[Owasp-o2-platform] Help with loading and consolidating data from AppScan 7.9

Aaron Clark noyesterday at gmail.com
Tue Aug 31 11:24:54 EDT 2010


Hi Dinis,

I spoke with one of the blackbox experts (Shawn Miller) and got the 411.
The setup in pyscan would look a little different: you work at the request
level rather than the browser level, but what you're describing below is
possible.  If you download pyscan, the example that comes with it will
actually cover request creation and manipulation, which should hopefully
give you the information you need to create something like the example
below.

Thanks,
Aaron

On Sun, Aug 29, 2010 at 11:29 PM, Dinis Cruz <dinis at ddplus.net> wrote:

> Hi Aaron (or other AppScan 7.9 users)
>
> Can you find a way to translate the following O2 Web Automation script into
> pyscan?
>
> public void vulnerability_Sql_Injection_in_Login_page()
> {
> 	setup();
> 	Browser.open(StartUrl);
>
> 	Browser.field("txtUserName").value("jv ' aaa");
>
> 	Browser.field("txtPassword").value("jv789");
>
> 	Browser.button("Submit").click();
> }
>
> This is a HacmeBank vulnerability (SQL Injection on Login Page) written in
> O2 (the StartUrl variable points to the main login page).  For more examples
> of code samples see
> http://www.o2platform.com/wiki/HacmeBank%5CUnit_Tests_for_Vulnerabilities
>
> Dinis
>
>
> On Sat, Aug 28, 2010 at 11:59 PM, Aaron Clark <noyesterday at gmail.com>wrote:
>
>> For programmatically dealing with a running instance of AppScan (the
>> dynamic versions of the tool, not Source) there's an extension SDK and a
>> python programmatic interface called pyscan.
>>
>> http://www.ibm.com/developerworks/rational/downloads/08/appscan_ext_framework/#N1017C
>>
>> There's a separate api for working with Source too, but Dinis already
>> knows all about it.
>>
>> Thanks,
>> Aaron
>>
>> Just as a disclaimer, I work on the AppScan Source team (and Ounce before
>> the acquisition).
>>
>> On Sat, Aug 28, 2010 at 3:31 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> now ... on the topic of merging AppScan results ... is there any
>>> guidance on how to do it?
>>>
>>> I'm assuming most of those db keys are not unique on all assessments, and
>>> when merging results one will need to fix a bunch of those XRefs
>>>
>>> Any other side effects we should be aware of?
>>>
>>> I wonder if we can manipulate the db in real time and use it to
>>> communicate with a running instance of AppScan 7.9?
>>>
>>> Dinis Cruz
>>>
>>>
>>> On 28 August 2010 23:23, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>
>>>> I just created a video (using O2 :)  ) with this script in action.
>>>>
>>>> You can see it on YouTube http://www.youtube.com/watch?v=BAp6M6FZda8 or
>>>> in the script documentation page
>>>> http://www.o2platform.com/index.php/AppSscan%207.9%20-%20Results%20Viewer%20%28FireBird%20Database%29.h2
>>>>
>>>> Dinis Cruz
>>>>
>>>>
>>>> On 28 August 2010 23:05, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>
>>>>> OK, I just added support to O2 for reading FireBird databases and more
>>>>> specifically for loading and viewing AppScan 7.9 *.ResultsDB.FBD file (which
>>>>> is inside the *.scan file)
>>>>>
>>>>> Here is a documentation page with tons of screenshots (and the script I
>>>>> just wrote):
>>>>>
>>>>>
>>>>> http://www.o2platform.com/wiki/AppSscan_7.9_-_Results_Viewer_%28FireBird_Database%29.h2
>>>>>
>>>>> Here is a good example of how in O2, once we can read/consume the
>>>>> native files, the rest is easy :)
>>>>>
>>>>> Dan, Thanks for the help
>>>>>
>>>>> Dinis Cruz
>>>>>
>>>>>
>>>>>
>>>>> On 28 August 2010 19:22, Dan Cornell <dan at denimgroup.com> wrote:
>>>>>
>>>>>> An O2 user sent me this request:
>>>>>>
>>>>>> "...I need some help writing an O2 script that will collect multiple
>>>>>> IBM appscan projects and convert them into one big project combining all of
>>>>>> the vulnerabilities.
>>>>>>
>>>>>> The use case is that I have a huge web site that has 40 separate
>>>>>> "mini websites" branched off of the main url.  Some of them require
>>>>>> credentials, some of them don't.   I have 20 app scan files that I would like
>>>>>> to combine into one big app scan file.   The version of IBM app scan is
>>>>>> 7.9..."
>>>>>>
>>>>>> I have a sample assessment file from a scan of
>>>>>> http://demo.testfire.net in the form of an *.scan file. This file is
>>>>>> a zip file and inside of it there are a bunch of *.PDB, *.FPT and *.DBF
>>>>>> files which are clearly database files.
>>>>>>
>>>>>> Anybody has an idea of what these are and where I can get a C#, Python or
>>>>>> Java reader for it?
>>>>>>
>>>>>> There is some Java code to read XML AppScan files in VulnManager –
>>>>>> http://vulnerabilitymanager.denimgroup.com/  I have an updated
>>>>>> version of that in the upcoming release but that code isn’t quite ready for
>>>>>> distribution yet.
>>>>>>
>>>>>> I can probably also dredge up some other Java code to read the .scan
>>>>>> files.
>>>>>>
>>>>>> Those use what is basically a Firebird DB format:
>>>>>>
>>>>>> http://www.firebirdsql.org/
>>>>>>
>>>>>> If this is just a one-off you could probably take your .scan files,
>>>>>> use the Firebird ODBC driver to set up each file as a database and do some
>>>>>> goofy query/join-y stuff to lump them all together in one big DB.
>>>>>>
>>>>>> Or to integrate it into O2 you could use the Firebird .NET data
>>>>>> provider and attach that to the .scan files.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Owasp-o2-platform mailing list
>>> Owasp-o2-platform at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>>>
>>>
>>
>
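The merging problem Dinis raises above (db keys repeat from one assessment to the next, so cross-references must be re-keyed when consolidating .scan results) as an added example that is not code from this thread or from O2. It assumes an in-memory sqlite3 database with a constructed two-table schema as a stand-in for the Firebird ResultsDB, whose real schema the thread does not give.

```python
import sqlite3
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in schema (sqlite3, not Firebird): issues cross-reference
# urls by id, and ids restart at 1 in every assessment, as the thread describes.
SCHEMA = """
CREATE TABLE urls   (id INTEGER PRIMARY KEY, url TEXT NOT NULL UNIQUE);
CREATE TABLE issues (id INTEGER PRIMARY KEY, url_id INTEGER NOT NULL
                     REFERENCES urls(id), issue_type TEXT NOT NULL, severity TEXT NOT NULL);
"""

def url_id(db: sqlite3.Connection, url: str) -> int:
    """Return urls.id for `url` in `db`, inserting the row if it is new."""
    db.execute("INSERT OR IGNORE INTO urls (url) VALUES (?)", (url,))
    return db.execute("SELECT id FROM urls WHERE url = ?", (url,)).fetchone()[0]

def make_assessment(rows: Iterable[Tuple[str, str, str]]) -> sqlite3.Connection:
    """Build one constructed in-memory assessment from (url, type, severity) rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for url, issue_type, severity in rows:
        db.execute("INSERT INTO issues (url_id, issue_type, severity) VALUES (?, ?, ?)",
                   (url_id(db, url), issue_type, severity))
    db.commit()
    return db

def merge_assessments(sources: List[sqlite3.Connection]) -> sqlite3.Connection:
    """Consolidate assessments into one DB, re-keying each source's url XRefs
    through a per-source old-id -> new-id map instead of copying ids verbatim."""
    merged = sqlite3.connect(":memory:")
    merged.executescript(SCHEMA)
    for src in sources:
        key_map: Dict[int, int] = {old: url_id(merged, url)
                                   for old, url in src.execute("SELECT id, url FROM urls")}
        for old_url_id, issue_type, severity in src.execute(
                "SELECT url_id, issue_type, severity FROM issues ORDER BY id"):
            merged.execute("INSERT INTO issues (url_id, issue_type, severity) VALUES (?, ?, ?)",
                           (key_map[old_url_id], issue_type, severity))
    merged.commit()
    return merged

def issues_by_url(db: sqlite3.Connection) -> Dict[str, List[str]]:
    """Map each URL to its issue types in insertion order, to check a merge."""
    out: Dict[str, List[str]] = {}
    for url, issue_type in db.execute("SELECT u.url, i.issue_type FROM issues i "
                                      "JOIN urls u ON u.id = i.url_id ORDER BY i.id"):
        out.setdefault(url, []).append(issue_type)
    return out
```

The same re-keying is needed for every table that references another by id; the url map here is one instance of the general pattern.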