[Owasp-o2-platform] Some info on O2's .NET Static Analysis engine

dinis cruz dinis.cruz at owasp.org
Tue Jul 6 07:29:13 EDT 2010


O2 has a working prototype of an Open Source Static Analysis engine. This
engine, is able to follow taint across multiple methods/classes and for
example, is able to be used (with a little bit of custom script at the top)
to create a trace for HacmeBank that:

   - starts on the HTTP Url,
   - goes into the respective Web.UI.TextBox source
   - passes trough the webservice's invoke call (at web layer)
   - continues at the webservices [WebMethod] (at webservice layer)
   - ends at the SqlCommand method (vulnerable to SQL Injection)

The key concept that powers this engine is what I call the 'MethodStream'
which is a dynamically created file that* "for a starting method X contains
all methods that are recursively called from that method"*

I have not documented the latest GUIs (see
http://www.o2platform.com/wiki/O2_Release/v1.1_Beta#Tab_.232:_Source-Code_Reviews),
but here are some links to get you started:

   - http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
   -
   http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC
   -
   http://o2platform.googlecode.com/svn/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/HacmeBank_BlackBox_Exploits.cs(dynamically
executed script file with HacmeBank exploits)
   -
   http://o2platform.googlecode.com/svn/trunk/O2_Scripts/_Sample_Vulnerabilities/HacmeBank/API_HacmeBank.cs(dynamically
executed script file with HacmeBank API (including the custom
   code extensions required to create the method streams for HacmaBank)

A good place to start is if you give me a couple case studies or problems
you want to see a solution for, I can then send you back a script that shows
how that can be done.

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20100706/027626e8/attachment.html 


More information about the Owasp-o2-platform mailing list