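        /// <summary>
        /// Builds a new <see cref="O2Finding"/> populated from <paramref name="o2Finding"/>.
        /// Scalar fields are copied field by field; <c>text</c> goes through the <c>createCopy</c>
        /// overload for its type, and <c>propertyIds</c> is assigned as-is (so whatever it references
        /// is shared with the source finding, not cloned).
        /// </summary>
        /// <param name="o2Finding">Finding to copy; must not be null (no null check is performed).</param>
        /// <param name="processChildTraces">
        /// When true, <c>o2Traces</c> is replaced by <c>createCopy(o2Finding.o2Traces)</c>;
        /// otherwise the new finding keeps whatever trace list the <see cref="O2Finding"/> constructor sets up.
        /// </param>
        /// <returns>The newly created finding.</returns>
        public static IO2Finding createCopy(IO2Finding o2Finding, bool processChildTraces)
        {
            var newO2Finding = new O2Finding
            {
                vulnType     = o2Finding.vulnType,
                vulnName     = o2Finding.vulnName,
                text         = createCopy(o2Finding.text),
                severity     = o2Finding.severity,
                recordId     = o2Finding.recordId,
                propertyIds  = o2Finding.propertyIds,
                projectName  = o2Finding.projectName,
                ordinal      = o2Finding.ordinal,
                lineNumber   = o2Finding.lineNumber,
                file         = o2Finding.file,
                exclude      = o2Finding.exclude,
                confidence   = o2Finding.confidence,
                // Previously this copied actionObject into columnNumber (copy/paste slip),
                // so copies lost the original column position.
                columnNumber = o2Finding.columnNumber,
                context      = o2Finding.context,
                callerName   = o2Finding.callerName,
                actionObject = o2Finding.actionObject
            };

            if (processChildTraces)
            {
                newO2Finding.o2Traces = createCopy(o2Finding.o2Traces);
            }

            return newO2Finding;
        }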
        /// <summary>
        /// Flattens every trace reachable from <paramref name="o2Finding"/> into a single list by
        /// delegating to the <c>getListWithAllTraces(traces, accumulator)</c> overload.
        /// </summary>
        /// <param name="o2Finding">Finding whose <c>o2Traces</c> are walked.</param>
        /// <returns>
        /// The collected traces. If the walk throws (including a null <paramref name="o2Finding"/>),
        /// the exception is logged and whatever was collected up to that point is returned.
        /// </returns>
        public static List <IO2Trace> getListWithAllTraces(O2Finding o2Finding)
        {
            var collected = new List<IO2Trace>();

            try
            {
                getListWithAllTraces(o2Finding.o2Traces, collected);
            }
            catch (Exception ex)
            {
                // Best-effort: log and hand back the partial result rather than failing the caller.
                PublicDI.log.error("in getListWithAllTraces: {0}", ex.Message);
            }

            return collected;
        }
        /// <summary>
        /// Wraps a single trace in a new finding. The finding's only trace is a copy of
        /// <paramref name="o2Trace"/> (via <c>OzasmtCopy.createCopy</c>), its <c>vulnType</c> is the
        /// fixed marker "FindingFromTrace", and both <c>vulnName</c> and <c>callerName</c> take the
        /// trace's signature.
        /// </summary>
        /// <param name="o2Trace">Trace to wrap; must not be null (no null check is performed).</param>
        /// <returns>The new finding.</returns>
        public static IO2Finding createO2FindingFromTrace(IO2Trace o2Trace)
        {
            var finding = new O2Finding
            {
                vulnType     = "FindingFromTrace",
                vulnName     = o2Trace.signature,
                text         = OzasmtCopy.createCopy(o2Trace.text),
                ordinal      = o2Trace.ordinal,
                // The trace is copied, not shared, so later edits to the finding do not touch the original.
                o2Traces     = new List<IO2Trace>().add(OzasmtCopy.createCopy(o2Trace)),
                lineNumber   = o2Trace.lineNumber,
                file         = o2Trace.file,
                columnNumber = o2Trace.columnNumber,
                context      = o2Trace.context,
                callerName   = o2Trace.signature
            };

            return finding;
        }
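 /// <summary>
 /// Re-labels the trace types of a finding generated by an external_source callback rule so that
 /// the current source trace becomes a <c>Root_Call</c> and the callback method
 /// (<c>o2Traces[0].childTraces[1]</c>) becomes the <c>Source</c>.
 /// </summary>
 /// <param name="o2Finding">Finding to adjust in place. Findings whose <c>Source</c> does not contain the marker are left untouched.</param>
 /// <remarks>
 /// Any exception raised while inspecting or re-labelling (null finding, null <c>Source</c>,
 /// too few traces or child traces) is logged and swallowed; the finding may then be partially updated.
 /// </remarks>
 public static void fixExternalSourceSourceMappingProblem(O2Finding o2Finding)
 {
     try
     {
         // fix the external_source callback generated finding problem since the source should be the callback back methods and not the <external_source>(...) rule
         // Ordinal: the marker is a literal rule token, not user-visible text, so culture rules must not apply.
         if (o2Finding.Source.IndexOf("<external_source>", StringComparison.Ordinal) > -1)
         {
             o2Finding.getSource().traceType = TraceType.Root_Call;
             // Assumes the callback method is the second child of the first trace — TODO confirm against the rule output.
             o2Finding.o2Traces[0].childTraces[1].traceType = TraceType.Source;
         }
     }
     catch (Exception ex)
     {
         // Log message previously named the wrong method (getO2Finding).
         PublicDI.log.ex(ex, "in fixExternalSourceSourceMappingProblem, while trying to fix the external_source callback generated finding problem");
     }
 }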
        /// <summary>
        /// Derives "ASP.NET Attack Surface" findings from findings whose source trace matches a
        /// <c>System.Web.UI.WebControls.*get_Text</c> call and whose source context contains "txt".
        /// For every such finding, one new finding is emitted per word of every trace signature,
        /// named <c>word_variableName</c>; the new findings share the original finding's <c>o2Traces</c> list.
        /// </summary>
        /// <param name="o2Findings">Findings to scan; each element is cast to <see cref="O2Finding"/>.</param>
        /// <returns>The derived findings (empty when nothing matches).</returns>
        public static List <IO2Finding> findWebControlSources(List <IO2Finding> o2Findings)
        {
            // Presumably matches the source trace's string form against a signature pattern — behaviour of RegEx.find not visible here.
            var webControlTextGetter = new RegEx("System.Web.UI.WebControls.*get_Text");
            var attackSurfaceFindings = new List<IO2Finding>();

            foreach (IO2Finding candidate in o2Findings)
            {
                IO2Trace source = ((O2Finding)candidate).getSource();
                if (source == null || !webControlTextGetter.find(source.ToString()))
                {
                    continue;
                }
                if (!source.context.Contains("txt"))
                {
                    continue;
                }

                string variableName = OzasmtContext.getVariableNameFromThisObject(source);
                foreach (IO2Trace trace in candidate.o2Traces)
                {
                    foreach (string word in OzasmtUtils.getListWithWordsFromSignature(trace.signature))
                    {
                        // Trace list is shared by reference with the originating finding, not copied.
                        attackSurfaceFindings.Add(new O2Finding
                        {
                            o2Traces = candidate.o2Traces,
                            vulnName = word + "_" + variableName,
                            vulnType = "ASP.NET Attack Surface"
                        });
                    }
                }
            }

            return attackSurfaceFindings;
        }
 /// <summary>
 /// Intended to render <paramref name="o2Finding"/> into <paramref name="dataGridView"/>.
 /// Currently a no-op: the body is empty and neither argument is touched.
 /// </summary>
 /// <param name="o2Finding">Finding to display (unused).</param>
 /// <param name="dataGridView">Target grid (unused).</param>
 public static void showO2FindingInDataGridView(O2Finding o2Finding, DataGridView dataGridView)
 {
 }