OWASP O2 Platform Blog

Scripting “O2 Tool – AST Search” to find Null references (.NET Static Analysis)

This script will show how to use the control that builds up the O2 Tool – Search AST to perform a custom search for all variables that are assigned the value of ‘null’

Here is the execution result

And here is the source code:

var topPanel = O2Gui.open<Panel>("Custom filtering of 'Search AST' tool",700,400);
//var topPanel = panel.clear().add_Panel();
var ascxSearchAst = topPanel.add_Control<ascx_SearchAST>();

var sourceCodeFolder = @"C:\O2\Demos\HacmeBank\HacmeBank_v2.0 (7 Dec 08)\HacmeBank_v2_WS";

//Load ASTs from files (use cache data if available)
var astData = (O2MappedAstData)O2LiveObjects.get(sourceCodeFolder);
if (astData.isNull())
{
"loading AstData from: {0}".info(sourceCodeFolder);
astData = new O2MappedAstData();
astData.loadFiles(sourceCodeFolder.files(true,"*.cs","*.vb"));
O2LiveObjects.set(sourceCodeFolder,astData);
}
ascxSearchAst.buildGui(astData);


//Example #1
/*
ascxSearchAst.setINodeFilter("Attribute");
ascxSearchAst.setSearchOnSelectedINode("WebMethod");
*/
//Example #2

ascxSearchAst.setINodeFilter("Primitive");
ascxSearchAst.setSearchOnSelectedINode("Null");
//Example #3
/*
ascxSearchAst.setSearchOnAlINodes("password");
*/

return "ok";
//O2File:ascx_SearchAST.cs
//using O2.XRules.Database.Languages_and_Frameworks.DotNet
//O2Ref:O2_API_AST.dll
//using O2.API.AST.CSharp;

April 10, 2011 Posted by | .NET, .NET SAST | 1 Comment

O2 Tool – AST Search (.NET Static Analysis)

Here is a very useful tool built on top of O2‘s AST-base static analysis engine.

The tool is is called ‘Search AST’ and allows for ‘AST based’ searches of C# source code files.

How to use this tool

  • On main O2 Gui, in the ‘Custom O2s’ tab, click on the ‘DotNet Static Analysis’ button:

Image:4_10_2011_7_00_07_AM_tmp5801.jpg

  • Then on the ‘AST & PoCS’ tab , click on the ‘ascx_SearchAST’  button:

Image:4_10_2011_7_00_37_AM_tmpCB3E.jpg

  • This will open a gui that looks like this:

Image:4_10_2011_7_02_34_AM_tmp967A.jpg

  • Now find the folder with the C# source code to analyse and drag & Drop it into the rigth-left treeview

Image:4_10_2011_7_05_44_AM_tmp7A1B.jpg

  • Once that loads up, you can select on the INode types on the left to see the cases where they show up

Image:4_10_2011_7_06_43_AM_tmp616F.jpg

  • You can do searches on the selected INode type (in this find searching for WebMethod in the Attribute INodes)

Image:4_10_2011_7_10_52_AM_tmp29E2.jpg

  • and you can also do a global search on ALL INodes

Image:4_10_2011_7_12_07_AM_tmp513C.jpg

  • the list show on the Search Result TreeView is the unique list of string matches

Image:4_10_2011_7_13_00_AM_tmp1D18.jpg

  • and the list that is show on the ‘Source Code Lines’ Treeview is a list of the source code lines that match the current selected item

Image:4_10_2011_7_14_27_AM_tmp720B.jpg

April 10, 2011 Posted by | .NET, .NET SAST | 2 Comments

Unit Test for HttpModule using Moq to wrap HttpRequest

Using the Mocking HttpContext HttpRequest and HttpResponse for UnitTests (using Moq) API, here is a unit test that uses it to test if a method used inside an HttpModule is doing the right thing (in this case the HttpModule will set up the current HttpContext User’s roles to a mapping that is created from a summited token/Guid)

This script is done as an NUnit Test: 

[Test]
        public string TestSoapRequestUtils()
        {                   

first create out mock objects and do a basic test (i.e. write and read some text into the HttpRequest

            //**** testing SoapRequestUtils.GetPostDataAsXmlDocument
            var mockHttpContext = new API_Moq_HttpContext();       
            var httpContext = mockHttpContext.httpContext();               
            var requestText = "this is some text in Xml Format";
            httpContext.request_Write(requestText.serialize(false));
            var xmlDocument = SoapRequestUtils.GetPostDataAsXmlDocument(httpContext);
            Assert.That(xmlDocument.notNull());
            Assert.That(xmlDocument.OuterXml.contains(requestText), "requestText was not in the generated Xml string");

Now lets do a test where we submit a soap request and validate that the function that extracts a value is working as expected


            //**** testing SoapRequestUtils.GetPostDataElementValue
            var adminSessionID = "503d4cc3-be37-42ca-961b-8ee11e4f96eb";
            var soapRequest = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"+
                              "<soap:Envelope xmlns:soap=\"<a href="http://schemas.xmlsoap.org/soap/envelope/\">http://schemas.xmlsoap.org/soap/envelope/\</a>" xmlns:xsi=\"<a href="http://www.w3.org/2001/XMLSchema-instance\">http://www.w3.org/2001/XMLSchema-instance\</a>" xmlns:xsd=\"<a href="http://www.w3.org/2001/XMLSchema\">http://www.w3.org/2001/XMLSchema\</a>">"+
                              "    <soap:Body>"+
                              "        <GetUserInformation xmlns=\"<a href="https://TeamMentor.securityinnovation.com:13415/\">https://TeamMentor.securityinnovation.com:13415/\</a>">"+
                              "            <AdminSessionID>{0}</AdminSessionID>".format(adminSessionID) +
                              "            <UserID>202</UserID>"+
                              "        </GetUserInformation>"+
                              "    </soap:Body>"+
                              "</soap:Envelope>";                             
                             
            mockHttpContext.request_Write_Clear()
                           .request_Write(soapRequest);                                                  
            Assert.That(adminSessionID ==  httpContext.GetPostDataElementValue("AdminSessionID") , "fetched adminSessionID didn't match");

The next tests checks that the roles in httpContext.User have been correcly set

            //**** testing RoleBaseSecurity.SetCurrentUserRoles
            var roles = (string[])httpContext.SetCurrentUserRoles(UserRole.Admin, UserRole.ManageUsers).field("m_roles");
           
            Assert.That(roles.size()==2 && roles[0] == "Admin" && roles[1]=="ManageUsers", "in SetCurrentUserRoles, m_roles did not had the right value");
           
            //**** testing UserRoleBaseSecurity.MapRolesBasedOnSessionGuid
            var sessionIdGuid = this.getGuidOfLoggedInUser();
           
            HttpContextFactory.Context = httpContext;       
            var userRole = sessionIdGuid.userType();
           
            new UserRoleBaseSecurity().MapRolesBasedOnSessionGuid(sessionIdGuid); 
            roles = (string[])System.Threading.Thread.CurrentPrincipal.field("m_roles");
           
            Assert.That(roles.size() == 3 && roles[0] == userRole.str(), "in MapRolesBasedOnSessionGuid, m_roles did not had the right value"); 

If all tests passed, return a message to the O2 Unit Test execution GUI

                        
            return "ok: TestSoapRequestUtils";
           
        }

April 10, 2011 Posted by | Moq | 1 Comment

Amazon EC2 Browser – Timer to Stop Instances

When using the new O2 Amazon EC browser tool (which works really well and is really helping me to better manage my EC2 usage), I reallized that what I really wanted was a way to stop instances after a certain period.

The problem is that Amazon EC2 can be quite expensive if we leave the instances running for a while (and in a lot of cases they are not needed to be up for longer periods of time). The lack of automatically stopping instances (after a while) was really preventing me from trying a couple ‘high performace’  instances (since they can be up to 11USD per day). 

The solution was to add a feature to the O2 Amazon EC browser where we could set-up a timer that would stop the instances after 1h (60m), with the ability to reset the clock if we wanted more time).

This feature is now availbale on the latest version of the  Tool – Amazon EC2 Browser.h2 O2 script (see ‘Stop Instances in 60 minutes panel on the bottom right):

This will also allow me to better manage the O2 images that I am providing to the O2 Subscribers

April 10, 2011 Posted by | EC2 | 4 Comments