OWASP O2 Platform Blog

Visualizing the links in JPetStore (Spring MVC)

One of the pains of writing web automation scripts for JPetStore is its almost complete lack of HTML id attributes, which makes it very hard to get strong references to the elements (for example, links) that a script needs to drive.

The script below shows an IE Automation sequence that ends up on a page where we grab the links and visualize one possible analysis of their link data:

Here is the script that creates the GUI:

var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(true);              // embedded IE (WatiN) with dialogs suppressed

ie.open("http://127.0.0.1:8080/jpetstore");            // local JPetStore instance
ie.link("Enter the Store").click();

// JPetStore has almost no HTML ids, so anchor on the query string instead:
// map each categoryId value (FISH, DOGS, ...) to the link that carries it
var mappings = new Dictionary<string, string>();

foreach(var url in ie.links().urls())
    if(url.contains("categoryId"))
        mappings.add(url.split("=")[1], url);

ie.open(mappings["FISH"]);
ie.link("FI-FW-01 ").click();                          // link text matched exactly, trailing space included

// decompose every parameterised link into address / parameter name / value
// (turning '?' into '=' lets a single split produce all three parts; this
// assumes one query parameter per link, which holds for JPetStore's navigation links)
var tableList = topPanel.insert_Left(400).add_TableList();
var urls = from url in ie.links().urls()
           where url.contains("?")
           select url.replace("?","=");
var results = from url in urls
              select new { address = url.split("=")[0],
                           action  = url.split("=")[1],
                           id      = url.split("=")[2] };

tableList.show(results);

//ie.inject_jQuery();
//ie.inject_FirebugLite();
//return ie.fields();
return "ok";

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll

Here is a follow-up script containing just the navigation part of that sequence, where we create a dictionary that maps each product category to its link and then open the FISH category:

var topPanel = panel.clear().add_Panel();
var ie = topPanel.add_IE().silent(true);              // embedded IE (WatiN) with dialogs suppressed

ie.open("http://127.0.0.1:8080/jpetstore");            // local JPetStore instance
ie.link("Enter the Store").click();

// categoryId value (FISH, DOGS, ...) -> link that carries it
var mappings = new Dictionary<string, string>();

foreach(var url in ie.links().urls())
    if(url.contains("categoryId"))
        mappings.add(url.split("=")[1], url);

ie.open(mappings["FISH"]);

ie.link("FI-FW-01 ").click();                          // link text matched exactly, trailing space included
//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
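The O2 scripts above split each URL on "=" after turning "?" into "=", which works for JPetStore's one-parameter navigation links but silently produces wrong rows as soon as a link carries two query parameters or a value that itself contains "=". The following Python script is an added example (not part of the original post or of the O2 Platform) that builds the same categoryId dictionary and the same address/action/id table with a real query-string parser, and keeps a mirror of the naive split alongside so the difference is visible. The link list is constructed to look like JPetStore's links and was not captured from a running instance; the function names are this example's own.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed list of link URLs in the shape JPetStore emits (not captured
# from a running instance); the last one carries two query parameters.
SAMPLE_LINKS = [
    "http://127.0.0.1:8080/jpetstore/shop/viewCategory.do?categoryId=FISH",
    "http://127.0.0.1:8080/jpetstore/shop/viewCategory.do?categoryId=DOGS",
    "http://127.0.0.1:8080/jpetstore/shop/viewProduct.do?productId=FI-FW-01",
    "http://127.0.0.1:8080/jpetstore/shop/viewItem.do?itemId=EST-1",
    "http://127.0.0.1:8080/jpetstore/shop/addItemToCart.do?workingItemId=EST-1",
    "http://127.0.0.1:8080/jpetstore/shop/index.do",
    "http://127.0.0.1:8080/jpetstore/shop/signonForm.do?returnTo=/shop/viewCart.do&lang=en",
]


def naive_split(url):
    """Mirror of the O2 script: turn '?' into '=' and split, taking parts 0, 1 and 2."""
    if "?" not in url:
        return None
    parts = url.replace("?", "=").split("=")
    if len(parts) < 3:          # the O2 version would throw an index error here
        return None
    return {"address": parts[0], "action": parts[1], "id": parts[2]}


def category_mappings(urls):
    """categoryId value -> first link carrying it, using a real query-string parser."""
    mappings = {}
    for url in urls:
        query = dict(parse_qsl(urlsplit(url).query))
        category = query.get("categoryId")
        if category and category not in mappings:
            mappings[category] = url
    return mappings


def link_data(urls):
    """One (address, action, id) row per query parameter of every parameterised link."""
    rows = []
    for url in urls:
        parts = urlsplit(url)
        address = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
        for name, value in parse_qsl(parts.query):
            rows.append({"address": address, "action": name, "id": value})
    return rows


if __name__ == "__main__":
    print(category_mappings(SAMPLE_LINKS))
    for row in link_data(SAMPLE_LINKS):
        print(row)
    print("naive:", naive_split(SAMPLE_LINKS[-1]))
```

Run it and compare the last two lines of output: the parser yields two rows for the signon link (returnTo and lang), while the naive split reports a single row whose id is "/shop/viewCart.do&lang".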

July 15, 2011 Posted by | IE Automation, JPetStore, Spring MVC, WatiN

Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)

One of the topics discussed at yesterday's O2 WebCast was "how do we find the JSPs that are mapped to a controller?"

This is a very important piece of the puzzle, since it is one of the few ways we can get a feel for the size of the Spring auto-binding vulnerabilities: one of the analyses that needs to be done is the cross-check between the fields that appear in the *.jsp files and the properties that the Spring MVC engine will auto-bind into the assigned command class POJO (any bindable property with no matching form field is a candidate for receiving values the developer never intended to accept from the request).

The first place to look is in the Spring config file, and here is a script that does exactly that:

var topPanel = panel.clear().add_Panel();
var springConfig = @"C:\O2\Demos\jPetStore - O2 Demo Pack\sourceCode\war\WEB-INF\petstore-servlet.xml";

springConfig.showInCodeViewer();                      // show the raw XML next to the table
//topPanel.add_SourceCodeViewer().open(springConfig);

// one row per <property> of each controller bean: the URL the bean is mapped to,
// the property name and its value (formView, successView, commandClass, ...)
var data = from controller in springConfig.springMvcMappings().Controllers
           from property in controller.Properties
           select new { controller = controller.HttpRequestUrl, key = property.Key, value = property.Value };

topPanel.add_TableList().show(data);
//return springConfig.springMvcMappings().Controllers[0].Properties[0];
//using O2.XRules.Database.Languages_and_Frameworks.J2EE
//using O2.XRules.Database.APIs.IKVM
//O2File:spring-servlet-2.0.xsd.cs
//O2File:SpringMvcMappings_v2.0.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll

When executed, this script opens the local petstore-servlet.xml config file and shows a table mapping each bean's URL to its property names and values.

As the table clearly shows, in this application (and this tends to be application-specific) we can't use the Spring config file to fully map the controllers' views: a couple can be resolved this way, but most of the mappings are missing.

A quick look at one of the controllers shows the most likely explanation,

which is that the view is set in the constructor of the ModelAndView object:

        return new ModelAndView("ViewOrder", model);

The question now is: “How often was this pattern used in JPetStore?”.

A first look suggests that it is common,


which is confirmed when looking at the other ModelAndView constructors:

So to correctly map these JSPs we are going to have to programmatically retrieve the first string argument of each ModelAndView constructor call and map it to the controller that returns it.

This can be done using the metadata exposed by the O2 Java Static Analysis Engine (in the screenshot below, note the string constant loaded two instructions before the call to the ModelAndView constructor):
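Pulled together as one runnable example, here is the two-step mapping this post describes: read view names from the controller beans' properties in the Spring config first, then fall back to the string literal passed to the ModelAndView constructor. This is an added example in Python, not the O2 script or the O2 Java Static Analysis Engine: where O2 reads the string constant out of the compiled bytecode, this version reads it out of the controller's Java source with a regular expression, so it misses views built from non-literal expressions. The petstore-servlet.xml fragment and the controller sources are constructed to have the shape of the JPetStore ones and are not the real files; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed petstore-servlet.xml fragment (bean name = request URL style),
# shaped like the JPetStore file but not copied from it.
SPRING_CONFIG = """
<beans>
  <bean name="/shop/signonForm.do"
        class="org.springframework.web.servlet.mvc.ParameterizableViewController">
    <property name="viewName"><value>SignonForm</value></property>
  </bean>
  <bean name="/shop/newOrder.do"
        class="org.springframework.samples.jpetstore.web.spring.OrderFormController">
    <property name="commandClass"><value>org.springframework.samples.jpetstore.web.spring.OrderForm</value></property>
    <property name="sessionForm" value="true"/>
  </bean>
  <bean name="/shop/viewOrder.do"
        class="org.springframework.samples.jpetstore.web.spring.ViewOrderController"/>
</beans>
"""

# Constructed controller sources, keyed by class name. The real JPetStore
# controllers pick the view the same way: a string literal in the constructor.
CONTROLLER_SOURCES = {
    "org.springframework.samples.jpetstore.web.spring.ViewOrderController": """
        public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) {
            Map model = new HashMap();
            model.put("order", order);
            return new ModelAndView("ViewOrder", model);
        }
    """,
    "org.springframework.samples.jpetstore.web.spring.OrderFormController": """
        protected ModelAndView onSubmit(HttpServletRequest request, HttpServletResponse response,
                                        Object command, BindException errors) {
            if (!confirmed) {
                return new ModelAndView("OrderForm", "orderForm", command);
            }
            return new ModelAndView("OrderConfirm", model);
        }
    """,
}

# Spring MVC controller properties whose value is a view name.
VIEW_PROPERTIES = ("viewName", "formView", "successView")
# First string literal handed to a ModelAndView constructor (misses non-literal views).
MODEL_AND_VIEW = re.compile(r'new\s+ModelAndView\s*\(\s*"([^"]+)"')


def _local(tag):
    """Drop a namespace such as {http://www.springframework.org/schema/beans} from a tag."""
    return tag.rsplit("}", 1)[-1]


def controllers_from_config(xml_text):
    """URL -> {'class': ..., 'properties': {name: value}} for every bean named after a URL."""
    controllers = {}
    for bean in ET.fromstring(xml_text).iter():
        url = bean.get("name")
        if _local(bean.tag) != "bean" or not url or not url.startswith("/"):
            continue
        props = {}
        for prop in bean:
            if _local(prop.tag) != "property":
                continue
            value = prop.get("value")                 # <property name=".." value=".."/>
            if value is None:                         # <property name=".."><value>..</value></property>
                value = next((c.text for c in prop if _local(c.tag) == "value"), None)
            props[prop.get("name")] = value
        controllers[url] = {"class": bean.get("class"), "properties": props}
    return controllers


def views_for(url, controllers, sources):
    """Views a controller can render: config properties first, then ModelAndView literals."""
    ctrl = controllers[url]
    views = {v for k, v in ctrl["properties"].items() if k in VIEW_PROPERTIES and v}
    views.update(MODEL_AND_VIEW.findall(sources.get(ctrl["class"], "")))
    return sorted(views)


def map_all_views(xml_text, sources):
    """URL -> sorted view names, combining both sources of information."""
    controllers = controllers_from_config(xml_text)
    return {url: views_for(url, controllers, sources) for url in controllers}


if __name__ == "__main__":
    for url, views in map_all_views(SPRING_CONFIG, CONTROLLER_SOURCES).items():
        print(url, "->", views or "UNRESOLVED")
```

Any URL that still prints UNRESOLVED after both steps is a controller whose view is computed at runtime, which is exactly the case that needs the bytecode-level lookup the post goes on to describe.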

Once we have the JSPs we will need to find the fields that are used inside them.

At the moment O2 doesn't have a JSP file parser, but this information should also be retrievable from the *.class files that Tomcat compiles from the JSPs, which in this case can be found in Tomcat's work folder (C:\O2\Demos\jPetStore - O2 Demo Pack\apache-tomcat-7.0.16\work\Catalina\localhost\jpetstore\org\apache\jsp\WEB_002dINF\jsp\spring):
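The cross-check this post opens with, as an added example that is not part of the post or of O2: extract the properties a JSP binds on the command object (from spring:bind paths and literal input names), list every property the command class exposes through a public setter, and report the difference. The JSP fragment and the command class source are constructed in the style of JPetStore's order form and are not the real files; the setter scan over Java source is a stand-in for what O2 would read from the compiled class, and the function names are this example's own.

```python
import re

# Constructed JSP fragment in the style of JPetStore's Spring 2.0 order form
# (spring:bind paths and inputs whose name comes from status.expression).
ORDER_FORM_JSP = """
<form method="POST">
  <spring:bind path="order.billToFirstName"><input type="text" name="${status.expression}" value="${status.value}"/></spring:bind>
  <spring:bind path="order.billToLastName"><input type="text" name="${status.expression}" value="${status.value}"/></spring:bind>
  <spring:bind path="order.cardType"><select name="${status.expression}"><option>Visa</option></select></spring:bind>
  <spring:bind path="order.creditCard"><input type="text" name="${status.expression}" value="${status.value}"/></spring:bind>
  <spring:bind path="order.expiryDate"><input type="text" name="${status.expression}" value="${status.value}"/></spring:bind>
  <input type="hidden" name="_finish" value="true"/>
  <input type="submit" name="submit" value="Continue"/>
</form>
"""

# Constructed command class source: Spring's data binder can write to any
# property with a public setter, whether or not the form renders a field for it.
ORDER_JAVA = """
public class Order implements Serializable {
    public void setBillToFirstName(String v) { billToFirstName = v; }
    public void setBillToLastName(String v)  { billToLastName = v; }
    public void setCardType(String v)        { cardType = v; }
    public void setCreditCard(String v)      { creditCard = v; }
    public void setExpiryDate(String v)      { expiryDate = v; }
    public void setStatus(String v)          { status = v; }
    public void setTotalPrice(double v)      { totalPrice = v; }
    public void setLineItems(List v)         { lineItems = v; }
    public String getStatus()                { return status; }
}
"""

BIND_PATH = re.compile(r'<spring:bind\s+path="([^"]+)"')
# Literal input names only; names built from ${status.expression} are covered by BIND_PATH.
INPUT_NAME = re.compile(r'<(?:input|select|textarea)\b[^>]*\bname="([^"$]+)"')
SETTER = re.compile(r'public\s+void\s+set([A-Z]\w*)\s*\(')


def jsp_fields(jsp_text, command_name):
    """Property paths the JSP binds on the command object, plus literal input names."""
    prefix = command_name + "."
    fields = {p[len(prefix):] for p in BIND_PATH.findall(jsp_text) if p.startswith(prefix)}
    # Spring's own control parameters (_finish, _cancel, _target1, ...) are not properties
    fields.update(n for n in INPUT_NAME.findall(jsp_text) if not n.startswith("_"))
    return fields


def bindable_properties(java_source):
    """One property per public setter, with the JavaBeans lower-case first letter."""
    return {name[0].lower() + name[1:] for name in SETTER.findall(java_source)}


def autobind_candidates(jsp_text, command_name, java_source):
    """Bindable properties with no form field: still settable from a crafted request."""
    return sorted(bindable_properties(java_source) - jsp_fields(jsp_text, command_name))


if __name__ == "__main__":
    print("fields in form:      ", sorted(jsp_fields(ORDER_FORM_JSP, "order")))
    print("bindable properties: ", sorted(bindable_properties(ORDER_JAVA)))
    print("auto-bind candidates:", autobind_candidates(ORDER_FORM_JSP, "order", ORDER_JAVA))
```

Every property in the result can be set by adding its parameter to the POST even though the form never renders a field for it (in the constructed sample: lineItems, status and totalPrice on an order). On the Spring side the fix is to restrict binding explicitly, for example with DataBinder.setAllowedFields in the controller's initBinder, rather than relying on which fields the JSP happens to show.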

July 15, 2011 Posted by | Java, JPetStore, Spring MVC

Using OpenPGP to Easily create temp PGP keys for secure file exchange

If you need to quickly create PGP keys that you can distribute for temporary use, take a look at the O2 Script ‘tool – using openpgp to encrypt and decrypt.h2’.

This is what the main GUI looks like:

Go to 'Create or Edit Keys' and click on 'Create' (this can take a couple of seconds, since OpenPGP needs to gather enough entropy from the local system for key generation).

Now just go to the target folder and send the public key file to your recipient. Since the recipient has no other way to tell your key apart from one substituted in transit, confirm the key's fingerprint with them over a separate channel before they use it.

This GUI can also be used to encrypt text:

Decrypt text:

and encrypt/decrypt files:

July 15, 2011 Posted by | Interoperability, Windows Tools