public static List<IO2Finding> createFindingsFromConversation(List<IWebscarabConversation> webScarabConversations)
{
var o2Findings = new List<IO2Finding>();
foreach (var conversation in webScarabConversations)
{
var o2Finding = new O2Finding();
if (conversation.TAG != null && conversation.TAG != "")
o2Finding.vulnType = conversation.TAG;
else
o2Finding.vulnType = "Tag not defined";
o2Finding.vulnName = conversation.METHOD + ": " + conversation.URL;
addTrace(o2Finding, conversation.COOKIE, "COOKIE");
addTrace(o2Finding, conversation.STATUS, "STATUS");
addTrace(o2Finding, conversation.ORIGIN, "ORIGIN");
addTrace(o2Finding, conversation.URL, "URL");
addTrace(o2Finding, conversation.XSS_GET, "XSS_GET");
addTrace(o2Finding, conversation.CRLF_GET, "CRLF_GET");
addTrace(o2Finding, conversation.SET_COOKIE, "SET_COOKIE");
addTrace(o2Finding, conversation.XSS_POST, "XSS_POST");
// add request and response
var requestTrace = new O2Trace("request: " + conversation.request) {file = conversation.request};
// requestTrace.context = Files.getFileContents(requestTrace.file);
var responseTrace = new O2Trace("response: " + conversation.response) {file = conversation.response};
// responseTrace.context = Files.getFileContents(responseTrace.file);
o2Finding.o2Traces.Add(requestTrace);
o2Finding.o2Traces.Add(responseTrace);
o2Findings.Add(o2Finding);
}
return o2Findings;
}
public static IO2Trace createCopy(IO2Trace o2Trace, bool processChildTraces)
{
if (o2Trace == null)
{
return(null);
}
var newO2Trace = new O2Trace
{
clazz = o2Trace.clazz,
columnNumber = o2Trace.columnNumber,
context = o2Trace.context,
file = o2Trace.file,
method = o2Trace.method,
lineNumber = o2Trace.lineNumber,
ordinal = o2Trace.ordinal,
signature = o2Trace.signature,
taintPropagation = o2Trace.taintPropagation,
traceType = o2Trace.traceType,
text = createCopy(o2Trace.text)
};
if (processChildTraces)
{
newO2Trace.childTraces = createCopy(o2Trace.childTraces);
}
return(newO2Trace);
}
public static List<IO2Finding> mapSinksToSources(Dictionary<string, List<IO2Finding>> lostSinks, Dictionary<string, List<IO2Finding>> sources)
{
DI.log.info("Looking for matches");
var results = new List<IO2Finding>();
foreach (string lostSinkSignature in lostSinks.Keys)
if (sources.ContainsKey(lostSinkSignature))
{
foreach (O2Finding lostSink in lostSinks[lostSinkSignature])
foreach (O2Finding source in sources[lostSinkSignature])
{
var sinkCopy = (O2Finding)OzasmtCopy.createCopy(lostSink);
var sourceCopy = (O2Finding)OzasmtCopy.createCopy(source);
var lostSinkNode = sinkCopy.getLostSink();
lostSinkNode.traceType = TraceType.Type_4;
var interfaceJoinPoint = new O2Trace("---- Interface join --- ");
interfaceJoinPoint.childTraces.AddRange(sourceCopy.o2Traces);
lostSinkNode.childTraces.Add(interfaceJoinPoint);
sinkCopy.vulnName = sinkCopy.Sink;
results.Add(sinkCopy);
//return results;
}
}
//log.info("We have a match on: {0}", lostSink);
return results;
}
public static List<IO2Finding> createFindingsFromConversation(List<IWebscarabConversation> webScarabConversations)
{
List<IO2Finding> o2Findings = new List<IO2Finding>();
foreach (IWebscarabConversation conversation in webScarabConversations)
{
O2Finding o2Finding = new O2Finding();
if ((conversation.TAG != null) && (conversation.TAG != ""))
{
o2Finding.vulnType = conversation.TAG;
}
else
{
o2Finding.vulnType = "Tag not defined";
}
o2Finding.vulnName = conversation.METHOD + ": " + conversation.URL;
addTrace(o2Finding, conversation.COOKIE, "COOKIE");
addTrace(o2Finding, conversation.STATUS, "STATUS");
addTrace(o2Finding, conversation.ORIGIN, "ORIGIN");
addTrace(o2Finding, conversation.URL, "URL");
addTrace(o2Finding, conversation.XSS_GET, "XSS_GET");
addTrace(o2Finding, conversation.CRLF_GET, "CRLF_GET");
addTrace(o2Finding, conversation.SET_COOKIE, "SET_COOKIE");
addTrace(o2Finding, conversation.XSS_POST, "XSS_POST");
var traceRequest = new O2Trace("request: " + conversation.request);
traceRequest.file = conversation.request;
var traceResponse = new O2Trace("response: " + conversation.response);
traceResponse.file = conversation.response;
o2Finding.file = conversation.response;
o2Finding.o2Traces.Add(traceRequest);
o2Finding.o2Traces.Add(traceResponse);
o2Findings.Add(o2Finding);
}
return o2Findings;
}
public static List<IO2Finding> findParameterStaticValueInMethodX(CirData cirData)
{
string functionToFind = "System.Web.UI.WebControls.Button.add_Click(System.EventHandler):void";
var createdO2Findings = new List<IO2Finding>();
try
{
if (cirData.dFunctions_bySignature.ContainsKey(functionToFind))
{
var function = cirData.dFunctions_bySignature[functionToFind];
foreach (CirFunction functionXRef in function.FunctionIsCalledBy)
{
//var functionXRef = cirData.dFunctions_bySignature[functionXRefName];
foreach (var basicBlock in functionXRef.lcfgBasicBlocks)
{
if (basicBlock != null && basicBlock.Items != null)
for (var i = 0; i < basicBlock.Items.Length; i++)
{
var item = basicBlock.Items[i];
if (item.GetType().Name == "ControlFlowGraphBasicBlockEvalExprStmt")
{
var evalExprStmt = (ControlFlowGraphBasicBlockEvalExprStmt)item;
if (evalExprStmt.NaryCallVirtual != null && evalExprStmt.NaryCallVirtual.FunctionName == functionToFind)
{
// go to the previous block
var evalExprStmtWithStaticParameterValue = (ControlFlowGraphBasicBlockEvalExprStmt)basicBlock.Items[i - 1];
if (evalExprStmtWithStaticParameterValue.NaryCall != null && evalExprStmtWithStaticParameterValue.NaryCall.UnaryOprCast != null && evalExprStmtWithStaticParameterValue.NaryCall.UnaryOprCast.Length == 2)
{
string staticParameterValue =
evalExprStmtWithStaticParameterValue.NaryCall.UnaryOprCast[1].
ConstFunctionAddress.FunctionName;
var o2Finding = new O2Finding(staticParameterValue, "Asp.NET Event Mapping") { o2Traces = new List<IO2Trace>{ new O2Trace(functionXRef.FunctionSignature, TraceType.Root_Call)} };
var sourceTrace = new O2Trace(functionXRef.ParentClass.Signature, functionXRef.FunctionSignature, TraceType.Source);
var sinkTrace = new O2Trace(staticParameterValue, TraceType.Known_Sink)
{
context =
"this . HacmeBank_v2_Website.ascx.PostMessageForm.btnPostMessage_Click ( sender, e )"
};
sourceTrace.childTraces.Add(sinkTrace);
o2Finding.o2Traces[0].childTraces.Add(sourceTrace);
createdO2Findings.Add(o2Finding);
DI.log.debug("{0} -- > {1}", functionXRef.FunctionSignature, staticParameterValue);
}
}
}
}
}
}
return createdO2Findings;
}
}
catch (Exception ex)
{
DI.log.debug("in findParameterStaticValueInMethodX :{0}:", ex.Message);
}
return null;
}
public IO2Trace addTrace(string traceSignature, TraceType _traceType)
{
var newTrace = new O2Trace(traceSignature)
{
traceType = _traceType
};
childTraces.Add(newTrace);
return newTrace;
}
public void insertTrace(string traceSignature, TraceType traceType)
{
var newO2Trace = new O2Trace(traceSignature, traceType);
newO2Trace.childTraces.AddRange(o2Traces);
o2Traces = new List <IO2Trace> {
newO2Trace
};
}
public static IO2Finding createO2FindingForXElement(XElement xElement, string currentFile)
{
var createFinding = false;
var xElementSignature = xElement.Name.LocalName;
var sourceTrace1 = new O2Trace();
var sourceTrace2 = new O2Trace();
foreach (var attribute in xElement.Attributes())
{
if (attribute.Name == "value" && attribute.Value.IndexOf("#{") > -1)
{
createFinding = true;
sourceTrace1.signature = attribute.Value;
sourceTrace2.signature = getFilteredValue(attribute.Value);
sourceTrace2.traceType = TraceType.Source;
// set source file and line number
var attributeLineInfo = (IXmlLineInfo)attribute;
sourceTrace2.file = currentFile;
sourceTrace2.lineNumber = (uint)attributeLineInfo.LineNumber;
}
//
xElementSignature += String.Format(" {0}=\"{1}\" ", attribute.Name, attribute.Value);
}
if (createFinding == false)
return null;
var newFinding = new O2Finding();
newFinding.vulnType = "JSF.AutoMapping";
newFinding.vulnName = xElementSignature;
// add traces
// root trace
var rootTrace = new O2Trace(currentFile);
newFinding.o2Traces.Add(rootTrace);
// traceWithFileName
var traceWithFileName = new O2Trace(Path.GetFileName(currentFile));
rootTrace.childTraces.Add(traceWithFileName);
// sourceTrace
traceWithFileName.childTraces.Add(sourceTrace1);
sourceTrace1.childTraces.Add(sourceTrace2);
// traceWithNamespaceAndElementName
var traceWithNamespaceAndElementName = new O2Trace(xElement.Name.ToString());
sourceTrace2.childTraces.Add(traceWithNamespaceAndElementName);
// Sink trace (with xElementSignature contents)
var sinkTrace = new O2Trace(xElementSignature);
sinkTrace.traceType = TraceType.Known_Sink;
traceWithNamespaceAndElementName.childTraces.Add(sinkTrace);
// set file and line number for sink & finding
var elementLineInfo = (IXmlLineInfo)xElement;
newFinding.file = sourceTrace2.file = currentFile;
newFinding.lineNumber = sourceTrace2.lineNumber = (uint)elementLineInfo.LineNumber;
return newFinding;
}
public IO2Trace addTrace(string traceSignature, TraceType _traceType)
{
var newTrace = new O2Trace(traceSignature)
{
traceType = _traceType
};
o2Traces.Add(newTrace);
return(newTrace);
}
public static O2Finding CreateFinding_WithTrace()
{
const uint line_number = 2;
const uint column_number = 3;
const uint ordinal = 1;
const string context = "TraceContext";
const string signature = "TraceSignature";
const string clazz = "class.this.trace.is.in";
const string file = @"c:\o2\temp\file\trace\is\in.cs";
const string method = "methodExectuted";
const uint taintPropagation = 0;
var text = new List<string> {"this is a text inside a trace"};
var o2Finding = new O2Finding("Vulnerability.Name", "Vulnerability.Type");
o2Finding.o2Traces.Add(new O2Trace
{
clazz = clazz,
columnNumber = column_number,
context = context,
file = file,
lineNumber = line_number,
method = method,
ordinal = ordinal,
signature = signature,
taintPropagation = taintPropagation,
text = text,
});
const string sinkText = "this is a sink";
const string methodOnSinkPath = "method call on sink path";
const string methodOnSourcePath = "method call on source path";
const string sourceText = "this is a source";
var o2Trace = new O2Trace("Class.Signature", "Method executed");
var o2TraceOnSinkPath = new O2Trace(methodOnSinkPath, TraceType.Type_0);
o2TraceOnSinkPath.childTraces.Add(new O2Trace(sinkText, TraceType.Known_Sink));
var o2TraceOnSourcePath = new O2Trace(methodOnSourcePath, TraceType.Type_0);
o2TraceOnSourcePath.childTraces.Add(new O2Trace(sourceText, TraceType.Source));
o2Trace.childTraces.Add(o2TraceOnSourcePath);
o2Trace.childTraces.Add(o2TraceOnSinkPath);
o2Finding.o2Traces = new List<IO2Trace> {o2Trace};
return o2Finding;
}
public List <IO2Trace> addTraces(List <string> traceSignatures)
{
var newTraces = new List <IO2Trace>();
foreach (var traceSignature in traceSignatures)
{
var newTrace = new O2Trace(traceSignature);
o2Traces.Add(newTrace);
newTraces.Add(newTrace);
}
return(newTraces);
}
public static O2Finding createO2FindingFromWebInspectFinding(WebInspectFinding webInspectFinding, string keyword)
{
var o2Trace = new O2Trace("WebInspect -> Ounce Mapping (Sql Injection)");
IO2Trace sink = createSink(webInspectFinding);
o2Trace.childTraces.Add(sink);
return new O2Finding
{
o2Traces = new List<IO2Trace> {o2Trace},
//context = webInspectFinding.payload,
context = webInspectFinding.fullUrl,
vulnName = keyword + "_" + webInspectFinding.param,
vulnType = "Sql Injection (from WebInspect)"
};
}
public List <IO2Trace> addTraces(string prefixText, TraceType _traceType, params string[] traceSignatures)
{
var newTraces = new List <IO2Trace>();
foreach (var traceSignature in traceSignatures)
{
var newTrace = new O2Trace(prefixText + traceSignature)
{
traceType = _traceType
};
childTraces.Add(newTrace);
newTraces.Add(newTrace);
}
return(newTraces);
}
public static List<IO2Finding> loadWebInspectResultsAndReturnO2FindingsFor_SqlInjection_PoC1(
string webInspectResultsFile)
{
var results = new List<IO2Finding>();
var webInspectResults = new XmlDocument();
webInspectResults.Load(webInspectResultsFile);
List<XmlNode> sessionsCheckFoundWithEngineId = getSessionsCheckFoundWithEngineId(webInspectResults,
sqlInjectionEngineId);
foreach (XmlNode sessionCheckFound in sessionsCheckFoundWithEngineId)
{
// ReSharper disable PossibleNullReferenceException
string sessionId = sessionCheckFound["VulnerableSessionID"].InnerText;
List<XmlNode> sessionsFoundWithSessionId = getSessionsWithSessionID(webInspectResults, sessionId);
foreach (XmlNode session in sessionsFoundWithSessionId)
{
string fullURL = session["FullURL"].InnerText;
string attackParamDescriptor = session["AttackParamDescriptor"].InnerText;
if (attackParamDescriptor.IndexOf(':') > -1)
attackParamDescriptor = attackParamDescriptor.Split(new[] {':'})[1];
string attackDescriptor = session["AttackDescriptor"].InnerText;
var o2Finding = new O2Finding
{
o2Traces = new List<IO2Trace> { new O2Trace("WebInspect -> Ounce Mapping")},
context = attackDescriptor,
vulnName = fullURL,
vulnType = "WebInspect Vulnerability"
};
var source = new O2Trace(fullURL, TraceType.Source);
source.childTraces.Add(new O2Trace(attackDescriptor));
var Sink = new O2Trace(attackParamDescriptor)
{
traceType = TraceType.Known_Sink,
};
source.childTraces.Add(Sink);
o2Finding.o2Traces[0].childTraces.Add(source);
results.Add(o2Finding);
}
// ReSharper restore PossibleNullReferenceException
}
return results;
}
public static IO2Trace createCopy(IO2Trace o2Trace, bool processChildTraces)
{
if (o2Trace == null)
return null;
var newO2Trace = new O2Trace
{
clazz = o2Trace.clazz,
columnNumber = o2Trace.columnNumber,
context = o2Trace.context,
file = o2Trace.file,
method = o2Trace.method,
lineNumber = o2Trace.lineNumber,
ordinal = o2Trace.ordinal,
signature = o2Trace.signature,
taintPropagation = o2Trace.taintPropagation,
traceType = o2Trace.traceType,
text = createCopy(o2Trace.text)
};
if (processChildTraces)
newO2Trace.childTraces = createCopy(o2Trace.childTraces);
return newO2Trace;
}
public void calculateJoinnedTraces()
{
try
{
var matches2 = from O2Finding sinkFinding in getFindingsIn_Sinks()
join O2Finding sourceFinding in getFindingsIn_Sources()
on sinkFinding.Sink equals sourceFinding.Source
where (
sinkFinding.Sink != "" && sourceFinding.Source != ""
//&& sourceFinding.LostSink == ""
/* &&
sinkFinding.lineNumber == sourceFinding.lineNumber &&
sinkFinding.file == sourceFinding.file*/
)
select new { sinkFinding, sourceFinding };
var findingsResults = new List<IO2Finding>();
foreach (var match in matches2)
{
//var aa = match.sinkFinding.Sink;
//var bb = match.sourceFinding.Source;
foreach (var o2TraceInSource in match.sourceFinding.o2Traces)
{
var joinnedFinding = (O2Finding)OzasmtCopy.createCopy(match.sinkFinding);
var sink = joinnedFinding.getSink();
sink.traceType = TraceType.Type_4;
var joinnedTrace = new O2Trace("{TraceJoin}");
sink.childTraces.Add(joinnedTrace);
//findingsResults.Add(OzasmtGlue.createCopyAndGlueTraceSinkWithSource(match.sinkFinding, o2TraceInSource));
joinnedTrace.childTraces.Add(OzasmtCopy.createCopy(o2TraceInSource));
joinnedFinding.vulnName = joinnedFinding.Sink;
findingsResults.Add(joinnedFinding);
}
}
findingsViewer_JoinnedTraces.loadO2Findings(findingsResults);
}
catch (Exception ex)
{
DI.log.ex(ex, "in calculateJoinnedTraces");
throw;
}
}
public static List<IO2Finding> getSourcesMappedToInterfaces(List<IO2Finding> o2Findings, ICirData cirData)
{
var results = new List<IO2Finding>();
if (cirData == null || o2Findings == null)
return results;
foreach (O2Finding o2Finding in o2Findings)
{
var source = o2Finding.getSource();
if (source != null)
{
if (cirData.dFunctions_bySignature.ContainsKey(source.signature))
{
var cirFunction = cirData.dFunctions_bySignature[source.signature];
var cirClass = cirFunction.ParentClass;
if (cirClass.dSuperClasses.Count > 0)
{
var sourceSig = cirFunction.FunctionSignature.Substring(cirClass.Signature.Length);
//log.info(cirFunction.FunctionSignature);
foreach (var superClass in cirClass.dSuperClasses.Values)
{
foreach (var function in superClass.dFunctions.Values)
{
var interfaceName = function.FunctionSignature.Substring(superClass.Signature.Length);
if (sourceSig == interfaceName)
{
// we have an implementation of a method:
var newO2Finding = OzasmtCopy.createCopy(o2Finding);
var currentSource = ((O2Finding)newO2Finding).getSource();
currentSource.traceType = TraceType.Type_4;
currentSource.signature = "[old source]: " + currentSource.signature;
var interfaceTrace = new O2Trace(function.FunctionSignature);
interfaceTrace.traceType = TraceType.Source;
//interfaceTrace.childTraces.Add(new O2Trace("[interface function Signature (that matched)]: " + sourceSig));
//interfaceTrace.childTraces.Add(new O2Trace("interface: " + interfaceName));
//interfaceTrace.childTraces.Add(new O2Trace("source: " + currentSource.signature));
//interfaceTrace.childTraces.Add(new O2Trace("interface: " + function.FunctionSignature));
//interfaceTrace.childTraces.AddRange(newO2Finding.o2Traces);
interfaceTrace.childTraces.AddRange(currentSource.childTraces);
newO2Finding.o2Traces = new List<IO2Trace>();
newO2Finding.o2Traces.Add(interfaceTrace);
results.Add(newO2Finding);
//return results;
}
}
}
}
//log.info(" {2} : {0} -> {1}", cirFunction.FunctionSignature, cirClass.Name, cirClass.dSuperClasses.Count);
}
}
}
DI.log.info("There were {0} sources mapped to its interfaces (i.e. superclasses))", results.Count);
return results;
}
public static List<IO2Finding> joinTracesWhereSinkMatchesSource(List<IO2Finding> sinkFindings, List<IO2Finding> sourceFindings)
{
var results = new List<IO2Finding>();
foreach (var o2SinkFinding in sinkFindings)
foreach (var o2SourcesFinding in sourceFindings)
//if (o2SourcesFinding.vulnName.IndexOf(o2SinkFinding.vulnName) > -1)
if (o2SourcesFinding.vulnName==o2SinkFinding.vulnName)
{
var o2NewFinding = (O2Finding)OzasmtCopy.createCopy(o2SinkFinding);
results.Add(o2NewFinding);
var sink = o2NewFinding.getSink();
if (sink.notNull())
{
var joinPointTrace = new O2Trace(
string.Format("O2 Auto Join Point::: {0} -> {1}", o2SinkFinding.vulnName, o2SourcesFinding.vulnName));
sink.traceType = TraceType.Type_4;
joinPointTrace.traceType = TraceType.Type_4;
sink.childTraces.Add(joinPointTrace);
var jspSignature = o2SourcesFinding.o2Traces[0].signature;
var indexofJsp = jspSignature.IndexOf("._jsp");
if (indexofJsp > -1)
jspSignature = jspSignature.Substring(0, indexofJsp) + ".jsp";
jspSignature = jspSignature.Replace("jsp_servlet", "").Replace("_45_", @"-").Replace(".__", @"/").Replace("._", @"/");
var jspTrace = new O2Trace("JSP: " + jspSignature);
joinPointTrace.childTraces.Add(jspTrace);
jspTrace.childTraces.AddRange(o2SourcesFinding.o2Traces);
//log.info("we have a match: {0} -> {1}", o2SinkFinding.vulnName, o2SourcesFinding.vulnName);
}
}
return results;
}
public List<IO2Trace> addTraces(List<string> traceSignatures)
{
var newTraces = new List<IO2Trace>();
foreach(var traceSignature in traceSignatures)
{
var newTrace = new O2Trace(traceSignature);
o2Traces.Add(newTrace);
newTraces.Add(newTrace);
}
return newTraces;
}
public static List<IO2Finding> calculate_Url_to_EntryMethod_Mappings(string pathWithSourceFiles, string urlBase, string port, ProgressBar progressBar)
{
var o2Findings = new List<IO2Finding>();
var filesToAnalyze = pathWithSourceFiles.files("*.cs",true);
progressBar.maximum(filesToAnalyze.size());
foreach(var file in filesToAnalyze)
{
"Processing file:{0}".info(file);
var url = urlBase.format(port, file.replace(pathWithSourceFiles,"").replace(".ascx.cs",""));
foreach(var type in file.csharpAst().types(true))
foreach(var baseType in type.BaseTypes)
if (baseType.str() == "System.Web.UI.UserControl")
{
var astData = new O2MappedAstData();
astData.loadFile(file);
foreach(var iMethod in astData.iMethods())
{
var o2Finding = new O2Finding();
o2Finding.vulnName = url;
o2Finding.vulnType = "Web EntryPoint";
var source = new O2Trace(url);
var sink = new O2Trace(iMethod.fullName());
source.traceType = TraceType.Source;
sink.traceType = TraceType.Known_Sink;
source.childTraces.Add(sink);
o2Finding.o2Traces.Add(source);
o2Findings.Add(o2Finding);
}
}
progressBar.increment(1);
}
return o2Findings;
}
private IO2Assessment createO2AssessmentFromCodeCrawlerObject(taintResultSet appScanDEResultsFile, String fileName)
{
var o2Assessment = new O2Assessment();
o2Assessment.name = "AppScan Import of: " + fileName;
var o2Findings = new List<IO2Finding>();
foreach (taintResultSetTaintResult resultSet in appScanDEResultsFile.TaintResult)
{
//log.info(" id: {0} {1} {2}", resultSet.id, resultSet.issueID, resultSet.userSeverity);
var o2Finding = new O2Finding();
o2Finding.vulnName = resultSet.issueID;
o2Finding.vulnType = resultSet.issueID;
//o2Finding.severity = resultSet.userSeverity;
var sourceNode = new O2Trace(resultSet.taintSource.className + "." + resultSet.taintSource.methodName + resultSet.taintSource.methodSignature);
sourceNode.traceType = TraceType.Source;
//sourceNode.file = resultSet.taintSource.fileName;
var lastNode = sourceNode;
foreach (var taintStep in resultSet.taintStep)
{
var stepNode = new O2Trace(taintStep.className + "." + taintStep.methodName + taintStep.methodSignature);
// set filename and line number for step trace:
stepNode.file = taintStep.fileName;
stepNode.lineNumber = taintStep.highlight.lineNumber;
if (taintStep.snippetText != null)
{
var splittedText = taintStep.snippetText.Split(new[] { '\n' });
var lineIndex = taintStep.highlight.lineNumber - taintStep.snippetStartLine;
if (taintStep.snippetText != "")
{
stepNode.context = (lineIndex > -1) ? splittedText[lineIndex - 1] : taintStep.snippetText;
stepNode.context = "> " + stepNode.context.Replace("\t", " ").Trim() + " \n\n -------- \n\n" + taintStep.snippetText;
}
}
// make the finding have the values of the last taitstep
o2Finding.file = taintStep.fileName;
o2Finding.lineNumber = taintStep.highlight.lineNumber;
// set childnodes
lastNode.childTraces.Add(stepNode);
lastNode = stepNode;
}
var sinkNode = new O2Trace(resultSet.taintSink.className + "." + resultSet.taintSink.methodName + resultSet.taintSink.methodSignature);
sinkNode.traceType = TraceType.Known_Sink;
//sinkNode.file = resultSet.taintSink.fileName;
lastNode.childTraces.Add(sinkNode);
o2Finding.o2Traces.Add(sourceNode);
o2Findings.Add(o2Finding);
o2Assessment.o2Findings.Add(o2Finding);
}
return o2Assessment;
}
public static void showO2TraceInTreeView(O2Trace o2Trace, DataGridView dataGridView, String showItem)
{
}
private static void addTraceToO2Finding(string traces, IO2Finding o2Finding, AssessmentRun assessmentRun)
{
if (false == string.IsNullOrEmpty(traces))
{
var splittedTraces = traces.Split(',');
var traceStack = new Stack<List<IO2Trace>>(); // use to keep track of where we add the trace
traceStack.Push(o2Finding.o2Traces); // the first one is the main o2Findings.o2Traces
foreach(var traceItem in splittedTraces)
{
var splittedTrace = traceItem.Split('.'); // in this version the dots mean how many nodes we have to go up
int traceIndex;
if (Int32.TryParse(splittedTrace[0], out traceIndex))
{
AssessmentRunTaint taint = assessmentRun.TaintPool[traceIndex - 1];
AssessmentRunSite siteData = assessmentRun.SitePool[taint.site_id - 1];
var o2Trace = new O2Trace
{
caller = getStringIndexValue(siteData.caller, assessmentRun),
columnNumber = siteData.cn,
context = getStringIndexValue(siteData.cxt, assessmentRun),
file = getFileIndexValue(siteData.file_id, assessmentRun),
lineNumber = siteData.ln,
method = getStringIndexValue(siteData.method, assessmentRun),
ordinal = siteData.ord,
signature = getStringIndexValue(siteData.sig, assessmentRun),
argument = taint.arg,
direction = taint.dir,
traceType =((TraceType) Enum.Parse(typeof (TraceType), taint.trace_type.ToString()))
};
//o2Trace.clazz = getStringIndexValue(,assessmentRun); // check if siteData.caller is a good match for clazz
//o2Trace.taintPropagation = ;
//o2Trace.text = ;
traceStack.Peek().Add(o2Trace); // add the current trace as a child of the the item on the top of traceStack
traceStack.Push(o2Trace.childTraces); // and make the current trace the item on the top of traceStack (which will be changed if there were dots in the traceItem (handled below))
}
else
{
"in addTraceToO2Finding , could not parse into int {0} from {1}".error(splittedTrace[0], traceItem);
}
if (splittedTrace.Length > 1) // means there were dots in the traceitem
for (var i = 1; i < splittedTrace.Length; i++)
traceStack.Pop();
}
o2Finding.o2Traces[0].signature += traces;
}
}
public static void createJspELTraces(List<IO2Finding> o2Findings)
{
foreach (var o2Finding in o2Findings)
{
// root trace
var rootTrace = new O2Trace(getRootNodeStringValue(o2Finding.file));
var jspElValue = extractJspElValue(o2Finding.context);
// trace with JSP EL value
var jspElTrace = new O2Trace(jspElValue);
jspElTrace.traceType = TraceType.Source;
rootTrace.childTraces.Add(jspElTrace); // add jspElTrace as a child trace of rootTrace
//sink trace
var sinkTrace = new O2Trace(jspElValue); // also map this to the JSPEl value since that is the one we will want to filter by
sinkTrace.traceType = TraceType.Known_Sink;
jspElTrace.childTraces.Add(sinkTrace); // add sinkTrace as a child trace of jspElTrace
// add the vulnName (println in most cases) as an extrasink trace
var extraSinkTrace = new O2Trace(o2Finding.vulnName);
sinkTrace.childTraces.Add(extraSinkTrace); // add extraSinkTrace as a child trace of sinkTrace
// add root trace to finding's traces colection
o2Finding.o2Traces.Add(rootTrace);
// add source code mappings to all traces:
rootTrace.file = jspElTrace.file = sinkTrace.file = o2Finding.file;
rootTrace.lineNumber = jspElTrace.lineNumber = sinkTrace.lineNumber = o2Finding.lineNumber;
}
}
public static List<IO2Finding> joinTracesWhereSinkMatchesSource(List<IO2Finding> sinkFindings, List<IO2Finding> sourceFindings)
{
var results = new List<IO2Finding>();
foreach (var o2SinkFinding in sinkFindings)
foreach (var o2SourcesFinding in sourceFindings)
if (o2SourcesFinding.vulnName.IndexOf(o2SinkFinding.vulnName) > -1)
{
var o2NewFinding = (O2Finding)OzasmtCopy.createCopy(o2SinkFinding);
results.Add(o2NewFinding);
var sink = o2NewFinding.getSink();
var newTrace = new O2Trace(
string.Format("O2 Auto Join Point::: {0} -> {1}", o2SinkFinding.vulnName, o2SourcesFinding.vulnName));
newTrace.traceType = TraceType.Type_4;
sink.childTraces.Add(newTrace);
newTrace.childTraces.AddRange(o2SourcesFinding.o2Traces);
log.info("we have a match: {0} -> {1}", o2SinkFinding.vulnName, o2SourcesFinding.vulnName);
}
return results;
}
public static void showO2TraceInDataGridView(O2Trace o2Trace, DataGridView dataGridView)
{
}
public List<IO2Trace> addTraces(string prefixText, TraceType _traceType, params string[] traceSignatures)
{
var newTraces = new List<IO2Trace>();
foreach (var traceSignature in traceSignatures)
{
var newTrace = new O2Trace(prefixText + traceSignature)
{
traceType = _traceType
};
childTraces.Add(newTrace);
newTraces.Add(newTrace);
}
return newTraces;
}
public static void createFindingsFromSpringMvcMappings(bool createFindingForUsesOfModelAttribute,
bool createFindingForUsesOfGetParameter,
ascx_FindingsViewer findingsViewer,
Dictionary<SpringMvcController, TreeNode> treeNodesForloadedSpringMvcControllers, ICirData cirData) //IEnumerable<SpringMvcController> springMvcControllers)
{
var findingsCreated = new List<IO2Finding>();
if (createFindingForUsesOfModelAttribute)
{
foreach (SpringMvcController springMvcController in treeNodesForloadedSpringMvcControllers.Keys)
{
var modelAttributeParameter = SpringMvcUtils.getMethodUsedInController(springMvcController, "ModelAttribute");
if (modelAttributeParameter != null)
{
var findingType = "SpringMvc.Use of ModelAttribute";
var findingText = string.Format("{0} {1} {2}", springMvcController.HttpRequestMethod,
springMvcController.HttpRequestUrl,
springMvcController.HttpMappingParameter);
var o2Finding = new O2Finding(findingText, findingType)
{
file = springMvcController.FileName,
lineNumber = springMvcController.LineNumber
};
var rootTrace = new O2Trace(findingType);
var sourceTrace = new O2Trace(springMvcController.HttpRequestUrl) { traceType = TraceType.Source };
var modelAttribute = new O2Trace("ModelAttribute Class: " + modelAttributeParameter.className);
var sinkTrace = new O2Trace(springMvcController.JavaClass) { traceType = TraceType.Known_Sink };
var postTrace = new O2Trace(springMvcController.JavaClassAndFunction);
rootTrace.childTraces.Add(sourceTrace);
sourceTrace.childTraces.Add(modelAttribute);
modelAttribute.childTraces.Add(sinkTrace);
sinkTrace.childTraces.Add(postTrace);
o2Finding.o2Traces.Add(rootTrace);
rootTrace.file = sourceTrace.file = sinkTrace.file = o2Finding.file;
rootTrace.lineNumber = sourceTrace.lineNumber = sinkTrace.lineNumber = o2Finding.lineNumber;
findingsCreated.Add(o2Finding);
//tvControllers.Nodes.Add(
// O2Forms.cloneTreeNode(treeNodesForloadedSpingMvcControllers[springMcvController]));
}
}
}
if (createFindingForUsesOfGetParameter)
{
try
{
var nodesWithGetParameter = getNodes_ThatUseGetParameter_RecursiveSearch(cirData, treeNodesForloadedSpringMvcControllers);
foreach (var treeNode in nodesWithGetParameter)
{
var springMvcController = (SpringMvcController)treeNode.Tag;
/*var o2Finding = new O2Finding(springMvcController.JavaFunction, "SpringMvc.Use of GetParameter")
{
file = springMvcController.FileName,
lineNumber = springMvcController.LineNumber
};
findingsCreated.Add(o2Finding);*/
var findingType = "SpringMvc.Use of GetParameter";
var findingText = string.Format("{0} {1} {2}", springMvcController.HttpRequestMethod,
springMvcController.HttpRequestUrl,
springMvcController.HttpMappingParameter);
var o2Finding = new O2Finding(findingText, findingType)
{
file = springMvcController.FileName,
lineNumber = springMvcController.LineNumber
};
var rootTrace = new O2Trace(findingType);
var sourceTrace = new O2Trace(springMvcController.HttpRequestUrl) { traceType = TraceType.Source };
var sinkTrace = new O2Trace(springMvcController.JavaClass) { traceType = TraceType.Known_Sink };
var postTrace = new O2Trace(springMvcController.JavaClassAndFunction);
rootTrace.childTraces.Add(sourceTrace);
sourceTrace.childTraces.Add(sinkTrace);
sinkTrace.childTraces.Add(postTrace);
o2Finding.o2Traces.Add(rootTrace);
rootTrace.file = sourceTrace.file = sinkTrace.file = o2Finding.file;
rootTrace.lineNumber = sourceTrace.lineNumber = sinkTrace.lineNumber = o2Finding.lineNumber;
findingsCreated.Add(o2Finding);
}
}
catch (Exception ex)
{
DI.log.ex(ex, "in createFindingForUsesOfGetParameter");
}
}
// findingsCreated.Add(o2Finding);
findingsViewer.clearO2Findings();
findingsViewer.loadO2Findings(findingsCreated);
}
public static List<IO2Trace> getO2TraceFromCallInvocation(CallInvocation[] callInvocations,
AssessmentRun assessmentRun)
{
var o2Traces = new List<IO2Trace>();
if (callInvocations != null)
{
foreach (CallInvocation callInvocation in callInvocations)
{
var o2Trace = new O2Trace
{
clazz = getStringIndexValue(callInvocation.cn_id, assessmentRun),
columnNumber = callInvocation.column_number,
context = getStringIndexValue(callInvocation.cxt_id, assessmentRun),
file = getFileIndexValue(callInvocation.fn_id, assessmentRun),
lineNumber = callInvocation.line_number,
method = getStringIndexValue(callInvocation.mn_id, assessmentRun),
ordinal = callInvocation.ordinal,
// for the signature try to use the sig_id and if that is 0 then use mn_id
signature = getStringIndexValue((callInvocation.sig_id != 0) ? callInvocation.sig_id : callInvocation.mn_id, assessmentRun),
taintPropagation = callInvocation.taint_propagation,
traceType =
(TraceType)
Enum.Parse(typeof(TraceType),
callInvocation.trace_type.ToString())
};
if (callInvocation.Text != null)
o2Trace.text = new List<string>(callInvocation.Text);
//if (callInvocation.CallInvocation1 != null) // means there are child traces
//{
o2Trace.childTraces = getO2TraceFromCallInvocation(callInvocation.CallInvocation1, assessmentRun);
/*new List<O2Trace>();
foreach (CallInvocation childCallInvocation in callInvocation.CallInvocation1)
o2Trace.childTraces.Add(getO2TraceFromCallInvocation(childCallInvocation, assessmentRun));*/
//}
o2Traces.Add(o2Trace);
}
}
return o2Traces;
}
private void addTrace(string filename, int line, string traceText)
{
if (traceText == null)
return;
var o2Trace = new O2Trace(traceText);
o2Trace.file = filename ?? "";
o2Trace.lineNumber = (uint)line;
if (true || currentO2Trace == null)
{
o2Trace.traceType = TraceType.Source;
currentDynamicO2Finding.o2Traces.Add(o2Trace);
currentO2Trace = o2Trace;
}
else
{
currentO2Trace.childTraces.Add(o2Trace);
currentO2Trace = o2Trace;
}
reloadTraceViewer();
}
public static void showO2TraceInTreeView(O2Trace o2Trace, DataGridView dataGridView, String showItem)
{
}
public static void showO2TraceInDataGridView(O2Trace o2Trace, DataGridView dataGridView)
{
}
public void insertTrace(string traceSignature, TraceType traceType)
{
var newO2Trace = new O2Trace(traceSignature, traceType);
newO2Trace.childTraces.AddRange(o2Traces);
o2Traces = new List<IO2Trace> { newO2Trace };
}
public void CreateFinding_WithTrace()
{
string sFileToCreate = DI.config.TempFileNameInTempDirectory;
const uint line_number = 2;
const uint column_number = 3;
const uint ordinal = 1;
const string context = "TraceContext";
const string signature = "TraceSignature";
const string clazz = "class.this.trace.is.in";
const string file = @"c:\o2\temp\file\trace\is\in.cs";
const string method = "methodExectuted";
const uint taintPropagation = 0;
var text = new List<string> {"this is a text inside a trace"};
var o2Assessment = new O2Assessment();
// Finding #1
var o2Finding1 = new O2Finding("vulnName.Testing.TraceCreation", "vulnType.CustomType",
"This is the Context",
"This is the caller");
o2Finding1.o2Traces.Add(new O2Trace
{
clazz = clazz,
columnNumber = column_number,
context = context,
file = file,
lineNumber = line_number,
method = method,
ordinal = ordinal,
signature = signature,
taintPropagation = taintPropagation,
text = text,
});
o2Assessment.o2Findings.Add(o2Finding1);
// Finding #1
const string sinkText = "this is a sink";
const string methodOnSinkPath = "method call on sink path";
const string methodOnSourcePath = "method call on source path";
const string sourceText = "this is a source";
var o2Finding2 = new O2Finding("Vulnerability.Name", "Vulnerability.Type");
var o2Trace = new O2Trace("Class.Signature", "Method executed");
var o2TraceOnSinkPath = new O2Trace(methodOnSinkPath, TraceType.Type_0);
o2TraceOnSinkPath.childTraces.Add(new O2Trace(sinkText, TraceType.Known_Sink));
var o2TraceOnSourcePath = new O2Trace(methodOnSourcePath, TraceType.Type_0);
o2TraceOnSourcePath.childTraces.Add(new O2Trace(sourceText, TraceType.Source));
o2Trace.childTraces.Add(o2TraceOnSourcePath);
o2Trace.childTraces.Add(o2TraceOnSinkPath);
o2Finding2.o2Traces = new List<IO2Trace> {o2Trace};
o2Assessment.o2Findings.Add(o2Finding2);
// save assessment file
o2Assessment.save(o2AssessmentSave, sFileToCreate);
// check if data was saved correctly
var loadedO2Assessment = new O2Assessment(o2AssessmentLoad, sFileToCreate);
List<IO2Finding> loadedO2Findings = loadedO2Assessment.o2Findings;
Assert.IsTrue(loadedO2Assessment.o2Findings.Count == 2, "There should be 2 findings in the Assessment File");
// in o2Findings1
Assert.IsTrue(loadedO2Assessment.o2Findings[0].o2Traces.Count == 1,
"There should be 1 Trace in the Finding #1");
IO2Trace loadedO2Trace = loadedO2Findings[0].o2Traces[0];
Assert.IsTrue(loadedO2Trace.clazz == clazz, "clazz");
Assert.IsTrue(loadedO2Trace.columnNumber == column_number, "columnNumber");
Assert.IsTrue(loadedO2Trace.context == context, "context");
Assert.IsTrue(loadedO2Trace.file == file, "file");
Assert.IsTrue(loadedO2Trace.lineNumber == line_number, "lineNumber");
Assert.IsTrue(loadedO2Trace.method == method, "method");
Assert.IsTrue(loadedO2Trace.ordinal == ordinal, "ordinal");
Assert.IsTrue(loadedO2Trace.signature == signature, "signature");
Assert.IsTrue(loadedO2Trace.taintPropagation == taintPropagation, "taintPropagation");
Assert.IsTrue(loadedO2Trace.text[0] == text[0], "text");
// in o2Findings2
Assert.IsTrue(loadedO2Assessment.o2Findings[1].o2Traces.Count == 1,
"There should be 1 Trace in the Finding #2");
Assert.IsTrue(loadedO2Assessment.o2Findings[1].o2Traces[0].childTraces.Count == 2,
"There should be 2 child traces in this trace");
Assert.IsNotNull(OzasmtUtils.getKnownSink(loadedO2Assessment.o2Findings[1].o2Traces), "Could not find Sink");
Assert.IsTrue(OzasmtUtils.getKnownSink(loadedO2Assessment.o2Findings[1].o2Traces).clazz == sinkText,
"Sink text didn't match");
Assert.IsTrue(OzasmtUtils.getSource(loadedO2Assessment.o2Findings[1].o2Traces).clazz == sourceText,
"Source text didn't match");
}
private IO2Assessment createO2AssessmentFromFindBugsObject(Xsd.BugCollection findBugsObject, String fileName)
{
var o2Assessment = new O2Assessment();
o2Assessment.name = "FindBugs Import of: " + fileName;
foreach (var bug in findBugsObject.BugInstance)
{
var o2Finding = new O2Finding
{
vulnName = bug.type,
vulnType = bug.category + "." + bug.abbrev,
severity = bug.priority,
confidence = 2
};
// o2Finding.text.Add(threat.Description);
foreach (var item in bug.Items)
{
var o2Trace = new O2Trace();
switch (item.GetType().Name)
{
case "BugCollectionBugInstanceClass":
var clazz = (BugCollectionBugInstanceClass) item;
o2Trace.signature = "Class: " + clazz.classname;
o2Trace.context = "Class: " + clazz.role;
o2Trace.file = tryToResolveFullFilePath(clazz.SourceLine.sourcepath, findBugsObject);
o2Trace.lineNumber = 0;
break;
case "BugCollectionBugInstanceSourceLine":
var sourceLine = (BugCollectionBugInstanceSourceLine)item;
o2Trace.signature = "SourceLine: " + sourceLine.sourcefile + " on line " + sourceLine.start;
o2Trace.file = tryToResolveFullFilePath(sourceLine.sourcepath , findBugsObject);
o2Trace.lineNumber = sourceLine.start;
break;
case "BugCollectionBugInstanceMethod":
var method = (BugCollectionBugInstanceMethod)item;
o2Trace.signature = "Method: + " + method.signature;
o2Trace.file = tryToResolveFullFilePath(method.SourceLine.sourcepath, findBugsObject);
o2Trace.lineNumber = method.SourceLine.start;
break;
case "BugCollectionBugInstanceClassSourceLine":
o2Trace.signature = "ClassSourceLine";
break;
case "BugCollectionBugInstanceField":
o2Trace.signature = "Field";
break;
case "BugCollectionBugInstanceFieldSourceLine":
o2Trace.signature = "FieldSourceLine";
break;
case "BugCollectionBugInstanceMethodSourceLine":
o2Trace.signature = "MethodSourceLine";
break;
case "BugCollectionBugInstanceInt":
o2Trace.signature = "Int";
break;
case "BugCollectionBugInstanceLocalVariable":
o2Trace.signature = "LocalVariable";
break;
case "BugCollectionBugInstanceString":
o2Trace.signature = "String";
break;
case "BugCollectionBugInstanceProperty":
o2Trace.signature = "Property";
break;
case "BugCollectionBugInstanceType":
o2Trace.signature = "Type";
break;
case "BugCollectionBugInstanceTypeSourceLine":
o2Trace.signature = "TypeSourceLine";
break;
case "Object": // ignore it
break;
default:
o2Trace.signature = item.GetType().Name;
break;
}
o2Finding.o2Traces.Add(o2Trace);
}
o2Assessment.o2Findings.Add(o2Finding);
}
return o2Assessment;
}
public static IO2Trace add_Trace(this List<IO2Trace> iO2Traces, string text)
{
var newTrace = new O2Trace(text);
iO2Traces.Add(newTrace);
return newTrace;
}
public static List<IO2Finding> loadWebInspectResultsAndReturnO2FindingsFor_SqlInjection_PoC2(
string webInspectResultsFile)
{
var results = new List<IO2Finding>();
var webInspectResults = new XmlDocument();
webInspectResults.Load(webInspectResultsFile);
List<XmlNode> sessionsCheckFoundWithEngineId = getSessionsCheckFoundWithEngineId(webInspectResults,
sqlInjectionEngineId);
foreach (XmlNode sessionCheckFound in sessionsCheckFoundWithEngineId)
{
// ReSharper disable PossibleNullReferenceException
string sessionId = sessionCheckFound["VulnerableSessionID"].InnerText;
List<XmlNode> sessionsFoundWithSessionId = getSessionsWithSessionID(webInspectResults, sessionId);
foreach (XmlNode session in sessionsFoundWithSessionId)
{
string attackParam = session["AttackParamDescriptor"].InnerText;
// Hack to handle crl#: form parameter names in ASP.NET
if (attackParam.IndexOf(':') > -1)
attackParam = attackParam.Split(new[] {':'})[1];
string attackPayload = session["AttackDescriptor"].InnerText;
var filteredUrl = new FilteredUrl(session["FullURL"].InnerText);
foreach (var word in filteredUrl.words)
{
var sink = new O2Trace("WebInspect: " + filteredUrl.pathAndPageAndParameters,
TraceType.Known_Sink)
{
context = attackPayload,
method = attackParam
};
//var sink = new O2Trace("WebInspect: " + attackParam, TraceType.Known_Sink);
//source.childTraces.Add(sink);
var o2Trace = new O2Trace("WebInspect -> Ounce Mapping (Sql Injection)");
//o2Trace.childTraces.Add(source);
o2Trace.childTraces.Add(sink);
//source.context = "This is the context of the Source";
//sink.context = attackPayload;
var o2Finding = new O2Finding
{
o2Traces = new List<IO2Trace> { o2Trace},
context = attackPayload,
vulnName = word + "_" + attackParam,
vulnType = "Sql Injection (from WebInspect)"
};
results.Add(o2Finding);
}
/*
var o2Finding = new O2Finding
{
o2Trace = new O2Trace("WebInspect -> Ounce Mapping"),
context = attackDescriptor,
vulnName = fullURL,
vulnType = "WebInspect Vulnerability"
};
var source = new O2Trace(fullURL, TraceType.Source);
source.childTraces.Add(new O2Trace(attackDescriptor));
var Sink = new O2Trace(attackParamDescriptor)
{
traceType = TraceType.Known_Sink
};
source.childTraces.Add(Sink);
o2Finding.o2Trace.childTraces.Add(source);
results.Add(o2Finding);*/
}
// ReSharper restore PossibleNullReferenceException
}
return results;
}