Friday, 18 July 2014

Wednesday, 16 July 2014

From NUnit AppDomain, accessing properties and invoking methods on 'Serializable MarshalByRefObject TeamMentor objects' (hosted on Cassini's AppDomain)

After the post How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance), it was time to start accessing internal TeamMentor objects from the NUnit AppDomain.

The main change I made was to add the [Serializable] attribute and the MarshalByRefObject base class to the TeamMentor (TM) objects that I want to consume (i.e. access data on and invoke methods of) from NUnit tests.

Here is an example of what this looks like in one of TM's main data classes:

Tuesday, 15 July 2014

How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance)

A question I received after posting The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain was 'Ok, that is interesting, but how fast is it?'

That is actually one of the 'THE' key questions, since if we want to be able to create NUnit tests that use newly created Cassini-driven websites (i.e. a new Cassini server per test or test class) they have to be fast.

Ok, so how 'fast' is fast?

Well, in my book, that is either less than 1 second (for quick tests) or 10 seconds (for more complex setups).

More than that, and it is not practical to run those tests from NCrunch (or even manually via ReSharper/NUnit GUIs).

The good news is that (as you can see below), I was able to execute an 'NUnit-Cassini-driven' test in:
  • 6 sec: via NCrunch (consuming a TM instance with 0 libraries)
  • 7 sec: via ReSharper (consuming a TM instance with 3 libraries)

The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain

As you can see at the end of How to debug a Cassini hosted website and the UnitTest that uses WatiN to automate that hosted website, although I was now able to start Cassini in the current NUnit process, I still did not have direct/native access to the running objects of that website.

Basically, what I wanted was to be able to programmatically access the live TeamMentor (TM) objects from an NUnit test (note that both are running in separate AppDomains).

Not only would this make some of the tests I want to write possible, it would also let me set up specific test environments much faster (for example, cases where I need a number of users to already exist in TM).

The key problem is that after starting the 'TM website running inside Cassini, triggered from the NUnit test' I was left with two AppDomains:
  • The NUnit AppDomain running the NUnit Test and the Cassini Server
  • The Cassini AppDomain running the TM website

In practice, what I wanted was to be able to access and edit one of TM's objects (for example TeamMentor.Schemas.TM_Config) from the NUnit test.

And that is exactly what I was able to do :)

Friday, 11 July 2014

How to debug a Cassini hosted website and the UnitTest that uses WatiN to automate that hosted website

One of the cool new capabilities that I'm using when writing QA Automation scripts for the latest version of TeamMentor is https://www.nuget.org/packages/FluentSharp.CassiniDev, which allows the execution of an 'in memory' version of Cassini (hosting the full TeamMentor website) in the same process as the Unit Test driving the IE automation of the hosted website (using FluentSharp.WatiN).

In practice, what this means is that the UnitTests are executed in the same process as the main TeamMentor Website. This is something that I have wanted for ages, and the key capability I gained from it was the ability to debug both the live website and the UnitTest in the same session.

Let's see it in action.

Using WatiN and Embedded Cassini to run complex TeamMentor Automation (Create and Delete a Library)

Here is a QA Automation script I created today which performs a number of Integration Tests on the new version of TeamMentor.

These are the main moving parts (of the QA Environment and script):
  • Using an embedded WatiN IE window inside a WinForms window to drive Cassini hosting a .NET 4.5 website (this 'popupWindow' was actually opened from a UnitTest :) )
  • Driving the IE browser using a number of FluentSharp ExtensionMethods
  • A number of waits for links to exist (needed due to the Ajax nature of TeamMentor)
  • When needed, directly querying javascript variables ('window.TM.WebServices.Data.AllLibraries.length') and invoking core TM Javascript APIs ('window.TM.Gui.LibraryTree.remove_Library_from_Database')
  • Use of Lambda methods to create a basic TM API (login, logout, open xyz page, trigger complex workflows, etc...)
Here is what this test QA environment looks like:

Friday, 20 June 2014

Please come and play with the OWASP Band at AppSec EU at the CB2 (Tuesday 24th, 7pm)

Next week the OWASP Band is getting back together and, as always, we need players.

So, if you are coming to the conference (or are in the area), please let me know (ASAP) what instrument you can play, and I'm sure we can find a way to make it work.

Due to Adrian's relentless efforts there is a full PA + Amps + Guitar + Bass + Keyboard + Drums available; what we now need is players :)

The show starts at 7pm and we will do the soundcheck (i.e. the rehearsal) from 5pm.

The venue is the CB2 (http://www.cb2bistro.com/contact.html) which is just walking distance from the main conference location:

Sunday, 1 June 2014

Bypassing asp.net request validation detection, but is it a vulnerability?

Defence in Depth is a good strategy, especially since one of its core principles is the idea that some of the security measures applied will fail. The problem with NOT doing defence-in-depth coding is that if there is a way to bypass the security control, then the app can be exploited.

Asp.NET Request Validation is one of those security measures that can sometimes backfire, since it can end up being used instead of (context-aware) output encoding of the data shown to users (i.e. that 'outside-of-the-application security filter' provides a false sense of security).

But since fixing vulnerabilities has a real cost, one must be able to make the business case for the fix (i.e. show that there is a significant risk for the target application).

For example, do you think that the following scenario is a 'real vulnerability' (which should be fixed)?
  • Asp.net website has Request Validation Enabled
  • There is a page with a reflected XSS (quasi)vulnerability
  • There is a bypass for the Request Validation that only works in IE
  • On the scenario where Request Validation can be bypassed (in IE) the same IE version is able to detect it via its current Anti-XSS detection (and disable the payload)
This is one of those cases where, although there is a 'vulnerable' page, the number of affected users is very small, so the interesting question is: is there a business case to fix the vulnerability?

I think a more interesting (and relevant) question is: Is this a one-off vuln, or are there other XSS vulnerabilities in that website, especially persistent XSS vulns?

Friday, 30 May 2014

Game to learn how to find XSS Bugs (by Google)

As you can see on https://xss-game.appspot.com and read in Google Launches Game to Teach XSS Bug Discovery Skills, this could be a really interesting way to reach developers.

I will try to give it a test drive and see how easy/hard it is.

I wonder if this could also be used to teach kids about application security (and how fun it can be to break it :)  )

I'm delivering "Writing Secure Java EE Web Applications Training Course" (June 19,20 in London)

Next month I'm teaching a 2 day training course for JBI here in London, on the topic of "Writing Secure Java EE Web Applications Training Course"

As the description mentions (see below), this is going to be a highly interactive course, where I will customise the course depending on the attendees experiences, knowledge and focus.

The cost is £1,500 GBP and if you are interested, you can use the form on this page or ping me directly (so that I can put you in touch with the right guys at JBI).

Here is the blurb I wrote for this delivery:

XSS PoC on Lync 2010 (using C# WebClient, WebBrowser and WatiN)

Today I needed to write an O2 C# script that was able to put an XSS payload in the UserAgent header.

This was to write a PoC for the Microsoft Lync 2010 server, which is (quasi)vulnerable to anonymous XSS via the UserAgent header (the payload lands inside Javascript).

This is a known and accepted issue, which has been previously reported to and accepted by Microsoft, and which in 2014 is much harder to exploit:

Here are the PoCs I wrote (also on this gist (embedded below))

Thursday, 8 May 2014

Watching Google crawl the TeamMentor site (10m after a blog post)

This is really interesting and telling of Google's crawling speed and updates.

I posted What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor") 10 minutes ago, and while looking at the new 'TM 3.4.1 real-time TeamMentor Activity' viewer, I noticed a number of 404s:

What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor")

(Earlier today I was asked "What are the most compelling use cases for TeamMentor" and here is my answer:)

There are a couple of pages on SI's website that cover some of the common use cases: see here and here.

I think the main use case is in 'answering Developers'/Testers' questions'.

I like to think of the workflow as "Don't copy and paste from Google, copy and paste from TeamMentor".

For example, take a look at the .NET 4.0 library (direct link here), if you filter by 'Code Example'

Friday, 2 May 2014

Some hacking for the weekend (with an AppSensor and O2 Platform flavour)

(originally posted to the OWASP leaders list)
---------- ---------- ---------- ---------- ---------- ---------- ---------- 

As you can see on Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job), I'm inviting the world to hack the app I have been working on for the past years.

You can either do a pure black-box test (on https://tm-appsensor.azurewebsites.net ) or look at the source code (clone from https://github.com/TeamMentor/Dev and run locally or in Azure (only needs .NET 4.0, no DB install required)).

There is quite a lot of OWASP influence in this release of TeamMentor, from the O2 Platform FluentSharp libraries (which make me a lot more productive as a developer), to the AppSensor-like features (see below) and the multiple OWASP-inspired coding strategies used to keep the app secure (look for example at the ASMX and WCF security tests or the .NET Security Demands).

What is really cool, and what I'm very excited about, is the first pass at adding AppSensor capabilities to this app.

Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job)

TeamMentor (TM) is the project I have been the main developer on for the past couple of years, and as we approach another release (v3.4.1), I would like to invite you all to have a go and hack it (i.e. find security vulnerabilities, report them to us, learn a bit and maybe even get paid or get a job offer :)

TeamMentor is a web-based Security KB with tons of prescriptive security guidance, how-tos and guidelines. It is built on C# .NET 4.0 and jQuery with a bit of AngularJS, and you can see it in action at https://www.teammentor.net (you can create an eval account and have access to the entire content for 15 days).

Friday, 11 April 2014

From Azure to Firebase: Could not establish trust relationship for the SSL/TLS secure channel.

UPDATE (16/Apr/2014):  Following a lead from the Firebase Support it looks like the problem could be inside Azure for all SSL, since "https://www.google.pt".GET(); also doesn't work.

Just had a really weird scenario happen to me in the last couple hours, which could be somebody hacking Azure (but I think there is a more benign explanation)

The new version of TeamMentor (currently in 3.4.1 RC0) has a really cool real-time log/activity viewer which uses Firebase to push and pull data (from a 'configured TM server' into 'multiple browser-based viewers').

For a while all was good (both locally and in Azure), but in the last couple hours, I noticed that the 'data push' stopped working (i.e. my test version of TM running on Azure was not pushing Activities, DebugMsg and RequestUrls into the assigned Firebase account).

Here is what the viewer looks like (with new messages not being received):

On the unrealistic expectations on OWASP board members, and the 'myth of the OWASP Board member'

Following Michael's original OWASP.next post to the leaders list (regarding his OWASP.next post on the OWASP blog), Dennis replied with a number of examples of rotten leadership which I don't really agree with, and I posted the text below as my reply.

For a while I have been saying that putting such 'expectations and requirements' on board members was going to cause a lot of friction, and this is just another example of it.

I don't actually agree with Dennis's analysis. But the reason I don't agree is not due to whether he is correct (or not) in his analysis. My view is that it is completely unrealistic to put such a high level of expectation on OWASP board members, especially in terms of their: behaviour, morals, actions and words. My biggest problem with current/past board members is their lack of action, decisions and delegation of duties :)

Thursday, 10 April 2014

RIP 'Belly Cruz', 12 year old Labrador

Today was a sad day :(

We had to put our 12 year old 'Belly' to 'sleep'.

She was hit by a brain tumour a couple of weeks ago, which left her unable to walk and without any quality of life.

But what we have to remember is that she had a great life, full of joy and happiness (although she never managed to catch the squirrel, even after hundreds of attempts).

She was able to keep a mental map of every single plate/pot/pan that had not been licked (yet), and was always super excited to find our house (after going out for a walk).

She will be missed ... our silly dog....

Tuesday, 8 April 2014

OpenSSL Heartbleed Bug (read server side memory anonymously)

Wow, this is a pretty nasty vulnerability:

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). 

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
(from http://heartbleed.com/)

See if your website is vulnerable using: http://filippo.io/Heartbleed/ 

PoCs:
Monday, 7 April 2014

Published Beta version of "Practical O2 Platform Tools" eBook

After releasing the "Practical AngularJS", "Practical Git and GitHub", "Practical Jni4Net" and "Practical Eclipse" books, here is an equivalent book containing the O2 Platform Tools related blog posts.

This new eBook has 113 pages and is made of 23 blog posts published in the last couple of years.

The posts are grouped by topic and represent a number of mini-tools created with the O2 Platform.

This eBook is available at https://leanpub.com/Practical_O2Platform

Sunday, 6 April 2014

Monday, 31 March 2014

Published Beta version of "Thoughts on OWASP" eBook

After releasing the "Practical AngularJS", "Practical Git and GitHub", "Practical Jni4Net" and "Practical Eclipse" books, here is an equivalent book containing my OWASP related blog posts.

This new eBook has 165 pages and is made of 67 blog posts published in the last couple of years.

The posts are grouped by topic and represent a lot of my thinking about OWASP, the current AppSec industry and other philosophical ideas.

This eBook is available at https://leanpub.com/Thoughts_OWASP

Sunday, 30 March 2014

Programmatically configuring a WCF service without using .config files (using FluentSharp REPL)

This post will show how to consume a WCF service directly, firstly using VisualStudio and secondly using the O2 Platform C# REPL environment.

The VisualStudio example will use the FluentSharp – C# REPL NuGet package (which will also show how to dynamically program the WCF service in a REPL environment).

Part 1) The WCF test service

In VisualStudio start by creating a new WCF Service Library project called WcfServiceLibrary1

Monday, 24 March 2014

E2E testing AngularJS links and routes using NCrunch, VisualStudio and FluentSharp.WatiN

In order to have real TDD while developing AngularJS inside VisualStudio, I needed a way to write C# Unit Tests that could be executed in the background by NCrunch (i.e. in real-time during coding).

Since I wanted to do E2E (End-to-End) testing of the AngularJS app, I needed either a good mocking environment (like the one provided by KarmaJS/AngularJS Mocks) or the real thing (i.e. actually running the app on a local IIS/Cassini server).

If I have the choice, I always prefer to run my tests without mocking (or with the least amount of mocks possible), since that allows for a much more realistic test environment and promotes much better engineering and coding practices.

This post shows how I created such an environment and provides a couple of examples of C# tests written to check if links created by AngularJS directives and routes are being correctly set.

Sunday, 23 March 2014

Problem with AngularJS ng-view, it doesn’t work when inside a directive

I hit an interesting problem yesterday with AngularJS views. They (the views) were working when clicking on a link, but not when accessed directly or when the back button was used (which broke the idea of AngularJS routing, since it is supposed to handle those two key scenarios).

After quite a bit of debugging, I was able to track the problem to the fact that if I placed the ng-view directive inside another directive, the refresh and back button would break (although it would work ok for links and direct browser url manipulation).

What is really nice, is that I was able to use the .NET C# based Unit Test infrastructure to confirm this problem and test for it :)