Wednesday, 14 December 2011

"...O2 in Seattle..." and "...Please Hack TeamMentor (beta)..."

I'm presenting an updated version of O2 at tonigth's OWASP Chapter meeting (

There are a number of new O2 features that I will cover, but to make it relevant to the audience, I will present O2 as part of a challenge which is 'Please Hack TeamMentor'.

TeamMentor is the WebApp product (currently in Beta) I have been developing for Security Innovation with the help of O2 (you can download TeamMentor Beta and its source code from GitHub).

Showing O2 this way will allow me to:
  • present and discuss the architecture of a real world app and its security implications
  • how me (as a developer) see security and its position on the development/management food-chain (btw on this topic, if you haven't you should also see my 'Making Security Invisible by Becoming the Developer's Best Friends' presentation deliveled at OWASP AppSec Brazil and this amazing video response to it: A developer's rant about security professionals )
  • how O2 allows me to deal with real world problems such as:
    • creating Unit Tests for jQuery/Ajax/WebServices based websites,
    • dealing with automation problems that ALL current browser automation engines have (WatiN, WatiR, Selenium, Cucumber, WebKit, QUnit, etc...) ,  and visualizing the data created using custom GUIs (note that O2 has native support for WatiN, NUnit and QUnit and has access/control to all of .NET's WinForms/WPF)
    • creating cached versions of the site (controlled by a built-inside-O2 web proxy),
    • direcly invoke/compile specific parts/components of the application (this is used to create targeted Unit Tests & fuzzing), 
    • running consolidated (i.e. all available) NUnit tests using NUnit's GUI, command line and O2 scripts
    • dealing with complex webservices
    • view, analyse and test the server side RoleBase Authorization mappings (created using .NET Attributes) which affects the exposed WebServices
  • how the APIs and tools created by O2 purely as 'developer aids' (i.e. not for security) are then massively important, useful and usable on the UnitTesting phase.
For the 'hands-on' part of the crowd, I want to use the following OWASP projects to help me with TeamMentor development and testing (and I really could do with some help here):
  • ESAPI (both .NET and Javascript) - Starting with the Encoding part to deal with XSS (needs to be integrated with .NET's AntiXSS)
  • AppSensor  - to allow TeamMentor to modify its behaviour depending on its current 'attack' level
  • OpenSAMM - create a score card  
  • ZAP Proxy - feed the existing O2 Browser automation scripts via ZAP's proxy and fire up its tests
  • Agnitio (not yet an OWASP)  - map out to its check lists
  • OWASP Testing, Code Review and Developer Guides 
  • ... other OWASP projects?  (if you are involved in an OWASP project that you think would be a good fit, please go for it)
What is interesting about TeamMentor is that it is a complex real world app (with legacy code), containing tons of WebServices and JavaScript/jQuery activity. This makes it very hard to test by today's tools (or even manual process). 

Also very important, is the fact that we are dealing with a team/company that welcomes the 'Security' part of the SDL (which doesn't happen very often :)  )

I'm very happy that SI is ok with this, and my hope is that this will allow us to have a number of interesting conversations/threads (hard to happen in test apps like WebGoat or HacmeBank, or apps where the main developers are not directly engaged in the process)

For the ones that can't come tonight, I will follow up later this week with more detailed instructions.

So here is your official invite: Go and HACK TeamMentor (GitHub) and report your findings as O2, NUnit, Python, Boo, etc. scripts. 

Btw, since this is a Beta version, I'm sure that there are still a number of areas which have juicy security vulnerabilities! Good luck in finding then :) 

Only one condition, I WILL NOT READ any findings reported in PDF format :)