OWASP O2 Platform Blog

O2 .NET AST Scanner – HacmeBank – SQL Injection PoC

This example show a complete trace for one of HacmeBank’s SQL injection vulnerabilties.

This was created with O2’s .NET AST Scanner (23-May-10 version) which allows the creation of a complete trace via ‘joining up’ the partial traces (for the web layer and web services layer)

Graph with Big Picture (all nodes)

Part 1 – Exploit/Payload location

Part 2 – Web Layer trace

Part 3 – WebServices trace

Script used to ‘join’ the two traces

// add payload and link it to the first node
var urlNode = "<a href=""></a>";
var postPayload = "POST payload: txtUserName";
graph.add_Edge(urlNode, postPayload);
graph.add_Edge(postPayload, graph.nodes()[0]);
// join traces that match the "method.*Ws_UserManagement.Login" reg ex
// with a new node called "INTERNET"
var internetNode = "INTERNET";
foreach(var node in graph.nodes())
        graph.add_Edge(internetNode, node);
        graph.add_Edge(node, internetNode);

Source Code view of Web Layer code and trace


Source Code view of Web Services code and trace

July 29, 2011 - Posted by | .NET, HacmeBank

1 Comment »

  1. After installing Hacme Bank and O2, how do you go about doing this? Perhaps using the .Net Static Analysis view, then doing all this https://o2platform.wordpress.com/2011/04/10/o2-tool-ast-search-net-static-analysis/ and then???

    Comment by Lost in O2 | October 3, 2011 | Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: