OWASP O2 Platform Blog

Real-time Vulnerability Creation Feedback inside VisualStudio

There is a really interesting video that shows how to perform static analysis of code at compilation time on top of Visual Studio .NET. This mechanism is really powerful, because at compilation time you can find and correct most of the security holes we create. Just imagine the added value that this process can provide to a large software development project.

The complete information can be found at http://diniscruz.blogspot.com/2012/06/real-time-vulnerability-creation.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+DinisCruz+%28Dinis+Cruz+blog%29

And there is also a reddit thread if you want to get involved (I hope you do).

June 22, 2012 | .NET, .NET SAST, VisualStudio

New reddit community for OWASP O2 and Cat.Net

A new community has been created on Reddit for supporting Cat.Net, the static analysis engine created by Microsoft (but which has lacked support in the last year). We see an opportunity here to involve the OWASP O2 Platform and add value to our project in this new path of source code analysis.

Join this community today!

Reddit community

For more information visit http://diniscruz.blogspot.com/2012/06/new-reddit-community-for-catnet.html

June 13, 2012 | .NET SAST, O2 Scripting

Scripting “O2 Tool – AST Search” to find Null references (.NET Static Analysis)

This script shows how to use the control that builds up the O2 Tool – Search AST to perform a custom search for all variables that are assigned the value ‘null’.

Here is the execution result

And here is the source code:

// Open a stand-alone window hosting the 'Search AST' control
var topPanel = O2Gui.open<Panel>("Custom filtering of 'Search AST' tool",700,400);
//var topPanel = panel.clear().add_Panel();      // use this line instead when running inside another O2 panel
var ascxSearchAst = topPanel.add_Control<ascx_SearchAST>();

// Folder with the C# / VB.NET source code to analyse (HacmeBank web services in this example)
var sourceCodeFolder = @"C:\O2\Demos\HacmeBank\HacmeBank_v2.0 (7 Dec 08)\HacmeBank_v2_WS";

//Load ASTs from files (use cached data if available)
var astData = (O2MappedAstData)O2LiveObjects.get(sourceCodeFolder);
if (astData.isNull())
{
    "loading AstData from: {0}".info(sourceCodeFolder);
    astData = new O2MappedAstData();
    astData.loadFiles(sourceCodeFolder.files(true,"*.cs","*.vb"));   // true = include subfolders
    O2LiveObjects.set(sourceCodeFolder,astData);                       // cache the parsed ASTs for the next run
}
ascxSearchAst.buildGui(astData);


//Example #1: find all 'WebMethod' attributes (the exposed web service entry points)
/*
ascxSearchAst.setINodeFilter("Attribute");
ascxSearchAst.setSearchOnSelectedINode("WebMethod");
*/
//Example #2: find all variables assigned the primitive value 'null' (the search used in this post)

ascxSearchAst.setINodeFilter("Primitive");
ascxSearchAst.setSearchOnSelectedINode("Null");
//Example #3: search for the string 'password' across ALL INode types
/*
ascxSearchAst.setSearchOnAlINodes("password");
*/

return "ok";
// O2 script directives: source file compiled with this script, namespaces and assembly references
//O2File:ascx_SearchAST.cs
//using O2.XRules.Database.Languages_and_Frameworks.DotNet
//O2Ref:O2_API_AST.dll
//using O2.API.AST.CSharp;

April 10, 2011 | .NET, .NET SAST

O2 Tool – AST Search (.NET Static Analysis)

Here is a very useful tool built on top of O2’s AST-based static analysis engine.

The tool is called ‘Search AST’ and allows ‘AST based’ searches of C# source code files.

How to use this tool

  • On the main O2 Gui, in the ‘Custom O2s’ tab, click on the ‘DotNet Static Analysis’ button.
  • Then on the ‘AST & PoCs’ tab, click on the ‘ascx_SearchAST’ button.
  • This will open a gui for the Search AST tool.
  • Now find the folder with the C# source code to analyse and drag & drop it into the left-hand treeview.
  • Once that loads up, you can select the INode types on the left to see the cases where they show up.
  • You can do searches on the selected INode type (in this case, searching for WebMethod in the Attribute INodes).
  • And you can also do a global search on ALL INodes.
  • The list shown in the Search Result TreeView is the unique list of string matches.
  • And the list shown in the ‘Source Code Lines’ TreeView is the list of source code lines that match the currently selected item.
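As an added example (not O2 code and not from the original posts), the three searches that the ‘Scripting O2 Tool – AST Search’ script above wires into the Search AST control (Example #1 WebMethod attributes, Example #2 variables assigned null, Example #3 the string ‘password’ across all nodes) are re-implemented here over a Roslyn syntax tree, so the same AST queries can run outside the O2 GUI. It assumes the Microsoft.CodeAnalysis.CSharp NuGet package and parses a constructed source snippet rather than a real HacmeBank file.

```csharp
// Added example, not part of the O2 Platform: the three 'Search AST' queries over a Roslyn tree.
// Assumes the Microsoft.CodeAnalysis.CSharp package is referenced.
using System;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

class AstSearchDemo
{
    // Constructed sample source (not a real HacmeBank file)
    const string Source = @"
using System.Web.Services;
public class AccountService
{
    [WebMethod]
    public string GetBalance(string password)
    {
        string token = null;
        object session;
        session = null;
        return token;
    }
}";

    static void Main()
    {
        var root = CSharpSyntaxTree.ParseText(Source).GetRoot();

        // Example #1: INode filter 'Attribute', search 'WebMethod' -> the web service entry points
        var webMethods = root.DescendantNodes().OfType<AttributeSyntax>()
            .Where(a => a.Name.ToString() == "WebMethod")
            .Select(a => a.Ancestors().OfType<MethodDeclarationSyntax>().First().Identifier.Text);

        // Example #2: INode filter 'Primitive', search 'Null' -> both 'T x = null' and later 'x = null'
        var nullInits = root.DescendantNodes().OfType<VariableDeclaratorSyntax>()
            .Where(v => v.Initializer?.Value.IsKind(SyntaxKind.NullLiteralExpression) == true)
            .Select(v => v.Identifier.Text);
        var nullAssigns = root.DescendantNodes().OfType<AssignmentExpressionSyntax>()
            .Where(a => a.Right.IsKind(SyntaxKind.NullLiteralExpression))
            .Select(a => a.Left.ToString());

        // Example #3: search on ALL INodes for 'password' -> every token containing the string, with its line
        var passwordHits = root.DescendantTokens()
            .Where(t => t.Text.IndexOf("password", StringComparison.OrdinalIgnoreCase) >= 0)
            .Select(t => $"{t.Text} (line {t.GetLocation().GetLineSpan().StartLinePosition.Line + 1})");

        Console.WriteLine("WebMethod entry points: " + string.Join(", ", webMethods));
        Console.WriteLine("Variables assigned null: " + string.Join(", ", nullInits.Concat(nullAssigns)));
        Console.WriteLine("'password' matches: " + string.Join(", ", passwordHits));
    }
}
```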

April 10, 2011 | .NET, .NET SAST

Custom O2 for .NET Static Analysis

I just consolidated the current O2 .NET Static Analysis scripts/controls into a separate GUI called ‘DotNet Static Analysis (Custom O2).h2’, which you can invoke from the main O2 Gui (or run directly from ‘C:\O2\O2Scripts_Database\_Scripts\_Custom_O2s’).

There are quite a lot of features exposed by this GUI: the O2 Static Analysis engine (Method Streams and Invocations), AST analysis, Reflection goodies, ASP.NET MVC support, ASP.NET compilation tools, etc.

This is what the GUI looks like (I call this a ‘Custom O2’):

Here is the full list of buttons/features available in this Custom O2 (list created using an O2 script 🙂 ):

Method Streams and Invocations:

  Method Streams:
    MethodStreams Creator
    MethodStreams Viewer

  Method Invocations:
    Util – Method Invocations Creator
    Util – Method Invocations Viewer (Simple)
    Util – Method Invocations Viewer (MethodStreams)
    Util – Method Invocations (Findings Creator)

AST & PoCs:

  Ast Utils:
    ascx_ViewAST
    ascx_SearchAST
    View SourceCode AST
    Convert VB.Net to CSharp.h2

  PoCs:
    O2_DotNet_Ast_Engine
    O2_DotNet_Ast_Scanner
    Util – Debug AST Rules
    Util – Edit AST Rules

Asp.Net MVC, AntiXss:

  Asp.Net MVC:
    Tool – View Asp.NET MCV controllers
    Tool – View Asp.NET MCV method streams and views
    Tool – Map method streams interfaces

  AntiXss Library:
    AntiXSS – Test multiple Encodings

.NET Utils:

  Reflection:
    View Assembly Attributes
    Mono Decompiler
    View .NET Assembly References Mappings

  .Net debug utils:
    SunOfStrikeApi

  ASP.NET:
    ViewState_Decoder (for ASP.NET 3.0)
    Aspx PoC Builder
    .Net AspNet Compiler
    Decompile ASPX pages compiled code

  Other:
    HacmeBank – Vulnerable Web Application (Custom O2)
    Visual Studio 2010 (Custom O2)
    Copy Gac Dlls (Wizard)

Misc Tools:

  Media Tools:
    open ScreenShot tool (Cropper)
    save Image From Clipboard (to temp file)
    save Image From Clipboard (to user’s location)

  Media Tools:
    Image Editor
    Movie Creator

  Files Utils:
    Map Files by Extension
    Quick File Search
    Simple Text Editor
    Search Engine

  O2 Utils:
    Execute Scripts
    Quick development GUI
    IE Automation
    CSharp String Encoder

  Windows Processes and Services:
    Stop Processes
    View Running Process Details
    Stop Services

  This Custom O2:
    Edit this Custom O2 Script
    Open a Log Viewer window

Finally here is the code that creates this GUI:

var title = ".Net Static Analysis";

// Create the ribbon-style 'Custom O2' window: each tab holds ribbon groups, and each group holds
// buttons that launch an O2 script (add_Script(buttonLabel, scriptFileName))
var ribbon = CustomO2.create(title, 1000,300);         // stand alone version
//var ribbon = CustomO2.create(panel.clear().add_Panel(),title);         // use when inside 'Quick Development GUI'

// Tab: O2 Static Analysis engine (Method Streams and Method Invocations)
var staticAnalysis  = ribbon.add_Tab("Method Streams and Invocations");
staticAnalysis.add_RibbonGroup("Method Streams")
    .add_Script("MethodStreams Creator","Util - MethodStreams Creator.h2")
    .add_Script("MethodStreams Viewer","Util - MethodStreams Viewer.h2");

staticAnalysis.add_RibbonGroup("Method Invocations")
    .add_Script("Util - Method Invocations Creator","Util - Method Invocations Creator.h2")
    .add_Script("Util - Method Invocations Viewer (Simple)","Util - Method Invocations Viewer (Simple).h2")
    .add_Script("Util - Method Invocations Viewer (MethodStreams)","Util - Method Invocations Viewer (MethodStreams).h2")
    .add_Script("Util - Method Invocations (Findings Creator)","Util - Method Invocations (Findings Creator).h2");

// Tab: AST utilities and proof-of-concept scanners
var ast  = ribbon.add_Tab("AST & PoCs");
ast.add_RibbonGroup("Ast Utils")
    .add_Script("ascx_ViewAST","ascx_ViewAST.cs")
    .add_Script("ascx_SearchAST","ascx_SearchAST.cs")
    .add_Script("View SourceCode AST","ascx_View_SourceCode_AST.cs.o2")
    .add_Script("Convert VB.Net to CSharp.h2", "Util - Convert VB.Net to CSharp.h2");

ast.add_RibbonGroup("PoCs")
    .add_Script("O2_DotNet_Ast_Engine","O2_DotNet_Ast_Engine.h2")
    .add_Script("O2_DotNet_Ast_Scanner","O2_DotNet_Ast_Scanner.h2")
    .add_Script("Util - Debug AST Rules","Util - Debug AST Rules.h2")
    .add_Script("Util - Edit AST Rules","Util - Edit AST Rules.h2");

// Tab: ASP.NET MVC mapping and the AntiXss library tester
var mvcAntiXss  = ribbon.add_Tab("Asp.Net MVC , AntiXss");
mvcAntiXss.add_RibbonGroup("Asp.Net MVC")
    .add_Script("Tool - View Asp.NET MCV controllers","Tool - View Asp.NET MCV controllers.h2")
    .add_Script("Tool - View Asp.NET MCV method streams and views","Tool - View Asp.NET MCV method streams and views.h2");

mvcAntiXss.add_RibbonGroup("AntiXss Library")
    .add_Script("AntiXSS - Test multiple Encodings", "AntiXSS - Test multiple Encodings.h2");

// Tab: reflection, debugging and ASP.NET helpers
var dotNetUtils  = ribbon.add_Tab(".NET Utils");
dotNetUtils.add_RibbonGroup("Reflection")
    .add_Script("View Assembly Attributes","ascx_AssemblyAttributes.cs.o2")
    .add_Script("Mono Decompiler","ascx_MonoDecompiler.cs.o2")
    .add_Script("View .NET Assembly References Mappings","Tool - View .NET Assembly References Mappings.h2");

dotNetUtils.add_RibbonGroup(".Net debug utils")
    .add_Script("SunOfStrikeApi","SunOfStrikeApi.h2");

dotNetUtils.add_RibbonGroup("ASP.NET")
    .add_Script("ViewState_Decoder (for ASP.NET 3.0)","Util - ViewState_Decoder_ASP.NET 3.0.h2")
    .add_Script("Aspx PoC Builder","Util - Aspx PoC Builder.h2")
    .add_Script(".Net AspNet Compiler","DotNet_AspNet_Compiler.cs")
    .add_Script("Decompile ASPX pages compiled code","Util - Decompile ASP.NET ASPX pages compiled code.h2");

dotNetUtils.add_RibbonGroup("Other")
    .add_Script("HacmeBank - Vulnerable Web Application (Custom O2)", "HacmeBank - Vulnerable Web Application (Custom O2).h2")
    .add_Script("Visual Studio 2010 (Custom O2)", "Visual Studio 2010 (Custom O2).h2")
    .add_Script("Copy Gac Dlls (Wizard)", "Wizard - CopyGacDlls.cs");

// Tab: the standard 'Misc Tools' tab shared by all Custom O2s
ribbon.add_Tab_MiscTools();
return ribbon;

// O2 script directives: source file compiled with this script and assembly references
//O2File:CustomO2.cs

//O2Ref:WindowsFormsIntegration.dll
//O2Ref:RibbonControlsLibrary.dll

March 9, 2011 | .NET, .NET SAST