[Owasp-codereview] ASP Code Review

dinis cruz dinis.cruz at owasp.org
Fri Mar 13 09:09:27 EDT 2009


<commercial plug>

  ...if you are looking for commercial solutions, OunceLabs code scanner
supports ASP Classic..

</commercial plug>

<opensource plug>

  .. the problem is that due to the architecture of the ASP Classic language
(as in no real support for classes and wide use of includes) these scanners
(Ounce's included) tend to find stupid amounts of real vulnerable paths (as
in 15k+) which are technically correct, but tend to be mostly the same pattern
(same call flows using different files)

So, to deal with these findings and quickly identify the unique insecure
patterns (which are usually only in the 10x number) you should use the
modules from the open source toolkit that I have been developing for the last
year which is called O2 and you can get from http://www.o2-ounceopen.com (for
example my latest filtering module 'Ozamst Query' is able to load 300mb of
assessments in minutes and run dynamic user created Lambda queries in
seconds :)  )

Note, if you are aware of an open source ASP Classic scanner, please let me
know and I will integrate it with O2 (to see how other scanning engines can
be used and controlled by O2, checkout the MsCatNet module which uses the
Microsoft Cat.Net security scanner to scan the code and then converts its
results into Ounce/O2 saved findings assessment format (Ozasmt))

</opensource plug>

Dinis Cruz

On 12 Mar 2009, at 23:07, Andre Gironda <andreg at gmail.com> wrote:
>
>
>  On Thu, Mar 12, 2009 at 3:13 PM, Paul <lopo1 at hotmail.com> wrote:
>>
>>> I was hoping one could quickly point me to any tools for Classic ASP Code
>>> review (if any exist since I have already tried to find some).
>>>
>>
>> Depends on the deployment characteristics.  There were a lot of ISAPI
>> problems such as buffer overflows and information disclosures, but
>> these could usually easily be thwarted by making sure that you have
>> your unused ISAPI extensions unmapped.
>>
>> IISLockdown and URLScan were good tools to help.  I know that Dinis
>> Cruz had a long list once, filled with tasty items such as the IIS
>> Metabase tools: MetaAcl.exe and MtaEdt22.exe
>>
>> Nish Bhalla was a contributing author to Hacking Exposed Web App 2nd
>> Ed, where in Chapter 12, page 416, he demonstrates "An Example of
>> Binary Analysis" using OllyDbg.  Here is the code -
>> http://webhackingexposed.com/secret.zip
>>
>> Also see:
>>
>> http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/iisbook/c06_active_server_pages.mspx?mfr=true
>> http://w3schools.com/asp/
>>
>>> Additionally, any other resources on ASP security are also welcome.
>>
>> how about owASP.org ?
>> e.g. http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
>>
>> Cheers,
>> dre
>
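As an added illustration of the "many paths, few patterns" point Dinis makes above (example code written for this page, not part of O2, Ounce, Cat.Net or any other tool named in the thread): a small Python scanner over constructed Classic ASP snippets that flags SQL strings built by concatenating `Request` values, then collapses the findings to their unique call shape so the reviewer triages patterns instead of paths.

```python
import re
from collections import defaultdict

# Constructed sample pages (not real code): two share the same insecure shape,
# user input concatenated straight into a SQL string; the third parameterizes.
SAMPLE_FILES = {
    "login.asp": '''<%
sql = "SELECT * FROM users WHERE name='" & Request.Form("user") & "'"
%>''',
    "search.asp": '''<%
strSQL = "SELECT * FROM items WHERE title LIKE '%" & Request.QueryString("q") & "%'"
%>''',
    "report.asp": '''<%
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM reports WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , Request("id"))
%>''',
}

# A SQL string literal followed on the same line by concatenation of a Request value.
SQL_CONCAT = re.compile(
    r'"\s*(?:SELECT|INSERT|UPDATE|DELETE|EXEC)\b[^"]*"\s*&\s*'
    r'(Request(?:\.(?:Form|QueryString|Cookies|ServerVariables))?\s*\(\s*"[^"]*"\s*\))',
    re.IGNORECASE,
)

def normalize(line):
    """Reduce a flagged line to its call shape so the same pattern in different files merges."""
    pat = re.sub(r'"[^"]*"', '"<str>"', line)                  # literal contents
    pat = re.sub(r'\bRequest(?:\.\w+)?\s*\(', 'Request(', pat)  # which Request collection
    pat = re.sub(r'\b[A-Za-z_]\w*\s*=', 'VAR =', pat)           # assigned variable name
    return re.sub(r'\s+', ' ', pat).strip()

def scan(files):
    # One finding per flagged line: file, line number, tainted source, normalized pattern.
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = SQL_CONCAT.search(line)
            if m:
                findings.append({"file": name, "line": lineno,
                                 "source": m.group(1), "pattern": normalize(line)})
    return findings

def unique_patterns(findings):
    """Group findings by pattern: the unique shapes are what a reviewer actually triages."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["pattern"]].append(f"{f['file']}:{f['line']}")
    return dict(groups)
```

Run against a real tree the same way (read each `.asp` into the dict); the normalization rules are where you encode what counts as "the same pattern" for your code base.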