[Mono-dev] Fwd: Owasp .Net Project and Mono

Dinis Cruz dinis.mono.projects at googlemail.com
Thu Dec 22 09:41:11 EST 2005

Hello, Dinis Cruz here from the Owasp .Net project

Before I jump in and start asking questions (and contributing where I can), I
would like to give a quick introduction to what we are doing at the
Owasp .Net project, and what my current position is on several issues
(namely Security in the .Net Framework, which is my main focus/speciality).

The 'Owasp .Net Project' is a branch of the main Owasp (Open Web Application
Security Project) ecosystem which (using a quote from www.owasp.org) "...is
dedicated to finding and fighting the causes of insecure software. Our open
source projects and local chapters produce free, unbiased, open-source
documentation, tools, and standards. The OWASP community also facilitates
conferences, local chapters, articles, papers, and message forums. The OWASP
Foundation, a not-for-profit charitable organization, ensures the ongoing
availability and support for our work. Participation in OWASP is free and
open to all, as are all the materials here.".

The Owasp .Net project is hosted on a separate website www.owasp.net and
contains several forums <http://owasp.net/forums/> and

Over the last couple of months I have created several blog entries which some
of you might find interesting (especially if you are focused on Security).

Before we continue, just a quick disclaimer: I have nothing (personally)
against Microsoft (most of my paid work is on Microsoft-related
technologies); I just think that they still don't 'get' application
security, and are on the wrong path. I am a strong believer in Openness,
although I don't think that Open Source products are automatically more
secure than closed source (proprietary) products (Open Source products CAN
be more secure).

Here is a quick compilation of my blog entries (separated by subject):

On mono:

   - Mono vs Medium
   - Comment on Microsoft's leaked memos, and the unofficial end of
   Microsoft 'Trustworthy
the last paragraphs)

Security/Issues on the .Net Framework

   - Buffer OverFlow in ILASM and
   - Possible Type Confusion issue in .Net 1.1 (only works in Full
   - ANSI/UNICODE bug in System.Net.HttpListenerRequest

On Microsoft's .Net Full Trust (in)Security (note that I have been talking
about this issue for more than two years now)

   - What are the 'Real World' security advantages of the .Net Framework
   and the JVM?<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/03/5.aspx>
   - An 'Asp.Net' accident waiting to

   - Microsoft must deliver 'secure environments' not tools to write
   'secure code'<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/81.aspx>,

   - My experience with the MSRC (Microsoft Security Response

   - Some comments to Misleading and False Information in: 'What ASP.NET
   Programmers Should Know About Application
   - Microsoft's David Treadwell 'almost' admits the
   - Some comments about 'The Six Dumbest Ideas in Computer

   - Current Microsoft info about CAS and Full
   - my Owasp Presentations: OWASP AppSec 2005 UK
   and AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt<http://prdownloads.sourceforge.net/owasp/AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt?download>
   - LUA, nonadmin.editme.com, and why managed applications are the
   future <http://owasp.net/blogs/dinis_cruz/archive/2005/12/20/372.aspx>

Manipulating/Hooking the .Net Framework/IIS

   - Dynamically replacing the Asp.Net viewstate with a
   - Hooking HttpApi.dll's

Finally, but not least, Owasp .Net tools:

   - OWASP IIS .NET Tools in Shared Hosting Environments (download
   installer from here <http://owasp.net/forums/283/ShowPost.aspx>)
      - ANBS (Asp.Net Baseline Security) - Analyzes shared
      hosting environments and creates nice 'executive reports' that
      highlight the vulnerabilities identified
      - ANSA (Asp.Net Security Analyzer) - Analyzes shared
      hosting environments (contains Proof Of Concept code for the
      identified). This is a previous version of ANBS
      - Asp.Net Reflector - shows all live methods, properties and
      fields in an Asp.Net page (very handy for security audits and
      low-level .Net Hacking)
      - IS_5_VA - Asp version - Simple security analyzer for ASP
      - SecurityTokenVulnerability_POC - shows the security tokens
      available in the current process
      - DefApp (download latest version from
   - 'Web Application Firewall' / 'Security Access Layer'
   - Beretta (Download main files from here
   <http://owasp.net/forums/29/ShowPost.aspx>and the database from
   - Also available in the owasp.net site are the following tools that I
   (Dinis) developed for Foundstone:
      - HacmeBank V2  (download<http://owasp.net/forums/62/ShowPost.aspx>)
      - New version of Foundstone's HacmeBank which is a demo banking
      containing dozens of vulnerabilities (draft user guide available
      here <http://owasp.net/forums/291/ShowPost.aspx>)
      - HacmeBank v2 with Validator .Net <http://Validator.net> (
      download <http://owasp.net/forums/199/ShowPost.aspx>) - This
      version of HacmeBank is the same as the one above except for the
      Validator.Net HttpModule which protects HacmeBank against most
      vulnerabilities (Validator.Net is a smaller/simpler version of
      - SQLInjectionExplorer (<http://owasp.net/forums/63/ShowPost.aspx>
      download <http://owasp.net/forums/63/ShowPost.aspx>) - GUI tool
      to exploit SQL Injection vulnerabilities (hardcoded to the
      latest version of
      - CodeScope (download<http://owasp.net/forums/247/ShowPost.aspx>)
      - tool to analyze source code and help during white-box security audits (
      i.e. with access to the source code (or non-obfuscated .Net or
      Java binaries))

From the above projects, DefApp is the one that is closer to being released
in Mono, but I am interested in porting all of them to Mono, so if you are
interested in helping, as with all Open Source projects, we need help and
will welcome your contributions and participation.

Best regards

Dinis Cruz
Owasp .Net Project