Sunday, 17 August 2014

WatiN in the O2Platform/FluentSharp projects and what is the status of WatiN developmet?

(as posted to http://sourceforge.net/p/watin/mailman/watin-development/) 

Hi, as you can see at:


I've been using WatiN a LOT in the O2Platform and FluentSharp projects, where I created a large number of ExtensionMethods that make WatiN really easy to use (see https://github.com/o2platform/FluentSharp_Fork.WatiN/tree/master/FluentSharp.WatiN/ExtensionMethods)

I used WatiN because It really worked much better than Selenium (specially because I was able to run it inside an embedded IE instance).

I would like to connect with the WatiN developers and see if it is possible to contribute some of these ideas and methods into the main WatiN Codebase.

One thing I noticed is that the development pace of WatiN seems to have slowed down. Can you point me to the current development plans and focus?

Thanks for creating such a great API, and let me know how to help

Dinis

Friday, 15 August 2014

OWASP O2 Platform 5.5 - RC1 , please give it a test drive

Just pushed to bintray the latest version of the O2 Platform (v5.5).

I'm calling it RC1 (Release Candidate 1) so that it can be given a good test drive before I update the main O2 Platform download and links.

This version is distributed as a zip, since there were a couple issues with the auto-extraction of the stand-alone exe version (used in the 5.3 version).

So please download the 16Mb O2_Platform_5.5_RC1.zip ,  unzip it into a local folder, and execute the O2 Platform 5.5 - RC1.exe file:

Sunday, 10 August 2014

Just used bintray.com to publish a number of O2Platform/FluentSharp stand-alone exes

I just tried BinTray (see https://bintray.com/o2-platform) as a platform to host exe/binaries/release files, and I have to say that it was a great experience.

Ever since I added to the O2 Platform and FluentSharp the ability/feature to package O2/H2 scripts as stand-alone exes, I've been trying to find a nice place to host them (since there are dozens, if not hundreds, of mini-tools that I want to publish).

For a while I used DropBox, but not only that was not THAT practical, DropBox never gave me any stats. Even worse, DropBox started blocking the downloads (saying 'too much traffic on this account') but was not able to tell me which files were causing the problem!!

The good news is that BinTray.com seem to work perfectly for publishing these O2 Platform created tools.

To see this in action and download one or more of these tools, open https://bintray.com/o2-platform/O2-Tools

Extract from my SANS Interview on Application Security (in 2007)

While trying to find a link to the SANS What Works 2007 conference (where I presented Inconvenient Truth(s) on Application Security) I found this Interview on the Interweb which contains a number of responses that I want to capture on this blog. That page might disappear one day (just like the SANS conference page form 2007), and most comments are still relevant today (Oct 2014)

Here is an extract of the of interview I did with Stephen Northcutt in June 11th 2007 (see full version here):

Inconvenient Truth(s) on Application Security (presented in 2007 and still relevant in 2014)

Here and embedded below is a presentation that I did in 2007 at an SANS conference when I was working for OunceLabs.

Here are the 13 Inconvenient Truth(s) mentioned on that presentation (I'm not sure if I should be encouraged that I made some good points, or depressed on how little progress we have done in Application security over the past 7 years)
  • #1 There are no metrics!
  • #2 Global Warming ~ Software InSecurity
  • #3 Secure software doesn’t make business sense
  • #4 Our systems are safe today
  • #5 We will be doomed!
  • #6 The attacker's business model is still immature
  • #7 Physical Extremism doesn't scale (but Digital Extremism does)
  • #8 We need better engineering
  • #9 We need containment
  • #10 Open Source security is a myth
  • #11 Most Source Code must be disclosed
  • #12 Most IT Security products have negative ROI
  • #13 The 'digital Armageddon' will never happen

Can you spot the vulnerabilities? (6 code snippets in C# and Java)

I was cleaning up a bit one of my laptops and I found these 6 code snippets that (I think) we used for one of the conferences I participated with SI (on some marketing materials with a question like 'Spot the vuln and get a free beer at our booth').

So ...  can you spot the 6 vulnerabilities on the code snippets below? (some of these are from HacmeBank v2):

Monday, 4 August 2014

The 4 components of the new TeamMentor 4.0 design (and IE support)

Thinking at the new TeamMentor 4.0 design from a technical, implementation and shipping point of view, there are 4 kinda-separate parts of the new design.

1) the 4.0 look and feel + basic use (simple navigation, basic search and article viewing)
2) the 4.0 ' search driven functionality'
3) the 4.0 design with full article (and library / metadata) editing capabilities
4) the 4.0 design on TBot/Admin features

For the 1st one, we should aim to have a full-backwards compatible version of TM. Note that this version would also be the 'TM Mobile' version (i.e. the default way to consume TM on a mobile, or in a small window space like what we get inside an IDE plugin (bootstrap has a 'responsive, mobile first fluid grid system' which makes this easier))

For the 2nd, this is where the main UE and UI thinking/experimentation needs to occur.

Search feedback loop and other TeamMentor 4.0 Search related topics

While thinking and researching how to do the search on TeamMentor 4.0 (next version of TM), one of the key workflows that I kept coming back into are:
  • need to have feedback loop on the search results (this is really what makes Google Google), which can be be captured: 
    • explicitly: via the user clicking on the + or - sign close to each search)
    • implicitly: via detecting which search result the user clicks (and which rank that search had)
    • by mapping: where the user (or TM admin/editor) is able to provide feedback on a particular search. For example saying that the search results for 'X' should be the search results for 'Y'
  • need to learn: this is connected to the feedback loop mentioned above and is based on the idea that the TM search results should become better with time
  • need to start collecting data as soon as possible (ideally leveraging the current hundreds or thousands of Application security searches SI employees already do every day
  • need to explain how we calculated a particular search result (of course that this needs to be hidden to normal users (unless they want it to), but we really need to show TM Editors/Admins the logic behind the search formula (and data) used to create those results, and reach the conclusion that 'article X' should be shown before 'article Y' (or folder/view/category 'X' should be shown before folder/view/category 'y')
  • Provide links to other search engines and application security websites (like google, StackOverflow, OWASP, Wikipedia, etc...). this would allow us to make the case 'first search in TM and then go into Google' (I think google used to do this with other search engines (in a long distant past)):
    • If fact, this could also allow use to 'fix' Google queries, since we could say "Hey you searched for XSS but what you probably want (from google) is 'How to fix XSS vulnerabilities in .NET" (assuming we had detected that that user was looking at .NET results
  • Provide recommended searches based on past searches: the typical "users that searched/bought this item also searched/bought this ones"

Thursday, 31 July 2014

FluentSharp July 2014 Update - Better README.MD page, list of issues to help and NuGet Packages

I just cleaned up the main FluentSharp README.md file (with lots of info) and added a number of issues to:
Please take a look and see which ones you would like to solve :)

As you can see by the commit activity (graphs/contributors and commits/master) there has been quite a number of API updates and fixes (for example there is quite a lot of great new stuff on the WatiN IE Web Automation front, including native support for Cassini).

Although I have not created a separate O2 Platform exe release, you can already get all the APIs from the NuGet packages:


Friday, 18 July 2014

Wednesday, 16 July 2014

From NUnit AppDomain, accessing properties and invoking methods on 'Serializable MarshalByRefObject TeamMentor objects' (hosted on Cassini's AppDomain)

After How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance) it was time to start accessing internal TeamMentor objects from the NUnit AppDomain.

The main change I did was to add the [Serializable] and the MarshalByRefObject to the TeamMentor (TM) objects that I want to consume (i.e. access data and invoke methods) from NUnit tests.

Here is an example of what it looks like in one of the main TM's data classes:

Tuesday, 15 July 2014

How fast do the 'NUnit-Cassini-driven' tests execute (on a full TM instance)

A question I received after posting The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain was 'Ok, that is is interesting, but how fast is it?'

That is actually one of the 'THE' key questions, since if we want to be able to create NUnit tests that use newly created Cassini-driven websites (i.e. a new Cassini server per test or test class) they have to be fast.

Ok, so how 'fast' is fast?

Well, in my book, that is either less than 1 second (for quick tests) or 10 seconds (for more complex setups).

More than that, and it is not practical to run those tests from NCrunch (or even manually via Resharper/NUnit-GUIs)

The good news is that (as you can see below), I was able to execute an 'NUnit-Cassini-driven' test in:
  • 6 sec: via NCrunch (consuming a TM instance with 0 libraries)
  • 7 sec: via ReSharper (consuming a TM instance with 3 libraries)

The moment I was able to serialize objects across an ASP.NET AppDomain and an NUnit AppDomain

As you can see at the end of How to debug an Cassini hosted website and the UnitTest that uses WatiN to automate that hosted website, although I was now able to start cassini in the current NUnit process, I was still not able to have direct/native access to the running objects of that website.

Basically what I wanted was to be able to access programatically the live TeamMentor (TM) objects from an NUnit test (note that both are running on separate AppDomains).

Not only this would make some of the tests I want to write possible, it would allow me to much faster setup specific test environments (for example cases when I need a number of users to already exist in TM).

The key problem is that after starting the 'TM website running inside Cassini, triggered from the NUnit test' I was left with two AppDomains:
  • The NUnit AppDomain running the NUnit Test and the Cassini Server
  • The Cassini AppDomain running the TM website
In practice what I wanted to do is to be able to access and edit one of TM objects (for example TeamMentor.Schemas.TM_Config from the NUnit test).

And that is exactly what I was able to do :)

Friday, 11 July 2014

How to debug an Cassini hosted website and the UnitTest that uses WatiN to automate that hosted website

One of the cool new capabilities that I'm using when writing QA Automation scripts for the latest version of TeamMentor, is the https://www.nuget.org/packages/FluentSharp.CassiniDev which allows the execution of an an 'in memory' version of Cassini (hosting the full TeamMentor website) in the same process as the Unit Test driving the IE automation of the hosted website (using FluentSharp.WatiN)

In practice, what this means is that the UnitTests are being executed in the same process as the main TeamMentor Website. This something that I have been wanting to have for ages, and the key capability I gained from it was the ability to debug both live website and UnitTest in the same session.

Lets set it in action.

Using WatiN and Embedded Cassini to run complex TeamMentor Automation (Create and Delete an Library)

Here is an QA Automation script I created today which performs a number of Integration Tests on the new version of TeamMentor.

These are the main moving parts (of the QA Environment and script):
  • Using an embedded WatiN IE window inside an WinForms window to drive Cassini hosting an .NET 4.5 website (this 'popupWindow' was actually opened from a UnitTest :) )
  • Driving the IE browser using  a number of FluentSharp ExtensionMethods
  • Number of waits for links to exist (needed due to the Ajax nature of TeamMentor)
  • When needed, directly query javascript variables ('window.TM.WebServices.Data.AllLibraries.length') and invoke core TM Javascript APIs ('window.TM.Gui.LibraryTree.remove_Library_from_Database')  
  • Use of Lambda methods to create an basic TM API (login, logout, open xyz page, trigger complex workflows, etc...)
Here is what this test QA environment looks like:

Friday, 20 June 2014

Please come and play with the OWASP Band AppSec EU at the CB2 (Tuesday 24th,7pm)

Next week the OWASP Band is getting back together and as always we need players. 

So, If you are coming to the conference (or are in the area), please let me know (ASAP) what instrument you can play, and I'm sure we can find a way to make it work.

Due to Adrian relentless efforts there is a full PA + Amps + Guitar + Bass + Keyboard + Drums available, what we now need is players :)

The show starts at at 7pm and we will do the soundcheck (i.e. the rehearsal) from 5pm.

The venue is the CB2 (http://www.cb2bistro.com/contact.html) which is just walking distance from the main conference location:

Sunday, 1 June 2014

Bypassing asp.net request validation detection, but it is a vulnerability?

Defence in Depth is a good strategy, specially since part of its core principles is the idea that some of the security measures applied will fail. The problem with NOT doing defensive-in-depth coding, is that if there is a way to bypass the security control, then the app can be exploited.

Asp.NET Request Validation is one of those security measures that can sometimes backfire, since it can be used instead of output encoding (in context) the data shown to users (i.e. there is a false sense of security provided by the use of that 'outside-of-the-application security filter').

But since fixing vulnerabilities has a real cost, one must be able to make the business case for the fix (i.e. show that there is a significant risk for the target application).

For example, do you think that following scenario is a 'real-vulnerability' (which should be fixed?):
  • Asp.net website has Request Validation Enabled
  • There is a page with a reflected XSS (quasi)vulnerability
  • There is a bypass for the Request Validation that only works in IE
  • On the scenario where Request Validation can be bypassed (in IE) the same IE version is able to detect it via its current Anti-XSS detection (and disable the payload)
This is one of those cases where although there a 'vulnerable' page, the number of affected users is very small, so the interesting question is: is there a business case to fix the vulnerability?

I think a more interesting (and relevant) question is: Is this an one-off vuln, or, are there other XSS vulnerabilities in that website, specially persistent XSS vulns?

Friday, 30 May 2014

Game to learn how to find XSS Bugs (by Google)

As you can see on https://xss-game.appspot.com and read on Google Launches Game to Teach XSS Bug Discovery Skills , this could be a really interesting way to reach developers.

I will try to give it a test drive and see how easy/hard it is.

I wonder if this could also be used to teach kids about application security (and how fun it can be to break it :)  )

I'm delivering "Writing Secure Java EE Web Applications Training Course" (June 19,20 in London)

Next month I'm teaching a 2 day training course for JBI here in London, on the topic of "Writing Secure Java EE Web Applications Training Course"

As the description mentions (see below), this is going to be a highly interactive course, where I will customise the course depending on the attendees experiences, knowledge and focus.

The cost is £1,500 GBP and if you are interested, you can use the form on this page or ping me directly (so that I put you in touch with the right guys at JBI)

Here is the blurb I wrote for this delivery:

XSS PoC on Lync 2010 (using C# WebClient, WebBrowser and WatiN)

Today I needed write an O2 C# script that was able to put an XSS payload on the UserAgent Header.

This was to write a PoC for the Microsoft Lync 2010 server which is (quasi)vulnerable to anonymous XSS via the UserHeader (the payload lands inside an Javascript).

This is a known and accepted issue, which has been previously reported and accepted by Microsoft and in 2014 is much harder to exploit:

Here are the PoCs I wrote (also on this gist (embedded below))

Thursday, 8 May 2014

Watching google crawl TeamMentor site (10m after blog post)

This is really interesting and telling of Google's crawling speed and updates.

I posted What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor") 10 minutes ago, and while looking at the new 'TM 3.4.1 real-time TeamMentor Activity' viewer, I noticed a number of 404s:

What are the main TeamMentor use cases? (and "Don't copy and paste from Google, copy and paste from TeamMentor")

(Earlier today I was asked "What are the most compelling use cases for TeamMentor" and here is my answer:)

There are a couple pages in SI's website that cover some of the common use cases : see here  and here

I think the main use-case is in 'answering Developers/Testers questions'

I like to think of the workflow as in "Don't copy and paste from Google, copy and paste from TeamMentor"

For example take a look at the .NET 4.0 library (direct link here) , if you filter by 'Code Example'

Friday, 2 May 2014

Some hacking for the weekend (with an AppSensor and O2 Platform flavour)

(originally posted to the OWASP leaders list)
---------- ---------- ---------- ---------- ---------- ---------- ---------- 

As you can see on Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job) I'm inviting the world to hack the app I'm been working for the past years.

You can either do a pure black-box (on https://tm-appsensor.azurewebsites.net ) or look at the source code (clone from https://github.com/TeamMentor/Dev and run locally or in Azure (only needs .NET 4.0, no DB install required) 

There is quite a lot of OWASP influence in this release of TeamMentor, from the O2 Platform FluentSharp libraries (which make me a lot more productive as a developer), to the AppSensor-like features (see below) and the multiple OWASP-inspired coding strategies used to keep the app secure (look for example at the ASMX and WCF security tests or the .NET Security Demands).

What is really cool and I'm very excited about, is the first pass at adding AppSensor capabilities to this app. 

Please hack TeamMentor 3.4.1 (learn, maybe be paid or even get a job)

TeamMentor (TM) is the project I have been the main developer for the past couple of years, and as we approach another release (v3.4.1), I would like to invite you all to have a go and hack it (i.e. find security vulnerabilities, report them to us, learn a bit and maybe even get paid or get a job offer :)

TeamMentor is a web-based Security KB with tons of prescriptive security guidance, how-tos and guidelines. It is built on C# .NET 4.0,  jQuery with a bit of AngularJS;  and you can see in action at https://www.teammentor.net (you can create an eval account and have access to the entire content for 15 days)

Friday, 11 April 2014

From Azure to Firebase: Could not establish trust relationship for the SSL/TLS secure channel.

UPDATE (16/Apr/2014):  Following a lead from the Firebase Support it looks like the problem could be inside Azure for all SSL, since "https://www.google.pt".GET(); also doesn't work.

Just had a really weird scenario happen to me in the last couple hours, which could be somebody hacking Azure (but I think there is a more benign explanation)

The new version of TeamMentor (currently in 3.4.1 RC0) has a really cool real-time log/activity log viewer which uses Firebase to push data and pull data (from a 'configured TM server' into 'multiple browser-based viewers').

For a while all was good (both locally and in Azure), but in the last couple hours, I noticed that the 'data push' stopped working (i.e. my test version of TM running on Azure was not pushing Activities, DebugMsg and RequestUrls into the assigned Firebase account).

Here is what the viewer looks like (with new messages not being received):