Code Crawler Status and Help request June 21, 2008
Posted by nTze in : Code Crawler, Code Review, owasp.org
Hello fellows,
as you know, CC development is still ongoing and most of the features listed in the SOC 2008 (OWASP Summer of Code) are working in beta status, which I'm very happy about.
The Code Crawler XML/XSL engine has been coded and I'm really proud to announce that CC will support custom templates, which will let you build and customize the "look & feel" of your result set.
The structure of the template is quite simple: the XML output file is mainly composed of three elements, Threat, Description and Name. I'm halfway to releasing a WFA (Wait for Approval) official OWASP template, which will be released with CC itself.
As you may also know, the CC keypointers database is in XML format now, and that's why I need your help. The current database lists around 239 potential keywords.
Here is an example:
<KeyPointer>
  <k_name>exec sp_executesql</k_name>
  <k_level>3</k_level>
  <k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
  <link>http://www.owasp.org</link>
</KeyPointer>
<KeyPointer>
  <k_name>delete from where</k_name>
  <k_level>3</k_level>
  <k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
  <link>http://www.owasp.org</link>
</KeyPointer>
As you can see, the description tag of every item is pretty much the same for most of the categories, and that's where help is needed. If you have some time to spend and want to get involved in CC development, feel free to add or modify descriptions for keywords. All help will be highly appreciated.
The current database can be found at http://www.cyphersec.com/TestLab/CodeCrawlerDatabase.xml (102 KB). Once again, feel free to submit changes and be sure to mail them back to tools@[idontwantspam]cyphersec.com.
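As an added example (Python, not Code Crawler's own code), here is how a database laid out like the XML above can be consumed: load every KeyPointer, grep a source file for each k_name, and report the hits with the highest k_level first, which is what a reviewer wants to read first. The root element name (KeyPointers), the token-sequence matching rule for multi-word keywords, the third KeyPointer entry and the C# lines being scanned are all constructed for this example and are not taken from the real CodeCrawlerDatabase.xml.

```python
"""Added example in Python; it is not Code Crawler's own code.  It loads a
KeyPointer database laid out like the XML in the post and greps a source
file for every k_name, reporting hits with the highest k_level first."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample database.  Assumptions not stated in the post: the root
# element is called <KeyPointers>, and the third entry is invented here.
SAMPLE_DB = """<?xml version="1.0" encoding="utf-8"?>
<KeyPointers>
  <KeyPointer>
    <k_name>exec sp_executesql</k_name>
    <k_level>3</k_level>
    <k_description>Dynamic SQL execution point: check that values are bound with SqlParameter, not concatenated.</k_description>
    <link>http://www.owasp.org</link>
  </KeyPointer>
  <KeyPointer>
    <k_name>delete from where</k_name>
    <k_level>3</k_level>
    <k_description>Inline DELETE statement: verify the WHERE clause is parameterised.</k_description>
    <link>http://www.owasp.org</link>
  </KeyPointer>
  <KeyPointer>
    <k_name>Request.QueryString</k_name>
    <k_level>2</k_level>
    <k_description>Untrusted input enters here; follow it to every sink.</k_description>
    <link>http://www.owasp.org</link>
  </KeyPointer>
</KeyPointers>
"""


@dataclass(frozen=True)
class KeyPointer:
    name: str
    level: int
    description: str
    link: str

    def pattern(self) -> "re.Pattern[str]":
        # Assumption (the post does not document CC's matching rule): a
        # multi-word k_name such as "delete from where" is an ordered sequence
        # of tokens that may have other text between them, so the statement
        # "DELETE FROM Orders WHERE ..." is a hit.  Matching is case-insensitive
        # because T-SQL keywords usually are.
        tokens = [re.escape(t) for t in self.name.split()]
        return re.compile(r"\b" + r"\b.*?\b".join(tokens) + r"\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    level: int
    keyword: str
    line: str


def load_keypointers(xml_text: str) -> list[KeyPointer]:
    """Parse every <KeyPointer> element into a KeyPointer record."""
    root = ET.fromstring(xml_text)
    return [
        KeyPointer(
            name=node.findtext("k_name", "").strip(),
            level=int(node.findtext("k_level", "0")),
            description=node.findtext("k_description", "").strip(),
            link=node.findtext("link", "").strip(),
        )
        for node in root.iter("KeyPointer")
    ]


def scan_source(source: str, pointers: list[KeyPointer]) -> list[Hit]:
    """Return one Hit per (line, keypointer) match, highest k_level first,
    then by line number, so a reviewer reads the riskiest lines first."""
    compiled = [(kp, kp.pattern()) for kp in pointers]
    hits = [
        Hit(line_no, kp.level, kp.name, line.strip())
        for line_no, line in enumerate(source.splitlines(), start=1)
        for kp, rx in compiled
        if rx.search(line)
    ]
    hits.sort(key=lambda h: (-h.level, h.line_no))
    return hits


# Constructed C# fragment to scan: a tainted id flows into dynamic SQL.
SAMPLE_SOURCE = """string id = Request.QueryString["id"];
string sql = "DELETE FROM Orders WHERE OrderId = " + id;
cmd.CommandText = "EXEC sp_executesql N'" + sql + "'";
cmd.Parameters.Add(new SqlParameter("@id", id));
"""

if __name__ == "__main__":
    for h in scan_source(SAMPLE_SOURCE, load_keypointers(SAMPLE_DB)):
        print(f"[level {h.level}] line {h.line_no}: {h.keyword!r} -> {h.line}")
```

Run it as a script to see the three hits; the last line of the sample (the SqlParameter call) produces no hit, which is exactly the point of the description text: the reviewer still has to look at whether the parameter is actually used in the statement above it.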
Thanks.
A.
Oops, we did it again. June 14, 2008
Posted by nTze in : .NET, My Life
We are out now with the updated version of the Apogeo ASP.NET Pocket book; anyway, I truly hope the Apogeo guys are pushing my updated "about". It's going to be funny.
So what about the future?
"ASP.NET 3.5" is officially my last Italian-written book; as I said before, there's a new "big fat" book coming up next year, so more to come.
"Look Mum, no hands!" ("Guarda mamma, senza mani!")
Code Crawler 2.1.2 May 26, 2008
Posted by nTze in : Code Crawler, Code Review, owasp.org
Live from the Code Crawler development offices (lol):
- Done: XML Database instead of SQL Server Express
- Alessio to implement OWASP Orizon Project
- Almost Done: Result XML/XSLT based
- Almost Done: Scanning Engine Option : Scan Visual Studio's Solution
Hacking ViewState for Fun and Profit May 25, 2008
Posted by nTze in : .NET, CyberCrime, Hacking
The View State object is stored in a single Base64-encoded string that looks like this:
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="dDw3NDg2NTI5MDg7Oz4="/>
Because this value isn't formatted as clear text, many ASP.NET programmers assume that their view state data is encrypted. It isn't: by default view state is only Base64-encoded, and the view state MAC (where enabled) stops tampering but does not hide the content. A clever hacker can reverse this string and examine your view state data in a matter of seconds, so never put sensitive data in view state, and set ViewStateEncryptionMode if you really must.
Here is a POC that shows how it can be done.
Filename: firenze.aspx.cs
/// ########################################################################################################################
/// Tool Name : Firenze
/// Author : Alessio "nTze" Marziali
/// Contact : alessio@owasp.org
/// Url: http://www.cyphersec.com
/// Note: Microsoft ASP.NET is a powerful web application framework available on the market.
/// It's being used in big environments to build robust and scalable web applications.
/// Unfortunately, due to lack of skills, some so-called ASP.NET developers are not investing time in security.
///
/// ASP.NET security is getting more and more important due to the fact that it gives its best in large
/// enterprise web application scenarios.
///
/// This tool was born from the idea of showing how reading sensitive information is possible
/// on web applications like e-banks which rely on the ViewState object.
/// ########################################################################################################################
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

/// <summary>
/// Hacking ViewState:
/// Because it isn't formatted as clear text, many ASP.NET programmers assume that their
/// view state data is encrypted. It isn't. A clever hacker could reverse-engineer this string and examine
/// your view state data in a matter of seconds (here is how).
/// </summary>
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Page.Title = "Firenze : ViewState automated hacking tool";
        TextBox UITextBox = new TextBox(); // Create a TextBox control

        // Set properties
        UITextBox.TextMode = TextBoxMode.MultiLine;
        UITextBox.Wrap = true;
        UITextBox.Rows = 10;
        UITextBox.Width = 300;
        UITextBox.ID = "UIViewStateCode1";
        UITextBox.CssClass = "viewStateBox";
        UITextBox.Text = "ViewState Goes here";

        // Show through UIReader1 (PlaceHolder). The control is re-created on every
        // request, which is what lets FindControl locate it on postback.
        UIReader1.Controls.Add(UITextBox);

        // UIButton properties
        UIButton1.Text = "Decode ViewState";
        UIButton1.Width = UITextBox.Width;
    }

    /// <summary>
    /// UIButton1_Click Event Handler
    /// </summary>
    /// <param name="sender">object</param>
    /// <param name="e">EventArgs</param>
    protected void UIButton1_Click(object sender, EventArgs e)
    {
        // Check if the TextBox control exists within the page
        TextBox RetrievedControl = null;
        try
        {
            RetrievedControl = (TextBox)Page.FindControl("UIViewStateCode1");
            UILiteral.Text = ReadViewState(RetrievedControl.Text);
        }
        catch (NullReferenceException)
        {
            UILiteral.Text = "Can't find textbox control, giving up..";
        }
    }

    /// <summary>
    /// theViewState contains the view state information.
    /// Convert the Base64 string to an ordinary array of bytes
    /// representing ASCII characters.
    /// </summary>
    /// <param name="theViewState">System.String - ViewState</param>
    /// <returns>System.String - Human readable code</returns>
    protected internal string ReadViewState(string theViewState)
    {
        string decodedViewState = string.Empty;
        try
        {
            byte[] stringBytes = Convert.FromBase64String(theViewState); // Create an array of bytes
            // Render the bytes as 7-bit ASCII. This is readable for the ASP.NET 1.x text
            // format ("t<...>", as in the sample above); the binary ASP.NET 2.0 format
            // needs LosFormatter/ObjectStateFormatter.Deserialize to be read properly.
            decodedViewState = System.Text.Encoding.ASCII.GetString(stringBytes);
        }
        catch (System.FormatException)
        {
            return "Sorry, looks like you were looking for something I can't read";
        }
        return decodedViewState;
    }
}
Filename: firenze.aspx
<%@ Page Language="C#" AutoEventWireup="true" EnableViewState="false" CodeFile="firenze.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <link rel="Stylesheet" href="Css/StyleSheet.css" type="text/css" />
    <title>Hacking My Own ViewState</title>
</head>
<body>
    <form id="form1" runat="server">
        <asp:PlaceHolder id="UIReader1" runat="server" /><br /><br />
        <asp:Button ID="UIButton1" runat="server" onclick="UIButton1_Click" />
        <br /><br />
        <asp:Literal ID="UILiteral" runat="server" />
    </form>
</body>
</html>
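As an added example that is not part of the original post or of the Firenze tool, the following Python helper does the same Base64 decoding offline and classifies what came out, which is the first triage step on a test: the ASP.NET 1.x text format (the dDw... value above decodes to t<748652908;;>), the ASP.NET 2.0+ ObjectStateFormatter binary format that starts with the bytes 0xFF 0x01, or something unrecognised, which usually means ViewStateEncryptionMode is on. It also pulls printable strings out of the decoded bytes, which is how leaked fields are spotted in the binary format. The second and third sample values are constructed byte strings, not real serialised view state.

```python
"""Added example in Python; it is not part of the original post or of the
Firenze tool.  It Base64-decodes a __VIEWSTATE value offline and classifies
the result, which is the first triage step on a test."""
import base64
import binascii
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewStateInfo:
    fmt: str         # "los-1.x-text", "objectstateformatter" or "unknown-or-encrypted"
    raw: bytes       # decoded bytes
    readable: str    # decoded bytes with non-printables shown as "."


def decode_viewstate(value: str) -> ViewStateInfo:
    """Decode and classify a __VIEWSTATE value.

    Formats relied on: ASP.NET 1.x LosFormatter writes page state as a text
    Triplet that begins with "t<"; ASP.NET 2.0+ ObjectStateFormatter writes a
    binary stream whose first two bytes are 0xFF 0x01 (Base64 "/wE...").
    Neither is encrypted unless ViewStateEncryptionMode is on.  When the
    view state MAC is enabled the hash is appended after the data, so the
    head still decodes even though the tail looks like noise.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("value is not a Base64 string") from exc

    readable = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    if raw[:2] == b"\xff\x01":
        fmt = "objectstateformatter"
    elif raw[:2] == b"t<":
        fmt = "los-1.x-text"
    else:
        fmt = "unknown-or-encrypted"
    return ViewStateInfo(fmt, raw, readable)


def extract_strings(raw: bytes, min_len: int = 4) -> list[str]:
    """Pull printable-ASCII runs out of the decoded bytes, like `strings`.
    ObjectStateFormatter stores strings length-prefixed but otherwise in the
    clear, so this is usually enough to spot leaked data."""
    runs, cur = [], []
    for b in raw:
        if 32 <= b < 127:
            cur.append(chr(b))
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur))
        cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


# The value from the post (ASP.NET 1.x text format).
SAMPLE_V1 = "dDw3NDg2NTI5MDg7Oz4="
# Constructed: the 0xFF 0x01 ObjectStateFormatter header in front of a
# leaked field; not a genuine serialisation, just enough to exercise the check.
SAMPLE_V2 = base64.b64encode(b"\xff\x01\x0f\x05\x0b" + b"account=12345").decode("ascii")
# Constructed: bytes with neither header, i.e. what encrypted view state looks like.
SAMPLE_OPAQUE = base64.b64encode(b"\x93\xa7\x1c\x00\xd4\x5e\x02\x88").decode("ascii")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2, SAMPLE_OPAQUE):
        info = decode_viewstate(sample)
        print(f"{info.fmt:22} {info.readable!r} strings={extract_strings(info.raw)}")
```

If a real target's value classifies as unknown-or-encrypted, check the page for ViewStateEncryptionMode before concluding anything; if it classifies as one of the two plain formats, everything in it is readable by whoever holds the page, MAC or no MAC.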
User Controls - The basics May 11, 2008
Posted by nTze in : .NET, Pro ASP.NET, riflessioni
Sooner or later, you'll want to get under the hood, start tinkering, and build your very own user interface components.
In .NET, you can plug into the web forms frameworks with your own controls in two ways. You can develop either of the following:
- User Controls: A user control is a small section of a page that can include static HTML code and web server controls. The advantage of user controls is that once you create one, you can reuse it in multiple pages in the same web application. You can even add your own properties, events, and methods.
- Custom server controls: Custom server controls are compiled classes that programmatically generate their own HTML. Unlike user controls, server controls are always precompiled into DLL assemblies. Depending on how you code the server control, you can render the content from scratch, inherit the appearance and behavior from an existing web control and extend its features, or build the interface by instantiating and configuring a group of constituent controls
Let's start with the User Controls and the basics.
User control (.ascx) files are similar to ASP.NET web-form files. Like web forms, user controls are composed of a user interface portion with control tags and can use inline script or a .cs code-behind file. User controls can contain just about anything a web page can, including static HTML content and ASP.NET controls, and they also receive the same events as the Page object (like Load and PreRender) and expose the same set of intrinsic ASP.NET objects through properties.
The key differences between user controls and web pages are as follows:
- User controls begin with a Control directive instead of a Page directive.
- User controls use the file extension .ascx instead of .aspx, and their code-behind files inherit from the System.Web.UI.UserControl class. In fact, the UserControl class and the Page class both inherit from the same TemplateControl class, which is why they share so many of the same methods and events.
- User controls can't be requested directly by a client browser. Instead, user controls are embedded inside other web pages.
To create a user control in Visual Studio, select Website, then Add New Item, and choose the Web User Control template as shown in the image.
The following is the simplest login box user control possible.
<%@ Control Language="C#" AutoEventWireup="true" CodeFile="UIWUserControl1.ascx.cs" Inherits="UIWUserControl1" %>
<b>Hello and Welcome on WebSite1. Please log-in.</b>
<table>
    <tr>
        <td>Username</td>
        <td><asp:TextBox ID="UIusername" runat="server" />
            <asp:RequiredFieldValidator ID="RFValidator1" runat="server"
                ErrorMessage="Field is required" ValidationGroup="Validation1" ControlToValidate="UIusername"></asp:RequiredFieldValidator>
        </td>
    </tr>
    <tr>
        <td>Password</td>
        <td><asp:TextBox ID="UIpassword" runat="server" />
            <asp:RequiredFieldValidator ID="RFValidator2" runat="server"
                ErrorMessage="Field is required" ValidationGroup="Validation1" ControlToValidate="UIpassword"></asp:RequiredFieldValidator>
        </td>
    </tr>
    <tr>
        <td colspan="2"><asp:Button ID="UIbutton1" runat="server" Text="Log-in"
            onclick="UIbutton1_Click"/></td>
    </tr>
</table>
As with ASP.NET web forms, the user control is a partial class, because it's merged with a separate portion generated by ASP.NET. That automatically generated portion has the member variables for all the controls you add at design time.
To test the control, you need to place it on a web form. First, you need to tell the ASP.NET page that you plan to use that user control with the Register directive, which you can place immediately after the Page directive, as shown here:
<%@ Register TagPrefix="UIAlessio" TagName="LoginBox" Src="UIWUserControl1.ascx" %>
This line identifies the source file that contains the user control using the Src attribute. It also defines a tag prefix and tag name that will be used to declare the control on the page, in the same way that ASP.NET server controls use the <asp:...> prefix. You can use your own tag prefixes to help distinguish the controls you've created.
This example uses a tag prefix of UIAlessio and a tag named LoginBox.
Here the full tag is shown in the page.
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%@ Register TagPrefix="UIAlessio" TagName="LoginBox" Src="UIWUserControl1.ascx" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>WebSite1 (eek)</title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <UIAlessio:LoginBox id="UILoginBox" runat="server" />
        </div>
    </form>
</body>
</html>
Don't be afraid to be lazy. Once you've created your user control, simply select the .ascx file in the Solution Explorer and drag it onto the design area of a web form. Visual Studio will automatically add the Register directive for you as well as an instance of the user control tag.
The login box doesn't include any code. Instead, it simply provides a useful way to reuse a static block of web-page user interface. In many cases, you'll want to add some code to your user control, either to handle events or to add functionality that the client can access. Just like a web form, you can add this code to the user control class in a <script> block directly in the .ascx file, or you can use a separate .cs code-behind file.
To get a better idea of how this works, the next example counts how many times a user has tried to log in without success; after five failed attempts it sends a warning email through Gmail. Keep in mind that a field on the control only lives for one request, since the control is re-created on every postback, so a counter like this has to be persisted (ViewState, Session or a server-side store) to ever reach five; and the SMTP credentials belong in configuration, not in source.
using System;
using System.Net.Mail;   // MailMessage, SmtpClient, SmtpDeliveryMethod
using System.Web.UI;

public partial class UIWUserControl1 : System.Web.UI.UserControl
{
    // A private field lives only for the current request: the control is
    // re-created on every postback, so this counter restarts from zero each
    // time unless it is persisted (ViewState, Session or a server-side store).
    private Int16 m_FailedLogins = 0;
    public Int16 FailedLogins
    {
        set { m_FailedLogins++; } // increments on any assignment, regardless of the value
        get { return m_FailedLogins; }
    }

    /// <summary>
    /// Send a message to internal_ServiceManager@gmail.com
    /// </summary>
    private static void SendWarningEmail()
    {
        MailMessage msgMail = new MailMessage("myOwnedGmailAccount@gmail.com", "internal_ServiceManager@gmail.com");
        SmtpClient smtp = new SmtpClient("smtp.gmail.com", 587);
        smtp.EnableSsl = true;
        smtp.DeliveryMethod = SmtpDeliveryMethod.Network;
        smtp.Credentials = new System.Net.NetworkCredential("username", "password"); // keep real credentials out of source
        msgMail.Body = "Warning: someone tried to log in more than 5 times without success - possible brute force attack";
        try
        {
            smtp.Send(msgMail);
        }
        catch (Exception)
        {
            // put something here please
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void UIbutton1_Click(object sender, EventArgs e)
    {
        // Worst user validation ever
        if ((UIusername.Text.Equals("Alessio")) && (UIpassword.Text.Equals("Marziali")))
        {
            return;
        }
        else