Saturday, 15 November 2014

Question about ESAPI for .NET

I was asked recently about 'ESAPI for .NET?' (by XXX, who is an SI customer) and here was my reply

---------

Hi, unfortunately there isn't a simple answer/solution for your question

I would definitely not recommend using any of the ESAPI libraries, especially the .NET one, since that is not even in a workable state.

The best security controls out there are actually the Microsoft ones, which, when used in secure ways, do provide a lot of security (for example Razor now encodes by default, which does a lot to prevent XSS). On the topic of XSS, the Microsoft AntiXSS library is really good, and is now part of .NET 4.5.
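The "used in secure ways" part is where this usually goes wrong: Razor's `@` applies the HTML encoder and nothing else, so the same untrusted value written into an attribute, a JavaScript string or a URL needs a different encoder. Here is an added example (not part of the reply above, and not code from any of the libraries it mentions) that runs one constructed attacker-style input through the four context encoders that ship in System.Web from .NET 4.5. It assumes a full-framework console project that references System.Web.dll.

```csharp
using System;
using System.Web;                    // HttpUtility            (System.Web.dll)
using System.Web.Security.AntiXss;   // AntiXssEncoder, part of System.Web.dll since .NET 4.5

// Added example: the same untrusted value needs a different encoder for each place
// it is written into. Razor's @ only ever applies the HTML body/attribute encoder.
public static class ContextEncoding
{
    // Constructed input; it breaks out of a quoted attribute and of a JS string if left raw
    public const string Untrusted = "\"><script>alert(1)</script>";

    // HTML body, e.g. <p>@Model.Name</p>; this is what Razor does for you
    public static string ForHtmlBody(string s)
    {
        return AntiXssEncoder.HtmlEncode(s, useNamedEntities: false);
    }

    // Quoted attribute value, e.g. <input value="...">
    public static string ForHtmlAttribute(string s)
    {
        return AntiXssEncoder.HtmlAttributeEncode(s);
    }

    // Inside a JavaScript string literal, e.g. var name = ...;
    // HTML encoding is the wrong tool here: &quot; does not terminate a JS string, but a raw " does.
    // addDoubleQuotes:true emits the surrounding quotes so the caller cannot forget them.
    public static string ForJsString(string s)
    {
        return HttpUtility.JavaScriptStringEncode(s, addDoubleQuotes: true);
    }

    // Query-string value, e.g. <a href="/search?q=...">
    public static string ForUrlParameter(string s)
    {
        return AntiXssEncoder.UrlEncode(s);
    }

    public static void Main()
    {
        Console.WriteLine("html body      : " + ForHtmlBody(Untrusted));
        Console.WriteLine("html attribute : " + ForHtmlAttribute(Untrusted));
        Console.WriteLine("js string      : " + ForJsString(Untrusted));
        Console.WriteLine("url parameter  : " + ForUrlParameter(Untrusted));
    }
}
```

Two practical notes: `@Html.Raw(...)` switches Razor's encoding off for that expression, so every `Html.Raw` in a view is worth a look during review; and setting `<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />` in web.config makes `HttpUtility`, `HttpServerUtility` and Razor's own encoding route through `AntiXssEncoder` (an allow-list encoder) instead of the default deny-list one.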

FluentNode API - please help

I've been working on a Fluent API for node which you can get from https://www.npmjs.org/package/fluentnode

It is basically a large number of JS prototype functions (written in CoffeeScript) which try to simplify node development, improve developer productivity and make the code more readable.

It's still early days, but there are already a good number of APIs in there (and all are covered by unit tests)

I would love to get some feedback on the current APIs (and on other APIs to add)

Reddit thread

Monday, 1 September 2014

O2Platform question on 'Interactive development with Visual Studio'

Here is a reply I posted today to the O2 Platform Mailing list regarding a question about 'How to use O2 inside VisualStudio and WPF support' (with lots of links to code samples and blog posts)



Hi Chris, I'm glad you found the O2 Platform, especially since it looks like it already has the main features you are looking for :)

The key concept used across the main O2 Platform (and FluentSharp) APIs is the REPL (Read Eval Print Loop), which should be very familiar to you (btw you can run .NET's version of Lisp via this O2 script: Util - Clojure-clr REPL (Lisp).h2 )

Saturday, 23 August 2014

Friday, 15 August 2014

OWASP O2 Platform 5.5 - RC1 , please give it a test drive

Just pushed to bintray the latest version of the O2 Platform (v5.5).

I'm calling it RC1 (Release Candidate 1) so that it can be given a good test drive before I update the main O2 Platform download and links.

This version is distributed as a zip, since there were a couple of issues with the auto-extraction of the stand-alone exe version (used in the 5.3 version).

So please download the 16 MB O2_Platform_5.5_RC1.zip, unzip it into a local folder, and execute the O2 Platform 5.5 - RC1.exe file:

Sunday, 10 August 2014

Just used bintray.com to publish a number of O2Platform/FluentSharp stand-alone exes

I just tried BinTray (see https://bintray.com/o2-platform) as a platform to host exe/binaries/release files, and I have to say that it was a great experience.

Ever since I added to the O2 Platform and FluentSharp the ability/feature to package O2/H2 scripts as stand-alone exes, I've been trying to find a nice place to host them (since there are dozens, if not hundreds, of mini-tools that I want to publish).

For a while I used DropBox, but not only was that not THAT practical, DropBox never gave me any stats. Even worse, DropBox started blocking the downloads (saying 'too much traffic on this account') but was not able to tell me which files were causing the problem!!

The good news is that BinTray.com seems to work perfectly for publishing these O2 Platform created tools.

To see this in action and download one or more of these tools, open https://bintray.com/o2-platform/O2-Tools

Extract from my SANS Interview on Application Security (in 2007)

While trying to find a link to the SANS What Works 2007 conference (where I presented Inconvenient Truth(s) on Application Security) I found this interview on the Interweb which contains a number of responses that I want to capture on this blog. That page might disappear one day (just like the SANS conference page from 2007), and most of the comments are still relevant today (Oct 2014)

Here is an extract of the interview I did with Stephen Northcutt on June 11th 2007 (see full version here):

Inconvenient Truth(s) on Application Security (presented in 2007 and still relevant in 2014)

Here, and embedded below, is a presentation that I did in 2007 at a SANS conference when I was working for OunceLabs.

Here are the 13 Inconvenient Truth(s) mentioned in that presentation (I'm not sure if I should be encouraged that I made some good points, or depressed at how little progress we have made in Application Security over the past 7 years)
  • #1 There are no metrics!
  • #2 Global Warming ~ Software InSecurity
  • #3 Secure software doesn’t make business sense
  • #4 Our systems are safe today
  • #5 We will be doomed!
  • #6 The attacker's business model is still immature
  • #7 Physical Extremism doesn't scale (but Digital Extremism does)
  • #8 We need better engineering
  • #9 We need containment
  • #10 Open Source security is a myth
  • #11 Most Source Code must be disclosed
  • #12 Most IT Security products have negative ROI
  • #13 The 'digital Armageddon' will never happen

Can you spot the vulnerabilities? (6 code snippets in C# and Java)

I was cleaning up one of my laptops a bit and found these 6 code snippets that (I think) we used for one of the conferences I participated in with SI (on some marketing materials with a question like 'Spot the vuln and get a free beer at our booth').

So ... can you spot the 6 vulnerabilities in the code snippets below? (some of these are from HacmeBank v2):

Monday, 4 August 2014

The 4 components of the new TeamMentor 4.0 design (and IE support)

Thinking about the new TeamMentor 4.0 design from a technical, implementation and shipping point of view, there are 4 kinda-separate parts to the new design.

1) the 4.0 look and feel + basic use (simple navigation, basic search and article viewing)
2) the 4.0 'search-driven functionality'
3) the 4.0 design with full article (and library / metadata) editing capabilities
4) the 4.0 design on TBot/Admin features

For the 1st one, we should aim to have a fully backwards-compatible version of TM. Note that this version would also be the 'TM Mobile' version (i.e. the default way to consume TM on a mobile, or in a small window space like what we get inside an IDE plugin; bootstrap has a 'responsive, mobile first fluid grid system' which makes this easier)

For the 2nd, this is where the main UX and UI thinking/experimentation needs to occur.

Search feedback loop and other TeamMentor 4.0 Search related topics

While thinking and researching how to do the search on TeamMentor 4.0 (next version of TM), the key workflows that I kept coming back to are:
  • need to have a feedback loop on the search results (this is really what makes Google Google), which can be captured:
    • explicitly: via the user clicking on the + or - sign next to each search result
    • implicitly: via detecting which search result the user clicks (and which rank that result had)
    • by mapping: where the user (or TM admin/editor) is able to provide feedback on a particular search. For example saying that the search results for 'X' should be the search results for 'Y'
  • need to learn: this is connected to the feedback loop mentioned above and is based on the idea that the TM search results should become better with time
  • need to start collecting data as soon as possible (ideally leveraging the hundreds or thousands of Application Security searches SI employees already do every day)
  • need to explain how we calculated a particular search result (of course this needs to be hidden from normal users (unless they want to see it), but we really need to show TM Editors/Admins the logic behind the search formula (and data) used to create those results, and how we reached the conclusion that 'article X' should be shown before 'article Y' (or folder/view/category 'X' before folder/view/category 'Y'))
  • provide links to other search engines and application security websites (like Google, StackOverflow, OWASP, Wikipedia, etc...). This would allow us to make the case 'first search in TM and then go into Google' (I think Google used to do this with other search engines (in the long distant past)):
    • in fact, this could also allow us to 'fix' Google queries, since we could say "Hey, you searched for XSS but what you probably want (from Google) is 'How to fix XSS vulnerabilities in .NET'" (assuming we had detected that the user was looking at .NET results)
  • provide recommended searches based on past searches: the typical "users that searched/bought this item also searched/bought these ones"

Thursday, 31 July 2014

FluentSharp July 2014 Update - Better README.MD page, list of issues to help and NuGet Packages

I just cleaned up the main FluentSharp README.md file (with lots of info) and added a number of issues to:
Please take a look and see which ones you would like to solve :)

As you can see from the commit activity (graphs/contributors and commits/master) there have been quite a number of API updates and fixes (for example there is quite a lot of great new stuff on the WatiN IE Web Automation front, including native support for Cassini).

Although I have not created a separate O2 Platform exe release, you can already get all the APIs from the NuGet packages:


Friday, 18 July 2014

Wednesday, 16 July 2014

From NUnit AppDomain, accessing properties and invoking methods on 'Serializable MarshalByRefObject TeamMentor objects' (hosted on Cassini's AppDomain)

After How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance), it was time to start accessing internal TeamMentor objects from the NUnit AppDomain.

The main change I made was to add the [Serializable] attribute and the MarshalByRefObject base class to the TeamMentor (TM) objects that I want to consume (i.e. access data and invoke methods on) from NUnit tests.

Here is an example of what it looks like in one of the main TM's data classes:
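Since the TM class itself is not reproduced above, here is an added example (not TeamMentor's code; the class and member names are made up) of what each of the two annotations buys you when an object created in one AppDomain is used from another, which is exactly the NUnit-domain-to-Cassini-domain situation described in the post. It is a plain console program that creates a second AppDomain to stand in for the website's domain.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Remoting;

// Added example, not TeamMentor's classes.

// Plain data record: crosses the AppDomain boundary as a COPY, which requires [Serializable].
[Serializable]
public class UserRecord
{
    public string Name;
    public bool IsAdmin;
}

// Live object: stays in the AppDomain that created it; callers in other domains get a
// transparent proxy and every property access / method call is forwarded across.
public class SiteConfig : MarshalByRefObject
{
    private readonly List<UserRecord> _users = new List<UserRecord>();

    public string SiteName { get; set; }

    public SiteConfig() { SiteName = "default"; }

    public void AddUser(string name, bool isAdmin)
    {
        _users.Add(new UserRecord { Name = name, IsAdmin = isAdmin });
    }

    // The array and its elements are serializable, so the caller receives a snapshot
    public UserRecord[] GetUsers() { return _users.ToArray(); }

    // Default remoting lease expires after a few minutes of inactivity, after which the
    // proxy throws RemotingException; returning null keeps the object alive for the
    // lifetime of its AppDomain, which is what a test run wants.
    public override object InitializeLifetimeService() { return null; }
}

public static class CrossDomainDemo
{
    public static void Main()
    {
        // Stands in for the AppDomain that Cassini creates for the website
        AppDomain siteDomain = AppDomain.CreateDomain("site");

        // Create the object over there and get a proxy to it over here
        var config = (SiteConfig)siteDomain.CreateInstanceAndUnwrap(
            typeof(SiteConfig).Assembly.FullName,
            typeof(SiteConfig).FullName);

        Console.WriteLine(RemotingServices.IsTransparentProxy(config)); // True

        // Invoke methods and edit properties on the object living in 'site'
        config.AddUser("alice", isAdmin: true);
        config.SiteName = "edited from the test domain";

        // Data comes back by value: editing the copy does not touch the site's object
        UserRecord[] users = config.GetUsers();
        users[0].Name = "mallory";
        Console.WriteLine(config.GetUsers()[0].Name);   // alice
        Console.WriteLine(config.SiteName);             // edited from the test domain

        AppDomain.Unload(siteDomain);
    }
}
```

One caveat worth knowing when putting both annotations on the same class: if a type derives from MarshalByRefObject, remoting always marshals it by reference and the [Serializable] attribute on that type is not what makes it cross the boundary. [Serializable] matters for the values that flow through the proxy (parameters, return values and the types they contain); a non-serializable return type fails at call time with a SerializationException rather than at compile time, so it is worth covering each exposed member with a test.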

Tuesday, 15 July 2014

How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance)

A question I received after posting The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain was 'Ok, that is interesting, but how fast is it?'

That is actually one of THE key questions, since if we want to be able to create NUnit tests that use newly created Cassini-driven websites (i.e. a new Cassini server per test or test class), they have to be fast.

Ok, so how 'fast' is fast?

Well, in my book, that is either less than 1 second (for quick tests) or less than 10 seconds (for more complex setups).

More than that, and it is not practical to run those tests from NCrunch (or even manually via Resharper/NUnit-GUIs)

The good news is that (as you can see below), I was able to execute an 'NUnit-Cassini-driven' test in:
  • 6 sec: via NCrunch (consuming a TM instance with 0 libraries)
  • 7 sec: via ReSharper (consuming a TM instance with 3 libraries)

The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain

As you can see at the end of How to debug a Cassini-hosted website and the UnitTest that uses WatiN to automate that hosted website, although I was now able to start Cassini in the current NUnit process, I was still not able to have direct/native access to the running objects of that website.

Basically what I wanted was to be able to access the live TeamMentor (TM) objects programmatically from an NUnit test (note that both are running in separate AppDomains).

Not only would this make some of the tests I want to write possible, it would allow me to set up specific test environments much faster (for example cases where I need a number of users to already exist in TM).

The key problem is that after starting the TM website (running inside Cassini, triggered from the NUnit test) I was left with two AppDomains:
  • The NUnit AppDomain running the NUnit Test and the Cassini Server
  • The Cassini AppDomain running the TM website
In practice what I wanted was to be able to access and edit one of the TM objects (for example TeamMentor.Schemas.TM_Config) from the NUnit test.

And that is exactly what I was able to do :)

Friday, 11 July 2014

How to debug a Cassini-hosted website and the UnitTest that uses WatiN to automate that hosted website

One of the cool new capabilities that I'm using when writing QA Automation scripts for the latest version of TeamMentor is https://www.nuget.org/packages/FluentSharp.CassiniDev, which allows the execution of an 'in-memory' version of Cassini (hosting the full TeamMentor website) in the same process as the Unit Test driving the IE automation of the hosted website (using FluentSharp.WatiN)

In practice, what this means is that the UnitTests are being executed in the same process as the main TeamMentor website. This is something that I have been wanting to have for ages, and the key capability I gained from it was the ability to debug both the live website and the UnitTest in the same session.

Let's see it in action.

Using WatiN and Embedded Cassini to run complex TeamMentor Automation (Create and Delete a Library)

Here is a QA Automation script I created today which performs a number of Integration Tests on the new version of TeamMentor.

These are the main moving parts (of the QA Environment and script):
  • Using an embedded WatiN IE window inside a WinForms window to drive Cassini hosting a .NET 4.5 website (this 'popupWindow' was actually opened from a UnitTest :) )
  • Driving the IE browser using a number of FluentSharp ExtensionMethods
  • A number of waits for links to exist (needed due to the Ajax nature of TeamMentor)
  • When needed, directly querying javascript variables ('window.TM.WebServices.Data.AllLibraries.length') and invoking core TM Javascript APIs ('window.TM.Gui.LibraryTree.remove_Library_from_Database')
  • Use of Lambda methods to create a basic TM API (login, logout, open xyz page, trigger complex workflows, etc...)
Here is what this test QA environment looks like:
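The moving parts listed above (in-process Cassini, WatiN driving IE, waits instead of sleeps, reading client-side JS state, and a small helper API over the site) fit in one NUnit fixture. The following is an added example and not TeamMentor's QA script: it uses plain WatiN.Core and the CassiniDev package directly rather than the FluentSharp wrappers, and the physical site path, the form field names, the link texts and the `window.App.*` JavaScript names are all placeholders for whatever the site under test exposes. The `CassiniDevServer` class and its `StartServer` / `NormalizeUrl` / `StopServer` members are assumed from the CassiniDev package; check them against the version you install.

```csharp
using System;
using CassiniDev;            // CassiniDevServer (assumed member names, see lead-in)
using NUnit.Framework;       // NUnit 2.x attribute names
using WatiN.Core;            // IE, Find, WaitUntilExists, Eval, RunScript

// Added example: hosts an ASP.NET site inside the test process and drives it with WatiN,
// so breakpoints in the site and in the test hit in the same Visual Studio session.
[TestFixture]
public class InProcessSiteAutomation
{
    private CassiniDevServer _server;
    private string _rootUrl;

    [TestFixtureSetUp]
    public void StartSite()
    {
        _server = new CassiniDevServer();
        _server.StartServer(@"C:\src\MySite");     // physical path of the web app (placeholder)
        _rootUrl = _server.NormalizeUrl("/");      // e.g. http://localhost:<port>/
    }

    [TestFixtureTearDown]
    public void StopSite()
    {
        _server.StopServer();
    }

    // Small helpers over the site: the 'basic TM API' idea from the post
    private static void Login(IE ie, string user, string password)
    {
        ie.TextField(Find.ByName("username")).TypeText(user);
        ie.TextField(Find.ByName("password")).TypeText(password);
        ie.Button(Find.ByValue("Login")).Click();
        // The page is Ajax-driven: wait for a link that only exists once logged in, never Thread.Sleep
        ie.Link(Find.ByText("Logout")).WaitUntilExists(10);
    }

    private static int LibraryCount(IE ie)
    {
        // Read client-side state directly instead of scraping the DOM for it
        return int.Parse(ie.Eval("window.App.Libraries.length"));
    }

    [Test]
    public void Creating_and_deleting_a_library_updates_the_client_side_count()
    {
        using (var ie = new IE(_rootUrl))
        {
            Login(ie, "admin", "admin-password");
            int before = LibraryCount(ie);

            ie.Link(Find.ByText("New Library")).Click();
            ie.TextField(Find.ByName("libraryName")).TypeText("qa-temp");
            ie.Button(Find.ByValue("Create")).Click();
            ie.Link(Find.ByText("qa-temp")).WaitUntilExists(10);
            Assert.AreEqual(before + 1, LibraryCount(ie));

            // Invoke the site's own JS API for the delete, as the post does for remove_Library_from_Database
            ie.RunScript("window.App.deleteLibrary('qa-temp')");
            ie.WaitUntilContainsText("Library deleted", 10);
            Assert.AreEqual(before, LibraryCount(ie));
        }
    }
}
```

Because the site runs in the NUnit process, a breakpoint in the site's server-side code and one in the test method are hit by the same debugger session; the cost is that a crash in the site takes the test runner down with it, which is the main reason to keep a fixture-level server rather than one per test when the setup is slow.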

Friday, 20 June 2014

Please come and play with the OWASP Band at AppSec EU at the CB2 (Tuesday 24th, 7pm)

Next week the OWASP Band is getting back together and as always we need players. 

So, If you are coming to the conference (or are in the area), please let me know (ASAP) what instrument you can play, and I'm sure we can find a way to make it work.

Due to Adrian's relentless efforts there is a full PA + Amps + Guitar + Bass + Keyboard + Drums available; what we now need is players :)

The show starts at 7pm and we will do the soundcheck (i.e. the rehearsal) from 5pm.

The venue is the CB2 (http://www.cb2bistro.com/contact.html) which is just walking distance from the main conference location:

Sunday, 1 June 2014

Bypassing ASP.NET request validation detection, but is it a vulnerability?

Defence in Depth is a good strategy, especially since one of its core principles is the idea that some of the security measures applied will fail. The problem with NOT doing defence-in-depth coding is that if there is a way to bypass the one security control in place, then the app can be exploited.

ASP.NET Request Validation is one of those security measures that can sometimes backfire, since it ends up being used instead of (context-aware) output encoding of the data shown to users (i.e. there is a false sense of security provided by the use of that 'outside-of-the-application security filter').

But since fixing vulnerabilities has a real cost, one must be able to make the business case for the fix (i.e. show that there is a significant risk to the target application).

For example, do you think that the following scenario is a 'real vulnerability' (which should be fixed)?
  • ASP.NET website has Request Validation enabled
  • There is a page with a reflected XSS (quasi)vulnerability
  • There is a bypass for the Request Validation that only works in IE
  • In the scenario where Request Validation can be bypassed (in IE), the same IE version is able to detect the attack via its current anti-XSS detection (and disable the payload)
This is one of those cases where, although there is a 'vulnerable' page, the number of affected users is very small, so the interesting question is: is there a business case to fix the vulnerability?

I think a more interesting (and relevant) question is: is this a one-off vuln, or are there other XSS vulnerabilities in that website, especially persistent XSS vulns?

Friday, 30 May 2014

Game to learn how to find XSS Bugs (by Google)

As you can see on https://xss-game.appspot.com and read in Google Launches Game to Teach XSS Bug Discovery Skills, this could be a really interesting way to reach developers.

I will try to give it a test drive and see how easy/hard it is.

I wonder if this could also be used to teach kids about application security (and how fun it can be to break it :)  )

I'm delivering "Writing Secure Java EE Web Applications Training Course" (June 19,20 in London)

Next month I'm teaching a 2-day training course for JBI here in London, on the topic of "Writing Secure Java EE Web Applications Training Course"

As the description mentions (see below), this is going to be a highly interactive course, where I will customise the course depending on the attendees experiences, knowledge and focus.

The cost is £1,500 GBP and if you are interested, you can use the form on this page or ping me directly (so that I can put you in touch with the right guys at JBI)

Here is the blurb I wrote for this delivery:

XSS PoC on Lync 2010 (using C# WebClient, WebBrowser and WatiN)

Today I needed to write an O2 C# script that was able to put an XSS payload in the User-Agent header.

This was to write a PoC for the Microsoft Lync 2010 server, which is (quasi)vulnerable to anonymous XSS via the User-Agent header (the payload lands inside a JavaScript block).

This is a known and accepted issue, which has previously been reported to and accepted by Microsoft, and in 2014 is much harder to exploit:

Here are the PoCs I wrote (also on this gist (embedded below))
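The gist is not reproduced here, so the following is an added, generic version of the first step such a PoC needs (not the post's own script and not tied to Lync or any endpoint): send a request whose User-Agent carries a harmless marker containing the characters an encoder would have to change, fetch the response with `WebClient`, and report whether the marker came back verbatim inside a `<script>` element. The target URL is taken from the command line; nothing here is a working exploit, it only tells you whether the header is reflected unencoded into JavaScript, which is the condition the post describes.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: probe whether a server reflects the User-Agent header unencoded
// into a <script> block. Marker and URL handling are this example's own choices.
public static class UserAgentReflectionProbe
{
    // Constructed marker: recognisable, harmless on its own, and containing the four
    // characters (' " < >) that any HTML or JavaScript encoder would have to alter.
    public const string Marker = "ua-probe-7f3a'\"<>";

    // WebClient lets User-Agent be set through Headers (it is not one of the restricted headers)
    public static string FetchWithUserAgent(string url, string userAgent)
    {
        using (var client = new WebClient())
        {
            client.Headers[HttpRequestHeader.UserAgent] = userAgent;
            return client.DownloadString(url);
        }
    }

    // True when the exact marker text appears inside a <script>...</script> element,
    // i.e. the server wrote the header into JavaScript without encoding it.
    public static bool IsReflectedInsideScript(string html, string marker)
    {
        var scripts = Regex.Matches(html, @"<script\b[^>]*>(.*?)</script>",
                                    RegexOptions.Singleline | RegexOptions.IgnoreCase);
        foreach (Match m in scripts)
        {
            if (m.Groups[1].Value.Contains(marker))
                return true;
        }
        return false;
    }

    // Usage: UserAgentReflectionProbe.exe http://host/page
    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("usage: UserAgentReflectionProbe <url>");
            return;
        }

        string body = FetchWithUserAgent(args[0], "Mozilla/5.0 " + Marker);
        bool reflected = IsReflectedInsideScript(body, Marker);
        Console.WriteLine(reflected
            ? "User-Agent is reflected UNENCODED inside a <script> block"
            : "Marker not found verbatim inside any <script> block");

        // The same header can be sent from a WinForms WebBrowser control, which is how the
        // browser-side half of a PoC is driven: the Navigate overload with additional headers,
        //   webBrowser.Navigate(url, null, null, "User-Agent: Mozilla/5.0 " + Marker + "\r\n");
        // renders the response with IE's engine so script execution (or its blocking) can be observed.
    }
}
```

The `WebClient` half only proves reflection; whether the injected script actually runs is a browser question (IE's XSS filter, the exact JavaScript context the value lands in, quoting), which is why the original post paired the HTTP check with `WebBrowser` and WatiN.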