[Owasp-o2-platform] More FVDL scripting and example of (O2 created).NET Taint Flow trace

Alvaro alvaro.picapau at gmail.com
Fri Jul 29 11:46:43 EDT 2011

Thats great Dinis! I will have a look at thoses examples. The idea is not to
trace the full taint flow in the source code but to connect a sink defined
in the controller with a source defined in the view (both of them in the
FVDL file). The relation between these controllers and views is done via
some configuration xml files. So the idea is to create a mapping table from
these xml files that links controllers and views, and bridge the existing
sinks and sources in the FVDL.


On Fri, Jul 29, 2011 at 2:49 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

> Here is a reply I just sent to a new O2 user that is trying to get his head
> around O2 Scripting (to parse, filter and visualize FVDL Files) , which also
> includes a link to a blog post with an example of what the O2 .NET Static
> Analysis engine is able to create:
> *"...I've pushed another blog post that should give you more ideas on what
> you can do with O2 scripting and FVDL files:
> http://o2platform.wordpress.com/2011/07/29/creating-the-the-util-view-fvdl-traces-h2-script-lots-of-data-analysis-code-samples (I
> wrote this last week, but run out of time to publish it then)
> Question: what do you mean by "connecting some related issues..an
> unsupported MVC pattern breaks the data flow from the controller to the
> view" ? Are you trying to connect the tain-flow traces? (for example a trace
> that starts in a Controller and continues on a View?)
> If so, you need to take a look at what I was doing with the traces I used
> to get from the Ounce Labs engine. I was doing exactly that.
> There is quite a lot of scripts and code in O2 to support the joining of
> traces (from simple to complex use cases), so let me know if this is what
> you are trying to do (note that to really take advantage of O2, we should
> expand the current FVDL parser to create IO2Findings objects, since once we
> have that, we can use the existing O2 tools for Finding's viewing and
> Trace's joining (including Drag&Drop trace creation support)).
> To see an example of the kind of traces you can do in O2, check this out
> .NET HacmeBank SQL Injection vulnerability trace example:
> http://o2platform.wordpress.com/2011/07/29/o2-net-ast-scanner-hacmebank-sql-injection-poc
>  .
> Note how that 'O2 created trace':
>    - starts on a URL (the real Source of tainted data),
>    - then follows the taint flow into a server-side Textbox,
>    - and into the WebService's call on the WebSite code
>    - and into the WebServices' method on the WebService's code (this was a
>    separate trace that was joined with the first one),
>    - and continues the taint follow until it reaches the Sql Injection
>    Sink
> *..."
> Dinis Cruz
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-o2-platform/attachments/20110729/88d344cf/attachment.html 

More information about the Owasp-o2-platform mailing list