O2 Config - Using DI to configure internal O2 static properties
Wednesday, November 11, 2009 at 9:53PM
Thursday, September 17, 2009 at 4:42PM Another WebEx on 'O2 Spring Mvc Module' tomorrow, 18 Sep (London time):
Topic: O2 Spring Mvc Module -18 Sep
Date: Friday, 18 September 2009
Time: 18:00, GMT Summer Time (London, GMT+01:00)
Meeting Number: 680 216 664
Meeting Password: O2Platform
-------------------------------------------------------
To join the online meeting (Now from iPhones too!)
-------------------------------------------------------
1. Go to https://ouncelabs.webex.com/ouncelabs/j.php?ED=116328347&UID=0&PW=NZjZkMGJmZmFm&RT=MTgjMjE%3D
2. Enter your name and email address.
3. Enter the meeting password: O2Platform
4. Click "Join Now".
To view in other time zones or languages, please click the link:
https://ouncelabs.webex.com/ouncelabs/j.php?ED=116328347&UID=0&PW=NZjZkMGJmZmFm&ORT=MTgjMjE%3D
-------------------------------------------------------
To join the audio conference only
-------------------------------------------------------
To receive a call back, provide your phone number when you join the meeting, or call the number below and enter the access code.
Call-in toll-free number (US/Canada): 866-469-3239
Call-in toll number (US/Canada): 1-650-429-3300
Global call-in numbers: https://ouncelabs.webex.com/ouncelabs/globalcallin.php?serviceType=MC&ED=116328347&tollFree=1
Access code: 680 216 664
-------------------------------------------------------
For assistance
-------------------------------------------------------
1. Go to https://ouncelabs.webex.com/ouncelabs/mc
2. On the left navigation bar, click "Support".
Wednesday, September 16, 2009 at 4:20PM WebEx on 'O2 Spring Mvc Module' at 6pm today (London time, i.e. in 1h 40m) open http://bit.ly/2i1R6m and use the password O2Platform
Monday, September 14, 2009 at 4:31PM I received last week a great set of OSA/O2 questions which are better answered here (see also the code samples at the end, which are good examples of the powerful O2 Findings filtering capabilities).
Question #1: Security knowledgebase and algorithm – more specific, detailed description of covered vulnerabilities and implementation is required to discover and analyze the gaps. For example, what kinds of SQL injections are covered by OSA? How are more general vulnerabilities, such as access control found?
OSA (which stands for Ounce Security Analysis and is part of the commercial products sold by Ounce Labs, soon to be an IBM Rational AppScan product) is a tool that, for .NET and Java, primarily finds Source-to-Sink data-flow vulnerabilities (it does more, but this is where it really adds value).
You can think of Ounce's engine as 'somebody' that will try to calculate ALL data paths between a Source of Taint data (Taint = malicious) and a Vulnerable Sink (i.e. a method that does something with security implications). Once you can really get your head around this concept, and see HOW POWERFUL it is to have an engine that does that, you will be able to think creatively about the engine's capabilities and REALLY get a LOT of value from it (I went from only using the Ounce engine and the materials it created in the beginning of my security review engagements, to using it (engine and materials) ALL the time). Just for reference, IBM has another (Java only) Source Code Analysis engine called AppScan Developer Edition which, although not as complete as Ounce+OSA, already performs full data-flow analysis (and even has a couple of extra goodies like dynamic+static analysis and support for global variables).
So, on the question of SQL Injection, the Ounce Engine (as long as it knows where the database methods and the sources of malicious (tainted) data are) will/should find all types of SQL Injection (from direct, to blind, to reflected). The problems usually occur because of that 'small' caveat: the requirement for Ounce (& other Code Analyzers) to know what the Sources and Sinks are. In fact a good number of O2 modules exist specifically to solve this problem.
Regarding Access Control vulnerabilities, they are hard to find 'out of the box' with OSA (& others), but using an OSA+O2 combination, in the past I have been able to successfully find them on real-world apps.
This question is quite general, so I think the answers below will help to answer it further.
Question #2: What functionality does O2 provide in addition to OSA capabilities?
There is quite a lot of extra functionality provided by O2 for OSA users (i.e. users that have access to an Ounce Scanning engine). Here are the main areas where O2 extends OSA capabilities (via powerful GUIs and Scriptable objects):
See OWASP O2 Platform - London Chapter - 3rd Sep 2009 and the O2 Modules presentation for more details about the different O2 modules.
Question #3: What tasks can be performed in O2 without OSA installation?
The main 'asset' that is lost without OSA is the ability to create the data-flow traces (O2 has a PoC 'call-flow from CIR' trace generation engine which works well for small projects) and the CIR creation for ASP Classic, VB 6, C++ and PHP (O2 already supports the creation of CIR for .NET and Java).
There is a very strong air-gap between O2 and the other commercial products O2 supports, where command line tools/scripts are used to trigger the scans and only the tool-generated materials (for example the *.ozasmt files) are imported/converted into O2's own data representation objects (which should soon be OWASP Schema Standards). One exception is Ounce's MySql Rules database, which in the current version of O2 is directly manipulated when creating Ounce's rules.
In practice this means that you are able to use O2 without Ounce installed, and:
One O2 Module that doesn't require the Ounce engine to create its main outputs is the Spring MVC module, which uses Jython & Javassist to parse the *.class files and map the Spring MVC controllers.
Question #4: Can data and control flows be analyzed by means of O2 only?
Data flows: NO (you need an engine like Ounce's, AppScan DE, Fortify or Cat.NET to perform data-flow analysis). Unfortunately there is NO open source tool that matches the capabilities and ease-of-use of the commercial tools, BUT, I have been looking at WALA (from IBM research and the basis of AppScan DE) and there is a lot of potential in there.
Control flow: the short answer is NO. That said, this will probably depend on what you mean by 'control flow'. If you are talking about (using WIKIPEDIA) "...refers to the order in which the individual statements, instructions, or function calls of an imperative or functional program are executed or evaluated..." then I don't think even the current commercial engines will do that (some try to figure out some of it, but none (to my understanding) does it very well). On the other hand, if you are trying to find control-flow-type vulnerabilities, for example Access Control where method X should be called before method Y, then I have successfully in the past been able to find and report these using a combination of "OSA Scans + CIR + Custom Scripts" (in fact, in quite a lot of cases I didn't need the OSA scans since the CIR had all the information/metadata required).
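As an added illustration of the two ideas in Question #1 and Question #4 (this is not O2 or Ounce code, and it is a toy model rather than a real engine): the first function enumerates every path from a registered taint source to a registered sink over a constructed data-flow graph, which also shows why the 'small caveat' matters, since a sink the engine has not been told about makes the flow into it invisible; the second function applies the 'method X must be called before method Y' access-control rule to constructed per-entry-point call sequences of the kind a CIR call map provides. Every method name and edge below is made up for the example, and it targets CPython 3 rather than IronPython.

```python
"""Toy source-to-sink and call-order checks over constructed program metadata.

Added example, not O2/Ounce code. It models what a data-flow engine computes
(all paths from a tainted source to a vulnerable sink) and the 'X must be
called before Y' style of access-control check over call sequences.
"""
from collections import defaultdict

# Constructed data-flow graph: an edge (a, b) means the value of a flows into b
# (assignment, parameter passing, string concatenation, return value).
FLOW_EDGES = [
    ("Request.getParameter:address", "Profile.address"),
    ("Profile.address", "ProfileDao.update:sql"),
    ("ProfileDao.update:sql", "Statement.execute:sql"),
    ("Request.getParameter:name", "Login.name"),
    ("Login.name", "Login.greeting"),
    ("Login.greeting", "Response.write:text"),
    ("Config.getDbUser", "ProfileDao.update:sql"),   # not user-controlled: no finding
]

# What the engine has been told about the code: only these count as taint
# sources and vulnerable sinks (hypothetical rule set for the example).
DEFAULT_SOURCES = {"Request.getParameter:address", "Request.getParameter:name"}
DEFAULT_SINKS = {"Statement.execute:sql": "SQL Injection",
                 "Response.write:text": "Cross-Site Scripting"}


def build_graph(edges):
    """Adjacency list: node -> list of nodes its value flows into."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def source_to_sink_paths(edges, sources, sinks):
    """Return [(vulnerability, path)] for every path from a source to a sink.

    The engine only 'knows' what it is told: a sink missing from `sinks`
    makes every flow into it invisible, which is the caveat in the text.
    """
    graph = build_graph(edges)
    found = []

    def walk(node, path, seen):
        if node in sinks:
            found.append((sinks[node], tuple(path)))
        for nxt in graph.get(node, []):
            if nxt not in seen:                 # guard against cycles in the graph
                walk(nxt, path + [nxt], seen | {nxt})

    for src in sorted(sources):                 # sorted so the output is stable
        walk(src, [src], {src})
    return found


# Constructed call sequences per entry point, in call order (what a CIR-style
# call map gives you without needing a data-flow scan).
CALL_SEQUENCES = {
    "Profile.doPost": ["Request.getParameter", "Auth.requireLogin", "ProfileDao.update"],
    "Admin.deleteUser": ["Request.getParameter", "UserDao.delete"],
    "Report.view": ["Auth.requireLogin", "Auth.requireRole", "ReportDao.load"],
}


def missing_guard(call_sequences, guard, protected):
    """Entry points that reach a protected method without having called the
    guard method earlier in the same sequence (the 'X before Y' rule)."""
    violations = []
    for entry, calls in call_sequences.items():
        for i, callee in enumerate(calls):
            if callee in protected and guard not in calls[:i]:
                violations.append((entry, callee))
    return violations


if __name__ == "__main__":
    for vuln, path in source_to_sink_paths(FLOW_EDGES, DEFAULT_SOURCES, DEFAULT_SINKS):
        print(vuln + ": " + " -> ".join(path))
    # Same code and graph, but the SQL sink was never registered: the injection
    # path silently disappears from the results.
    only_xss = {k: v for k, v in DEFAULT_SINKS.items() if v != "SQL Injection"}
    print(len(source_to_sink_paths(FLOW_EDGES, DEFAULT_SOURCES, only_xss)),
          "path(s) found when the SQL sink is unknown to the engine")
    for entry, callee in missing_guard(CALL_SEQUENCES, "Auth.requireLogin",
                                       {"ProfileDao.update", "UserDao.delete"}):
        print("missing login check: %s calls %s" % (entry, callee))
```

The `Config.getDbUser` edge flows into the same SQL sink but produces no finding because it is not a declared source, which is the other half of the sources-and-sinks caveat: the rule set, not the engine, decides what is reported.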
Question #5: Is O2 API documentation available?
Not really :(
At the moment the source code and the O2 Tools are the best sources to understand O2's APIs. The most up-to-date information about O2 modules is here O2 Modules presentation (but even that doesn't include details about the O2 APIs)
To be honest, part of the problem is the lack of requests for the O2 API to be documented, so if you have specific requirements, please ask and put pressure on and we'll get it done.
Question #6: Is it possible to scan source code prior to compilation?
No, Ounce's scanner works at bytecode level (for both .NET and Java), so in fact compiled code (*.dll or *.class / *.jar) are more important than source code (at least since Ounce released its version 6.x). That said, for the analysis phase, it is very important to have the source code references.
Note: one of my favorite O2 modules is the O2_Tool_SearchEngine, which works at source code level (but that O2 module is just a RegEx tool).
Question #7: Some applications, such as ASP.NET Web sites do not have DLL or solution files available. How can such applications be scanned?
You will need to precompile them. If you scan an ASP.NET solution file from OSA, the scanning engine will (before the scan starts) run the built-in ASP.NET tool aspnet_compiler to create those DLLs (the resulting files are currently placed inside the Ounce Bin folder). I have already added this (ASP.NET compile) capability to the O2 APIs but have not mapped it to a GUI (let me know if you want that).
The same happens for Java's JSP files.
The problem is when the application uses a VIEW technology that DOESN'T create *.class files (for example Java Velocity or JSF), which is why I have started the development of custom O2 modules to handle those cases.
Question #8: Does OSA or O2 support scanning of configuration files (like Web.Config or web.xml)?
If by scanning you mean parsing those files and understanding their content in context with the data-flow findings generated, then for OSA the answer is NO.
If by scanning you mean running a regex on those files and finding cases where Debug is enabled or there is a hard-coded password in a web.config file, then the answer for OSA is YES.
On O2, although there is NOT a tool to automatically parse web.config or web.xml files (again we just need a strong case to develop it), parsing config files is something I do ALL THE TIME. In fact for some Spring MVC configurations, that is the only way to find the controllers.
What I would really like to see happening in the short term is the development of a number of 'add-ons' to a (not yet developed) O2 Config Files module which would be able to 'understand' the security implications of the config files used.
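An added example of the regex/XML style of config-file checking described in this answer (it is not an O2 module, and the web.config content is constructed): it flags compilation debug="true", customErrors mode="Off", and hard-coded passwords in connection strings and appSettings. The element names are the standard ASP.NET ones; the severity labels and the key-name pattern for appSettings are my own choices.

```python
"""Added example (not an O2 module): flag risky settings in an ASP.NET web.config.

The web.config text below is constructed for the example; the checks are the
'regex over the config file' kind the answer above describes, done with the
standard library XML parser so element context is not lost.
"""
import re
import xml.etree.ElementTree as ET

# Constructed web.config (not from any real application).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SmtpServer" value="mail.internal" />
    <add key="SmtpPassword" value="letmein" />
  </appSettings>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=db1;Database=app;User Id=app;Password=Summer2009!" />
    <add name="Audit"
         connectionString="Server=db2;Database=audit;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="3.5" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Password=... or Pwd=... inside a connection string (the value runs to the next ';').
PASSWORD_IN_CONNSTR = re.compile(r"(?:password|pwd)\s*=\s*([^;]+)", re.IGNORECASE)
# appSettings keys that usually hold a secret (heuristic chosen for this example).
SECRET_KEY_NAME = re.compile(r"pass(word)?|pwd|secret", re.IGNORECASE)


def first(root, tag):
    """First element with this exact tag anywhere under root, or None."""
    return next(root.iter(tag), None)


def check_web_config(xml_text):
    """Return [(severity, location, message)] for the risky settings found."""
    root = ET.fromstring(xml_text)
    issues = []

    comp = first(root, "compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        issues.append(("Medium", "system.web/compilation",
                       'debug="true": debug builds and detailed errors in production'))

    # ASP.NET's default for a missing mode attribute is RemoteOnly, so only an
    # explicit "Off" is reported.
    errs = first(root, "customErrors")
    if errs is not None and errs.get("mode", "RemoteOnly").lower() == "off":
        issues.append(("Medium", "system.web/customErrors",
                       'mode="Off": stack traces are shown to remote clients'))

    cs_section = first(root, "connectionStrings")
    for add in (cs_section.findall("add") if cs_section is not None else []):
        match = PASSWORD_IN_CONNSTR.search(add.get("connectionString", ""))
        if match and match.group(1).strip():
            issues.append(("High", "connectionStrings/%s" % add.get("name"),
                           "hard-coded password in connection string"))

    app = first(root, "appSettings")
    for add in (app.findall("add") if app is not None else []):
        key, value = add.get("key", ""), add.get("value", "")
        if SECRET_KEY_NAME.search(key) and value:
            issues.append(("High", "appSettings/%s" % key,
                           "hard-coded secret in appSettings"))
    return issues


if __name__ == "__main__":
    for severity, location, message in check_web_config(SAMPLE_WEB_CONFIG):
        print("[%s] %s: %s" % (severity, location, message))
```

Integrated-security connection strings (the `Audit` entry) carry no password and are not reported, which is the 'understanding the content in context' step a plain regex over the whole file would get wrong.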
Question #9: Can express editions of Microsoft Visual Studio be used along with OSA and O2?
You can't import Express edition solution files into OSA (which is annoying since importing *.sln files is a great feature), BUT you can scan the *.dlls created by them.
A cool little O2 tool would be one that grabbed these VS Express *.sln files and automatically created the *.paf (Ounce project application) files (the plumbing is already in O2, and there are a number of very cool .NET parsing capabilities it supports (thx to Mono Cecil)).
Question #10: What is the required combination of OSA and O2 usage for the following assessment use case: It is required to write script that finds all instances of string variables with name “password” in the application so that these variables are accepted as user input and are written to the database.
There are multiple ways you could write this script today using multiple o2 modules.
I've used Ounce OSA's WebGoat scan results (which you can download from here), and (so that I have results to show you) I modified your question to (changes in bold): "find all instances of string variables or getParameters with "address" in the name so that these variables are accepted as user input and are written to the database."
Here are a couple examples:
using the O2_Tool_FindingsQuery O2 Module
from O2Finding finding in o2Findings where (finding.SourceContext.IndexOf("address") > -1 && finding.Sink.IndexOf("sql") > -1) select finding
using the O2_Tool_FindingsViewer O2 Module
using the O2_Tool_Python to write a Python script:
print "**************************************************************"
print "This is an IronPython O2 Script"
print " that will load webgoat.ozasmt, filter it and create a new *.ozasmt file "
print " with the results "
print "**************************************************************"
import clr
import sys
# Make the O2 binaries resolvable, then load the assemblies this script uses
sys.path.append(r"C:\O2\_Bin_(O2_Binaries)")
clr.AddReference("O2_Kernel")
clr.AddReference("O2_DotNetWrappers")
clr.AddReference("O2_ImportExport_OunceLabs")
from O2.Kernel.Interfaces.Ozasmt import *
from O2.DotNetWrappers.O2Findings import *
from O2.ImportExport.OunceLabs.Ozasmt_OunceV6 import *
from System.Collections.Generic import *

targetAssessmentFile = ur"C:\O2\O2 Data\Saved assessment files\WebGoat.ozasmt"

def filterFindings_usingForEachLoop():
    print " ... in filterFindings_usingForEachLoop ..."
    # Load the Ounce v6 assessment file into O2's own findings representation
    o2Assessment = O2Assessment(O2AssessmentLoad_OunceV6(), targetAssessmentFile)
    print "Assessment file loaded with %s findings" % o2Assessment.o2Findings.Count
    results = List[IO2Finding]()
    # Keep only the findings whose source context mentions 'address'
    for o2Finding in o2Assessment.o2Findings:
        if o2Finding.SourceContext.find("address") > -1:
            results.Add(o2Finding)
    print "There are %s findings that match filter" % results.Count
    # Wrap the filtered findings in a new assessment and save it as a *.ozasmt file
    newAssessmentFile = O2Assessment(results)
    savedFile = newAssessmentFile.save(O2AssessmentSave_OunceV6())
    print "Filtered results saved to: %s" % savedFile

filterFindings_usingForEachLoop()
print "... all done ..."
using the O2_Tool_Python to write a C# script (the first method is the same as the Python script above (loads, filters and saves), the 2nd uses C# Linq (loads, filters and shows results in the O2 GUI)):
using System;
using System.Linq;
using System.Collections.Generic;
using O2.DotNetWrappers.O2Findings;
using O2.Kernel.Interfaces.O2Core;
using O2.Kernel.Interfaces.Ozasmt;
using O2.ImportExport.OunceLabs.Ozasmt_OunceV6;
using O2.Views.ASCX.O2Findings;

namespace O2.Views.ASCX.SourceCodeEdit.ScriptSamples
{
    public class FilterFindingExample
    {
        public static IO2Log log = O2.Kernel.PublicDI.log;
        public static string targetAssessmentFile = @"C:\O2\O2 Data\Saved assessment files\WebGoat.ozasmt";

        // Same steps as the Python script: load, filter on SourceContext, save as *.ozasmt
        public static void filterFindings_usingForEachLoop()
        {
            var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), targetAssessmentFile);
            log.info("Assessment file loaded with {0} findings", o2Assessment.o2Findings.Count);
            var results = new List<IO2Finding>();
            foreach (O2Finding o2Finding in o2Assessment.o2Findings)
                if (o2Finding.SourceContext.IndexOf("address") > -1)
                    results.Add(o2Finding);
            log.info("There are {0} findings that match filter", results.Count);
            var newAssessmentFile = new O2Assessment(results);
            var savedFile = newAssessmentFile.save(new O2AssessmentSave_OunceV6());
            log.info("Filtered results saved to: {0}", savedFile);
        }

        // Same filter expressed as a Linq query, with the results opened in the O2 Findings Viewer
        public static void filterFindings_usingLinq()
        {
            var o2Assessment = new O2Assessment(new O2AssessmentLoad_OunceV6(), targetAssessmentFile);
            log.info("Assessment file loaded with {0} findings", o2Assessment.o2Findings.Count);
            var results = from O2Finding finding in o2Assessment.o2Findings
                          where finding.SourceContext.IndexOf("address") > -1
                          select (IO2Finding)finding;
            log.info("There are {0} findings that match filter", results.ToList().Count);
            ascx_FindingsViewer.openInFloatWindow(results.ToList());
        }
    }
}
Saturday, September 5, 2009 at 10:57AM Just posted the (65 slide) OWASP O2 Framework presentation I delivered last Thursday @ the London OWASP Chapter event: OWASP O2 Platform - London Chapter - 3rd Sep 2009.pdf (5.9M)
Lots of new content and ideas.
Let me know what you think