[Mono-list] Owasp .Net Project and Mono

Dinis Cruz dinis.mono.projects at googlemail.com
Fri Dec 23 06:25:50 EST 2005


Hello, Dinis Cruz here from the Owasp .Net project

Before I jump in and start asking questions (and contributing where I can) I
would like to just give a quick introduction of what we are doing at the
Owasp .Net project, and what is my current position on several issues
(namely Security in the .Net Framework which is my main focus/speciality).

The 'Owasp .Net Project' is a branch of the main Owasp (Open Web Application
Security Project) ecosystem which (using a quote from www.owasp.org) "...is
dedicated to finding and fighting the causes of insecure software. Our open
source projects and local chapters produce free, unbiased, open-source
documentation, tools, and standards. The OWASP community also facilitates
conferences, local chapters, articles, papers, and message forums. The OWASP
Foundation, a not-for-profit charitable organization, ensures the ongoing
availability and support for our work. Participation in OWASP is free and
open to all, as are all the materials here."

The Owasp .Net project is hosted in a separate website www.owasp.net and
contains several forums <http://owasp.net/forums/> and blogs <http://owasp.net/blogs/>.

Over the last couple of months I have created several blog entries which some
of you might find interesting (especially if you are focused on Security).

Before we continue, just a quick disclaimer: I have nothing (personally)
against Microsoft (most of my paid work is on Microsoft-related
technologies), I just think that they still don't 'get' application
security, and are on the wrong path. I am a strong believer in Openness,
although I don't think that Open Source products are automatically more
secure than closed source (proprietary) products (Open Source products CAN
be more secure).

Here is a quick compilation of my blog entries (separated by subject):

On Mono:

   - Mono vs Medium Trust <http://owasp.net/blogs/dinis_cruz/archive/2005/12/21/374.aspx>
   - Comment on Microsoft's leaked memos, and the unofficial end of
   Microsoft 'Trustworthy Computing' <http://owasp.net/blogs/dinis_cruz/archive/2005/11/17/92.aspx>
   (see the last paragraphs)

Security/Issues on the .Net Framework:

   - Buffer OverFlow in ILASM and ILDASM <http://owasp.net/blogs/dinis_cruz/archive/2005/12/14/327.aspx>
   - Possible Type Confusion issue in .Net 1.1 (only works in Full Trust)
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/08/36.aspx>
   - ANSI/UNICODE bug in System.Net.HttpListenerRequest
   <http://owasp.net/blogs/dinis_cruz/archive/2005/12/17/349.aspx>

On Microsoft's .Net Full Trust (in)Security (note that I have been talking
about this issue for more than two years now):

   - What are the 'Real World' security advantages of the .Net Framework
   and the JVM? <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/03/5.aspx>
   - An 'Asp.Net' accident waiting to happen
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/80.aspx>
   - Microsoft must deliver 'secure environments' not tools to write
   'secure code' <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/81.aspx>
   - My experience with the MSRC (Microsoft Security Response Center)
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/14/67.aspx>
   - Some comments to Misleading and False Information in: 'What ASP.NET
   Programmers Should Know About Application Domains'
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/82.aspx>
   - Microsoft's David Treadwell 'almost' admits the problem
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/84.aspx>
   - Some comments about 'The Six Dumbest Ideas in Computer Security'
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/14/68.aspx>
   - Current Microsoft info about CAS and Full Trust
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/03/7.aspx>
   - My Owasp Presentations: OWASP AppSec 2005 UK Presentation
   <http://www.owasp.org/docroot/owasp/misc/OWASP_UK_2005_Presentations/AppSec2005-Dinis_Cruz-Full_Trust_Asp.Net_Insecurity.ppt>
   and AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt
   <http://prdownloads.sourceforge.net/owasp/AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt?download>
   - LUA, nonadmin.editme.com, and why managed applications are the
   future <http://owasp.net/blogs/dinis_cruz/archive/2005/12/20/372.aspx>

Manipulating/Hooking the .Net Framework/IIS:

   - Dynamically replacing the Asp.Net viewstate with a GUID
   <http://owasp.net/blogs/dinis_cruz/archive/2005/12/19/365.aspx>
   - Hooking HttpApi.dll's HttpReceiveHttpRequest
   <http://www.owasp.net/blogs/dinis_cruz/archive/2005/12/17/348.aspx>

Finally, but not least, Owasp .Net tools:

   - OWASP IIS .NET Tools in Shared Hosting Environments (download the
   installer from here <http://owasp.net/forums/283/ShowPost.aspx>),
   including:
      - ANBS (Asp.Net Baseline Security) - Analyzes shared hosting
      environments and creates nice 'executive reports' that highlight the
      vulnerabilities identified
      - ANSA (Asp.Net Security Analyzer) - Analyzes shared hosting
      environments (contains Proof Of Concept code for the vulnerabilities
      identified). This is a previous version of ANBS
      - Asp.Net Reflector - shows all live methods, properties and
      fields in an Asp.Net page (very handy for security audits and
      low-level .Net Hacking)
      - IS_5_VA - Asp version - Simple security analyzer for ASP Classic
      - SecurityTokenVulnerability_POC - shows the security tokens
      available in the current process
      - DefApp (download the latest version from here
      <http://owasp.net/forums/378/ShowPost.aspx>) - 'Web Application
      Firewall' / 'Security Access Layer'
   - Beretta (download the main files from here
   <http://owasp.net/forums/29/ShowPost.aspx> and the database from here
   <http://owasp.net/forums/28/ShowPost.aspx>)
   - Also available on the owasp.net site are the following tools that I
   (Dinis) developed for Foundstone:
      - HacmeBank V2 (download <http://owasp.net/forums/62/ShowPost.aspx>)
      - New version of Foundstone's HacmeBank, which is a demo banking
      application containing dozens of vulnerabilities (draft user guide
      available here <http://owasp.net/forums/291/ShowPost.aspx>)
      - HacmeBank v2 with Validator .Net (download
      <http://owasp.net/forums/199/ShowPost.aspx>) - This version of
      HacmeBank is the same as the one above except for the Validator.Net
      HttpModule which protects HacmeBank against most vulnerabilities
      (Validator .Net is a smaller/simpler version of DefApp)
      - SQLInjectionExplorer (download
      <http://owasp.net/forums/63/ShowPost.aspx>) - GUI tool to exploit SQL
      Injection vulnerabilities (hardcoded to the latest version of
      HacmeBank)
      - CodeScope (download <http://owasp.net/forums/247/ShowPost.aspx>)
      - tool to analyze source code and help during white-box security
      audits (i.e. with access to the source code (or non-obfuscated .Net
      or Java binaries))

From the above projects, DefApp is the one that is closest to being released
in Mono, but I am interested in porting all of them into Mono, so if you are
interested in helping, as with all Open Source projects, we need help and
will welcome your contributions and participation.

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net