Dinis Cruz blog

Fixing broken Left-Mouse Click on VMWare fusion

noreply@blogger.com (Dinis Cruz) — Thu, 19 Jan 2012 15:31:00 +0000

After a reboot the right-click of my windows box running on Fusion (OSX) stopped working.

After finding similar reports online I was able to fix it by adding this line to the Image vmx file:

mouse.vusb.enable = "TRUE"

Here is the post that provided me the solution:

http://communities.vmware.com/message/790567

And here are a couple more posts talking about this problem:

"...O2 in Seattle..." and "...Please Hack TeamMentor (beta)..."

noreply@blogger.com (dinis) — Wed, 14 Dec 2011 20:50:00 +0000

I'm presenting an updated version of O2 at tonigth's OWASP Chapter meeting (https://www.owasp.org/index.php/Seattle).

There are a number of new O2 features that I will cover, but to make it relevant to the audience, I will present O2 as part of a challenge which is 'Please Hack TeamMentor'.

TeamMentor is the WebApp product (currently in Beta) I have been developing for Security Innovation with the help of O2 (you can download TeamMentor Beta and its source code from GitHub).

Showing O2 this way will allow me to:

present and discuss the architecture of a real world app and its security implications
how me (as a developer) see security and its position on the development/management food-chain (btw on this topic, if you haven't you should also see my 'Making Security Invisible by Becoming the Developer's Best Friends' presentation deliveled at OWASP AppSec Brazil and this amazing video response to it: A developer's rant about security professionals )
how O2 allows me to deal with real world problems such as:

creating Unit Tests for jQuery/Ajax/WebServices based websites,
dealing with automation problems that ALL current browser automation engines have (WatiN, WatiR, Selenium, Cucumber, WebKit, QUnit, etc...) , and visualizing the data created using custom GUIs (note that O2 has native support for WatiN, NUnit and QUnit and has access/control to all of .NET's WinForms/WPF)
creating cached versions of the site (controlled by a built-inside-O2 web proxy),
direcly invoke/compile specific parts/components of the application (this is used to create targeted Unit Tests & fuzzing),
running consolidated (i.e. all available) NUnit tests using NUnit's GUI, command line and O2 scripts
dealing with complex webservices
view, analyse and test the server side RoleBase Authorization mappings (created using .NET Attributes) which affects the exposed WebServices

how the APIs and tools created by O2 purely as 'developer aids' (i.e. not for security) are then massively important, useful and usable on the UnitTesting phase.

For the 'hands-on' part of the crowd, I want to use the following OWASP projects to help me with TeamMentor development and testing (and I really could do with some help here):

ESAPI (both .NET and Javascript) - Starting with the Encoding part to deal with XSS (needs to be integrated with .NET's AntiXSS)
AppSensor - to allow TeamMentor to modify its behaviour depending on its current 'attack' level
OpenSAMM - create a score card
ZAP Proxy - feed the existing O2 Browser automation scripts via ZAP's proxy and fire up its tests
Agnitio (not yet an OWASP) - map out to its check lists
OWASP Testing, Code Review and Developer Guides
... other OWASP projects? (if you are involved in an OWASP project that you think would be a good fit, please go for it)

What is interesting about TeamMentor is that it is a complex real world app (with legacy code), containing tons of WebServices and JavaScript/jQuery activity. This makes it very hard to test by today's tools (or even manual process).

Also very important, is the fact that we are dealing with a team/company that welcomes the 'Security' part of the SDL (which doesn't happen very often :) )

I'm very happy that SI is ok with this, and my hope is that this will allow us to have a number of interesting conversations/threads (hard to happen in test apps like WebGoat or HacmeBank, or apps where the main developers are not directly engaged in the process)

For the ones that can't come tonight, I will follow up later this week with more detailed instructions.

So here is your official invite: Go and HACK TeamMentor (GitHub) and report your findings as O2, NUnit, Python, Boo, etc. scripts.

Btw, since this is a Beta version, I'm sure that there are still a number of areas which have juicy security vulnerabilities! Good luck in finding then :)

Only one condition, I WILL NOT READ any findings reported in PDF format :)

Please root these devices (project and customer awareness)

noreply@blogger.com (dinis) — Thu, 24 Nov 2011 00:11:00 +0000

Here is a cool opportunity which also raises some interesting questions

I just got asked to see if I could recommend a good AppSec and Reverse Engineer person to spend one month breaking the security of a tablet (and another device) that is coming to a place near you next year.

The brief is quite an interesting one, since it basically says: '...please root this device, show how to install malicious apps on it without root, and/or show how to extract encrypted content...' (so if you know somebody or are interested please ping me directly)

What is interesting about this gig is the company that it is from. Usually those corporate folks are bit more gentle and politically correct, but this shows that these guys really want to know first the problems (which is a nice evolution in our market). I have to say that 'finally' I have seen more people/customers who want to be secure (vs being compliant or wanting to been seen doing something about it).

It also shows how interconnected out day-to-day devices are becoming, and how big a can of worms (from a security point of view) they can/will be.

Note how web app security is staring to be more and more dependent with the devices that use it, for example, there could be a number of vulnerabilities created by how the client/server exchanges occur (it would be cool to root the device by tricking it into installing something via an reflected exploit on the server, would we call that a 'Reflected Root' vulnerability? :) ) .

This also feels a lot like the 'return of the fat client', where the vendors have so much control over the client's device that they extend the attack surface to it (which could lead to a number of security decisions being made on the wrong location).

Heads up on O2 WebProxy and WAF Simulator

noreply@blogger.com (dinis) — Wed, 23 Nov 2011 14:14:00 +0000

For the more advanced O2 users out there, I just committed a new set of O2 scripts that implement two very powerful capabilities

O2 Web Proxy - native (to O2) web proxy that sits between the IE automation object and the rest of the world (although inside the same O2 .Net process). This was based on the code in http://www.codeproject.com/KB/IP/HTTPSDebuggingProxy.aspx and it givesO2 something that I have been wanting for years now: Programatically access to a Web Proxy. This opens up a LARGE number of testing/fuzzing capabilities and dramatically simplify IE analysis tasts (for example, something that is now simple to get is the full value of the Cookies (and Headers) sent to/from the IE browser (the http-only cookes for example were really hard to get) )
O2 WAF Simulator - built on top of the O2 Web Proxy, I was able to quickly create a WAF simulator which uses the O2 Proxy's callbacks to fix a couple vulnerabilities in the test app I was looking at (great when talking to developers about the vulnerabilities discovered and its possible fixes)

I will shortly put more details about this on the O2 blog

What I like the most about these two new capabilities, is that this was all created/implemented in about 4h of focused-development (and shows how powerful O2's APIs and quick-prototyping development environment have become)

Help on running Cucumber via security tools and .NET

noreply@blogger.com (dinis) — Wed, 23 Nov 2011 13:58:00 +0000

Hi, I need to integrate Cucumber into O2, so I was wondering if I could get some help.

Here is my first set of challenges:

I need a couple Cucumber scripts (running on top of Ruby) that do some kind of web actions (ideally on a vuln app like webgoat, http://google-gruyere.appspot.com, hacmebank, etc...) so that we can test the following scenarios:

Trigger this tests directly from O2 (including seeing its results). This could be as simple as triggering Cucumber from the command line
Run those same tests via a security proxy/tool/scanner so that we can 'teach it' how to app works. This should work for any tool that can act like a proxy, but to start, I would like to run it on

OWASP ZAP
NetSparker
AppScan Standard
Burp

Use IronPython to run cucumber tests/features directly in .NET/O2 so that I can create a solid two way communication and instrumentation between those scripts and O2 (i.e. O2 to consume them directly, and the scripts being able to access O2 APIs)

Thanks

Comment on reply to post: Mark on 'Models for Better Security Communities'

noreply@blogger.com (dinis) — Fri, 11 Nov 2011 11:15:00 +0000

(comment I made on the OWASP mailing list last week which contains some ideas on where I see OWASP going next)

Stephen, you absolutely shouldn't feel guilty of 'only' contributing to OWASP through your regular bursts of energy (I put 'only' in quotes, since you are one of my favorite OWASP stories, and a talent that I'm very proud to have helped to attract to OWASP) . Your type of contributions is one of the things that have built OWASP and it is one of its most amazing characteristics.

In fact, my view, the job of OWASP 'the organization' is to make sure that when you do focus and want to commit some energy, there is an environment (or ecosystem) that will make that process as productive, enjoyable and efficient as possible.

In that light, OWASP 'the organization' should be much more like an event organizer (think 'music production company') than a big 'we have the vision and know it all' type of org.

Please don't be to hard on Mark since his heart is absolutely on the right place (and let's not really judge Microsoft's ethics since most large companies these days wont get a clean bill of health :) ).

One think I learned from playing music is that you have to listen to the audience's comments, and most of the times they say (from your point of view of course) the right thing the wrong way (or not the same way you would articulate it).

Mark wants a more professional and focused approach to OWASP, where there is energy and commitment in the creation of very professional, high-quality, well presented, easy to use/adopt and community-friendly deliveries (tools, books, guides, dev outreach, etc...).

Which is exactly what I also want.

That doesn't mean that we stop supporting the grassroots movements and activities that allowed OWASP to be want is it today (and empower its contributors to 'just get on with it and try to find a solution'). It means instead that we need to put a lot more investment and effort into creating an operational machine that will support it (we have the talent at OWASP, what we don't have is the operational machine (which OWASP's leaders are not really good at, or have time to dedicated to it)).

Part of the problem is that there is still this view at OWASP that we need:

a strong mission, vision, etc...
high level commitments/endorsements and
centrally controlled activities

.... as if we had those anything would happen because of it :)

Part of the problem of this type of thinking, is that it creates an environment where Mark (correctly under that thinking) was expecting a level of support and endorsement for his ideas that is just not possible at OWASP.

The irony is that there are lots of really great leaders inside OWASP that share Mark's wish for a more professional and dev-community-friendly OWASP. Unfortunately we (OWASP) still have not come up with an operational model that allow those groups to aggregate and flourish (I don't think the current Commitees structure are the right structure, but maybe the https://www.owasp.org/index.php/Security_Ecosystem_Project is a better one).

Btw, for me the only vision and mission that OWASP needs is three (or maybe two) words: Web Application Security or maybe just even two: Application Security

So please embrace Mark's ideas and comments, you might not like his style (like many don't like mine), but he is carrying a important message.

Think about this, we are lucky that Mark cared enough about OWASP that he spent his time documenting and talking about his issues and problems. We would be much worse if he had just ignored OWASP. In fact, I wish he blogged more about his ideas for OWASP since there are some great stuff in there :). He also talks to a lot of people about OWASP, specially from people who would like to be involved at OWASP but have not found their sweet spot. We need to hear those voices and find ways to connect to them.

Solution for fixing Spring's JPetStore AutoBinding vulnerabilities

noreply@blogger.com (dinis) — Wed, 09 Nov 2011 15:23:00 +0000

Here is an O2 blog post that describes my preferred solution for Fixing one of JPetStore's AutoBinding Vulnerabilities (changing the purchase price)

I have to say that as a developer doing the code fix, it was simply amazing and very powerful to have the complete web workflow of the shopping cart available as an automated O2 script .

This allowed me to quickly ensure that:

a) the app still behaved as it should (after the fix)

b) the vulnerabilities identified where properly fixed

What do you think of the solution?

Integrating Security into the User's Gui - In this case Rational AppScan Source in AppScan Standard

noreply@blogger.com (Dinis Cruz) — Tue, 08 Nov 2011 16:09:00 +0000

Based on an SI engagement I'm currently involved in, which is focused on the integration AppScan Source and Standard findings, here is a pretty cool PoC of what we are doing there:

What you have in the screenshot above is a PoC of showing AltoroJ's findings from IBM Rational AppScan Source (a SAST/WhiteBox tool) inside the equivalent findings from AppScan Standard (a DAST/BlackBox tool).

The core idea is that we should be presenting and integrating the information that we are able to create from the multiple tools we use (+ human knowledge) into the tools that the user is more comfortable with.

So in this case we have an DAST user (typical pentester) being able to leverage the analysis created by a SAST (Static Analysis) tool.

It is also a much better way to show and present these findings to developers, since we can immediately talk about how to remediable the code.

Another massive benefit from performing security reviews this way is that it really highlights the best (and worse) of both tools (i.e. what SAST finds and DAST misses, and what DAST finds and SAST misses)

Ultimately both SAST and DAST results must match :)

If you want to see how that PoC was created inside AppScan Standard, take a look at these two blog posts:

In ASP.NET, prevent XSS with automatic html encoding

noreply@blogger.com (dinis) — Mon, 07 Nov 2011 11:03:00 +0000

Yesterday when looking for the ASP.NET XSS mappings I found an article that presents a solution that I have been looking for ages: Changing the behaviour of the ASP.NET <%= tag so that it encodes by default.

Steve is the man, check this out: http://blog.stevensanderson.com/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/

His technique of hooking the compilation step is absolutely brilliant

If you look at the code:

He creates a class (SafeEncodingCSharpCodeProvider) that implements CSharpCodeProvider
in there he overrides GenerateCodeFromStatement(System.CodeDom.CodeStatement statement, TextWriter writer, CodeGeneratorOptions options)
then finds a CodeMethodInvokeExpression that is a Write
and wraps the parameter in a call to SafeEncodingHelper.SafeEncodingCSharpCodeProvider.EncodeHtmlIfNeeded

This is a massive step on the right direction, but there are a couple things that we should also take into account:

encoding is done with the HttpUtility.HtmlAttributeEncode which is not as sounds as the AntiXSSLibrary (note how he added an extra patch to encode ' )
we will need to take into account where in the page's HTML is the output going to be used (an HtmlElement, vs an Attribute, vs Javascript, vs CSS), and this can only be done with Static Analysis technology (SAST)

I also like the ability to change the framework the developer is coding on top, and make it secure by-default. This is another example of making security invisible since it allow us to add security in a way that it is invisible/transparent to developers. In that worlds, the devs only need to care about security when they are doing security-sensitive actions (which must still be supported, but should be the exception, not the norm).

One interesting question is where we want to do this change as a hardcoded compiler step (Steve's example), or do it directly on the code before it is compiled (as I show in the Fixing/Encoding .NET code in real time (in this case Response.Write) example)?

The future of secure code? Fixing/Encoding .NET code in real time (in this case Response.Write)

noreply@blogger.com (dinis) — Mon, 07 Nov 2011 11:02:00 +0000

If we really want to help developers to fix they code, we ultimately need to move all the way into their IDEs and actually provide them code-fixes in context!

A while back somebody asked me how to perform actually .NET code changes and patches using O2's .NET Static Analysis engine, and I wrote a little PoC that clearly shows how that can be done (and a preview of what the future looks like).

I just wrote a O2 blog post about it which you can find here:
http://o2platform.wordpress.com/2011/11/07/fixingencoding-net-code-in-real-time-in-this-case-response-write (if you have O2 installed just run the Fixing Response.Write.h2 script)

Here is a 20 sec video that shows this script in action:

I really like this concept and it is sort of similar to what Spring is doing with Roo (http://www.springsource.org/spring-roo) where the developer's code is automatically refactored in order to meet specific objectives

ASP.NET Anchor tag allows XSS payloads, is this a vulnerability on the .NET Framework?

noreply@blogger.com (dinis) — Sun, 06 Nov 2011 16:06:00 +0000

I just posted a blog entry on an O2 script I wrote a couple days ago that checked if the HREF tag in ASP.NET HtmlAnchor control is vulnerable to XSS: http://o2platform.wordpress.com/2011/11/06/checking-if-nets-htmlanchor-href-property-is-vulnerable-to-xss/

There are a number of really cool techniques on this script:

Render the Html Tag control in isolation (which will allow these tests to be run from vanilla UnitTests)
Quickly put Html content in a browser and see what it looks like
Quickly fire-up an .NET Webserver on a local directory, create a test *.aspx page, and see its contents (rendered from the ASP.NET server)
Test some payloads on the *.aspx page and confirm (or not) the exploitability of this control (a good follow-up script to write is to run the FuzzDB on this property and see which ones work)

Since it is safe to assume that the Href from an HtmlAnchor should not have " (and other dangerous chars) in its rendered text (it should be encoded), shouldn't this be classified as a vulnerability in the Asp.Net Framework? Specially since it bypasses the ASP.NET build-in validation.

Is this documented somewhere? I know there is (somewhere) a list of all ASP.NET mappings (so it should be there), but I just looked at the MS pages for the HtmlAnchor tag and there is no mention in there for the security implications of this:

New O2 main GUI (as 2.0 beta version)

noreply@blogger.com (Dinis Cruz) — Sat, 05 Nov 2011 17:46:00 +0000

I just pushed a new simpler GUI for O2 which will hopefully make it easier to quickly start using O2 and find useful scripts.

This is what it looks like:

Let me know what you think of it.

Do you like it?

Does it make it easier?

You can read mode details about this new GUI at Details of new O2 main GUI (as 2.0 beta version) and you can download the latest version of O2 from here

Using O2 to help an AppScan Source (and Standard) user

noreply@blogger.com (dinis) — Wed, 02 Nov 2011 22:25:00 +0000

Yesterday I had a great session with a potential SI customer where I was tasked to help them make the most out of AppScan Source resources.

The scenario is a very typical one for any SAST client (namely Ounce/AS.Source or Fortify):

They have a large .NET application, made of a large number of projects (i.e. big code base)
The app is quite complex and makes use of multiple messaging-buses to move data around (think of this has a more obscure version of getters and setters pairs)
There where a good number of AS.Source results (about 19k findings with 11k traces), but very few that actually make sense (to them)
The security team is made of really cleaver guys (who know how to code in C#) and with good understanding of how the app works (add as a bonus the fact that they actually want to improve the apps security (vs being compliant) and that they want to get good value from SAST+DAST tools)
Since the security team actually knows the app and what type of issues exist in there, they where very quickly able to look at the initial AS.Source findings and say

".... that is not good enough!'

a) there can't be THAT number of 'findings' and
b) I know for a fact that a number of those 'findings' are false' ..."

So after trying to get a number of good results via the 'official way' (i.e. using a bunch of IBM/AppScan guys), the IBM sales rep decided to bring in a company that he trusted in Boston (Security Innovation) which happened to have a guy in there that really knows how to get the most out of AppScan Source (me) with a toolkit that allows the easy development, test and deployment of the analysis customization that will be required to get this to work: the OWASP O2 Platform

The model that we are going to use on this engagement is one where:

I am going to create a customized version of O2 for the client which is going to be fully supported by SI
IBM makes a product sale
SI makes a service sale
and O2 gets a couple more tools and scripts (any new code that doesn't contain the client's apps information/structure will be committed back to the O2 code base).

I was there for most of the day, and here is what happened:

After the intros, the IBM and SI reps defined the working model where IBM would be focused on the product side and SI would be focused on the customization side
This meat that instead of having to deal with the normal road-blocks created by trying to get the AS.Source to work, we could move strait away into the solution part, ie using O2 :)
I started to explain my methodology, namely how I use O2 to analyse an application's structure and connect the dots, but since clearly they had no idea of what I was talking about looked like (and they had never seen O2), I decided to do a number of demos:
After firing up a projector, I showed them the O2 scripts with the analysis of the JPetStore (see Current O2 support for analyzing Spring MVC). This is the order that I showed this scripts:

launched the main O2 Script and showed how I could click on a link to start the local apache and hqsql server
make a couple simple browser-automation requests to the server to make sure it is working ok
opened up the O2 script with the exploits

executed the multi-step shopping card purchase without any payloads (just the normal JPetstore app behaviour)
executed the same shopping card purchase with the payload that allowed the modification of the total purchase price
executed the other exploit scripts (variations of the above)

then I opened up the script that showed the Spring MVC mappings, namely

all urls
urls mapped to source code
correct identification of the Command Class used on the Spring Autobinding
correct visualization of the real size of the CommandClass used on the shopping card (which is huge and allows for the manipulation of many more fields than the ones exposed in the web gui, like for example the setTotalPrice)

.... Now they were getting into O2 .... and since the main guy from their security team knew how to code in C# he was able to write most of the scripts I talk about below (with my guidance and help on the best O2 APIs to use :) )
While we (me and a great friend from IBM that was there as a technical resource from IBM) grabbed a coffee, they installed O2 and found a test version of the target website that we could use (he also copied the O2 Click-One installed files and O2 scripts into another Box which didn't had direct internet access (ie. you can run/install O2 without the click-once installer))
Now we were ready to go and we started with the O2 Quick Development GUI writing a script that:

retrieved all files from a particular directory
added a treeview to the 'panel' control (from the O2 Quick Development GUI)
added the files to the treeview
added a source code viewer to the panel control
configured the treeview to show the file contents when the user clicked on one of its nodes
made the script run on a popup window (instead of the panel control)
saved the script on a local folder (as an *.h2 file)
clicked on that *.h2 file to see how this script had just become a stand-alone tool

By now they were staring to get the really power of O2 for fast prototyping and mini-tool development
Then we moded into the O2 IE Automation control script and:

created a script that would open their website
retrieved the list of fields
found the field that controlled a search function
populated that field (programatically) with a specific value
tried to find the submit button but it was not there (it was an image with a link)
injected jQuery and FirebugLite into the IE object so that we could use it to find the search button (i.e. image with link) id
once we knew that id (back in O2) get its reference and click it (programatically)
now that we had a working search automation, we created a inner lambda method so that it could be invoked with just a method call: search('....')
tried to show how O2 FuzzDB could be used to easily run a batch of XSS or SQLi test strings on that automation, but their firewall rules prevented the download of it :)

ok... and that was just on a couple hours, ... with him coding now me ... :)
The next script was more interesting, we went back to the first script (the one where you could click on a treeNode and see its contents) and did this to it:

changed the location path to be root of the app we were looking at
changed the search extensions to be *.asmx, *.asmx, *.ashx
added a web browser so that we could also see the web page that was related to that page (this was done by simply doing a search and replace of the root path with a url)
added an extra source code viewer so that we also could see the source code of the .cs page, ie:

user clicked on c:\...path...\webroot\page.aspx (in the treeview on the top left) and
open in browser (top right) the web page http://....test...site.../page.aspx
open in source code viewer #1 (bottom left) the file c:\...path...\webroot\page.aspx
open in source code viewer #2 (bottom right) the file c:\...path...\webroot\page.aspx.cs

... Now they were getting really excited... . What what happening was that they were realising/visualizing that the real power and uniqueness of O2, is not on the ability to write such scripts (you can do that in Visual Studio or Eclipse given enough time), but in the ability to do it in such interactive environment and speed (during the security review engagement)
Next we went back to the AS.Scan results and started reviewing them (using O2's *.ozasmt file viewers which are super fast and interactive)
Once we had a couple interesting targets and realized that we had good traces for the web pages we were looking at before, we made the following changes to the previous script

add support for loading up *.ozasmt files
add support to cache the loading up of *.ozasmt file (which not only made the multiple 'code changes + auto compile + execution' cycles much faster, but it also keeped the memory consumption of the O2 process under control :)
added a *.ozasmt findings viewer to the main gui (we put it on the top right)
created a Lambda function that was able to create a filtered view of the findings loaded based on a file name (this was basically a foreach loop that returned a match for findings that had a trace from that file)
modified the afterSelect event of the treeview to also call the findings filtering lambda function (and viewer), and
.... finally we ended up with a pretty sweet tool, that when the user selected a particular *.aspx, it would :

show its web pages
show both is source code files (*.aspx and *.aspx.cs)
showed all findings that were related to that file

By now we were running out of time, but I got the feeling the they really got a taste for the type of analysis that can be done with O2 and AS.Source
They also started to see the power of having a large number of AS.Source findings since that can be of enormous value when looking/analysing sprecific parts of the application (btw 11k traces are nothing for O2 , it can handle 100k or even 1M traces :) )
One of the steps that needs to happen over the next week or so, is that my good IBMer friend will work with them to add the missing taint rules (namely Sources and Sink) and rerun the scans (one key problem that was happening is that due to the large number of abstraction layers the AS.Source was missing both sources and sinks on lots of key parts of the application (i.e. creating no traces))

As a side note, they were also having lots of problems with a big 5Gb AppScan Standard file.

I wanted to take a look since O2 has a parser for it, and part of the exercise is to connect the AppScan Source findings with the AppScan Standard findings (i.e. urls to source code).

When I asked him to unzip that 5GB (*.scan) file and just give me the internal findings file (which is a FireBird DB), he asked me '... unzip what?...' (i.e. he never looked inside an AppScan Standard results file!)

This is quite crazy, since there is so much good stuff in those files that I'm sure will be useful for him when performing manual+automation app reviews (I wonder how many AppScan Standard users actually know that it's possible to access those resources)

Btw, the O2 script that we wrote stayed at their offices, but since that is quite a generic need (map *.aspx pages to website and source) I will write a generic version of it to show what it looks like (in fact O2 already has a more advanced and complex version of that script, which also maps *.aspx to *.ascx which I used and developed in the initial stages of my TeamMentor coding (i.e. when I was trying to figure out what was going on))

I know that some people will look at what we did yesterday and wish that was not needed, unfortunately in the real world all apps are different and if we don't have the ability to create workflows like the one described here, we will always struggle to understand how the app work (and get the best out of the tools we have).

As a final point, what also happened yesterday (and always happens when I show these capabilities/scripts to security teams or devs), is that they were also seeing the opportunities to use this for more than security (specially to create bridges+dialogues with development/QA teams)

But that is topic for another blog post.....

Unit Tests to detect problems with site and content integrity

noreply@blogger.com (dinis) — Wed, 02 Nov 2011 15:24:00 +0000

So with the public launch of TeamMentor Beta I now have a nice problem to solve:

"How to write UnitTests (Browser Automation and WS driven) that test for the valid state of the TM test websites (http://50.19.221.68:90 and http://50.19.221.68:91) and ensure that they have not been spectacularly modified, modified or hacked :)"

Here is a list of what I would like to keep an eye on or do:

Is the website still up?
What about its response time?
Do the normal N user activities still work? (open page, view content, login, edit content)
Is there any malicious content on the TM websites? (namely on the changes recently changes)
Activity logs and detect malicious/weird activity?
How to automatically rebuild the server (maybe every day)?

All these should be written as UnitTest and executed on demand (or in a schedule). Sounds like a job for O2 :)

Humm, it looks like I really need to add AppSensor capabilities to TM, since that would allow some of these tests/activities to be detected in real time :)

TeamMentor v3.0 Beta is out of the bag (try it or download it now)

noreply@blogger.com (dinis) — Wed, 02 Nov 2011 13:32:00 +0000

Last night SI (Security Innovation) released the public beta of the product I have been working for the past 7 months. It is called TeamMentor (TM) and it is a web based tool to create and distribute security knowledge.

There are lots that I want to talk about this project (specially since O2 was used for its development and there is product is a great case study of the power of O2 when used as a developer-helping tool). Also, SI is more than happy for me to talk about the internals of TM, how it evolved and its architecture (which is a rare thing in product companies)

So to kick start this, here are the main links:

you can try it online here (login details below):

http://50.19.221.68:90 - with the OWASP Top 10 Library (with 244 Guidance Items)
http://50.19.221.68:91 - with the SI Library (with 3365 Guidance Items)

if you want to run TM locally you can download the latest binaries and source code from:
OWASP Library - TeamMentor Beta (Tuesday, November 01, 2011).zip

this is hosted at https://github.com/SecurityInnovation/TeamMentor-3.0-beta/downloads which also contains a download for the TM version with the SI Library which is password protected (ping me if you want the pwd))
note that the TM OWASP Top 10 Library is released under a Creative Commons license and it is available here: https://github.com/SecurityInnovation/OWASP-TeamMentor-Library

Here is the maling list which you can join to receive the lastest news or to ask questions: https://groups.google.com/a/securityinnovation.com/group/teammentor

Here are the login details (note that the editor role change change all content, so try to be gentle with the version online :) )

Administrator - admin/changeme
Reader - Reader/changeme
Editor - Editor/changeme
Developer - Developer/changeme

If you download the TM code and want to run it locally, once you unzip it:

Launch the server but runing either the "Start NET35.bat" file or the "Start NET4.bat" file ( use the one that works for you).

Give it a couple of seconds to load. An icon in the system tray should appear, indicating that the "Cassandra" server is running.
Please, note that the "Cassandra" server does not bind to external interfaces by default, so it will only be available on the local machine when started from the bundled scripts.

Open the site. A web browser should open automatically on the main page.

The page might have to be refreshed if the server does not load quickly enough
The home page will either http://localhost:12345 or http://localhost:12346

If you find bugs or security issues, please add them here: https://github.com/SecurityInnovation/TeamMentor-3.0-beta/issues (this is beta so I expect you guys to find good stuff in there :) )

Let me know what you think of TM :)

First Answer to: Why doesn't SAST have better Framework support (for example Spring MVC)?

noreply@blogger.com (Dinis Cruz) — Tue, 25 Oct 2011 17:31:00 +0000

A couple days ago I received the question and asked here on this blog Why doesn't SAST have better Framework support (for example Spring MVC)? (if don't don't what SAST means, see What does SAST mean? And where does it come from?)

I wrote the answer below on that day, but since I also posted this question to the O2 mailing list I wanted to give some space for others to chip in with their views (which they did, namely John Steven who I will reply to later):

There are a number of reasons why the tool vendors have not been able to provide decent (or even any) wide Framework Support on their tools

Note that this is not for lack of trying, for example the latest version of AppScan already supports WAFL (Web Application Flow Language) which is their attempt at creating a Framework descriptor language, HP is doing interesting work in their integration of WebInspect+Fortify and there are a couple new players (like WhiteHat, Veracode, Armorize) that claim will do a better job.

For me, the key problem that all tools have (not only SAST, but this is critical in SAST) is that they are all trying to find a 'big red button' while ignoring how the app actually works/behaves. They basically want to create a product that can just be pointed to an application and work.

The problem with this approach is that all apps are massively different!

The apps themselves are build on top of MASSIVE frameworks (from a point of view of their behaviour), and even when they use common frameworks (vs writing their own frameworks), the way the actual code flows tends to be quite unique per app.

So by trying to treat the "Application Behaviour' as a black box, and choosing NOT to try to (really) understand/map how it works (beyond the default Java/.NET functionality or whatever 'Framework Support' they are able to have), these tools are trying to climb a mountain that is far too big and complex.

My approach with O2 has been "I know I will have to map how the application works/behaves and that I will need to create (from the source-code or dynamic analysis) an working model of its real code/data-flows, and while I'm there, also create a set of rules for the tools that I can use. My only question is: how long will it take to gain the level of visibility that I will need in order to be able to do a good job". This is what I call 'playing the Application Visibility game'

Basically with O2 I'm climbing a complete different mountain.

Lets take for example Spring MVC. The first things I do when looking at a Spring app are:

review the source code in order to 'codify' how the controllers are configured and what is their behaviour (namely the URLs, Command Classes and Views).

paying special attention to any 'Framework behaviour modifications', for example filters, authentication/authorization engines, or even direct spring MVC code patches

then I continue these mappings into the inner-working of the application in order to identify its 'hyper jumps' (reflection, aop, setters/getters, hash-objects-used-to-carry-data, web services, data/storage layers, other abstraction layers, etc...) and 'data changing' steps like validation or object casting.
then I map out the connection between the controllers and the views (which is very important because we can't assume that there will be path into all views from all controllers)
then.... (next actions depend on how the app is designed and what other APIs or Frameworks are used)

When I'm doing these steps, I (using O2) tend to do three things:

Create mini tools that visualize what is going on (for example url mappings to controllers, or the complete command classes objects )
Create Browser-Automation APIs that represent the expected behaviour of the target application (how to login, how to perform action XYZ, how to invoke a Web Service, etc...)
Mass create rules for the tools available (for example I used to create 1000s of Ounce rules so that I would get the most of its Engine by getting it to create as many taint-flow traces as possible

So yes, I'm coding all the time

The only difference between engagements, is that I'm able to build on the technology developed on the previous engagements.

Again using Spring MVC as an example:

First time I saw Spring MVC I had a script that did a dirty read of the XML files and extracted some metadata (with a lot of manual mappings)
On next engagement I was able to add support for Java bytecode analysis and analyse the Spring MVC attributes (used to mass create Ounce rules)
On next engagement , I was able to start visualizing the Command Classes and created an generic API for Spring MVC (with specific classes/objects to store Spring MVC metadata in a way that made sense to us (security consultants))
On next engagement , I added a number of real powerful GUIs, improved the CommandClass resolution calculations and did a bunch of mappings between controllers and viewers
On next engagement , I already had most of the core Spring MVC behaviour scripts in place, so I mainly focused on what specific about the application being analyzed

As you can see, although there is always some level of customization, its amount (and skill level) is reduced on each interaction (and this is how we will scale this type of analysis).

So to play this game (and to be able to do this type of analysis), this is what is needed from the tools used (in this case SAST)

Ability to write scripts that directly control how the tool works

Ideally most of the tool's analysis capabilities is written in 'dynamically compiled scripts' so that it is possible to modify/adjust them to the current reality (created by the application being analysed)

Ability to have direct access the tools internal capabilities via exposed APIs
Ability to start and stop each analysis phase (with each phase providing a modifiable dump of its internal representations and analysis so far)
Ability to consume, feed and correlate data from all sorts of sources: file system, config files, black-box scans, fuzzers, real-time instrumentation, security consultant's brain
Ability to mass create/manipulate rules
Ability to write rules as scripts AND in a fast-prototyping language like: C#, Java, Python, Ruby or Javascript (i.e. not in C/C++ or XML)
Ability to easily 'process, filter and visualize in real-time' thousands if not millions of findings (created by the large number of rules applied)
Ability to create rules that analyse the thousands if not millions of findings findings created (i.e. create findings from findings)

this is the ability to perform multi-phase analysis, each using different rules/techniques and targeted at a different types of vulnerabilities (for example SQL Injection vs Direct Object References)

Ability to visualize the data that was created (in its multiple stages of maturity) so that a security consultant (and/or app developer) can help to connect the dots (with more scripts or config settings)
Ability to add 'business logic analysis' to the findings discovered. (for example when taking Authorization and Authentication activities in account, an 'direct SQL execution' or 'file upload' security vulnerability finding in an admin panel, might actually be a feature)
Ability to re-package the final findings into the SDL tools currently used by the client (bug tracking, collaboration, IDEs), in a way that makes sense to the client (i.e. using their terminology and workflows) and is immediately consumed
Ability to package all analysis (and rules, workflows, scripts, etc...) into a single execution point (i.e. an *.exe). This is the 'big button' that can be inserted into the Build process
Ability to execute individually the complete analysis required to confirm (and ideally to exploit) a particular issue. This is the 'small button that can check if ONE issue has been fixed'

And here you can see why the SAST tools really struggle with frameworks, because they don't want to play this game. Ironically the end result is the same 'big button to press and get solid results' , the only difference is how to get there.

My personal view (backed by real world experience) is that this is the only way that 'good enough' framework support can be added to a SAST tool in a way that it will actually be usable by developers.

Note that I said 'good enough', because usually the comment I receive when explaining that we need to do this is "..well but only you (Dinis) wants this... and what we (tool vendor XYZ) wants to do, is to provide 'Good Enough' support ".

Unfortunately for the tool vendors, I'm not asking for them to create a tool that would only add value to a small number of 'expert security consultants'. I'm describing what they will need to do in order to add 'good enough' support for frameworks to their tools. Only then security consultants and app developers can customize those tools and deploy them to a wide audience (finally being able to have 'decent support' for the frameworks used and the target apps). The cases where there is no need to customize the engine (or rules) should be seen as 'free passes' (i.e. easy sales)

The bottom-line is that, if the path chosen by the tool vendors really worked, then today (Oct 2011), we should have much better Framework support in our tools. The reality is that we don't even have in our current SAST tools decent support for vanilla Java or .NET language behaviours (for example: reflection, collections, arrays, base-classes behaviour). And part of the reason of currently struggle with Java or .NET, is because its core libraries are in itself a Framework :)

The good news is that I have shown with O2 how my proposed model can work in the real-work. It was done on top of an Open Source platform (O2), and it is out there for others to learn and copy

Unfortunately, I am one of the few O2 users that can really do this, so the next step is to find a way to scale O2's techniques/usability and help SAST (and others) tools to develop/expose similar technology and wokflows.

Finally, the other reason why the tools vendors are not doing this is because there is very little 'public' (i.e. 'on the record') customer demand for this! Those nasty NDAs have a powerful side-effect on buyers (and end users) who won't publicly say what they really think.

So in some ways, it is not 100% the vendors fault. They tend to react to their paying customers needs, who (since they can't say "the tool doesn't really work in my environment") tend to ask for thinks like: "You need to be able scan XYZ Millions of line of code", "You need to have support for Oracle databases", "you need to have a report for the PCI XYZ", "You need to support language XYZ", etc...

Add to this the fact that SAST vendors :

don't see the security consulting companies (who would ask for the capabilities described above) as their partners (i.e. they try to get as much money from them as possible),
want to control all/most the technology that they consume/create
don't have enough paying customers that put them to the ropes and demand that their tools really work
still believe (or want to believe) that their tools actually work
don't have to deal with the side-effects of 'applications scanned by their product got exploited by malicious attackers' (i.e. got sued by their clients or by the attacker's victims)

and you have a world where the SAST vendors don't have an direct incentive to go down this path.

Note that some paying customers DO get some value from the current SAST tools (the ones that don't have SAST tools as shelfware). And since there are no popular alternatives (O2's market share is still very small :) ), these customers are resigned with the current status-quo (the others are trying to ignore the fact that they spent a pile of money of a tool that they have not found a way to work in their environment, or are trying to hire a consulting company to make it work).

The tragedy is that SAST's marked could be enormous!!!

Just imagine that we were able to use SAST tools in a way that they were really able to map/visualize/analyze an entire code/data flow, and create 'solid, defensible and comprehensive' results (with very low False Positives and False Negatives)

Don't you think the developers (and managers architects, buyers, consumer groups, government agencies, etc..) would be ALL over it?

This is what I am to say in my 'Making Security Invisible by Becoming the Developer's Best Friends' presentation. If only we could be the developer's best friends by showing them how their app actually works and what are the side effects of their code :)

Mea culpa: How I abused the OWASP rules on presenter's slides

noreply@blogger.com (Dinis Cruz) — Tue, 25 Oct 2011 17:14:00 +0000

After I posted my presentation and slides the OWASP Brazil AppSec presentation on "Making Security Invisible by Becoming the Developer's Best Friends" , I was reminded that a couple slides on that presentation break the OWASP rules for conference presentations which are very well established.

In fact, they’re right in the speaker agreement, which I totally violated.

"...Speakers are encouraged to include their contact information when introducing themselves, but may NOT include their logo on any visual and handout materials. Speakers are to avoid any appearance of commercialism in their session and presentations are to be of a technical or solutions emphasis. Further, I understand that the program tracks of the conference/event/chapter are an educational event, not a sales or marketing platform. I agree that my presentation(s) will be an objective review of the topic on which I am presenting, and will not contain any content that is a sales or promotional pitch for any specific product(s) or company(ies). My materials will also be reflective of the current status of the topic(s) I am addressing...."

Clearly the initial slide about SI breaks this, and my mistake was in thinking that tagging it with an 'Advertising' tag made it better (the next slides, although covering Common Criteria content released free by SI, in hindsight are also, too much on the marketing/sales side).

And yes, although there have been worse offenders in the past, that is no excuse and I should know better.

Sorry for this...

(I'm currently in a location with slow internet connection, but once I'm back to land I will update the slides accordingly)

What does SAST mean? And where does it come from?

noreply@blogger.com (Dinis Cruz) — Sun, 23 Oct 2011 07:03:00 +0000

After I posted Why doesn't SAST have better Framework support (for example Spring MVC)? I received the question "What is SAST?" (which is a valid question since a Google search today for SAST returns some hilarious answers)

SAST means Static Analysis Software Testing , and (I believe) it was originally coined by Gartner when they published their Magic Quadrant for Static Application Security Testing report (first version in 2009).

SAST is basically what we usually (in the web world) call Static Analysis of source code (i.e. White Box tools). It cousin is DAST (Dynamic Application Security Testing) and is what we call Pentesting (i.e. BlackBox tools). Google's DAST search results are also funny. Here is a more detailed answer on the difference between SAST and DAST.

As you will seen in Gartner's website, they change for this report, but some companies have bought them and posted/leaked the PDF online (in a way that Google finds it)

1st edition: 6 February 2009 here
2nd edition: 13 December 2010: here and here (linked from http://www-01.ibm.com/software/rational/info/gartner-security/)

Here are couple other blog entries about this:

Back on the topic of Framewoks, Neil MacDonald (from Gartner) is absolutely spot on in this 2009 entry: For Static Application Security Testing, Frameworks Matter

Btw, I wonder when will the O2 Platform be included in a Gartner Magic Quadrant report?

Why doesn't SAST have better Framework support (for example Spring MVC)?

noreply@blogger.com (dinis) — Sat, 22 Oct 2011 23:04:00 +0000

I received this question today, and before I answered it, I was wondering if you guys wanted to have a go at it first:

"...I was reading over some of your blog entries, that made me thinks about the current state of SAST regarding the current frameworks.

I've been aware for a long time that SAST do not handle properly framework-level information. In the case of Spring MVC, the tools just don't get the data flow, etc.

Since you worked at Ounce before, do you know any particular reason why they didn't want to fo into that direction? I mean, this is a solvable problem (you somewhat show how to do that in O2). Even if they would need to implement new front-ends, this is still a very important task to be done if they wanted to compete directly with Fortify (especially since F. doesn't get it either)....

For reference here are some of my previous Framework (i.e.Spring MVC) related posts:

Current O2 support for analyzing Spring MVC
What needs to be done to map Static Analysis Traces from Controllers and Views
http://o2platform.wordpress.com/category/java/spring-mvc/ (numbers of code samples at O2's blog)
In this (longish presentation) I also talk about some of the challenges that we have in supporting frameworks: http://www.slideshare.net/DinisCruz/owasp-o2-platform-november-2010

What do you think?

[Update blog post: What does SAST mean? And where does it come from?]

Mozmill looks really interresting

noreply@blogger.com (dinis) — Sat, 22 Oct 2011 01:13:00 +0000

Anybody tried Mozmill? https://developer.mozilla.org/en/Mozmill and https://developer.mozilla.org/en/Mozmill/First_Steps/Tutorial%3A_Introduction_to_Mozmill

It looks very powerful and it could be a great way to write 'browser-based usability+security unit tests'

O2 needs to support it :)

Example of O2 being used to create a PDF from a list of users

noreply@blogger.com (dinis) — Sat, 22 Oct 2011 00:59:00 +0000

One of the powers of O2 is that is allows the automation of repetitive tasks via scripts

This usually means automating some Web Vulnerability Browser workflow or an specific Static Analysis of source code.

In this case what we have here is an non-professional programmer or security consultant, Sarah Baso from OWASP, writing/customizing an O2 script to batch create the attendee and speaker participation certificates of the OWASP AppSec Brazil.

I think Sarah based her code on this 2010 O2 Script: Creating PDFs with OWASP AppSec Brazil Certificates.

Here is what the 2011 version (of a PDF created from a DB list of users) looks like:

I need a .Net and JQuery developer based in London

noreply@blogger.com (dinis) — Thu, 20 Oct 2011 22:49:00 +0000

Let me know if you are or know of a great .Net and JQuery developer in London.

SI is going to hire an extra resource to work with me on TeamMentor so please connect the dots :)

Microsoft All-In-One Code Framework (should the OWASP .NET community be involved?)

noreply@blogger.com (dinis) — Thu, 20 Oct 2011 22:28:00 +0000

Anybody tried the Microsoft All-In-One Code Framework ?

It looks like a way to distribute sample apps (for example this ASP.NET AJAX web chat application ) and I wonder how much security thinking (and review) has occurred?

If we are looking for a place to help .NET developers to write secured code, maybe this is a great place for us (OWASP) to be involved.

What do you think?

A comment on "Making Security Invisible by Becoming the Developer's Best Friends"

noreply@blogger.com (Dinis Cruz) — Thu, 20 Oct 2011 00:29:00 +0000

After my "Making Security Invisible by Becoming the Developer's Best Friends" post, Daniel posted a reply on his blog, and here are my comments on it (as posted on his blog):

Hi Daniel, Thanks for your comments, I think you make a good representation of the security camp that defends that "security is EVERY developer's business" which although well intended, unfortunately doesn't scale, and, in fact it doesn't work.

We will never achieve secure applications at a large scale if we require ALL developers (or even most) to be experts at security domains like Crypo, Authentication, Authorization, Input validation/sanitation, etc...

Note that I didn't say that NOBODY should be responsible for an Application's security. Of course that there needs to be a small subset of the players involved that really cares and understands the security implications of what is being created.

The core idea is that developers should be using Frameworks, APIs and Languages that allow them to create secure applications by design (where security is there but is invisible to developers). And when they (the developers or architects) create a security vulnerability, at that moment (and only then), they should have visibility into what they created (i.e. the side effects) and be shown alternative ways to do the same thing in a secure way.

The other idea that I'm trying to push our (the application security) industry to adopt, is this concept: "One can't protect/analyze what is not understood, so application security teams create models (and tools) that help them to visualize and understand how the apps works, and since this 'application visualization metadata' is also VERY valuable to developers, let's work together (devs+qa+appsec) so that we can embed application security knowledge and workflows into the SDL"

For example, a very good and successfully example of making security 'invisible' for developers was the removal of 'buffer overflows' from C/C++ to .Net/Java (i.e. from unmanaged to managed code). THAT is how we make security (in this case Buffer Overflow protection) Invisible to developers

If you are looking for an analogy, "a chef cooking food" is probably the better one. Think of software developers that are cooking with a number of ingredients (i.e. APIs). Do you really expect that chef to be an expert on how ALL those ingredients (and tools he is using) were created and behave? It is impossible, the chef is focused on creating a meal. Fortunately the chef can be confident that some/all of his ingredients+tools will behave in a consistent and well documented way (which is something we don't have in the software world). I like the food analogy because, as with software, one bad ingredient is all it takes to ruin it.

Webinar on 'How to Break Web Software Security'

noreply@blogger.com (dinis) — Wed, 19 Oct 2011 16:19:00 +0000

Tomorrow (20th October) I'm delivering a Webinar on the topic of 'How to Break Web Software Security' which will cover a number of Application Security vulnerabilities (and live demos)

You can read more details about this webinar and register here http://web.securityinnovation.com/webinar-october/

-------------------------

Webinar abstract:

More than 80% of attacks happen at the application layer and network security isn't the answer. To compound the problem, Web applications employ specialized protocols and languages and suffer from unique problems that very quickly and easily lead to vulnerabilities for the uninformed.

This Webcast will describe and present techniques for breaking (from a security standpoint) web applications and learn methods of mitigation. This talk covers all of the basics (SQL injection, XSS, etc.) but goes beyond that to more advanced and sinister attacks.

Topics Covered:

Why the web is different and what this means to testing
Dangers of web services
How to think about security vulnerabilities in web applications
Techniques for information gathering, client-side attacks, state attacks, data attacks, language attacks, server attacks, authentication attacks