ALL POSTS
Testing the three types of mobile applications with AppScan
Nader Nassar, Carloa Hoyos, and Daniel J. Anderson have published a new How-To guide for testing the three types of mobile applications with IBM Security AppScan: https://ibm.biz/BdxVdd
Tags: ibmsecurity appscan mobile security |
Extending WAFL Into The Application Security Information Language
Given that I've been adhering more and more to what has become the leading edge of a communication paradigm shift, which I'll take the liberty of terming HyperLink It Or Lose It, below is a response I wrote to an email with some appreciated positive encouragement which I received from one of the innovators behind the technologies that I've been using in my latest investigations. Hi, Many thanks for the positive feedback! I'm going to assume that you're the only one that replied to this email simply because no one else could put into...
Tags: wafl publish appscan_balckbox appscan_whitebox frameworks appscan_wafl web_application_framework... appscan_correlation appscan_standard appscan_web_portal appscan_server dynamic_analysis publishing f4f appscan_enterprise |
How to Publish to AppScan Enterprise?
Recently, I've heard from several AppScan users that it's not entirely obvious how to "Publish" results from either AppScan Source Edition or AppScan Standard Edition to the AppScan Enterprise Console where both sets of results can be viewed, reported on and otherwise managed. I would agree that [correct] information was difficult to obtain so I did my own short investigation and found [brute forced] the answers which I thought I would share: Below are the screenshots of the configuration which yielded successful connections:...
Tags: appscan_wafl appscan_web_portal dynamic_analysis publish web_application_framework... wafl appscan_enterprise appscan_whitebox appscan_server frameworks appscan_correlation publishing f4f appscan_standard appscan_balckbox |
WAFL, F4F And ASP.NET : Data Flow Pieces of the MVC 3.0 Puzzle
Below is a link to an updated Web Application Framework Language Viewer: WAFL Viewer v0.7. I updated this version with a partial mapping of Synthetic Methods - only the Synthetic itself and the Type of the first argument in the Callback are exposed accurately. This was done in order to gain some understanding of the translation of the use of the high level F4F API methods, especially addTaintedCallback(), into the actual WAFL xml elements. Using...
Tags: f4f wafl callbacks source_code hijacking injection appscan_web_portal frameworks application_injection asp.net_mvc_3.0 appscan_on_demand source_scans_on_demand web_application_framework... mvc_music_store appscan_appliance |
F4F For ASP.NET MVC-3.0 – Mapping The Framework Lifecycle
After the relatively successful F4F expedition into Mapping The MVC-3.0 Controllers, where we generated Tainted Callbacks for each of the Controllers found, in effect simulating calls WITH user-controllable or Tainted data. With this skeleton of the application sketched out, we will now need to tie these to the appropriate Views and Models according to the MVC 3.0 Framework Lifecycle. A seemingly sensible plan to generate the analysis components necessary consists of the following steps: a) identify the Models used by each controller b) map...
Tags: injection application_injection source_code f4f mvc_music_store appscan_appliance appscan_web_portal web_application_framework... hijacking appscan_on_demand source_scans_on_demand asp.net_mvc_3.0 callbacks wafl frameworks |
The AppScan Appliance – Adding .NET Solution Scanning On Demand
One of the main advantages of having a full Continuous Integration environment integrated with the security scanning tools, all running together on a central server (pronounced “Mainframe”) is the ability for customization to take place, such as the initial phase of Support for ASP.NET MVC 3.0, and immediately be made available to the entire enterprise.
In this scenario, a key aspect to take into consideration is the fact that the product integration, installation of the development / run time environments and SDKs, as well as the...
Tags: wafl mvc_music_store appscan_on_demand hijacking source_code appscan_web_portal source_scans_on_demand asp.net_mvc_3.0 web_application_framework... injection callbacks f4f frameworks appscan_appliance application_injection |
ASP.NET MVC 3.0 F4FHandler – “The Controllers Are Under Control”
AppScan Source Framework 4 Frameworks Support Series
As I'm just now beginning to fully realize - The Web Application Framework Language (WAFL) and the associated Framework-4-Frameworks APIs together are an incredibly powerful mechanism to describe a particular "Application Reality" - which I would summarize as 'the specific sets of rules and behaviors that enable the creation of functionality, along with special unintended consequences, unique to any given application'. Putting aside the potential uses and...
Tags: appscan_appliance wafl injection appscan_web_portal hijacking mvc_music_store web_application_framework... application_injection callbacks source_code asp.net_mvc_3.0 appscan_on_demand f4f frameworks source_scans_on_demand |
Extending WAFL – An F4FHandler For ASP.NET MVC
Following my previous venture, more accurately 'wander', into Extending WAFL - ASP.NET MVC and a very cool, tangential trip off into Continuous Integration Land, I'm now re-gaining focus on using the AppScan Source Framework-4-Frameworks (F4F) APIs to write support for handling the ASP.NET MVC 3.0 framework. As detailed in this post by Dinis Cruz: AspNet Support In Sast And IBM-F4F. There are several, non-trivial, pieces to constructing the full data flow picture of a modern MVC application and ASP.NET MVC 3.0 contains a particular...
Tags: application_injection appscan_source appscan_web_portal injection frameworks wafl web_application_framework... source_scans_on_demand source_code correlation f4f asp.net callbacks hijacking mvc appscan_on_demand appscan_appliance |
Source Edition Results Plug-in For AppScan Standard – Application Injection Part 2
To illustrate a real world application for the technique described in Application Injection, we are going to use the O2 REPL functionality to modify the running process, in real-time, to add a Source Edition Results Plug-in to AppScan Standard.
The resulting prototype is a way to display and map Static and Dynamic Analysis results for a given application that allows for a very interesting perspective - one that highlights the strengths and weaknesses of both technologies and allows for a deeper and more accurate investigation.
...
Tags: application_injection appscan_appliance callbacks hijacking source_scans_on_demand wafl appscan_on_demand frameworks appscan_web_portal web_application_framework... source_code appscan_source correlation f4f url_mapping |
Extending The AppScan Web Application Framework Language – Creating an F4F Handler
Getting back to the task of adding support for the ASP.NET MVC framework and following the advice of the architects of the language:
“Details of writing and deploying an F4F handler that uses the F4F high-level APIs are described in the AppScan Source document Security_AppScan_Source_Utilities.pdf shipped with the product. See Chapt. 7.”
Hence it seems that we shall create a new F4F Handler (also known around town as a 'WAFL Generator') – which is the mechanism by which the .wafl files are created during each scan for use by...
Tags: wafl source_scans_on_demand appscan_appliance frameworks web_application_framework... appscan_on_demand appscan_web_portal injection f4f hijacking application_injection appscan_source correlation callbacks source_code |