Here is a pretty funny and / or really serious (depending on your frame of reference) utility that exploits a low level SMTP vulnerability by design.  In effect, this allows one to send an email FROM ANY ADRESS, as long as the domain doesn't actually exist. That may sound like a tough restriction but I can testify that anything from a realistic sounding new division name, theoretically something like myboss@security.us.ibm.com , has a very high potential of being opened.   Link to the Utility in a Standalone Executable (with a cool... [More]

Tags:  wafl injection appscan_for_analysis findings_viewer ounce appscan_appliance findings callbacks application_injection sp1r0 results appscan static_analysis appscan_source frameworks web_application_framework... o2 hijacking

This post will be the first in a series dedicated to providing initial support for a very common .NET framework in use today, the ASP.NET MVC – specifically version 3.0  http://www.asp.net/mvc/mvc3 The lack of AppScan Source visibility into this framework and any applications built using it was first described in depth in this post by Dinis Cruz: ASP.NET MVC Support in SAST and IBM F4F Given that there currently is not WAFL support, i.e. a WAFL Generator has not yet been created to identify the various constructs that need WAFL rules... [More]

Tags:  sp1r0 mvc wafl hijacking appscan_source asp.net_mvc dynamic_analysis appscan_appliance appscan_for_analysis appscan results callbacks findings github injection java frameworks application_injection o2platform static_analysis

The AppScan Appliance – Proof Of Concept Architecture and Application Security Process Following some great feedback I received on my previous post regarding the concept of an AppScan Security Appliance, How The Mainframe Can Transform Application Security , I want to further define a potential high level architecture along with a set of processes for integration into the application development life cycle.  The goal here is to start down the path towards a Proof Of Concept including a prototype in order to demonstrate what I believe will... [More]

Tags:  findings appscan_correlation appscan_for_analysis appscan_source frameworks url_mapping appscan_appliance static_analysis results sp1r0 appscan findings_viewer ounce mvc struts correlation wafl spring o2 dynamic_analysis

"Application Injection" is a term that I coined last year at DefCon for a technique first demonstrated to me there.   Sitting in the front row of a rowdy, fun crowd at one of the last talks (shots, shots for the speaker!) of the conference, I watched in amazement as it was shown to me how to start an application, hook into it's process, grab a reference to the main form and then inject a full scripting and compilation environment directly into the application. This of course was happening, not at the podium, but directly beside me, as... [More]

Tags:  frameworks wafl hijacking java correlation application_injection correlated_findings static_analysis callbacks appscan_blackbox appscan_whitebox injection github o2platform appscan_correlation appscan_appliance dynamic_analysis

  In his recent post on obtaining the various installation packages for a complete installation of the AppScan product suite: AppScan Eval Downloads and What is What   Dinis makes a good point about the confusion that one can encounter when moving from earlier versions (pre-8.5) of AppScan Source and AppScan Enterprise to 8.6.x and does a pretty solid job of explaining the line in a bit more detail. To help out with his one point of confusion, regarding the Dynamic Analysis module, I gave him a bit of an insider explanation, which may be useful... [More]

Tags:  o2 static_analysis wafl dynamic_analysis struts downloads installation findings_viewer appscan_source appscan_correlation appscan findings sp1r0 appscan_for_analysis ounce frameworks appscan_appliance spring results correlation mvc

As promised in the overview of this blog, I am going to being demonstrating / releasing some utilities that push the limits of what is normally considered possible in a windows environment. This should be considered both an effort to educate the general public about the pace at which security is changing (where exactly is the sandbox now??) and also to shed some light on the power of the O2 Platform , since it seems to me that right now may be one of the rare times in the 'application security arms race', where The Developers Have A... [More]

Tags:  wafl source static_analysis jn14net fortify github frameworks o2platform encoding kernel sink struts taint checkmarx hijacking callbacks mvc handle_hijacking taint_propagators spring validation handles windows java

** Re-posting this entry from the Message Board **   IBM Security Systems Has All The Artillery To Dominate the Security Battlefield It just needs to be deployed properly.. → Some factors that may explain the current state of the application security maturity [extremely low]: Development organizations continue to lack the necessary security training and processes to translate 'security requirements' into a secure design with appropriate unit tests. The intense pace development of new technologies and migration of... [More]

Tags:  applicance appscan_for_analysis fortify static_analysis appscan_appliance java correlation findings_viewer ounce security_appliance fluentsharp fxcop appscan_source development checkmarx o2platform o2 fuzzing sp1r0 veracode github

Difficult to present Findings with Disconnected Data-Flows  Any time I've found myself faced with a real-world, web application, scanning and presenting the AppScan Source Edition Findings, I always arrive at the point at which I have Triaged, Analyzed, Filtered and otherwise massaged the raw results into the 'data-flow pieces', which in totality represent the true vulnerabilities that I've found.  The most difficult part of this exercise is then to construct [for the results consumer] a realistic picture of what an actual round trip of... [More]

Tags:  fluentsharp fortify development static_analysis findings mvc ounce frameworks checkmarx appscan_for_analysis kernel jn14net fxcop o2platform results spring appscan_source appscan sp1r0 findings_viewer struts o2 java github fuzzing

An Easy Way To View AppScan Source Findings from Multiple .ozasmt Files   For many years now, I have been dealing with the tens of thousands of Findings that are generated from an average size web application scanned with AppScan Source Edition. Although there have been numerous improvements to the user interface and the Findings representation to accommodate the huge amount of data that is necessarily generated, I find that my approach to static analysis ( I want Millions of Findings, i.e. ALL Possible Traces ) demands that multiple... [More]

Tags:  jn14net findings_viewer sp1r0 mvc github o2platform development appscan findings static_analysis java fortify spring fluentsharp o2 checkmarx results kernel fuzzing frameworks appscan_source ounce appscan_for_analysis struts fxcop