Application Injection - Hooking into AppScan Standard
"Application Injection" is a term that I coined last year at DefCon for a technique first demonstrated to me there. Sitting in the front row of a rowdy, fun crowd at one of the last talks (shots, shots for the speaker!) of the conference, I watched in amazement as it was shown to me how to start an application, hook into its process, grab a reference to the main form and then inject a full scripting and compilation environment directly into the application. This of course was happening, not at the podium, but directly beside me, as...
ASP.NET MVC 3.0 F4FHandler – “The Controllers Are Under Control”
AppScan Source
Framework 4 Frameworks Support Series. As I'm just now beginning to fully realize - The Web Application Framework Language (WAFL) and the associated Framework-4-Frameworks APIs together are an incredibly powerful mechanism to describe a particular "Application Reality" - which I would summarize as 'the specific sets of rules and behaviors that enable the creation of functionality, along with special unintended consequences, unique to any given application'. Putting aside the potential uses and...
Email Spoofing Utility – Why Does This Still Work in 2013?
Here is a pretty funny and / or really serious (depending on your frame of reference) utility that exploits a low level SMTP vulnerability by design. In effect, this allows one to send an email FROM ANY ADDRESS, as long as the domain doesn't actually exist. That may sound like a tough restriction but I can testify that anything from a realistic sounding new division name, theoretically something like myboss@security.us.ibm.com, has a very high potential of being opened.
Link to the Utility in a Standalone Executable (with a cool...
Extending AppScan's Web Application Framework to support ASP.NET MVC
This post will be the first in a series dedicated to providing initial support for a very common .NET framework in use today, the ASP.NET MVC – specifically version 3.0: http://www.asp.net/mvc/mvc3 The lack of AppScan Source visibility into this framework and any applications built using it was first described in depth in this post by Dinis Cruz: ASP.NET MVC Support in SAST and IBM F4F. Given that there currently is not WAFL support, i.e. a WAFL Generator has not yet been created to identify the various constructs that need WAFL rules...
Extending The AppScan Web Application Framework Language – Creating an F4F Handler
Getting back to the task of adding support for the ASP.NET MVC framework and following the advice of the architects of the language: “Details of writing and deploying an F4F handler that uses the F4F high-level APIs are described in the AppScan Source document Security_AppScan_Source_Utilities.pdf shipped with the product. See Chapt. 7.” Hence it seems that we shall create a new F4F Handler (also known around town as a 'WAFL Generator') – which is the mechanism by which the .wafl files are created during each scan for use by...
Extending WAFL – An F4FHandler For ASP.NET MVC
Following my previous venture, more accurately 'wander', into Extending WAFL - ASP.NET MVC and a very cool, tangential trip off into Continuous Integration Land, I'm now re-gaining focus on using the AppScan Source Framework-4-Frameworks (F4F) APIs to write support for handling the ASP.NET MVC 3.0 framework. As detailed in this post by Dinis Cruz: AspNet Support In Sast And IBM-F4F. There are several, non-trivial, pieces to constructing the full data flow picture of a modern MVC application and ASP.NET MVC 3.0 contains a particular...
F4F For ASP.NET MVC-3.0 – Mapping The Framework Lifecycle
After the relatively successful F4F expedition into Mapping The MVC-3.0 Controllers, where we generated Tainted Callbacks for each of the Controllers found, in effect simulating calls WITH user-controllable or Tainted data. With this skeleton of the application sketched out, we will now need to tie these to the appropriate Views and Models according to the MVC 3.0 Framework Lifecycle. A seemingly sensible plan to generate the analysis components necessary consists of the following steps: a) identify the Models used by each controller b) map...
Source Edition Results Plug-in For AppScan Standard – Application Injection Part 2
To illustrate a real world application for the technique described in Application Injection, we are going to use the O2 REPL functionality to modify the running process, in real-time, to add a Source Edition Results Plug-in to AppScan Standard.
The resulting prototype is a way to display and map Static and Dynamic Analysis results for a given application that allows for a very interesting perspective - one that highlights the strengths and weaknesses of both technologies and allows for a deeper and more accurate investigation. ...
The AppScan Appliance – Adding .NET Solution Scanning On Demand
One of the main advantages of having a full Continuous Integration environment integrated with the security scanning tools, all running together on a central server (pronounced “Mainframe”) is the ability for customization to take place, such as the initial phase of Support for ASP.NET MVC 3.0, and immediately be made available to the entire enterprise.
In this scenario, a key aspect to take into consideration is the fact that the product integration, installation of the development / run time environments and SDKs, as well as the...
The AppScan Appliance – Source Scans On Demand
Last Episode: After having configured our Continuous Integration platform, Team City, and integrating GitHub as both the source code control system as well as the eventual build and scanning artifact repository, we were able to properly trigger an Ant build of a simple application by committing (or 'pushing' in Git terminology) the application and its build files to a predetermined public repository.
Here And Now: Our Prototype-tagonists are tasked with the integration of AppScan Source Scanning into the environment. By either adding...
The AppScan Appliance – Web Portal Development and CI Integration
As detailed in my previous post The AppScan Appliance - Design and Architecture I noted several components that I consider crucial steps in the development of the AppScan Appliance Proof of Concept. One of the first major milestones will be the creation of a web-based portal where AppScan Source scans can be triggered and the results viewed.
Ideally this portal will be the front end for a Continuous Integration environment which itself will be integrated with a Version Control System (VCS) used not only for acquiring the source code...
WAFL, F4F And ASP.NET : Data Flow Pieces of the MVC 3.0 Puzzle
Below is a link to an updated Web Application Framework Language Viewer: WAFL Viewer v0.7. I updated this version with a partial mapping of Synthetic Methods - only the Synthetic itself and the Type of the first argument in the Callback are exposed accurately. This was done in order to gain some understanding of the translation of the use of the high level F4F API methods, especially addTaintedCallback(), into the actual WAFL xml elements. Using...