Tuesday, 29 June 2010

O2 Platform support for WebGoat

(just sent to the OWASP WebGoat mailing list)

Hi WebGoat Crowd

I finally started adding support for WebGoat to the OWASP O2 Platform by creating an API for Web Goat and showing how to automate a number of WebGoat's tasks and lessons. I've started to documentat how to use it and how it works, which you can read it (or watch the video) here: http://o2platform.com/wiki/WebGoat/First_Example_of_O2_WebGoat_API 

At the moment there is a first pass at an API for WebGoat (see API_WebGoat.cs) and a number of Unit Tests (see WebGoat_BlackBox_Exploits.cs). Both these files are available locally when you install the O2 Platform and the WebGoat_BlackBox_Exploits.cs can be executed by double-clicking on it or dragging'n'dropping it into a loaded O2 instance (see video for an example)

O2 Platform: MSI download, VB/C# conversion, Amazon S3 Browser and WebGoat API

Couple updates while I prepare for the big launch for HackInTheBox later this week:
if you are wondering, how I created those videos using O2, check out:

Sunday, 20 June 2010

O2 now has Javascript AST support (plus XSS PoC builder)

The latest version of O2 contains support for parsing Javascript (and building its AST), which you can see in action in these two scripts:

Also, for the BlackBox crowd, to showcase O2's automation capabilities, I wrote a XSS PoC Builder which allows the quick development, testing and deployment of XSS PoCs

You can read all about it here: Web - XSS PoC Builder  (in O2's wiki)

Saturday, 5 June 2010

First pass at try-o2.com Theme

(as emailed to the O2 Platform mailing list)

Humm, I just spent some time installing a number of Drupal Themes at the TRY O2 website, and found a couple themes that are are quite nice.

Check out how
http://try-o2.com looks at the moment: (the top banner images rotates on page load):


I also like the way the text I wrote for o2-platform.com's home page, looks really nice when placed in prime time position

I think that this text really encapsulates what I'm trying to do with O2:

"Welcome to OWASP O2 Platform's website. The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge."

Does this text make sense to you?

Friday, 4 June 2010

try-o2.com, o2-platform.com and OWASP.org

I'm the process of setting up the try-o2.com website and so far it seems that Drupal is a good fit for what I need (using a TurnKeyLinux.org image which was very easy to setup). Btw, any good Drupal power-users out there that can give a hand in building this? So far I've managed to install a new theme and configure it to use OpenID :)

Why Drupal? Well, now that I am in full swing on the efforts to build a community around O2 (from core developers, to users, to clients), I needed to find a web technology which provided strong social-network/community features, such as: Blogs, Forums, Voting/Rating, CMS and even (eventually) an e-commerce engine.

On the other hand, there is also a need to create solid documentation and books around the O2 Platform (which I think the MediaWiki is a much better medium)

Add to the mix the O2 Platform pages at the OWASP website, and we have some mapping to do here :)

So, how are all this different websites going to work together?

My plan is that by having different focus for each one, it will make sense:

* the Drupal-based www.try-o2com website (I also have the use-o2.com domain) will be focused on the community that is trying to 'use O2' (this is where all the 'social-tools' will be hosted)
* the MediaWiki based www.o2-platform.com website will be focused on the core O2 developers (i.e. the ones that are customising or creating APIs). This is where the detailed technical documentation will exist and where (eventually) O2 books will be made from (this tight editorial control will also make sense due to more-and-more support/capability that O2 will have for consuming data from this website (from vulnerability rules, documentation and C# scripts))
* the MediaWiki based O2 pages at the OWASP website will be focused in presenting the most mature O2 modules and also on making the connection with the multiple OWASP projects O2 will be integrated with.

One interesting question is: Why 2 MediaWiki websites.

Well, in addition to the fact that I can be much more experimental with the O2-Platform.com MediaWiki that I can/should with the OWASP's MediaWiki engine (for example in trying extensions and themes), there is also some content that I want to
create/maintain that will be hard to do at OWASP (for example, providing technical details about the multiple 3rd party Commercial Tools that exist and how they integrate with O2).

Also, the discussion of how to handle Commercial services around OWASP tools/projects is still in a very early stage, and there are no clear guidelines on how to present/maintain this 'commercial' information in a way that is compatible with OWASP's mission, values and culture.

Thursday, 3 June 2010

O2 Services: Online Training, Remote Support, Custom development

A key component of the 'O2 Platform Commercial Business Model' is the provision and delivery of commercial services to clients who are using (or planning to use) the O2 Platform.

Two days ago I started this process by launching a couple O2 related training courses (see Forthcoming Commercial O2 Training Courses in London blog entry)

Today I'm launching the 'Online Training, Remote Support, Custom development' services for the O2 Platform:

Here is the Wiki page with service's description Online Training, Remote Support, Custom development and here is the EventBrite page containing the current pricing structure http://o2services.eventbrite.com

In the short-term these services will provided and delivered by me.

In the medium-term, the plan is to build a network of security companies and consultants that provide these services (whereby I'm only involved in selected O2 engagements, most likely as a consultant for those 'O2 Enabled' companies)

Note that these services have nothing to do with OWASP and the OWASP Foundation.

O2 Script: ViewState Decoder for .NET 2.0

I just published to the O2 Platform Wiki a good example of O2's powerful scripting capabilities (including the ability that I have (using O2's MediaWiki editor tool) to quickly create technical articles containing tons of screenshots)

The tool is a ViewState decoder for .Net 2.0 and the article is here: http://o2platform.com/wiki/DotNet/ViewState_Decoder_ASP.NET_2.0

Here are the features of this tool:

* Enter any url or browse to any website, and the list of all values present in the ViewState will be shown on the right (note that the refresh is fired on the browser's OnLoad event (which means that you will get multiple views for urls that load more that one page))
* The list of url's is cached in the ComboBox used to enter the url to load (top left)
* There are two view modes
* the simple mode (by default) which presents a TextBox with all values found in the ViewState
* the 'Show all Details' mode (tick the checkbox) which shows: a TreeView of the ViewState, the ViewState Xml, the ViewState values (same as simple mode) and the same info (TreeView, Xml and Values) for the ControlState values
* All relevant code required to create this tool is being dynamically compiled on the fly (note how the source code included at the end of the post is quite small, and the couple supporting classes (included as File references) are also not that big)
* I wrote this entire tool in couple hours today (using O2's scripting environment). Here was my workflow:
* had the need to decode HacmeBank's viewstate
* found a good code sample of the decoding process (which I got from PluralSight's ViewState Decode example)
* created and tweaked the Tool's GUI
* created a couple supporting 'DotNet ViewState' APIs
* consumed the APIs from the GUI
* created the documentation WikiPage

For me, the power of the O2 Platform, lies not in the fact that I can build tools like this, but the fact that I can do it in a couple hours.

Of course, that now that I have an API for DotNet's ViewState, I will be able to perform much complex vulnerability analysis workflows (for example find data leakage or authorisation issues by analysing the ViewState collected from multiple user's sessions)

Wednesday, 2 June 2010

New technology needs to be faster and more convenient

Part of the reason why I don't blog more ofter is because I find the current workflow hard and non practical.

From the moment I have an idea on a blog post, I have to:
* Open a browser
* Go to my blog (& remember the address)
* Enter my credentials
* Select the option to write a new blog post
* start writing the post
* deal with blogger UI (which sucks)
* post it
* click again to view it
* (in most cases) realise that the fonts/spacing are all wrong and edit the post
* grab the link to the post
* go to the 'edit posts' page on Blogger, select the recently posted blog entry, and when it loads copy the title (since the Theme that I currently use shows the Blog title as an image)
* open twitter, paste the title, paste the link to the blog post (if too big, first pass via bit.ly)

huff... no wonder I don't blog more offten.

In addition to the number of steps there is another problem which is that the time that it takes for me to start writing the blog is too long (i.e. by the time I get ready to write it the mojo is gone).

I'm now trying something else.

Using my new IPad (Yes I'm trying to find reasons to justify the purchase :) ), I just installed the BlogPress App and am writing this blog post using it.

My first reactions:

* it is much faster to go from blog idea to blog post
* I have a IPad keyboard so I am writing as fast as I do on a computer
* I really like the setup, the size of the IPad looks like the perfect length for a blog post and I like the 'undivided attention' that it forces me
* I also like the 'proof reading' mode where I use the touch screen to follow my reading and to quickly make changes
* I like not having to deal with Blogger HTML formatting and messy UI
* all I need is to find a way to tweet about this blog entry and I'm done :)
--> Correction: Before I wrote this post I added my twitter account details to it, and after I posted this, BlogPress automatically created a bit.ly address and posted a tweet with the title+address on my tweeter account :) Very nicccccceeeeeeee :)

So what is the moral of the story here?

New technology (like the OWASP O2 Platform) regardless of its potential future impact and benefit, if it doesn't add immediate value to the user and makes him/her faster and more efficient from the day one, it will struggle to be adopted.

This means that:

"It must be faster to 'do it' using the new tool for the first time than it takes to 'do it' manually"

Only then will the user take the risk in trying something new

Location:A315,Hounslow,United Kingdom

Tuesday, 1 June 2010

Forthcoming Commercial O2 Training Courses

Just published 4 new training courses at the O2 external website: http://www.o2platform.com/

These courses are a good place to start if you want to learn about how to use O2:
The courses are going to be delivered by me and cost £200.00 (for 1 day  training)
Note that this is not an OWASP delivered course and it not related to the OWASP Foundation (I'm organizing this independently)

The beginning of O2's Documentation

(ss emailed to the O2 Platform mailing list)

After a week of solid O2 use (and a bunch of new features), I am finally staring to document how O2 works and its main features

One of the many web APIs now supported by O2 is the MediaWiki engine, so I have been using it on the http://o2platform.com website to create O2 documentation (for example the 'O2-Sceenshot-to-Clipboard-Tool + Paste + Auto-Upload-to-MediaWiki' workflow is really powerful and explains why there are so many images/screenshots in there :) ).  

From http://o2platform.com home page, here are the main links to O2's documentation:


Last friday I did an O2 presentation at the OWASP London Training Event and there was great reaction from the attendees (I also was able for the first time to do my presentation mainly using previously created scripts and videos, most executed from Paulo Coimbra's laptop (which is a great sign of O2's maturity :) ))

There is a fresh new version of O2 at the web based O2 Installer, so give it a test-drive and post here your feedback.