[Owasp-o2-platform] Major O2 Milestone: 'Complete Vulnerability Trace' for an HacmeBank Sql Injection vulnerability

dinis cruz dinis.cruz at owasp.org
Sun May 23 23:30:10 EDT 2010


Finally, after tons and tons of features, I was able to create a 'Complete
Vulnerability Trace' for an HacmeBank Sql Injection vulnerability.

And by 'Complete Vulnerability Traces' I mean a trace that:

   - starts on the Exploit Layer (i.e. the browser entry point),
   - then goes through the Web Layer code,
   - then does a jump over the 'internet' into the Web Services layer,
   - and ends up in the vulnerable .NET System.Data method :)

Using O2's MediaWiki API, I created the following 'draft with tons of
screenshots' wiki page (containing details of what this trace looks like):
http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC

The example is shown in the "O2 .NET Ast Engine" module, and tomorrow I
will post details on how to consume (most of) it from the "O2 .NET Ast
Scanner" module (which will be easier to use).

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2