OWASP O2 Platform Blog

Custom O2 for .NET Static Analysis

I just consolidated the current O2 .NET Static Analysis scripts/controls into a separate GUI called DotNet Static Analysis (Custom O2).h2, which you can invoke from the main O2 GUI (or directly from ‘C:\O2\O2Scripts_Database\_Scripts\_Custom_O2s’).

There are quite a lot of features exposed by this GUI: the O2 Static Analysis engine (the Method Streams and Invocations), AST analysis, Reflection goodies, ASP.NET MVC support, ASP.NET compilation tools, etc.

This is what the GUI looks like (I call this a ‘Custom O2’)

Here is the full list of buttons/features available in this Custom O2 (list created using an O2 script 🙂):

Method Streams and Invocations:

Method Streams:
MethodStreams Creator
MethodStreams Viewer

Method Invocations:
Util – Method Invocations Creator
Util – Method Invocations Viewer (Simple)
Util – Method Invocations Viewer (MethodStreams)
Util – Method Invocations (Findings Creator)

AST & PoCs:

Ast Utils:
ascx_ViewAST
ascx_SearchAST
View SourceCode AST
Convert VB.Net to CSharp.h2

PoCs:
O2_DotNet_Ast_Engine
O2_DotNet_Ast_Scanner
Util – Debug AST Rules
Util – Edit AST Rules

Asp.Net MVC , AntiXss:

Asp.Net MVC:
Tool – View Asp.NET MCV controllers
Tool – View Asp.NET MCV method streams and views
Tool – Map method streams interfaces

AntiXss Library:
AntiXSS – Test multiple Encodings

.NET Utils:

Reflection:
View Assembly Attributes
Mono Decompiler
View .NET Assembly References Mappings

.Net debug utils:
SunOfStrikeApi

ASP.NET:
ViewState_Decoder (for ASP.NET 3.0)
Aspx PoC Builder
.Net AspNet Compiler
Decompile ASPX pages compiled code

Other:
HacmeBank – Vulnerable Web Application (Custom O2)
Visual Studio 2010 (Custom O2)
Copy Gac Dlls (Wizard)

Misc Tools:

Media Tools:
open ScreenShot tool (Cropper)
save Image From Clipboard (to temp file)
save Image From Clipboard (to user’s location)

Media Tools:
Image Editor
Movie Creator

Files Utils:
Map Files by Extension
Quick File Search
Simple Text Editor
Search Engine

O2 Utils:
Execute Scripts
Quick development GUI
IE Automation
CSharp String Encoder

Windows Processes and Services:
Stop Processes
View Running Process Details
Stop Services

This Custom O2:
Edit this Custom O2 Script
Open a Log Viewer window

Finally, here is the code that creates this GUI:

var title = ".Net Static Analysis";

var ribbon = CustomO2.create(title, 1000,300);         // stand alone version
//var ribbon = CustomO2.create(panel.clear().add_Panel(),title);         // use when inside 'Quick Development GUI'

var staticAnalysis  = ribbon.add_Tab("Method Streams and Invocations");
staticAnalysis.add_RibbonGroup("Method Streams")
.add_Script("MethodStreams Creator","Util - MethodStreams Creator.h2")
.add_Script("MethodStreams Viewer","Util - MethodStreams Viewer.h2");

staticAnalysis.add_RibbonGroup("Method Invocations")
.add_Script("Util - Method Invocations Creator","Util - Method Invocations Creator.h2")
.add_Script("Util - Method Invocations Viewer (Simple)","Util - Method Invocations Viewer (Simple).h2")
.add_Script("Util - Method Invocations Viewer (MethodStreams)","Util - Method Invocations Viewer (MethodStreams).h2")
.add_Script("Util - Method Invocations (Findings Creator)","Util - Method Invocations (Findings Creator).h2");

var ast  = ribbon.add_Tab("AST & PoCs");
ast.add_RibbonGroup("Ast Utils")
.add_Script("ascx_ViewAST","ascx_ViewAST.cs")
.add_Script("ascx_SearchAST","ascx_SearchAST.cs")
.add_Script("View SourceCode AST","ascx_View_SourceCode_AST.cs.o2")
.add_Script("Convert VB.Net to CSharp.h2", "Util - Convert VB.Net to CSharp.h2");

ast.add_RibbonGroup("PoCs")
.add_Script("O2_DotNet_Ast_Engine","O2_DotNet_Ast_Engine.h2")
.add_Script("O2_DotNet_Ast_Scanner","O2_DotNet_Ast_Scanner.h2")
.add_Script("Util - Debug AST Rules","Util - Debug AST Rules.h2")
.add_Script("Util - Edit AST Rules","Util - Edit AST Rules.h2");

var mvcAntiXss  = ribbon.add_Tab("Asp.Net MVC , AntiXss");
mvcAntiXss.add_RibbonGroup("Asp.Net MVC")
.add_Script("Tool - View Asp.NET MCV controllers","Tool - View Asp.NET MCV controllers.h2")
.add_Script("Tool - View Asp.NET MCV method streams and views","Tool - View Asp.NET MCV method streams and views.h2");

mvcAntiXss.add_RibbonGroup("AntiXss Library")
.add_Script("AntiXSS - Test multiple Encodings", "AntiXSS - Test multiple Encodings.h2");

var dotNetUtils  = ribbon.add_Tab(".NET Utils");
dotNetUtils.add_RibbonGroup("Reflection")
.add_Script("View Assembly Attributes","ascx_AssemblyAttributes.cs.o2")
.add_Script("Mono Decompiler","ascx_MonoDecompiler.cs.o2")
.add_Script("View .NET Assembly References Mappings","Tool - View .NET Assembly References Mappings.h2");

dotNetUtils.add_RibbonGroup(".Net debug utils")
.add_Script("SunOfStrikeApi","SunOfStrikeApi.h2");

dotNetUtils.add_RibbonGroup("ASP.NET")
.add_Script("ViewState_Decoder (for ASP.NET 3.0)","Util - ViewState_Decoder_ASP.NET 3.0.h2")
.add_Script("Aspx PoC Builder","Util - Aspx PoC Builder.h2")
.add_Script(".Net AspNet Compiler","DotNet_AspNet_Compiler.cs")
.add_Script("Decompile ASPX pages compiled code","Util - Decompile ASP.NET ASPX pages compiled code.h2");

dotNetUtils.add_RibbonGroup("Other")
.add_Script("HacmeBank - Vulnerable Web Application (Custom O2)", "HacmeBank - Vulnerable Web Application (Custom O2).h2")
.add_Script("Visual Studio 2010 (Custom O2)", "Visual Studio 2010 (Custom O2).h2")
.add_Script("Copy Gac Dlls (Wizard)", "Wizard - CopyGacDlls.cs");


ribbon.add_Tab_MiscTools();
return ribbon;

//O2File:CustomO2.cs

//O2Ref:WindowsFormsIntegration.dll
//O2Ref:RibbonControlsLibrary.dll

March 9, 2011 - Posted by | .NET, .NET SAST
