Wednesday, 14 December 2011

"...O2 in Seattle..." and "...Please Hack TeamMentor (beta)..."

I'm presenting an updated version of O2 at tonight's OWASP Chapter meeting.

There are a number of new O2 features that I will cover, but to make it relevant to the audience, I will present O2 as part of a challenge which is 'Please Hack TeamMentor'.

TeamMentor is the WebApp product (currently in Beta) I have been developing for Security Innovation with the help of O2 (you can download TeamMentor Beta and its source code from GitHub).

Showing O2 this way will allow me to:
  • present and discuss the architecture of a real world app and its security implications
  • how I (as a developer) see security and its position on the development/management food-chain (btw, on this topic, if you haven't already, you should also see my 'Making Security Invisible by Becoming the Developer's Best Friends' presentation delivered at OWASP AppSec Brazil, and this amazing video response to it: A developer's rant about security professionals)
  • how O2 allows me to deal with real world problems such as:
    • creating Unit Tests for jQuery/Ajax/WebServices based websites,
    • dealing with automation problems that ALL current browser automation engines have (WatiN, WatiR, Selenium, Cucumber, WebKit, QUnit, etc...), and visualizing the data created using custom GUIs (note that O2 has native support for WatiN, NUnit and QUnit and has access/control to all of .NET's WinForms/WPF)
    • creating cached versions of the site (controlled by a built-inside-O2 web proxy),
    • directly invoke/compile specific parts/components of the application (this is used to create targeted Unit Tests & fuzzing),
    • running consolidated (i.e. all available) NUnit tests using NUnit's GUI, command line and O2 scripts
    • dealing with complex webservices
    • view, analyse and test the server side Role-Based Authorization mappings (created using .NET Attributes) which affect the exposed WebServices
  • how the APIs and tools created by O2 purely as 'developer aids' (i.e. not for security) are then massively important, useful and usable in the Unit Testing phase.
For the 'hands-on' part of the crowd, I want to use the following OWASP projects to help me with TeamMentor development and testing (and I really could do with some help here):
  • ESAPI (both .NET and Javascript) - Starting with the Encoding part to deal with XSS (needs to be integrated with .NET's AntiXSS)
  • AppSensor  - to allow TeamMentor to modify its behaviour depending on its current 'attack' level
  • OpenSAMM - create a score card  
  • ZAP Proxy - feed the existing O2 Browser automation scripts via ZAP's proxy and fire up its tests
  • Agnitio (not yet an OWASP project) - map out to its check lists
  • OWASP Testing, Code Review and Developer Guides 
  • ... other OWASP projects?  (if you are involved in an OWASP project that you think would be a good fit, please go for it)
What is interesting about TeamMentor is that it is a complex real world app (with legacy code), containing tons of WebServices and JavaScript/jQuery activity. This makes it very hard to test with today's tools (or even with a manual process).

Also very important is the fact that we are dealing with a team/company that welcomes the 'Security' part of the SDL (which doesn't happen very often :)  )

I'm very happy that SI is ok with this, and my hope is that this will allow us to have a number of interesting conversations/threads (hard to happen in test apps like WebGoat or HacmeBank, or apps where the main developers are not directly engaged in the process)

For the ones that can't come tonight, I will follow up later this week with more detailed instructions.

So here is your official invite: Go and HACK TeamMentor (GitHub) and report your findings as O2, NUnit, Python, Boo, etc. scripts. 

Btw, since this is a Beta version, I'm sure that there are still a number of areas which have juicy security vulnerabilities! Good luck in finding them :)

Only one condition, I WILL NOT READ any findings reported in PDF format :)

Thursday, 24 November 2011

Please root these devices (project and customer awareness)

Here is a cool opportunity which also raises some interesting questions

I just got asked to see if I could recommend a good AppSec and Reverse Engineer person to spend one month breaking the security of a tablet (and another device) that is coming to a place near you next year.

The brief is quite an interesting one, since it basically says: '...please root this device, show how to install malicious apps on it without root, and/or show how to extract encrypted content...'  (so if you know somebody or are interested please ping me directly)

What is interesting about this gig is the company that it is from. Usually those corporate folks are a bit more gentle and politically correct, but this shows that these guys really want to know about the problems first (which is a nice evolution in our market). I have to say that 'finally' I have seen more people/customers who want to be secure (vs being compliant or wanting to be seen doing something about it).

It also shows how interconnected our day-to-day devices are becoming, and how big a can of worms (from a security point of view) they can/will be.

Note how web app security is starting to be more and more dependent on the devices that use it; for example, there could be a number of vulnerabilities created by how the client/server exchanges occur (it would be cool to root the device by tricking it into installing something via a reflected exploit on the server; would we call that a 'Reflected Root' vulnerability? :)   ).

This also feels a lot like the 'return of the fat client', where the vendors have so much control over the client's device that they extend the attack surface to it (which could lead to a number of security decisions being made on the wrong location).

Wednesday, 23 November 2011

Heads up on O2 WebProxy and WAF Simulator

For the more advanced O2 users out there, I just committed a new set of O2 scripts that implement two very powerful capabilities
  • O2 Web Proxy - native (to O2) web proxy that sits between the IE automation object and the rest of the world (although inside the same O2 .Net process). This was based on the code in and it gives O2 something that I have been wanting for years now: programmatic access to a Web Proxy. This opens up a LARGE number of testing/fuzzing capabilities and dramatically simplifies IE analysis tasks (for example, something that is now simple to get is the full value of the Cookies (and Headers) sent to/from the IE browser (the http-only cookies, for example, were really hard to get))
  • O2 WAF Simulator - built on top of the O2 Web Proxy, I was able to quickly create a WAF simulator which uses the O2 Proxy's callbacks to fix a couple of vulnerabilities in the test app I was looking at (great when talking to developers about the vulnerabilities discovered and their possible fixes)
I will shortly put more details about this on the O2 blog

What I like the most about these two new capabilities, is that this was all created/implemented in about 4h of focused-development (and shows how powerful O2's APIs and quick-prototyping development environment have become)

Help on running Cucumber via security tools and .NET

Hi, I need to integrate Cucumber into O2, so I was wondering if I could get some help.

Here is my first set of challenges:
  • I need a couple of Cucumber scripts (running on top of Ruby) that do some kind of web actions (ideally on a vulnerable app like WebGoat, HacmeBank, etc...) so that we can test the following scenarios:
    • Trigger these tests directly from O2 (including seeing their results). This could be as simple as triggering Cucumber from the command line
    • Run those same tests via a security proxy/tool/scanner so that we can 'teach it' how the app works. This should work for any tool that can act like a proxy, but to start, I would like to run it on
      • OWASP ZAP
      • NetSparker
      • AppScan Standard
      • Burp
  • Use IronPython to run cucumber tests/features directly in .NET/O2 so that I can create a solid two way communication and instrumentation between those scripts and O2 (i.e. O2 to consume them directly, and the scripts being able to access O2 APIs)

Friday, 11 November 2011

Comment on reply to post: Mark on 'Models for Better Security Communities'

(comment I made on the OWASP mailing list last week which contains some ideas on where I see OWASP going next)

Stephen, you absolutely shouldn't feel guilty about 'only' contributing to OWASP through your regular bursts of energy (I put 'only' in quotes, since you are one of my favorite OWASP stories, and a talent that I'm very proud to have helped to attract to OWASP). Your type of contribution is one of the things that have built OWASP and it is one of its most amazing characteristics.

In fact, in my view, the job of OWASP 'the organization' is to make sure that when you do focus and want to commit some energy, there is an environment (or ecosystem) that will make that process as productive, enjoyable and efficient as possible.

In that light, OWASP 'the organization' should be much more like an event organizer (think 'music production company') than a big 'we have the vision and know it all' type of org.

Please don't be too hard on Mark since his heart is absolutely in the right place (and let's not really judge Microsoft's ethics since most large companies these days won't get a clean bill of health :)  ).

One thing I learned from playing music is that you have to listen to the audience's comments, and most of the time they say (from your point of view, of course) the right thing the wrong way (or not the same way you would articulate it).

Mark wants a more professional and focused approach to OWASP, where there is energy and commitment in the creation of very professional, high-quality, well presented, easy to use/adopt and community-friendly deliveries (tools, books, guides, dev outreach, etc...). 

Which is exactly what I also want.
  • That doesn't mean that we stop supporting the grassroots movements and activities that allowed OWASP to be what it is today (and empower its contributors to 'just get on with it and try to find a solution'). It means instead that we need to put a lot more investment and effort into creating an operational machine that will support it (we have the talent at OWASP; what we don't have is the operational machine (which OWASP's leaders are not really good at, or don't have time to dedicate to)).
Part of the problem is that there is still this view at OWASP that we need: 
  • a strong mission, vision, etc...
  • high level commitments/endorsements and 
  • centrally controlled activities
.... as if, once we had those, anything would happen because of it :)

Part of the problem with this type of thinking is that it creates an environment where Mark (correctly, under that thinking) was expecting a level of support and endorsement for his ideas that is just not possible at OWASP.

The irony is that there are lots of really great leaders inside OWASP that share Mark's wish for a more professional and dev-community-friendly OWASP. Unfortunately we (OWASP) still have not come up with an operational model that allows those groups to aggregate and flourish (I don't think the current Committees structure is the right one, but maybe there is a better one).

Btw, for me the only vision and mission that OWASP needs is three (or maybe two) words: Web Application Security or maybe just even two: Application Security

So please embrace Mark's ideas and comments; you might not like his style (like many don't like mine), but he is carrying an important message.

Think about this: we are lucky that Mark cared enough about OWASP that he spent his time documenting and talking about his issues and problems. We would be much worse off if he had just ignored OWASP. In fact, I wish he blogged more about his ideas for OWASP since there is some great stuff in there :). He also talks to a lot of people about OWASP, especially people who would like to be involved in OWASP but have not found their sweet spot. We need to hear those voices and find ways to connect to them.

Wednesday, 9 November 2011

Solution for fixing Spring's JPetStore AutoBinding vulnerabilities

Here is an O2 blog post that describes my preferred solution for Fixing one of JPetStore's AutoBinding Vulnerabilities (changing the purchase price)

I have to say that as a developer doing the code fix, it was simply amazing and very powerful to have the complete web workflow of the shopping cart available as an automated O2 script.

This allowed me to quickly ensure that: 
  a) the app still behaved as it should (after the fix)
  b) the vulnerabilities identified were properly fixed

What do you think of the solution?

Tuesday, 8 November 2011

Integrating Security into the User's GUI - In this case Rational AppScan Source in AppScan Standard

Based on an SI engagement I'm currently involved in, which is focused on integrating AppScan Source and Standard findings, here is a pretty cool PoC of what we are doing there:

Monday, 7 November 2011

In ASP.NET, prevent XSS with automatic html encoding

Yesterday when looking for the ASP.NET XSS mappings I found an article that presents a solution that I have been looking for ages: Changing the behaviour of the ASP.NET <%= tag so that it encodes by default.

His technique of hooking the compilation step is absolutely brilliant

The future of secure code? Fixing/Encoding .NET code in real time (in this case Response.Write)

If we really want to help developers to fix their code, we ultimately need to move all the way into their IDEs and actually provide them code-fixes in context!

A while back somebody asked me how to actually perform .NET code changes and patches using O2's .NET Static Analysis engine, and I wrote a little PoC that clearly shows how that can be done (and a preview of what the future looks like).

I just wrote an O2 blog post about it which you can find here: (if you have O2 installed just run the Fixing Response.Write.h2 script)

Here is a 20 sec video that shows this script in action:

I really like this concept and it is sort of similar to what Spring is doing with Roo, where the developer's code is automatically refactored in order to meet specific objectives

Sunday, 6 November 2011

ASP.NET Anchor tag allows XSS payloads, is this a vulnerability on the .NET Framework?

I just posted a blog entry on an O2 script I wrote a couple of days ago that checks whether the Href property of the ASP.NET HtmlAnchor control is vulnerable to XSS:

There are a number of really cool techniques on this script:
  • Render the Html Tag control in isolation (which will allow these tests to be run from vanilla UnitTests)
  • Quickly put Html content in a browser and see what it looks like
  • Quickly fire up a .NET web server on a local directory, create a test *.aspx page, and see its contents (rendered from the ASP.NET server)
  • Test some payloads on the *.aspx page and confirm (or not) the exploitability of this control (a good follow-up script to write is to run the FuzzDB on this property and see which ones work)
Since it is safe to assume that the Href from an HtmlAnchor should not have " (and other dangerous chars) in its rendered text (it should be encoded), shouldn't this be classified as a vulnerability in the ASP.NET Framework? Especially since it bypasses the ASP.NET built-in validation.

Is this documented somewhere? I know there is (somewhere) a list of all ASP.NET mappings (so it should be there), but I just looked at the MS pages for the HtmlAnchor tag and there is no mention in there for the security implications of this:

Saturday, 5 November 2011

New O2 main GUI (as 2.0 beta version)

I just pushed a new simpler GUI for O2 which will hopefully make it easier to quickly start using O2 and find useful scripts.

This is what it looks like:

Let me know what you think of it.

Do you like it?

Does it make it easier?

You can read more details about this new GUI at Details of new O2 main GUI (as 2.0 beta version) and you can download the latest version of O2 from here

Wednesday, 2 November 2011

Using O2 to help an AppScan Source (and Standard) user

Yesterday I had a great session with a potential SI customer where I was tasked to help them make the most out of AppScan Source resources.

The scenario is a very typical one for any SAST client (namely Ounce/AS.Source or Fortify):

Unit Tests to detect problems with site and content integrity

So with the public launch of TeamMentor Beta I now have a nice problem to solve:

"How to write UnitTests (Browser Automation and WS driven) that test for the valid state of the TM test websites ( and and ensure that they have not been spectacularly modified, modified or hacked :)"

Here is a list of what I would like to keep an eye on or do:

  • Is the website still up?
  • What about its response time?
  • Do the normal N user activities still work? (open page, view content, login, edit content)
  • Is there any malicious content on the TM websites? (namely in the recent changes)
  • Review activity logs and detect malicious/weird activity?
  • How to automatically rebuild the server (maybe every day)?

All these should be written as UnitTest and executed on demand (or in a schedule). Sounds like a job for O2 :)

Humm, it looks like I really need to add AppSensor capabilities to TM, since that would allow some of these tests/activities to be detected in real time :)
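Added example (not from the original post, not O2 code): a Python sketch of the first few checks in the list above, written so it can run from a unit test against captured responses. It assumes a baseline taken from a known-good copy of each page (body hash plus the hosts the page is allowed to load scripts/iframes from) and compares later observations against it; the pages and responses below are constructed.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Observation:
    """What a fetch of one page returned (status, seconds taken, body)."""
    status: int
    latency: float
    body: str


@dataclass
class Finding:
    url: str
    kind: str      # "down", "slow", "changed" or "injected"
    detail: str


# Matches the src of <script> and <iframe> tags, the usual carriers of injected content.
SRC_RE = re.compile(r'<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def fingerprint(body: str) -> str:
    """Hash of the body with whitespace collapsed, so reformatting alone is not a change."""
    normalized = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def loaded_hosts(body: str) -> set[str]:
    """Hosts that scripts/iframes in this page would be loaded from."""
    return {urlparse(src).netloc.lower() for src in SRC_RE.findall(body) if urlparse(src).netloc}


def build_baseline(known_good: dict[str, str]) -> dict[str, dict]:
    return {url: {"sha256": fingerprint(body), "hosts": loaded_hosts(body)}
            for url, body in known_good.items()}


def check_site(baseline: dict[str, dict], observed: dict[str, Observation],
               max_latency: float = 2.0) -> list[Finding]:
    """Run the up / response-time / content-integrity checks for every baselined page."""
    findings: list[Finding] = []
    for url, expected in baseline.items():
        obs = observed.get(url)
        if obs is None or obs.status >= 500:
            findings.append(Finding(url, "down", f"status={obs.status if obs else 'no response'}"))
            continue
        if obs.latency > max_latency:
            findings.append(Finding(url, "slow", f"{obs.latency:.1f}s > {max_latency}s"))
        if fingerprint(obs.body) != expected["sha256"]:
            findings.append(Finding(url, "changed", "body hash differs from baseline"))
            # A changed page that now pulls content from a host the baseline never used
            # is the signal for "malicious content in the recent changes".
            new_hosts = loaded_hosts(obs.body) - expected["hosts"]
            if new_hosts:
                findings.append(Finding(url, "injected",
                                        "new script/iframe host(s): " + ", ".join(sorted(new_hosts))))
    return findings


# Constructed known-good pages (hypothetical site layout, not TeamMentor's real markup).
KNOWN_GOOD = {
    "/": '<html><head><script src="https://cdn.example.net/jquery.js"></script></head>'
         '<body><h1>TeamMentor</h1></body></html>',
    "/login": '<html><body><form action="/login"><input name="user"></form></body></html>',
    "/admin": '<html><body><h1>Admin</h1></body></html>',
}

# Constructed later observations: home page fine, login page slow and tampered with, admin page erroring.
OBSERVED = {
    "/": Observation(200, 0.3, KNOWN_GOOD["/"] + "\n"),
    "/login": Observation(200, 3.5, KNOWN_GOOD["/login"].replace(
        "</body>", '<script src="http://bad-host.example/x.js"></script></body>')),
    "/admin": Observation(500, 0.1, "Server Error"),
}


def demo() -> list[Finding]:
    return check_site(build_baseline(KNOWN_GOOD), OBSERVED)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.url}: {finding.kind} ({finding.detail})")
```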

TeamMentor v3.0 Beta is out of the bag (try it or download it now)

UPDATE (Oct 2012): THIS POST IS OUT-OF-DATE .The latest version of TeamMentor to test is at: Test and Hack TeamMentor server with 3.2 RC5 code and SI library

Last night SI (Security Innovation) released the public beta of the product I have been working on for the past 7 months. It is called TeamMentor (TM) and it is a web based tool to create and distribute security knowledge.

There is a lot that I want to talk about on this project (especially since O2 was used for its development, and this product is a great case study of the power of O2 when used as a developer-helping tool). Also, SI is more than happy for me to talk about the internals of TM, how it evolved and its architecture (which is a rare thing in product companies)

So to kick start this, here are the main links:
Here are the login details (note that the editor role can change all content, so try to be gentle with the version online :)  )
  • Administrator - admin/changeme 
  • Reader - Reader/changeme 
  • Editor - Editor/changeme 
  • Developer - Developer/changeme
If you download the TM code and want to run it locally, once you unzip it:
  • Launch the server by running either the "Start NET35.bat" file or the "Start  NET4.bat" file (use the one that works for you).
    • Give it a couple of seconds to load. An icon in the system tray should appear, indicating that the "Cassandra" server is running.
    • Please, note that the "Cassandra" server does not bind to external interfaces by default, so it will only be available on the local machine when started from the bundled scripts. 
  • Open the site. A web browser should open automatically on the main page. 
  • Login to the application with one of the pre-defined user accounts (listed above)
If you find bugs or security issues, please add them here: (this is beta so I expect you guys to find good stuff in there :) )

Let me know what you think of TM :)

Tuesday, 25 October 2011

First Answer to: Why doesn't SAST have better Framework support (for example Spring MVC)?

A couple of days ago I received the question and asked it here on this blog: Why doesn't SAST have better Framework support (for example Spring MVC)? (if you don't know what SAST means, see What does SAST mean? And where does it come from?)

I wrote the answer below on that day, but since I also posted this question to the O2 mailing list I wanted to give some space for others to chip in with their views (which they did, namely John Steven who I will reply to later):

Mea culpa: How I abused the OWASP rules on presenter's slides

After I posted the slides of my OWASP AppSec Brazil presentation on "Making Security Invisible by Becoming the Developer's Best Friends", I was reminded that a couple of slides in that presentation break the OWASP rules for conference presentations, which are very well established.

In fact, they’re right in the speaker agreement, which I totally violated.

"...Speakers are encouraged to include their contact information when introducing themselves, but may NOT include their logo on any visual and handout materials. Speakers are to avoid any appearance of commercialism in their session and presentations are to be of a technical or solutions emphasis. Further, I understand that the program tracks of the conference/event/chapter are an educational event, not a sales or marketing platform. I agree that my presentation(s) will be an objective review of the topic on which I am presenting, and will not contain any content that is a sales or promotional pitch for any specific product(s) or company(ies). My materials will also be reflective of the current status of the topic(s) I am addressing...."

Clearly the initial slide about SI breaks this, and my mistake was in thinking that tagging it with an 'Advertising' tag made it better (the next slides, although covering Common Criteria content released free by SI, in hindsight are also, too much on the marketing/sales side).

And yes, although there have been worse offenders in the past, that is no excuse and I should know better.

Sorry for this...

(I'm currently in a location with slow internet connection, but once I'm back to land I will update the slides accordingly)

Sunday, 23 October 2011

What does SAST mean? And where does it come from?

After I posted Why doesn't SAST have better Framework support (for example Spring MVC)? I received the question "What is SAST?" (which is a valid question since a Google search today for SAST returns some hilarious answers)

SAST means Static Analysis Software Testing , and (I believe) it was originally coined by Gartner when they published their Magic Quadrant for Static Application Security Testing report (first version in 2009).

SAST is basically what we usually (in the web world) call Static Analysis of source code (i.e. White Box tools). Its cousin is DAST (Dynamic Application Security Testing) and is what we call Pentesting (i.e. BlackBox tools). Google's DAST search results are also funny. Here is a more detailed answer on the difference between SAST and DAST.

Why doesn't SAST have better Framework support (for example Spring MVC)?

I received this question today, and before I answered it, I was wondering if you guys wanted to have a go at it first: 

"...I was reading over some of your blog entries, that made me think about the current state of SAST regarding the current frameworks.
I've been aware for a long time that SAST do not handle properly framework-level information. In the case of Spring MVC, the tools just don't get the data flow, etc.

Since you worked at Ounce before, do you know any particular reason why they didn't want to go into that direction? I mean, this is a solvable problem (you somewhat show how to do that in O2). Even if they would need to implement new front-ends, this is still a very important task to be done if they wanted to compete directly with Fortify (especially since F. doesn't get it either)....

Saturday, 22 October 2011

Mozmill looks really interesting

Anybody tried Mozmill? and

It looks very powerful and it could be a great way to write 'browser-based usability+security unit tests'

O2 needs to support it :)

Example of O2 being used to create a PDF from a list of users

One of the powers of O2 is that it allows the automation of repetitive tasks via scripts

This usually means automating some Web Vulnerability Browser workflow or a specific Static Analysis of source code.

Thursday, 20 October 2011

I need a .Net and JQuery developer based in London

Let me know if you are or know of a great .Net and JQuery developer in London.

SI is going to hire an extra resource to work with me on TeamMentor so please connect the dots :)

Microsoft All-In-One Code Framework (should the OWASP .NET community be involved?)

Anybody tried the Microsoft All-In-One Code Framework ?

It looks like a way to distribute sample apps (for example this ASP.NET AJAX web chat application ) and I wonder how much security thinking (and review) has occurred? 

If we are looking for a place to help .NET developers to write secure code, maybe this is a great place for us (OWASP) to be involved.

What do you think?

A comment on "Making Security Invisible by Becoming the Developer's Best Friends"

After my "Making Security Invisible by Becoming the Developer's Best Friends" post, Daniel posted a reply on his blog, and here are my comments on it (as posted on his blog):

Hi Daniel, Thanks for your comments, I think you make a good representation of the security camp that defends that "security is EVERY developer's business" which although well intended, unfortunately doesn't scale, and, in fact it doesn't work.

We will never achieve secure applications at a large scale if we require ALL developers (or even most) to be experts at security domains like Crypto, Authentication, Authorization, Input validation/sanitation, etc...

Note that I didn't say that NOBODY should be responsible for an Application's security. Of course there needs to be a small subset of the players involved that really cares about and understands the security implications of what is being created.

The core idea is that developers should be using Frameworks, APIs and Languages that allow them to create secure applications by design (where security is there but is invisible to developers). And when they (the developers or architects) create a security vulnerability, at that moment (and only then), they should have visibility into what they created (i.e. the side effects) and be shown alternative ways to do the same thing in a secure way.

The other idea that I'm trying to push our (the application security) industry to adopt, is this concept: "One can't protect/analyze what is not understood, so application security teams create models (and tools) that help them to visualize and understand how the apps works, and since this 'application visualization metadata' is also VERY valuable to developers, let's work together (devs+qa+appsec) so that we can embed application security knowledge and workflows into the SDL"

For example, a very good and successful example of making security 'invisible' for developers was the removal of 'buffer overflows' from C/C++ to .Net/Java (i.e. from unmanaged to managed code). THAT is how we make security (in this case Buffer Overflow protection) Invisible to developers

If you are looking for an analogy, "a chef cooking food" is probably the better one. Think of software developers that are cooking with a number of ingredients (i.e. APIs). Do you really expect that chef to be an expert on how ALL those ingredients (and tools he is using) were created and behave? It is impossible, the chef is focused on creating a meal. Fortunately the chef can be confident that some/all of his ingredients+tools will behave in a consistent and well documented way (which is something we don't have in the software world). I like the food analogy because, as with software, one bad ingredient is all it takes to ruin it.

Wednesday, 19 October 2011

Webinar on 'How to Break Web Software Security'

Tomorrow (20th October) I'm delivering a Webinar on the topic of 'How to Break Web Software Security' which will cover a number of Application Security vulnerabilities (and live demos)

You can read more details about this webinar and register here


Webinar abstract:
More than 80% of attacks happen at the application layer and network security isn't the answer. To compound the problem, Web applications employ specialized protocols and languages and suffer from unique problems that very quickly and easily lead to vulnerabilities for the uninformed.

This Webcast will describe and present techniques for breaking (from a security standpoint) web applications and learn methods of mitigation. This talk covers all of the basics (SQL injection, XSS, etc.) but goes beyond that to more advanced and sinister attacks.

Topics Covered:
  • Why the web is different and what this means to testing
  • Dangers of web services
  • How to think about security vulnerabilities in web applications
  • Techniques for information gathering, client-side attacks, state attacks, data attacks, language attacks, server attacks, authentication attacks

Friday, 14 October 2011

My presentation at OWASP AppSec Brazil: "Making Security Invisible by Becoming the Developer's Best Friends"

Hi, here is the presentation I delivered last week at OWASP's AppSec Brazil conference: OWASP Brazil - Making Security Invisible by Becoming the Developer's Best Friends (also available online at SlideShare)

I think I was able to capture how security tends to be seen by developers, how it is currently a TAX on the SDL and how we need to move Application Security into the 'application visibility' space so that we add value to the entire SDL (and create a positive model where the developers want to engage with us)

After you read the presentation, check out this video which I also recorded in Brazil: A developer's rant about security professionals (he was one of the developers in the audience who really related to the problem of receiving security guidance from security 'consultants' that don't understand his app).

The demos showed how O2 allowed this world to exist :)

Let me know what you think of it.

Note: see also this follow up post in response to Daniel's comments (below)

Tuesday, 9 August 2011

Sending spoofed emails using O2 (why does this still work in 2011?)

I just blogged today about a simple but powerful O2 script that allows the sending of Spoofed emails by sending emails using SMTP: (check out the API and GUI)

These emails are sent using an SMTP API, and there are a number of variations/corner cases that we will need to solve. For example:
  • Sending an email to a throws: No MX record found for the domain "". Check that the domain is correct and exists or specify a DNS server
  • On another server I got the following error (which could be solved by manipulating the provided hostname): ...failed : 504 5.5.2 <WIN-DR8DS3BT4V1>: Helo command rejected: need fully-qualified hostname
The key is to start mapping:
  • the exact scenarios where it is still possible (in 2011) to send Spoofed emails,
  • the case where it is NOT possible, and
  • what mitigations work
I have to say that I have been surprised at the places where this still works. One of the scary scenarios is the case where one sends a spoofed email 'to email X', 'from email Y', 'both at company Z' (and if Y is X's boss, there is no way X will not read it and click on a provided link)

I would like to start a list of locations where this is still possible; for example, it works for Gmail. So let me know if it works for you, and if you have any ideas on how/where to start mapping the data collected. On the topic of mapping this data, is there an online service to find out if an email host/provider is vulnerable to this? (i.e. allows the easy spoofing of emails)

Final Question: What are the mitigations, and where in OWASP should we put this information? (I could only find which is not 100% relevant)

Saturday, 6 August 2011

Injecting O2 into an .NET Process, in this case IBM Rational AppScan standard

Here is another example of how to inject O2 into an .NET Application and be able to control its GUI:
The 'pink' example came about because in the group I was having dinner with yesterday, there was a female AppScan user. I was explaining to her that once we can run O2 scripts inside AppScan, there are very few limitations on what can be done, and nothing showed that better than a Pink version of AppScan :)

Wednesday, 3 August 2011

OWASP O2 platform, the history so far (Sep 2008 till Aug 2011)

For the past couple of years I have been using this personal blog to document the O2 Platform's history.

Here are the most important blog posts, ordered chronologically and with some additional comments (made in August 2011).

Monday, 1 August 2011

Joining Security Innovation (SI) as an Employee

Today (1st August 2011) marks a new period of my career, I'm joining SI (Security Innovation) as an employee.

This is quite a departure for me, since I have been an 'independent consultant' for the past 10+ years and even when I had a contract with OunceLabs and ABN Amro, I was a contractor and not an employee.

I'm very excited to join SI, so far it has been a perfect match. I really like the SI setup, the people are amazing and they seem genuinely happy to support:
  • what I want to do,
  • how I want to do it, and
  • what I have been doing (namely the O2 Platform).

Although I've known SI for a while (I was a big fan of their Holodeck product) I never really thought of them as an Application Security company, so, it was with some surprise that I started a thread with Ed and Jason about OWASP Certification.

At the time I outlined what was the OWASP position (see this post for more details) and was expecting them (as others before) to give up, and not try to do anything about it.

To my surprise, they kept coming back, and the bigger the 'curve ball' I would send in their direction, the better they responded.

Cutting a long story short, SI:

Since there was an obvious synergy between us, after the Summit I talked with Jason and Ed and we came up with a first way of working together (see my blog post Working with SI on Team Mentor and OWASP projects ).

What started as a 'lets make some bug fixes' to TeamMentor, became a major redesign, where the new version (3.0) is almost a complete rewrite of the existing version of TeamMentor's backend and frontend.

It was this process that really allowed me to see what SI was like. I basically kept coming back to Jason with requests to improve/redesign TeamMentor's backend/frontend, and he kept trusting me and allowing me to go on the direction that I felt was more suitable for TeamMentor.

I'm glad he let me do that, since the new version is heavily based on jQuery, is fully driven by WebServices and has a file-based XML data store (i.e. no SqlServer). Of course I used O2 to help with the development of TeamMentor :) and there are LOTs and LOTs of goodies and tools in there that I will be blogging about next.

In some ways, it's the little things that I like about SI:
  • The way that Jason and Ed understand the added value of playing the 'open' game at OWASP where everybody benefits
  • Jason's (CTO) Free Range family and lifestyle
  • The hard-core geek squad at the Seattle office (one of the authors of Firesheep is part of SI :) ), which is VERY strong in Application Security
  • The very mature SDL process and Application Security review that they 'try' to get the clients to use :)
  • The large component of training and e-learning (which has always been a passion of mine)
  • The voice and type of discussion that occurs in the internal mailing lists
  • The fact that Jason is happy for me to blog about what I am doing with TeamMentor (see
  • The way the marketing department is trying to do the right thing for OWASP
  • The fact that SI's tag line is 'The Software Security Company' - which is exactly what I want to do :)
So let's see what happens next. I know that I'm now going to be viewed as a 'vendor' and my 'independence' is going to be questioned. I hope that my actions in the next months/years, will show that my heart is still in the right place and that I'm still 100% focused on solving the 'Application Security' problem (i.e. helping developers to create secure applications).

FYI, my new title is 'Principal Security Engineer' and here is a direct quote from my contract:
  1. Continue development on TeamMentor. Particularly finish v3.0 and post-release work with .... as well as customers and prospects to ID use cases, promote adoption, and spec new features for future releases.
  2. Deliver SI professional services and training, with a focus on European clients. This can include ILT, app pen testing, code reviews, threat modeling, and SDLC consulting.
  3. Serve as SME for SI eLearning courses, with a focus on web/OWASP content. This may entail reviewing content and storyboards, and sourcing/adapting existing content from OWASP sources that can be built into our commercial eLearning products.
  4. Serve as “outreach” – a public face of SI to help elevate our stature and presence in the industry. This would include everything from your blog to speaking engagements at conferences to interacting with the press and our PR firm.
Btw, if you have any questions or issues about SI, feel free to contact me.

Saturday, 30 July 2011

Proposed workflow for breaking and analysing FVDL Files

Following the multiple blog entries posted about O2's support for Fortify's FVDL, here is a description (sent to me by an O2 user) of a use-case that O2 should support:

I would shoot for the ability to disposition large *.fpr/*.fvdl files.

Here is a typical workflow:

1. Scan is run on the code base, generating an *.fpr file
2. Code reviewers receive the file, but because it is too large it cannot be opened by Fortify's tool.
3. Code reviewer uses O2 to open the file and disposition or suppress issues by Category (XSS, SQL Injection, Path Tampering, etc.)
4. Code reviewer then saves dispositions to the *.fpr file.
5. The *.fpr is saved, and on a subsequent scan of the same application the new.fpr file is merged with the old.fpr file.
6. The code reviewer works on the merged.fpr to disposition items.
7. Wash, rinse, repeat.

The data needs to be stored in the *.fpr file because most code assessment processes rely on merging the old fpr with the new *.fpr/*.fvdl on subsequent re-reviews.

Next step is to write the script(s) to implement this workflow, and to figure out the best GUIs to enable it.
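Step 3 of that workflow is the part that does not need Fortify's tool at all: an .fpr is a zip archive whose findings live in audit.fvdl at its root, so grouping by Category and bulk-dispositioning is a parsing job. The script below is an added example, not O2's own FVDL parser: it reads audit.fvdl out of an .fpr, groups the Vulnerability entries by their ClassInfo/Type and produces a disposition per InstanceID for whole categories at once. The FVDL snippet it runs on is constructed and reduced to the few elements the script uses (a real audit.fvdl carries traces, source locations and much more), and the namespace is stripped generically so the code does not depend on the exact namespace URI. Writing the decisions back into the .fpr's audit.xml so they survive the merge in step 5 is the open 'next step' the post mentions and is not shown.

```python
"""
Added example (not O2's FVDL parser): open an .fpr, parse audit.fvdl, group
findings by Category and apply a bulk disposition per category.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, heavily simplified audit.fvdl: five findings across three categories.
SAMPLE_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.9">
  <Vulnerabilities>
    <Vulnerability>
      <ClassInfo><ClassID>A1</ClassID><Type>Cross-Site Scripting</Type><Subtype>Reflected</Subtype></ClassInfo>
      <InstanceInfo><InstanceID>ID-0001</InstanceID><InstanceSeverity>4.0</InstanceSeverity></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>A1</ClassID><Type>Cross-Site Scripting</Type><Subtype>Persistent</Subtype></ClassInfo>
      <InstanceInfo><InstanceID>ID-0002</InstanceID><InstanceSeverity>4.0</InstanceSeverity></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>B7</ClassID><Type>SQL Injection</Type></ClassInfo>
      <InstanceInfo><InstanceID>ID-0003</InstanceID><InstanceSeverity>5.0</InstanceSeverity></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>C2</ClassID><Type>Path Manipulation</Type></ClassInfo>
      <InstanceInfo><InstanceID>ID-0004</InstanceID><InstanceSeverity>3.0</InstanceSeverity></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>C2</ClassID><Type>Path Manipulation</Type></ClassInfo>
      <InstanceInfo><InstanceID>ID-0005</InstanceID><InstanceSeverity>3.0</InstanceSeverity></InstanceInfo>
    </Vulnerability>
  </Vulnerabilities>
</FVDL>
"""


def _local(tag):
    """Strip the namespace so the parser does not depend on the exact FVDL namespace URI."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem, *path):
    """Text of the element reached by following direct children named in `path`, or ''."""
    for name in path:
        elem = _child(elem, name) if elem is not None else None
    return elem.text.strip() if elem is not None and elem.text else ""


def parse_fvdl(fvdl_text):
    """One dict per <Vulnerability>: instance id, category (ClassInfo/Type), subtype, severity."""
    root = ET.fromstring(fvdl_text)
    findings = []
    for vuln in root.iter():
        if _local(vuln.tag) != "Vulnerability":
            continue
        findings.append({
            "id": _text(vuln, "InstanceInfo", "InstanceID"),
            "category": _text(vuln, "ClassInfo", "Type"),
            "subtype": _text(vuln, "ClassInfo", "Subtype"),
            "severity": float(_text(vuln, "InstanceInfo", "InstanceSeverity") or 0),
        })
    return findings


def parse_fpr(fpr):
    """An .fpr is a zip; findings are in audit.fvdl at its root. `fpr` is a path or file object."""
    with zipfile.ZipFile(fpr) as archive:
        return parse_fvdl(archive.read("audit.fvdl").decode("utf-8"))


def group_by_category(findings):
    groups = defaultdict(list)
    for finding in findings:
        groups[finding["category"]].append(finding)
    return dict(groups)


def disposition_by_category(findings, decisions, default="Pending Review"):
    """Bulk disposition (step 3): every finding in a category gets that category's decision."""
    return {f["id"]: decisions.get(f["category"], default) for f in findings}


def build_fpr(fvdl_text):
    """Constructed in-memory .fpr holding only audit.fvdl (real ones also carry audit.xml etc.)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("audit.fvdl", fvdl_text)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    findings = parse_fpr(build_fpr(SAMPLE_FVDL))  # replace with parse_fpr("scan.fpr") for a real file
    for category, items in sorted(group_by_category(findings).items()):
        print(f"{category:25s} {len(items)} finding(s)")
    decisions = {"Path Manipulation": "Not an Issue", "SQL Injection": "Exploitable"}
    print(json.dumps(disposition_by_category(findings, decisions), indent=2))
```

Because parse_fpr takes anything zipfile accepts, the same code runs on a multi-hundred-megabyte scan result from disk; nothing here loads more than the XML tree, which is what the oversized-file problem in step 2 needs.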

Friday, 29 July 2011

What needs to be done to map Static Analysis Traces from Controllers and Views

Here is a reply I just posted on the O2 Mailing list, which provides a number of ideas on how to map/glue partial traces (i.e. traces that have sinks on Controllers and Sources on Views)


I think we are exactly on the same page, and welcome to the wonderful world of 'Framework behaviour mapping' :)

More FVDL scripting and an example of an (O2 created) .NET Taint Flow trace

Here is a reply I just sent to a new O2 user that is trying to get his head around O2 Scripting (to parse, filter and visualize FVDL Files) , which also includes a link to a blog post with an example of what the O2 .NET Static Analysis engine is able to create:

"...I've pushed another blog post that should give you more ideas on what you can do with O2 scripting and FVDL files: (I wrote this last week, but run out of time to publish it then) ..."

Question: what do you mean by "connecting some related unsupported MVC pattern breaks the data flow from the controller to the view"? Are you trying to connect the taint-flow traces? (for example a trace that starts in a Controller and continues on a View?)

If so, you need to take a look at what I was doing with the traces I used to get from the Ounce Labs engine. I was doing exactly that. 

There is quite a lot of scripts and code in O2 to support the joining of traces (from simple to complex use cases), so let me know if this is what you are trying to do (note that to really take advantage of O2, we should expand the current FVDL parser to create IO2Findings objects, since once we have that, we can use the existing O2 tools for Finding's viewing and Trace's joining (including Drag&Drop trace creation support)).

To see an example of the kind of traces you can do in O2, check this out .NET HacmeBank SQL Injection vulnerability trace example: .

Note how that 'O2 created trace':
  • starts on a URL (the real Source of tainted data), 
  • then follows the taint flow into a server-side Textbox, 
  • and into the WebService's call on the WebSite code
  • and into the WebServices' method on the WebService's code (this was a separate trace that was joined with the first one), 
  • and continues the taint flow until it reaches the SQL Injection sink
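Both the Controller-to-View question above and the HacmeBank trace come down to the same operation: a partial trace whose sink is really a hand-off (a web service call, a write into ViewData) has to be glued to the partial trace whose source is the other end of that hand-off (the web service method's parameter, the read in the view). The script below is an added example, not O2's trace-joining code or output from its .NET static analysis engine: traces are lists of nodes, the join rule is 'the sink signature of one trace equals the source signature of another, either directly or via a framework behaviour mapping', and the glued sink is demoted to a propagation step so each end-to-end trace keeps a single real sink. The four partial traces are constructed sample data with made-up file names and locations, shaped like the HacmeBank trace (URL parameter, TextBox, web service call, then the service method down to the SQL sink) and like an MVC controller writing ViewData that a view reads back through ViewBag (in ASP.NET MVC 3, ViewBag is a dynamic wrapper over the ViewData dictionary, which is exactly the kind of behaviour the engine cannot see and a mapping has to supply).

```python
"""
Added example (not O2's code): glue partial taint traces end to end using
direct signature matches and explicit framework behaviour mappings.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Node:
    kind: str        # "source", "propagation" or "sink"
    location: str    # file:line a trace viewer would jump to (made up here)
    signature: str   # the value read or written at this node; the join key


# Trace A (website code): URL parameter -> server-side TextBox -> call into the web service
TRACE_A = [
    Node("source", "TransferFunds.aspx:12", 'Request.QueryString["toAccount"]'),
    Node("propagation", "TransferFunds.aspx.cs:40", "txtToAccount.Text"),
    Node("sink", "TransferFunds.aspx.cs:58", "TransactionsService.Transfer(string toAccount)"),
]
# Trace B (web service code): method parameter -> query string -> SQL sink
TRACE_B = [
    Node("source", "TransactionsService.asmx.cs:21", "TransactionsService.Transfer(string toAccount)"),
    Node("propagation", "TransactionsService.asmx.cs:25", "sql"),
    Node("sink", "TransactionsService.asmx.cs:27", "SqlCommand.ExecuteNonQuery()"),
]
# Trace C (MVC controller): request value written into ViewData
TRACE_C = [
    Node("source", "SearchController.cs:15", 'Request["q"]'),
    Node("sink", "SearchController.cs:17", 'ViewData["q"]'),
]
# Trace D (Razor view): the same value read back through ViewBag and emitted unencoded
TRACE_D = [
    Node("source", "Search.cshtml:3", "ViewBag.q"),
    Node("sink", "Search.cshtml:3", "Html.Raw(string)"),
]

# Framework behaviour mappings: (sink signature, source signature) pairs the engine
# cannot see through. ViewBag.q and ViewData["q"] are the same dictionary slot.
MAPPINGS = {('ViewData["q"]', "ViewBag.q")}


def joins(sink: Node, source: Node, mappings) -> bool:
    """True when a trace ending at `sink` continues into one starting at `source`:
    identical signatures (the web service call/method case) or an explicit mapping."""
    return (sink.kind == "sink" and source.kind == "source"
            and (sink.signature == source.signature
                 or (sink.signature, source.signature) in mappings))


def join_all(traces, mappings):
    """Glue partial traces until no trace's sink maps onto another trace's source.
    The glued sink becomes a propagation step, so every result has exactly one sink.
    Inputs are not modified."""
    traces = [list(t) for t in traces]
    changed = True
    while changed:
        changed = False
        for a in traces:
            b = next((t for t in traces if t is not a and joins(a[-1], t[0], mappings)), None)
            if b is not None:
                a[-1] = replace(a[-1], kind="propagation")
                a.extend(b)
                traces.remove(b)
                changed = True
                break
    return traces


if __name__ == "__main__":
    for trace in join_all([TRACE_A, TRACE_B, TRACE_C, TRACE_D], MAPPINGS):
        print(" -> ".join(f"{n.kind}:{n.signature}" for n in trace))
```

Without the ViewData/ViewBag entry in MAPPINGS, traces C and D stay separate and the XSS path never reaches its sink, which is the 'breaks the data flow from the controller to the view' symptom in the question; adding the mapping is the whole fix, and the same table can grow with Session, TempData or whatever the framework hands values through.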

Thursday, 21 July 2011

101 O2 Platform Blog posts (by category) - on July 21st

If you are looking for info on O2 features and scripting capabilities, the best place to look is the O2 Blog (at

Here is the full list of the currently 101 entries (listed by category (the last post listed them by publish date)):

101 O2 Platform Blog posts (by publish date) - on July 21st

If you are looking for info on O2 features and scripting capabilities, the best place to look is the O2 Blog (at

Here is the full list of the currently 101 entries (here listed by publish date (next post will list them by category))