Friday, 29 July 2011

More FVDL scripting and example of (O2 created).NET Taint Flow trace

Here is a reply I just sent to a new O2 user that is trying to get his head around O2 Scripting (to parse, filter and visualize FVDL Files) , which also includes a link to a blog post with an example of what the O2 .NET Static Analysis engine is able to create:

"...I've pushed another blog post that should give you more ideas on what you can do with O2 scripting and FVDL files: http://o2platform.wordpress.com/2011/07/29/creating-the-the-util-view-fvdl-traces-h2-script-lots-of-data-analysis-code-samples (I wrote this last week, but run out of time to publish it then) ..."

Question: what do you mean by "connecting some related issues..an unsupported MVC pattern breaks the data flow from the controller to the view" ? Are you trying to connect the tain-flow traces? (for example a trace that starts in a Controller and continues on a View?)

If so, you need to take a look at what I was doing with the traces I used to get from the Ounce Labs engine. I was doing exactly that. 

There is quite a lot of scripts and code in O2 to support the joining of traces (from simple to complex use cases), so let me know if this is what you are trying to do (note that to really take advantage of O2, we should expand the current FVDL parser to create IO2Findings objects, since once we have that, we can use the existing O2 tools for Finding's viewing and Trace's joining (including Drag&Drop trace creation support)).

To see an example of the kind of traces you can do in O2, check this out .NET HacmeBank SQL Injection vulnerability trace example: http://o2platform.wordpress.com/2011/07/29/o2-net-ast-scanner-hacmebank-sql-injection-poc .

Note how that 'O2 created trace':
  • starts on a URL (the real Source of tainted data), 
  • then follows the taint flow into a server-side Textbox, 
  • and into the WebService's call on the WebSite code
  • and into the WebServices' method on the WebService's code (this was a separate trace that was joined with the first one), 
  • and continues the taint follow until it reaches the Sql Injection Sink
Post a Comment