
A simple matter of scrambling…

October 12th, 2007 by thesp0nge

Yesterday, during a trip back from my customer's, I hacked around XSS sanity check inclusion in the default library XML format.

A problem arose when I tried to put an XSS attack pattern in the XML check… I would break the XML file itself… unless I encode it:

<check id="O_XSS_1" severity="error" impact="high" description="sanitize your input">

<xss *="Lz48c2NyaXB0PmFsZXJ0KCd4c3MnKTs8L3NjcmlwdD4="></xss>

</check>

Thanks to Christian d'Heureuse and his gorgeous Base64 encoding class.

Dawn of victory…

October 11th, 2007 by thesp0nge

Today, while waiting for my customer, I hacked around the Dawn classes. The results I achieved are:

  • helper applications are created for methods, but just one parameter is supported by now (it is a silly limitation, I'll overcome it in a few days)
  • helper applications are compiled, executed and their output collected
  • the output is scanned for known XSS attack patterns

I'll quickly release something useful.

I know this is not much for a production tool but further improvements will follow shortly…

I can't remember what the due date is for Spring of Code 2007 :(

New site

September 30th, 2007 by thesp0nge

The Orizon website has been completely rewritten with a brand new layout.

It lacks an API reference and API usage examples but I'll provide them asap.

Dawn and dynamic source assessment…

September 20th, 2007 by thesp0nge

It seems to be real… or at least, it starts to be real. The Dawn package has been contained in Orizon since 0.45pre1 and it is responsible for dynamic code review services.

How does it work?

It creates a helper program in the same language the source code being assessed is written in (Java is the only language supported by now).

The helper is a standalone application built upon a method or function contained in the starting source file. So if your Java class has 3 public methods, Orizon will create 3 helper applications, one for each method being tested.

The helper is then compiled and executed with a set of well-known attack patterns.

The patterns will cover:

  • Cross-site scripting attacks
  • Injection flaws
  • Unhandled exceptions
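An added example, not Orizon's own code, covering both the base64-encoded check from the "A simple matter of scrambling" post and Dawn's final scanning step described here: it shows why the literal pattern cannot sit in an XML attribute, decodes the check, and matches the decoded pattern against constructed helper output. The attribute name "pattern" and the two simulated helper methods are assumptions, since the original post shows the attribute name garbled.

```python
# Added example (not part of Orizon): a Dawn-style XSS check whose attack pattern
# is base64-encoded inside the XML, decoded and then matched against helper output.
import base64
import html
import xml.etree.ElementTree as ET

# Constructed check in the format of the post. The attribute name "pattern" is an
# assumption: the original post shows the attribute name garbled.
CHECK_XML = (
    '<check id="O_XSS_1" severity="error" impact="high" description="sanitize your input">'
    '<xss pattern="Lz48c2NyaXB0PmFsZXJ0KCd4c3MnKTs8L3NjcmlwdD4="></xss>'
    '</check>'
)


def load_check(xml_text):
    """Parse a check and base64-decode every <xss> pattern back to its literal form."""
    root = ET.fromstring(xml_text)
    patterns = [base64.b64decode(x.get("pattern")).decode("utf-8") for x in root.iter("xss")]
    return dict(root.attrib), patterns


def raw_pattern_breaks_xml(pattern):
    """Why the encoding is needed: a literal pattern containing '<' in an attribute value is not well-formed XML."""
    try:
        ET.fromstring('<check><xss pattern="%s"></xss></check>' % pattern)
        return False
    except ET.ParseError:
        return True


def scan_output(output, patterns):
    """Dawn's last step: report the decoded patterns that reappear unchanged in the helper's output."""
    return [p for p in patterns if p in output]


def simulated_helper_outputs(pattern):
    """Constructed stand-ins for two helper runs: a method that reflects its argument
    verbatim into markup and one that HTML-escapes it first (the mitigation)."""
    return {
        "reflectRaw": '<input value="%s">' % pattern,
        "reflectEscaped": '<input value="%s">' % html.escape(pattern),
    }


if __name__ == "__main__":
    meta, pats = load_check(CHECK_XML)
    print("check %s (%s): %d pattern(s)" % (meta["id"], meta["severity"], len(pats)))
    print("raw pattern breaks XML:", raw_pattern_breaks_xml(pats[0]))
    for method, out in simulated_helper_outputs(pats[0]).items():
        print(method, "->", "XSS pattern reflected" if scan_output(out, pats) else "clean")
```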

v0.44.99

September 3rd, 2007 by thesp0nge

Last week I introduced the Report class to manage reports. Report is now the return data type of the Source class apply() method that performs static code review.

As you may see in the Milk source code, a Report object works together with an implementation of the Formatter class that describes how the output has to be organized.

In fact, there is just a PlainFormatter by now that prints report lines to standard output. In the near future I'll implement XMLFormatter and HTMLFormatter as well.

I have to work on the documentation too… and create a fancy web site… a lot of things to do…

50% done… do you want some milk instead?

August 29th, 2007 by thesp0nge

That's it. Orizon has reached the halfway point of its Spring of Code path. I'm very pleased with this. The library contains 10 checks out of the 30 that I've planned. Interaction between the library, the security checks and the translated source file works quite well.

Milk is now released as 0.10 and it is working. There are of course a lot of bugs to fix and improvements to make, but it is now usable.

0.40… the first working release

August 21st, 2007 by thesp0nge

From the southern Italian sea, fresh news for Orizon fans. Version 0.40 is in the air and as you may see from the Milk.java source file it is working.

I'm very happy about the last two weeks of coding and I'm excited about the new things I've planned to code before September, when the code will reach a more mature stage.

Recipe 1: Make all inner classes “private”

July 25th, 2007 by thesp0nge

Description
In Java, a class can contain another class, the so-called "inner class". This is a deprecated way of implementing the code, but sometimes an intrusive revision of class code is not feasible, so workarounds must be implemented instead.


Missing inspiration…

July 6th, 2007 by thesp0nge

Here at work there are a lot of things to do… and next week won't be as good as a shiny July afternoon… I have to go to a hospital here in Milan for surgery… second time in two years… Just a little scared.

Talking about Orizon, I really don't know what the opinion is of the more than 100 unique visitors downloading the jar. I checked the email address a lot of times and it's correct… I hope this silence is just because we're in a very early stage but hey, a "c'mon, it's a good idea" message would help :(

Indeed, I think I'll start the Milk project asap as a demonstration…

Internal refactoring

June 19th, 2007 by thesp0nge

I think SpoC will now sound like Summer owasP of Code since the start of summer is very close and the project isn't started yet :)
While I'm waiting for this, I'm working hard on refactoring the org.owasp.orizon.core objects, in particular I'm working on the Source object that will replace OrizonSource. In fact there is no need to have such a naming convention for Orizon objects.

I'm confident I will release version 0.30 at the end of July, before leaving Milan and starting to work on Milk, which will be the first tool using Orizon as its base.