[Owasp-o2-platform] More FVDL scripting and example of (O2 created).NET Taint Flow trace

dinis cruz dinis.cruz at owasp.org
Fri Jul 29 12:24:56 EDT 2011


I think we are exactly on the same page, and welcome to the wonderful world
of 'Framework behaviour mapping' :)

I've done this quite a lot in the past, so let's see if I can help you here.

The first thing you must do is to make sure that you have 'scriptable'
access to ALL required artifacts. Since you will need to be doing a lot of
'automagic' gluing, you have to make sure that you can programmatically
access the data you need.

From what I understand you already have the traces for the controllers and
the views. So what about the config files? Is everything on those config
files, or will you also need to parse the java/class files for more
metadata? Btw, this is J2EE right?

The next thing you need to do is to figure out the exact formula that maps
the controllers to the views. And before you go any further you need to have
a visualization of this (which can be as simple as a treeview, or as complex
as a full-blown graph model (which you can also do with O2 :) )).

After that, you will need to look at your sinks and sources and see if they
are easy to match (this has to be done after you have matched the controllers
with the views, or you will get a huge amount of mappings, most of which will
never happen in the real world). One of the beauties of the IO2Finding and
O2Trace format is that I was able to join traces by simply doing string
matches (there are even helper methods to do that).

The idea/concept for joining traces is that you rewrite the Sinks and
Sources so that they match:

For example, if you had a Controller 'Sink' with

      setAttribute("A_KEY", {taint value})

and a View 'Source' with

    getAttribute("A_Key")

Then I would rewrite them (in-memory or on disk (if there is a large number
of findings)) as:

   Controller 'Sink'   ->   getset_Attribute_A_KEY()
   View 'Source'       ->   getset_Attribute_A_KEY()

and then just:

   - do a direct string Sink-to-Source match,
   - glue them with a one-to-many traces/finding generation mode (i.e. you
   will need to create a new trace for each unique Sink-to-Source mapping),
   - look at the created findings (and finally you will be able to gain a
   better picture of what is going on)


This actually works very well, and scales spectacularly.

I have used this on lots of different 'glue' locations: Session/Global
Variables, Interfaces, Database layers, Controllers->Views, Reflection,
Aspect PointCuts, Validation routines, etc...

A good way forward is probably if we work together on doing this for Spring
MVC's JPetstore, since I've already started this process and it is a great
case study. See the posts at
http://o2platform.wordpress.com/category/java/spring-mvc/jpetstore/ , and my
next step on this JPetStore security analysis is exactly to create a mapping
for the JSPs (check out this post which talks about that: "Finding the JSP
views that are mapped to controlers in JPetStore (Spring MVC)"
<http://o2platform.wordpress.com/2011/07/15/finding-the-jsp-views-that-are-mapped-to-controlers-in-jpetstore-spring-mvc> ).

Does this make sense?

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
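As an added illustration of the rewrite-then-match join described in the message above (example code written for this page, not O2's own scripts or API): each controller sink and view source is rewritten into a shared glue signature, here assumed to be `getset_Attribute_<KEY>()` with the key upper-cased so that `A_KEY` and `A_Key` meet, then sinks and sources are string-matched and one new trace is generated per unique sink-to-source pair. The trace steps are constructed sample data, not real FVDL output.

```python
import re

# Constructed sample traces (not real FVDL/O2 output). A controller trace
# ends in a setAttribute sink; a view trace starts at a getAttribute source.
CONTROLLER_TRACES = [
    ['request.getParameter("name")', 'name = sanitize(name)', 'setAttribute("A_KEY", name)'],
    ['request.getParameter("q")', 'setAttribute("query", q)'],
]
VIEW_TRACES = [
    ['getAttribute("A_Key")', 'out.print(value)'],
    ['getAttribute("a_key")', 'response.getWriter().write(v)'],
    ['getAttribute("other")', 'out.print(other)'],
]

_SET = re.compile(r'setAttribute\(\s*"([^"]+)"\s*,')
_GET = re.compile(r'getAttribute\(\s*"([^"]+)"\s*\)')


def glue_key(step):
    """Rewrite a set/getAttribute step into the shared glue signature.

    The 'getset_Attribute_<KEY>()' form and case-insensitive key are the
    assumed convention from the thread; non-glue steps return None.
    """
    m = _SET.search(step) or _GET.search(step)
    return f"getset_Attribute_{m.group(1).upper()}()" if m else None


def join_traces(controller_traces, view_traces):
    """One-to-many join: a new spliced trace per unique Sink-to-Source match.

    Sources are indexed by glue key once, so the join stays linear in the
    number of traces rather than comparing every sink against every source.
    """
    sources = {}
    for vt in view_traces:
        key = glue_key(vt[0])
        if key:
            sources.setdefault(key, []).append(vt)
    joined = []
    for ct in controller_traces:
        key = glue_key(ct[-1])
        for vt in sources.get(key, []):
            # controller steps -> glue point -> view steps
            joined.append(ct + [key] + vt)
    return joined


if __name__ == "__main__":
    for trace in join_traces(CONTROLLER_TRACES, VIEW_TRACES):
        print(" -> ".join(trace))
```

Sinks whose key has no matching source (the `"query"` attribute above) produce no trace, which is the point of matching controllers to views first: it keeps the mapping set to pairs that can actually occur.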


On 29 July 2011 16:46, Alvaro <alvaro.picapau at gmail.com> wrote:

> That's great Dinis! I will have a look at those examples. The idea is not
> to trace the full taint flow in the source code but to connect a sink
> defined in the controller with a source defined in the view (both of them in
> the FVDL file). The relation between these controllers and views is done via
> some configuration xml files. So the idea is to create a mapping table from
> these xml files that links controllers and views, and bridge the existing
> sinks and sources in the FVDL.
>
> Cheers,
> Alvaro
>
>
> On Fri, Jul 29, 2011 at 2:49 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Here is a reply I just sent to a new O2 user that is trying to get his
>> head around O2 Scripting (to parse, filter and visualize FVDL Files) , which
>> also includes a link to a blog post with an example of what the O2 .NET
>> Static Analysis engine is able to create:
>>
>> "...I've pushed another blog post that should give you more ideas on
>> what you can do with O2 scripting and FVDL files:
>> http://o2platform.wordpress.com/2011/07/29/creating-the-the-util-view-fvdl-traces-h2-script-lots-of-data-analysis-code-samples (I
>> wrote this last week, but ran out of time to publish it then)
>>
>> Question: what do you mean by "connecting some related issues..an
>> unsupported MVC pattern breaks the data flow from the controller to the
>> view"? Are you trying to connect the taint-flow traces? (for example a trace
>> that starts in a Controller and continues on a View?)
>>
>> If so, you need to take a look at what I was doing with the traces I used
>> to get from the Ounce Labs engine. I was doing exactly that.
>>
>> There is quite a lot of scripts and code in O2 to support the joining of
>> traces (from simple to complex use cases), so let me know if this is what
>> you are trying to do (note that to really take advantage of O2, we should
>> expand the current FVDL parser to create IO2Findings objects, since once we
>> have that, we can use the existing O2 tools for Finding's viewing and
>> Trace's joining (including Drag&Drop trace creation support)).
>>
>> To see an example of the kind of traces you can do in O2, check this out
>> .NET HacmeBank SQL Injection vulnerability trace example:
>> http://o2platform.wordpress.com/2011/07/29/o2-net-ast-scanner-hacmebank-sql-injection-poc
>>  .
>>
>> Note how that 'O2 created trace':
>>
>>    - starts on a URL (the real Source of tainted data),
>>    - then follows the taint flow into a server-side Textbox,
>>    - and into the WebService's call on the WebSite code
>>    - and into the WebServices' method on the WebService's code (this was
>>    a separate trace that was joined with the first one),
>>    - and continues the taint flow until it reaches the Sql Injection
>>    Sink
>>
>> ..."
>>
>> Dinis Cruz
>>
>