[Owasp-o2-platform] Rough notes from call last night also on 02 blog http://www.o2-ounceopen.com/o2-power-users/

Matt Parsons mparsons1980 at gmail.com
Wed Nov 25 07:57:40 EST 2009


http://www.o2-ounceopen.com/o2-power-users/

Last night I was able to attend most of Dinis's midnight training call. We
had a few excited people on the call. I learned something new with the web
conference program Dimdim. These are some rough notes, so feel free to
edit and change.

One of the aspects of O2 that we were discussing was using CIR and dragging
and dropping DLLs to make a trace. It has the calls and then switches to
function info. This is an example of a bigger tree.

XRules O2 was a hot topic last night. This function was added by a graph
of who calls. In the use case example we had a web service. In the
findings there was a web service call all the way down.

Dinis keeps on preaching that O2 is designed when a consultant has a need.
The workflow may be from A to B to F. We also need to overhaul our
documentation so more people see the value of O2 and then give them examples
of workflows that you can use.

I just got off the phone with O2, and Dinis's vision is for O2 to be the tool
that everyone uses for multiple problems. If you use grep, use O2 for grep
on steroids.

Rules manager is when we can open up a file to scan and load HacmeBank.
CLR viewer is embedded in rules manager.

For example, look at any module like rules manager. All of these projects
start with a shell O2 GUI. You can load the DLL CIR data. This can be
created from Java.

The rules manager main is call flow and tracking for reverse mapping. 

XRules allows easy workflow with drag and drop DLL based on call flow.
Show how flow of code can happen. This is another view of all the
findings. These are the steps to create a path of the application.

Dinis showed an example of a rule for O2 and map calls vulnerable to SQL
injection. You could mark this as a sink type SQL injection.

Do a call flow scanner. ID of O2 scans is to give you a rule to apply to
rules. Have rules and apply them to source. The source of tainted data
place using. What we want to do is create a new trace. Sink save that
Ounce tries to follow. The patterns for source and sink have a lot of
similarities.

Trace tools do not work for a million-line-of-code application. There
are a bunch of sources and sinks. Apply sources and sinks to all traces.

Lost sink has no marking for it. We want to grab all of these guys. Mark
from a data point of view. We want to edit the rule with an O2 layer call.
What O2 has done is create traces that start in one place and end somewhere
else.

I would like to define and look for potentially dangerous, back it up to
source.

What flows produce vulnerabilities? Have a default. The rule associated
with Ounce is closed.

One of the questions posed was: are there any legal ramifications of patents
using O2?

There is a massive air gap between O2 and Ounce. The new generation of
rules will create a lot more workflow. Not really a tool process but
intersecting rules and possibly selling rules. We need to have an open
community rule set that is downloaded and rocks authorization. Find in O2
the problem was solved by mapping all sinks and sources.

Part problem going to be a lot slower rules definition, not a hard level.
Identify stuff to start with patterns.

The first example is to find a call flow from that rule that we map from the
outside. Once you know the pattern you can run a script against it.

O2 Spring MVC.

Spring MVC is when you can grab a compiled class and drag and drop. This
file is converted using Jython.

Dinis was showing the vulnerable code in Spring MVC with the getPet
function. Spring MVC controllers. Load up the URL in the module and
exploit Spring MVC.

View data and invoke to pet objects over to owner object. Edit Eduardo.
Pets[0], name NEW Name. Dinis then put a payload on name: <IMG
SRC=javascript:alert('XSS')>

Betty Davis is user 2. So we modify id and send pet.

Rules manager. The only module that has this functionality is Spring MVC.

Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office

mailto:mparsons1980 at gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting
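The notes above describe O2/Ounce style tracing: rules mark methods as sources and sinks, a trace is a call flow that starts at a source and ends at a sink, and a "lost sink" is one no trace reaches. The following Python is an added illustration of that model, not O2 code and not its API; the call graph, the rule format and all method names are constructed.

```python
import re

# Constructed call graph (caller -> callees) of a toy web service; not O2 data or O2's API.
CALL_GRAPH = {
    "PetController.getPet(HttpRequest)": ["PetService.find(String)", "Logger.info(String)"],
    "PetService.find(String)": ["PetDao.query(String)"],
    "PetDao.query(String)": ["SqlCommand.ExecuteReader(String)"],
    "OwnerController.update(HttpRequest)": ["OwnerService.save(String)"],
    "OwnerService.save(String)": ["SqlCommand.ExecuteNonQuery(String)"],
    "ReportJob.run()": ["SqlCommand.ExecuteScalar(String)"],
}
# Hypothetical rule format: (tag, regex over the method signature).
RULES = [
    ("source", r"Controller\.\w+\(HttpRequest\)"),  # request handlers carry tainted input
    ("sink", r"SqlCommand\.Execute\w+\("),          # SQL execution is the injection sink
]

def mark_nodes(graph, rules):
    """Apply every rule to every method in the graph; returns method -> set of tags."""
    nodes = set(graph).union(*graph.values())
    return {n: {tag for tag, pat in rules if re.search(pat, n)} for n in nodes}

def find_traces(graph, marks):
    """Walk the call flow from each source; a trace ends at the first sink reached."""
    traces = []
    for src in sorted(n for n, tags in marks.items() if "source" in tags):
        stack = [[src]]
        while stack:
            path = stack.pop()
            node = path[-1]
            if "sink" in marks[node] and node != src:
                traces.append(path)
                continue
            for callee in graph.get(node, []):
                if callee not in path:  # do not loop on recursive calls
                    stack.append(path + [callee])
    return traces

def lost_sinks(marks, traces):
    """Sinks that no trace reaches: candidates for a new source rule or manual review."""
    reached = {t[-1] for t in traces}
    return sorted(n for n, tags in marks.items() if "sink" in tags and n not in reached)

if __name__ == "__main__":
    marks = mark_nodes(CALL_GRAPH, RULES)
    traces = find_traces(CALL_GRAPH, marks)
    for trace in traces:
        print(" -> ".join(trace))
    print("lost sinks:", lost_sinks(marks, traces))
```

Running it lists the two controller-to-SQL traces and reports `SqlCommand.ExecuteScalar(String)` as a lost sink, since `ReportJob.run()` matches no source rule.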

From: owasp-o2-platform-bounces at lists.owasp.org
[mailto:owasp-o2-platform-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Wednesday, November 25, 2009 6:20 AM
To: owasp-o2-platform at lists.owasp.org
Subject: [Owasp-o2-platform] 25-nov-09: Current Issues list

Hi, I've started adding bugs/defects, features requests and documentation
requests to the O2's Bug / Issue tracking system (see
http://code.google.com/p/o2platform/issues/list).

Here are the current open entries (with many more to come :) ), and
remember that you should also be using this to log your problems, ideas or
requests:

Defect

* Issue 2 - O2 XRules: Findings Viewer doesn't allow Source Code mappings resolution <http://code.google.com/p/o2platform/issues/detail?id=2>

Feature

* Issue 3 - O2 XRules: Unit test execution GUI tweaks <http://code.google.com/p/o2platform/issues/detail?id=3>
* Issue 5 - New O2 Module: Findings Manager <http://code.google.com/p/o2platform/issues/detail?id=5>
* Issue 7 - Submit O2 Bugs and Feature Requests directly from O2 modules <http://code.google.com/p/o2platform/issues/detail?id=7>
* Issue 8 - O2 GUI - Create Rohit's GUI PoC <http://code.google.com/p/o2platform/issues/detail?id=8>
* Issue 9 - Introduce O2 Wizards (and use it to replace some modules) <http://code.google.com/p/o2platform/issues/detail?id=9>

Documentation

* Issue 3 - How to: Traces joins on Get and Set pairs (O2 User Request) <http://code.google.com/p/o2platform/issues/detail?id=3>
* Issue 10 - Clarify O2's current relationship with Fortify, what currently works and what is on the pipeline <http://code.google.com/p/o2platform/issues/detail?id=10>
* Issue 11 - Document the Spring MVC security vulnerabilities (namely the examples presented at AppSecDC) <http://code.google.com/p/o2platform/issues/detail?id=11>
* Issue 12 - What was the rationale for creating a new GUI? <http://code.google.com/p/o2platform/issues/detail?id=12>

Issues closed this week:

* Issue 1 - O2 XRules: don't require recompilation before XRules cmd line execution <http://code.google.com/p/o2platform/issues/detail?id=1>

Help request: I created the links above manually and it was a pain. This means
that I need an XRule that goes to the current lists page
(http://code.google.com/p/o2platform/issues/list) or the CSV download
(http://code.google.com/p/o2platform/issues/csv), parses it and
creates the HTML code. There are several O2 APIs that can be used here, so
if you have some cycles, why don't you try to write an XRule that does this?

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
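The help request above asks for a script that turns the issue list (or its CSV download) into the HTML list in the message. The Python below is an added example of that parse-and-render step; it is not an XRule, does not use O2's APIs, and works over a constructed CSV sample whose column names (ID, Type, Status, Summary) are an assumption rather than the real tracker export format. Summaries are HTML-escaped before rendering so text typed into the tracker cannot inject markup into the generated page.

```python
import csv
import html
import io
from collections import defaultdict

# Constructed sample of an issue-tracker CSV export; column names are assumed.
SAMPLE_CSV = """ID,Type,Status,Summary
2,Defect,Open,XRules : Findings Viewer doesn't allow Source Code mappings resolution
3,Feature,Open,XRules : Unit test execution GUI tweaks
5,Feature,Open,New O2 Module: Findings Manager
10,Documentation,Open,"Clarify O2's current relationship with Fortify, what currently works and what is on the pipeline"
1,Defect,Closed,XRules: don't require recompilation before XRules cmd line execution
"""

# Per-issue detail page, as linked in the message.
DETAIL_URL = "http://code.google.com/p/o2platform/issues/detail?id={}"

def parse_issues(text):
    """Parse the CSV export into a list of dicts, converting the ID to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ID"] = int(row["ID"])
    return rows

def group_by_type(issues, status="Open"):
    """Keep issues with the given status, grouped by Type and sorted by ID."""
    groups = defaultdict(list)
    for issue in issues:
        if issue["Status"] == status:
            groups[issue["Type"]].append(issue)
    return {t: sorted(v, key=lambda i: i["ID"]) for t, v in sorted(groups.items())}

def render_html(groups):
    """Emit a heading and a linked list per type; all tracker text is escaped."""
    out = []
    for issue_type, issues in groups.items():
        out.append("<h3>{}</h3>\n<ul>".format(html.escape(issue_type)))
        for i in issues:
            link = html.escape(DETAIL_URL.format(i["ID"]), quote=True)
            out.append('<li><a href="{}">Issue {}</a> - {}</li>'.format(
                link, i["ID"], html.escape(i["Summary"])))
        out.append("</ul>")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_html(group_by_type(parse_issues(SAMPLE_CSV))))
```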
