[Owasp-o2-platform] Help with loading and consolidating data from AppScan 7.9

Dinis Cruz dinis at ddplus.net
Mon Aug 30 02:29:57 EDT 2010


Hi Aaron (or other AppScan 7.9 users)

Can you find a way to translate the following O2 Web Automation script into
pyscan?

public void vulnerability_Sql_Injection_in_Login_page()
{
	setup();
	Browser.open(StartUrl);
	Browser.field("txtUserName").value("jv ' aaa");
	Browser.field("txtPassword").value("jv789");
	Browser.button("Submit").click();
}

This is an HacmeBank vulnerability (SQL Injection on Login Page) written in
O2 (the StartUrl variable points to the main login page).  For more examples
of code samples see
http://www.o2platform.com/wiki/HacmeBank%5CUnit_Tests_for_Vulnerabilities

Dinis

On Sat, Aug 28, 2010 at 11:59 PM, Aaron Clark <noyesterday at gmail.com> wrote:

> For programmatically dealing with a running instance of AppScan (the
> dynamic versions of the tool, not Source) there's an extension SDK and a
> python programmatic interface called pyscan.
>
> http://www.ibm.com/developerworks/rational/downloads/08/appscan_ext_framework/#N1017C
>
> There's a separate api for working with Source too, but Dinis already knows
> all about it.
>
> Thanks,
> Aaron
>
> Just as a disclaimer, I work on the AppScan Source team (and Ounce befor
> the acquisition)
>
> On Sat, Aug 28, 2010 at 3:31 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> now ... on the on the topic of merging AppScan results ... is there any
>> guidance on how to do it?
>>
>> I'm assuming most of those db keys are not unique on all assessments, and
>> when merging results one will need to fix a bunch of those XRefs
>>
>> Any other side effects we should be aware?
>>
>> I wonder if we can manipulate the db in real time and use it to
>> communicate with a running instance of AppScan 7.9?
>>
>> Dinis Cruz
>>
>>
>> On 28 August 2010 23:23, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> I just created a video (using O2 :)  ) with this script in action.
>>>
>>> You can see it on YouTube http://www.youtube.com/watch?v=BAp6M6FZda8 or
>>> in the script documentation page http://www.o2platform.com/index.php/AppSscan
>>> 7.9 - Results Viewer (FireBird Database).h2<http://www.o2platform.com/index.php/AppSscan%207.9%20-%20Results%20Viewer%20%28FireBird%20Database%29.h2>
>>>
>>> Dinis Cruz
>>>
>>>
>>> On 28 August 2010 23:05, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>
>>>> OK, I just added support to O2 for reading FireBird databases and more
>>>> specifically for loading and viewing AppScan 7.9 *.ResultsDB.FBD file (which
>>>> is inside the *.scan file)
>>>>
>>>> Here is a documentation page with tons of screenshots (and the script I
>>>> just wrote):
>>>>
>>>>
>>>> http://www.o2platform.com/wiki/AppSscan_7.9_-_Results_Viewer_(FireBird_Database).h2<http://www.o2platform.com/wiki/AppSscan_7.9_-_Results_Viewer_%28FireBird_Database%29.h2>
>>>> .
>>>>
>>>> Here is a good example of how in O2, once we can 'read/consume the
>>>> native files, the rest is easy :)
>>>>
>>>> Dan, Thanks for the help
>>>>
>>>> Dinis Cruz
>>>>
>>>>
>>>>
>>>> On 28 August 2010 19:22, Dan Cornell <dan at denimgroup.com> wrote:
>>>>
>>>>>   An O2 user sent me this request:
>>>>>
>>>>>
>>>>>
>>>>> *"...I need some help writing an 02 script that will collect multiple
>>>>> IBM appscan projects and convert them into one big project combining all of
>>>>> the vulnerabilities.*
>>>>>
>>>>>
>>>>>
>>>>> *The use case is that I have a huge web site that has 40 seperate
>>>>> "mini website" branched off of the main url.  Some of them require
>>>>> credentials some of them don't.   I have 20 app scan files that I would like
>>>>> to combine into one big app scan file.   The version of IBM app scan is
>>>>> 7.9..."*
>>>>>
>>>>>
>>>>>
>>>>> I have a sample assessment file from a scan of
>>>>> http://demo.testfire.net in the form of an *.scan file. This file is a
>>>>> zip file and inside of it here are a bunch of *.PDB , *.FPT and *.DBF files
>>>>> which are clearly database files.
>>>>>
>>>>>
>>>>>
>>>>> Anybody as idea of what these are and where I can get an C#, Python or
>>>>> Java reader for it?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> There is some Java code to read XML AppScan files in VulnManager –
>>>>> http://vulnerabilitymanager.denimgroup.com/  I have an updated version
>>>>> of that in the upcoming release but that code isn’t quite ready for
>>>>> distribution yet.
>>>>>
>>>>>
>>>>>
>>>>> I can probably also dredge up some other Java code to read the .scan
>>>>> files.
>>>>>
>>>>>
>>>>>
>>>>> Those use what is basically a Firebird DB format:
>>>>>
>>>>> http://www.firebirdsql.org/
>>>>>
>>>>>
>>>>>
>>>>> If this is just a one-off you could probably take your .scan files, use
>>>>> the Firebird ODBC driver to set up each files as a database and do some
>>>>> goofy query/join-y stuff to lump them all together in one big DB.
>>>>>
>>>>>
>>>>>
>>>>> Or to integrate it into O2 you could use the Firebird .NET data
>>>>> provider and attach that to the .scan files.
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>>
>>>>>
>>>>> Dan
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>> _______________________________________________
>> Owasp-o2-platform mailing list
>> Owasp-o2-platform at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>
>>
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20100830/7e63a19a/attachment.html 


More information about the Owasp-o2-platform mailing list