[Owasp-o2-platform] CAT.NET

Erlend Oftedal erlend at oftedal.no
Tue Dec 1 10:20:46 EST 2009


It might very well be because it's scanning one file at the time. Can I 
have it scan them all at the same time from the O2 Cat.net scanner? I've 
used "Scan a dll or a precompiled website", and then dropped the web site 
folder into the left hand box. But when I hit the "scan all targets" 
button, it seems to analyse the two dlls separately.

I put the project here: http://erlend.oftedal.no/blog/dropbox/ Basically 
it's just a simple page with one XSS directly in the code behind and one 
through an assembly.

Scripting is definitely interesting. In the long run I want to run the 
scanner as a part of the continuous integration so I can have new reports 
ready each morning, and maybe also parse some of the contents to have it 
break the build if there are any serious issues.

Regarding the conversion, the names seem a bit weird. It says stack1 := 
stack1.{System.Web.HttpRequest}.getParams(). It might just be me not 
understanding how this is to be used, but it would probably be easier to 
get an overview if "stack1" was replaced with the class name or something a 
bit more contextual.

I haven't been able to bring up the visualization graphs. How do I do 
that?

I have not yet manipulated the rules or looked at the .NET 4.0 version 
(I'm still on .NET 3.5).

Erlend



On Tue, 1 Dec 2009, Dinis Cruz wrote:

> Hi Erlend
>
> Can you resend that solution file? I don't seem to have it? I want to see if
> I can replicate your problem (it could be due to only scanning one file at
> the time)
>
> Have you tried to script O2 & Cat.NET? The new XRule module (
> http://deploy.o2-ounceopen.com/O2_Tool_XRules/) will make this very easy :)
>
>
> Do you have any feedback on the conversion from Cat.NET results into
> O2Finding format? I am going to use very soon CAT.NET on a project and if
> you have any ideas/requests about O2 & Cat.Net, now would be the best time
> :)
>
> Also have you looked and manipulated Cat.NET rules? What about its
> visualization graphs?
>
> Finally , what does the new version (.NET 4.0 dependent)  results look like?
> Are they much better than the previous version?
>
> Dinis Cruz
>
> On Tue, Dec 1, 2009 at 9:48 AM, Erlend Oftedal <erlend at oftedal.no> wrote:
>
>>
>> Hi Dinis
>>
>> I just tested it with CAT.NET 1.1.1.9, and it seems to work as well as
>> with the old version.
>> I still have a problem though. I sent you a small solution earlier. The
>> solution had two XSS-errors, and CAT.NET finds both errors if I run it in
>> Visual Studio, but if I use the O2 Scanner, it only finds one of
>> them.
>> I am able to work around it by importing the VS CAT.NET report into the
>> ozasmt converter. Then I can see both of them in the findings viewer.
>>
>> Erlend
>>
>>
>>
>> On Wed, 25 Nov 2009, Erlend Oftedal wrote:
>>
>>
>>> Thanks! I'll check it out, and also test it with the new CAT.NET version
>>> if I can get it working.
>>> I'll get back to you once I have any results.
>>>
>>> Erlend
>>>
>>> On Wed, 25 Nov 2009, Dinis Cruz wrote:
>>>
>>>> Hi Erlend
>>>>
>>>> Are you talking about the just released version of CAT.NET or the
>>>> previous version (v1)?
>>>>
>>>> For the previous version of CAT.NET (download it from here:
>>>> http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
>>>> ) you can use the "O2 Scanner - MsCatNet" Module to trigger the scans and
>>>> run the conversion of its results into O2 Finding's format. For reference
>>>> here is how you can get this module:
>>>>
>>>>  - ClickOnce (web install):
>>>>    http://deploy.o2-ounceopen.com/O2_Scanner_MsCatNet/
>>>>  - MSI (offline install):
>>>>    http://deploy.o2-ounceopen.com/_O2_MSI_Installers/O2_Scanner_MsCatNet.msi
>>>>  - All O2 Binaries:
>>>>    http://deploy.o2-ounceopen.com/_O2_MSI_Installers/_Bin_(O2_Binaries)%20%2009-Nov-09.zip
>>>>
>>>> A nice feature of that O2 Module is that you can just point it to a
>>>> directory (for example the "Temporary ASP.NET files" folder) and fire a
>>>> CAT.NET scanner on all assemblies found :)
>>>>
>>>> I have not completed my tests of using O2 with the latest version of
>>>> CAT.NET.
>>>> Has anybody here used this latest CAT.NET release? If so, what is the
>>>> current capabilities parity with the previous version?
>>>>
>>>> Dinis
>>>>
>>>> On Mon, Nov 23, 2009 at 7:38 PM, Erlend Oftedal <erlend at oftedal.no>
>>>> wrote:
>>>>
>>>>
>>>>> Hi
>>>>>
>>>>> Can someone help me get started with O2 and CAT.NET?
>>>>> In the previous version I could invoke the scanner from an O2 module,
>>>>> but this module does not seem to be included anymore.
>>>>>
>>>>> I guess the main question is: How do I import the CAT.NET results into
>>>>> O2?
>>>>>
>>>>> Best regards
>>>>> Erlend Oftedal
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-o2-platform mailing list
>>>>> Owasp-o2-platform at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>>>>
>>>>>
>>>
>>>
>