Forum for those Learning about Leading IBM Application Security Tricks, Scripts and Tools and Kits for AppScan Source for Analysis ...Customizing, Integrating, Sniffing, Snooping and Hijacking your way to joy.
Findings / Entrypoint Viewer with URL Mapping Tool
Following up on my previous, high-level overview of the Web Application Framework Language (WAFL) and how it is incorporated into an AppScan Source Analysis, I want to demonstrate a tool which uncovers one of the hidden gems contained in the .wafl file: the application Entrypoints.
Below are screenshots of using this tool with Altoro2, a sample application used for demonstration of both AppScan Blackbox and Whitebox technologies. I'll continue to use this application as a sample in my pursuit of a proper integration of results from both tools, introducing along the way a different concept of "Correlation" that I have found incredibly interesting.
I'll continue to post all the necessary assessments, scans or other files in the "FILES" section...
The Initial Screen - Note the order in which to drop the files subtly pointed out
Both the WAFL Entrypoints and the Findings from the AppScan Source analysis are loaded side by side. Note the matching Signatures from WAFL and the Method Names in the Findings!
Click "Map Entrypoint URLs To Findings" and a new Findings Viewer will pop up with the URLs mapped to the Findings. This technique replaces the 'file' path with the URL path for each matched Finding. In this case, I have already stitched together any Traces that were connected by setAttribute Sinks and getAttribute Sources, as described in my Basic Trace Stitching Utility post.
The result shown above is now quite close to being directly associated with the appropriate Blackbox Finding and can already be considered to have an increased level of confidence because it is:
1) Connected to the actual attack surface, as specified by the URL and
2) A Joined Trace consisting of multiple data flow traces, connected through a very common data structure and asynchronous sharing pattern.
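The mapping step described above, sketched as an added example (this is not the tool's script and does not read a real .wafl file). The record shapes, field names, sample data and whitespace normalisation are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Entrypoint:          # assumed shape of one WAFL entrypoint record
    signature: str
    url: str

@dataclass(frozen=True)
class Finding:             # assumed shape of one AppScan Source finding
    vuln_type: str
    method: str
    file: str
    line: int
    url_mapped: bool = False

def normalize(sig: str) -> str:
    """Strip whitespace so signatures compare equal regardless of spacing."""
    return "".join(sig.split())

def map_urls_to_findings(entrypoints, findings):
    """Replace each matched finding's 'file' path with the entrypoint URL."""
    urls = defaultdict(list)
    for ep in entrypoints:
        bucket = urls[normalize(ep.signature)]
        if ep.url not in bucket:        # one signature may serve several URLs
            bucket.append(ep.url)
    mapped = []
    for f in findings:
        hits = urls.get(normalize(f.method), [])
        if not hits:
            mapped.append(f)            # not an entrypoint: keep the file path
        for url in hits:
            mapped.append(replace(f, file=url, url_mapped=True))
    return mapped

# Constructed sample data (hypothetical application, not Altoro2 output).
DO_POST = "com.example.shop.LoginServlet.doPost(HttpServletRequest,HttpServletResponse)"
DO_GET = "com.example.shop.SearchServlet.doGet(HttpServletRequest,HttpServletResponse)"
SAMPLE_ENTRYPOINTS = [
    Entrypoint(DO_POST, "/login"),
    Entrypoint(DO_GET, "/search"),
    Entrypoint(DO_GET, "/catalog/search"),
]
SAMPLE_FINDINGS = [
    Finding("Injection.SQL", DO_POST.replace(",", ", "), "src/shop/LoginServlet.java", 42),
    Finding("CrossSiteScripting", DO_GET, "src/shop/SearchServlet.java", 17),
    Finding("PathTraversal", "com.example.util.FileHelper.read(String)", "src/util/FileHelper.java", 88),
]

if __name__ == "__main__":
    for f in map_urls_to_findings(SAMPLE_ENTRYPOINTS, SAMPLE_FINDINGS):
        print(f"{f.vuln_type:20} {f.file:28} line {f.line} mapped={f.url_mapped}")
```

Findings that match no entrypoint keep their file path, so they remain visible for triage rather than being dropped from the view.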
In this case I'm only going to publish the script that creates this tool along with a minimal C# compilation environment -- called the C# REPL Editor -- since I'm having a hard time generating my preferred method of distribution, the Stand Alone Exe, for this particular tool, as its mix of dependencies needs some refactoring (or the packing utility needs some more debugging):
Download the above Utility and then drag and drop (or copy and paste) the FindingsAndWaflViewer_URLMapping_v1.0.h2 script from the Files section of this Group to see this tool in action.
Much more on the C# REPL scripting environment can be found by starting here: