’).

There are quite a lot of features exposed by this GUI: O2 Static Analysis engine (the Method Streams and Invocations), AST analysis, Reflection goodies,  ASP.NET MVC support, ASP.NET compilation tools, etc…)

This is how the GUI looks like (I call this an ‘Custom O2’)

Here is the full  list of Buttons/Features that is available in this CustomO2 (list created using an O2 script 🙂 ):

Method Streams and Invocations:

Method Streams:
MethodStreams Creator
MethodStreams Viewer

Method Invocations:
Util – Method Invocations Creator
Util – Method Invocations Viewer (Simple)
Util – Method Invocations Viewer (MethodStreams)
Util – Method Invocations (Findings Creator)

       AST & PoCs:

Ast Utils:
ascx_ViewAST
ascx_SearchAST
View SourceCode AST
Convert VB.Net to CSharp.h2

PoCs:
O2_DotNet_Ast_Engine
O2_DotNet_Ast_Scanner
Util – Debug AST Rules
Util – Edit AST Rules

       Asp.Net MVC , AntiXss:

Asp.Net MVC:
Tool – View Asp.NET MCV controllers
Tool – View Asp.NET MCV method streams and views
Tool – Map method streams interfaces

AntiXss Library:
AntiXSS – Test multiple Encodings

       .NET Utils:

Reflection:
View Assembly Attributes
Mono Decompiler
View .NET Assembly References Mappings

.Net debug utils:
SunOfStrikeApi

ASP.NET:
ViewState_Decoder (for ASP.NET 3.0)
Aspx PoC Builder
.Net AspNet Compiler
Decompile ASPX pages compiled code

Other:
HacmeBank – Vulnerable Web Application (Custom O2)
Visual Studio 2010 (Custom O2)
Copy Gac Dlls (Wizard)
       Misc Tools:

Media Tools:
open ScreenShot tool (Cropper)
save Image From Clipboard (to temp file)
save Image From Clipboard (to user’s location)

Media Tools:
Image Editor
Movie Creator

Files Utils:
Map Files by Extension
Quick File Search
Simple Text Editor
Search Engine

O2 Utils:
Execute Scripts
Quick development GUI
IE Automation
CSharp String Encoder

Windows Processes and Services:
Stop Processes
View Running Process Details
Stop Services

This Custom O2:
Edit this Custom O2 Script
Open a Log Viewer window

Finally here is the code that creates this GUI:

var title = ".Net Static Analysis";

var ribbon = CustomO2.create(title, 1000,300);         // stand alone version
//var ribbon = CustomO2.create(panel.clear().add_Panel(),title);         // use when inside 'Quick Development GUI'

var staticAnalysis  = ribbon.add_Tab("Method Streams and Invocations");
staticAnalysis.add_RibbonGroup("Method Streams")
.add_Script("MethodStreams Creator","Util - MethodStreams Creator.h2")
.add_Script("MethodStreams Viewer","Util - MethodStreams Viewer.h2");

staticAnalysis.add_RibbonGroup("Method Invocations")
.add_Script("Util - Method Invocations Creator","Util - Method Invocations Creator.h2")
.add_Script("Util - Method Invocations Viewer (Simple)","Util - Method Invocations Viewer (Simple).h2")
.add_Script("Util - Method Invocations Viewer (MethodStreams)","Util - Method Invocations Viewer (MethodStreams).h2")
.add_Script("Util - Method Invocations (Findings Creator)","Util - Method Invocations (Findings Creator).h2");

var ast  = ribbon.add_Tab("AST & PoCs");
ast.add_RibbonGroup("Ast Utils")
.add_Script("ascx_ViewAST","ascx_ViewAST.cs")
.add_Script("ascx_SearchAST","ascx_SearchAST.cs")
.add_Script("View SourceCode AST","ascx_View_SourceCode_AST.cs.o2")
.add_Script("Convert VB.Net to CSharp.h2", "Util - Convert VB.Net to CSharp.h2");

ast.add_RibbonGroup("PoCs")
.add_Script("O2_DotNet_Ast_Engine","O2_DotNet_Ast_Engine.h2")
.add_Script("O2_DotNet_Ast_Scanner","O2_DotNet_Ast_Scanner.h2")
.add_Script("Util - Debug AST Rules","Util - Debug AST Rules.h2")
.add_Script("Util - Edit AST Rules","Util - Edit AST Rules.h2");var mvcAntiXss  = ribbon.add_Tab("Asp.Net MVC , AntiXss");
mvcAntiXss.add_RibbonGroup("Asp.Net MVC")
.add_Script("Tool - View Asp.NET MCV controllers","Tool - View Asp.NET MCV controllers.h2")
.add_Script("Tool - View Asp.NET MCV method streams and views","Tool - View Asp.NET MCV method streams and views.h2");

mvcAntiXss.add_RibbonGroup("AntiXss Library")
.add_Script("AntiXSS - Test multiple Encodings", "AntiXSS - Test multiple Encodings.h2");
var dotNetUtils  = ribbon.add_Tab(".NET Utils");
dotNetUtils.add_RibbonGroup("Reflection")
.add_Script("View Assembly Attributes","ascx_AssemblyAttributes.cs.o2")
.add_Script("Mono Decompiler","ascx_MonoDecompiler.cs.o2")
.add_Script("View .NET Assembly References Mappings","Tool - View .NET Assembly References Mappings.h2");

dotNetUtils.add_RibbonGroup(".Net debug utils")
.add_Script("SunOfStrikeApi","SunOfStrikeApi.h2");

dotNetUtils.add_RibbonGroup("ASP.NET")
.add_Script("ViewState_Decoder (for ASP.NET 3.0)","Util - ViewState_Decoder_ASP.NET 3.0.h2")
.add_Script("Aspx PoC Builder","Util - Aspx PoC Builder.h2")
.add_Script(".Net AspNet Compiler","DotNet_AspNet_Compiler.cs")
.add_Script("Decompile ASPX pages compiled code","Util - Decompile ASP.NET ASPX pages compiled code.h2");

dotNetUtils.add_RibbonGroup("Other")
.add_Script("HacmeBank - Vulnerable Web Application (Custom O2)", "HacmeBank - Vulnerable Web Application (Custom O2).h2")
.add_Script("Visual Studio 2010 (Custom O2)", "Visual Studio 2010 (Custom O2).h2")
.add_Script("Copy Gac Dlls (Wizard)", "Wizard - CopyGacDlls.cs");


ribbon.add_Tab_MiscTools();
return ribbon;

//O2File:CustomO2.cs

//O2Ref:WindowsFormsIntegration.dll
//O2Ref:RibbonControlsLibrary.dll

March 9, 2011 Posted by | .NET, .NET SAST | Leave a comment