[Owasp-o2-platform] Rough notes from call last night also on 02 blog http://www.o2-ounceopen.com/o2-power-users/

Dinis Cruz dinis at ddplus.net
Wed Nov 25 08:16:10 EST 2009


I asked Matt to post his rough notes since, as I expected, there are quite a
number of good snippets in there.

I just made a couple of formatting changes and added some links to the O2
modules he mentions:
https://www.o2-ounceopen.com/o2-power-users/2009/11/25/dinis-cruz-midnight-training-session.html

Dinis

On Wed, Nov 25, 2009 at 12:57 PM, Matt Parsons <mparsons1980 at gmail.com> wrote:

>  http://www.o2-ounceopen.com/o2-power-users/
>
> Last night I was able to attend most of Dinis' midnight training call. We
> had a few excited people on the call. I learned something new with the web
> conference program Dimdim. These are some rough notes so feel free to
> edit and change.
>
> One of the aspects of O2 that we were discussing was using CIR and dragging
> and dropping DLLs to make a trace. It has the calls and then switches to
> function info. This is an example of a bigger tree.
>
> XRules O2 was a hot topic last night. This function was added by a graph
> of who calls. In the use case example we had a web service. In the
> findings there was a web service call all the way down.
>
> Dinis keeps on preaching that O2 is designed when a consultant has a need.
> The workflow may be from A to B to F. We also need to overhaul our
> documentation so more people see the value of O2 and then give them examples
> of workflows that you can use.
>
> I just got off the phone with O2 and Dinis' vision is for O2 to be the tool
> that everyone uses for multiple problems. If you use grep, use O2 for a grep
> on steroids.
>
> Rules manager is when we can open up a file to scan and load Hacme Bank.
> CLR viewer is embedded in rules manager.
>
> For example look at any module like rules manager. All of these projects
> start with a shell O2 GUI. You can load the DLL CIR data. This can be
> created from Java.
>
> The rules manager main is call flow and tracking for reverse mapping.
>
>
> XRules allows easy workflow with drag and drop DLL based on call flow.
> Show how flow of code can happen. This is another view of all the
> findings. These are the steps to create a path of the application.
>
>
> Dinis showed an example of a rule for O2 and map calls vulnerable to SQL
> injection. You could mark this as a sink type SQL injection.
>
>
> Do a call flow scanner. ID of O2 scans is to give you a rule to apply to
> rules. Have rules and apply them to source. The source of tainted data
> place using. What we want to do is create a new trace. Sink save that
> Ounce tries to follow. The patterns for source and sink have a lot of
> similarities.
>
>
> Trace tools do not work for a million line of code application. There
> are a bunch of sources and sinks. Apply sources and sinks to all traces.
>
>
> Lost sink has no marking for it. We want to grab all of these guys. Mark
> from data point of view. We want to edit the rule with an O2 layer call.
> What O2 has done is create traces that start in one place and end somewhere
> else.
>
>
> I would like to define and look for potentially dangerous back it up to
> source.
>
>
> What flows produce vulnerabilities?  Have a default.  The rule associated
> with Ounce is closed.
>
>
> One of the questions posed was are there any legal ramifications of patents
> using O2?
>
>
> There is a massive air gap between O2 and Ounce. The new generation of
> rules will create a lot more workflow. Not really a tool process but
> intersecting rules and possibly selling rules. We need to have an open
> community rule set that are downloaded and rocks authorization. Find in O2
> the problem was solved by mapping all sinks and sources.
>
>
> Part problem going to be a lot slower rules definition not a hard level.
> Identify stuff to start with patterns.
>
>
> The first example is to find a call flow from that rule that we map from
> the outside. Once you know the pattern you can run a script against it.
>
>
> O2 Spring MVC.
>
> Spring MVC is when you can grab a compiled class and drag and drop. This
> file is converted using Jython.
>
> Dinis was showing the vulnerable code in Spring MVC with the get pet
> function. Spring MVC controllers. Load up the URL in the module and
> exploit Spring MVC.
>
>
> View data and invoke to pet objects over to owner object. Edit edwardo.
> Pets[0], name NEW Name. Dinis then put a payload on name. <IMG
> SRC=javascript:alert('XSS')>
>
>
> Betty Davis is user 2. So we modify id and send pet.
>
> Rules manager. Only module that has this functionality is Spring MVC.
>
> Matt Parsons, MSM, CISSP
>
> 315-559-3588 Blackberry
>
> 817-294-3789 Home office
>
> mailto:mparsons1980 at gmail.com <mparons1980 at gmail.com>
>
> http://www.parsonsisconsulting.com
>
> http://www.o2-ounceopen.com/o2-power-users/
>
> http://www.linkedin.com/in/parsonsconsulting
>
>
> *From:* owasp-o2-platform-bounces at lists.owasp.org [mailto:
> owasp-o2-platform-bounces at lists.owasp.org] *On Behalf Of *dinis cruz
> *Sent:* Wednesday, November 25, 2009 6:20 AM
> *To:* owasp-o2-platform at lists.owasp.org
> *Subject:* [Owasp-o2-platform] 25-nov-09: Current Issues list
>
> Hi, I've started adding bugs/defects, features requests and documentation
> requests to the O2's Bug / Issue tracking system (see
> http://code.google.com/p/o2platform/issues/list).
>
> Here are the current open entries (with many more to come :)  ) , and
> remember that you should also be using this to log your problems, ideas or
> requests:
>
> *Defect*
>
>    - Issue 2 - O2 XRules : Findings Viewer doesn't allow Source Code
>    mappings resolution <http://code.google.com/p/o2platform/issues/detail?id=2>
>
>  *Feature*
>
>    - Issue 3 - O2 XRules : Unit test execution GUI tweaks <http://code.google.com/p/o2platform/issues/detail?id=3>
>    - Issue 5 - New O2 Module: Findings Manager <http://code.google.com/p/o2platform/issues/detail?id=5>
>    - Issue 7 - Submit O2 Bugs and Feature Requests directly from O2
>    modules <http://code.google.com/p/o2platform/issues/detail?id=7>
>    - Issue 8 - O2 GUI - Create Rohit's GUI PoC <http://code.google.com/p/o2platform/issues/detail?id=8>
>    - Issue 9 - Introduce O2 Wizards (and use it to replace some modules) <http://code.google.com/p/o2platform/issues/detail?id=9>
>
>  *Documentation*
>
>    - Issue 3 - How to: Traces joins on Get and Set pairs (O2 User Request) <http://code.google.com/p/o2platform/issues/detail?id=3>
>    - Issue 10 - Clarify O2's current relationship with Fortify, what
>    currently works and what is on the pipeline <http://code.google.com/p/o2platform/issues/detail?id=10>
>    - Issue 11 - Document the Spring MVC security vulnerabilities (namely
>    the examples presented at AppSecDC) <http://code.google.com/p/o2platform/issues/detail?id=11>
>    - Issue 12 - What was the rationale for creating a new GUI? <http://code.google.com/p/o2platform/issues/detail?id=12>
>
>  Issues closed this week:
>
>    - Issue 1 - O2 XRules: don't require recompilation before XRules cmd
>    line execution <http://code.google.com/p/o2platform/issues/detail?id=1>
>
> *Help request* I created the links above manually and it was a pain. This
> means that I need an XRule that goes to the current lists page
> <http://code.google.com/p/o2platform/issues/list> (or CSV download
> <http://code.google.com/p/o2platform/issues/csv>), parses it and creates the
> HTML code. There are several O2 APIs that can be used here, so if you have
> some cycles, why don't you try to write an XRule that does this?
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
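The notes above talk about sources, sinks, traces that "start in one place and end somewhere else", backing a dangerous call up to its source, and sinks that no trace reaches ("lost sinks"). The following is an added example, not O2 code or anything from the training session: a minimal source-to-sink trace over a constructed call graph. Every method name in it is made up, the graph is hand-built, and which methods count as sources and sinks is an assumption for the sake of illustration.

```python
# Added example (not O2 code): a minimal source-to-sink trace over a
# constructed call graph, illustrating the "sources and sinks", "lost sink"
# and "back it up to source" ideas from the notes. Method names are made up.
from collections import deque

# Constructed call graph: caller -> list of callees (hypothetical names).
CALL_GRAPH = {
    "PetController.updatePet": ["PetService.save", "Logger.info"],
    "PetService.save": ["PetDao.update"],
    "PetDao.update": ["Statement.execute"],
    "OwnerController.show": ["OwnerService.find"],
    "OwnerService.find": ["PreparedStatement.execute"],
    "Logger.info": [],
    "Statement.execute": [],
    "PreparedStatement.execute": [],
    "Runtime.exec": [],          # present in the binary but never called
}

# Sources: entry points that receive untrusted input (constructed set).
SOURCES = {"PetController.updatePet", "OwnerController.show"}
# Sinks: dangerous callees, mapped to the vulnerability class they represent.
SINKS = {"Statement.execute": "SQL Injection", "Runtime.exec": "Command Injection"}


def _reachable(graph, start):
    """Breadth-first search; returns {node: predecessor} for everything reachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return parent


def find_traces(graph, sources, sinks):
    """Return (source, sink, vuln_class, path) for every sink reachable from a source."""
    traces = []
    for src in sorted(sources):
        parent = _reachable(graph, src)
        for node in sorted(parent):
            if node in sinks:
                path, cur = [], node
                while cur is not None:            # walk predecessors back to the source
                    path.append(cur)
                    cur = parent[cur]
                traces.append((src, node, sinks[node], path[::-1]))
    return traces


def reverse_map(graph, sink):
    """'Back it up to source': every method that can (transitively) reach sink."""
    callers = {}
    for caller, callees in graph.items():
        for callee in callees:
            callers.setdefault(callee, []).append(caller)
    seen, stack = set(), [sink]
    while stack:
        for caller in callers.get(stack.pop(), []):
            if caller not in seen:
                seen.add(caller)
                stack.append(caller)
    return seen


def lost_sinks(graph, sources, sinks):
    """Sinks no trace reaches: the 'lost sink' case, which still needs a manual look."""
    reached = set()
    for src in sources:
        reached |= set(_reachable(graph, src))
    return {s for s in sinks if s not in reached}


if __name__ == "__main__":
    for src, sink, vuln, path in find_traces(CALL_GRAPH, SOURCES, SINKS):
        print(f"{vuln}: " + " -> ".join(path))
    print("lost sinks:", lost_sinks(CALL_GRAPH, SOURCES, SINKS))
    print("callers of Statement.execute:", reverse_map(CALL_GRAPH, "Statement.execute"))
```

On this graph only the pet-update entry point reaches a sink, `OwnerController.show` ends in a parameterised call that is not marked as a sink, and `Runtime.exec` is reported as a lost sink because no source reaches it. That last list is the one a reviewer would triage by hand, since a sink with no trace may just mean the source list is incomplete.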
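Dinis's help request asks for something that reads the issue tracker's CSV export and produces the HTML list he built by hand. The block below is an added example, not an XRule or any O2 API: it parses a small CSV sample constructed here (the column names `ID`, `Type`, `Status` and `Summary` are an assumption about the export, not the real format) and renders the grouped list with the detail URL cited in the message. Because the summaries come from a public tracker, they are untrusted text and are escaped before being placed in HTML.

```python
# Added example (not O2 code): turn an issue-tracker CSV export into the
# grouped HTML issue list that was hand-built in the message above. The CSV
# columns and rows are constructed; the detail URL is the one on the page.
import csv
import html
import io

DETAIL_URL = "http://code.google.com/p/o2platform/issues/detail?id={id}"

# Constructed sample export (column names are an assumption, not the real format).
SAMPLE_CSV = """\
ID,Type,Status,Summary
2,Defect,New,O2 XRules : Findings Viewer doesn't allow Source Code mappings resolution
5,Feature,Accepted,New O2 Module: Findings Manager
10,Documentation,New,Clarify O2's current relationship with Fortify
"""


def parse_issues(csv_text):
    """Parse the export into (type, id, summary) tuples, rejecting non-numeric ids."""
    issues = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issue_id = int(row["ID"])          # raises ValueError on a non-numeric id
        issues.append((row["Type"].strip(), issue_id, row["Summary"].strip()))
    return issues


def issues_to_html(csv_text, url_template=DETAIL_URL):
    """Group issues by type and render one <ul> per group, escaping tracker text."""
    grouped = {}
    for issue_type, issue_id, summary in parse_issues(csv_text):
        grouped.setdefault(issue_type, []).append((issue_id, summary))
    parts = []
    for issue_type, items in grouped.items():
        parts.append(f"<b>{html.escape(issue_type)}</b>")
        parts.append("<ul>")
        for issue_id, summary in sorted(items):
            # The id is an int, so the URL cannot carry injected query text.
            href = html.escape(url_template.format(id=issue_id), quote=True)
            # Summary text comes from the tracker and is untrusted: escape it
            # so a crafted summary cannot inject markup into the generated page.
            text = html.escape(f"Issue {issue_id} - {summary}")
            parts.append(f'  <li><a href="{href}">{text}</a></li>')
        parts.append("</ul>")
    return "\n".join(parts)


if __name__ == "__main__":
    print(issues_to_html(SAMPLE_CSV))
```

Feeding it the real export would mean replacing `SAMPLE_CSV` with the downloaded file's contents; the int() cast on the id and the escaping of the summary are the two checks worth keeping whatever the source.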