WebApp Sec mailing list archives

New ANBS Tool: OWASP Asp.Net Reflector


From: Dinis Cruz <dinis () ddplus net>
Date: Mon, 01 Nov 2004 21:44:47 +0000

{as posted in the Owasp-DotNet blog: http://www.ernw.de/owasp-dotnet/PermaLink.aspx?guid=1727d444-cdbb-4d6c-b3c6-64b71328abd1}

I am happy to announce the release of the first BETA version (v0.1a) of the Owasp Asp.Net Reflector (downloadable from http://www.ddplus.net/projects/ANBS_AspNet_Reflector_V0.1a.zip)

Note: This tool will be soon added to the OWASP ANBS (Asp.Net Baseline Security) suite.

1) Description

The Owasp Asp.net Reflector is an online tool which allows the browsing of all available methods (public and private) of an Asp.Net web application. It basically lists (for the currently selected object) the Properties, Methods and Fields available; and:

* for Properties: allows opening the property and lists its Properties, Methods and Fields (i.e. goes down one level)
* for Methods: allows the execution of the methods that have no parameters (for example ToString())
* for Fields: displays its current contents (although this version already supports the further expansion of each Field into its Properties, Methods and Fields)

This functionality is somewhat equivalent to the one provided by Visual Studio's Watch Window (http://msdn.microsoft.com/library/en-us/vsdebug/html/vcurfwatchwindow.asp) and Locals Window (http://msdn.microsoft.com/library/en-us/vsdebug/html/vcurflocalswindow.asp) when in debugging mode (it would be quite interesting to see how the OWASP Asp.Net Reflector could provide step-by-step debugging information in dynamic web applications).

This tool can be used for Asp.Net Security Audits, Debugging and Learning. It is also a very good example of the power (and dangers) of Full Trust Asp.Net.

2) How it works

There are two main components for this tool:

* The WebService "/webservice/ResultReflectedData.asmx", which handles all the data requests and is the one being 'reflected' (i.e. the one running the 'live' objects)
* The XML/XSL pages which create the user interface and the nice environment where only one page is loaded: default.xml. Once the default.xml page is loaded, all data requests are processed by Javascript and XML/XSL transformations
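As an added illustration (not the Reflector's own code), the following stand-alone C# program does in-process what the web service above does for a 'live' object: it enumerates the Properties, Fields and parameterless Methods (public and private) of the selected object and invokes a method by name. SampleConfig is a constructed stand-in for a real Asp.Net object; its private field and private method are readable and callable only because the code runs with Full Trust.

```csharp
using System;
using System.Reflection;
// Constructed sample object standing in for a 'live' Asp.Net object (assumption).
class SampleConfig
{
    private string connectionString = "Server=placeholder;Password=placeholder"; // non-public state
    public string Name { get; set; } = "app";
    public int Requests { get; private set; } = 3;
    private int Secret() { return 42; }                 // private and parameterless
    public override string ToString() { return "SampleConfig(" + Name + ")"; }
}

static class MiniReflector
{
    // Public AND non-public instance members: this is what Full Trust makes possible.
    const BindingFlags All = BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
    // Lists the Properties, Fields and parameterless Methods of the selected object.
    static void Describe(object target)
    {
        Type t = target.GetType();
        Console.WriteLine("Object: " + t.FullName);
        foreach (PropertyInfo p in t.GetProperties(All))
        {
            // Indexers need parameters, so they are skipped like any other parameterised call.
            if (!p.CanRead || p.GetIndexParameters().Length > 0) continue;
            Console.WriteLine("  Property " + p.Name + " = " + p.GetValue(target, null));
        }
        foreach (FieldInfo f in t.GetFields(All))
            Console.WriteLine("  Field    " + f.Name + " = " + f.GetValue(target));
        foreach (MethodInfo m in t.GetMethods(All))
            if (m.GetParameters().Length == 0 && !m.IsSpecialName)   // hide get_/set_ accessors
                Console.WriteLine("  Method   " + m.Name + "()");
    }
    // Invokes a method that takes no parameters, as the tool does for e.g. ToString().
    static object Invoke(object target, string methodName)
    {
        MethodInfo m = target.GetType().GetMethod(methodName, All, null, Type.EmptyTypes, null);
        if (m == null) throw new MissingMethodException(target.GetType().Name, methodName);
        return m.Invoke(target, null);
    }

    static void Main()
    {
        var cfg = new SampleConfig();
        Describe(cfg);                                       // lists connectionString and Secret()
        Console.WriteLine("Secret() -> " + Invoke(cfg, "Secret"));
    }
}
```

Under a partial-trust level such as Medium, the ASP.NET policy does not grant ReflectionPermission, so the NonPublic lookups above fail there; that difference is the concrete meaning of the "dangers of Full Trust" remark.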

3) Installation

  1. Unzip "ANBS_AspNet_Reflector V0.1a.zip"
  2. Create an IIS application, either:
     1. by creating a new website whose root is "..\ANBS_AspNet_Reflector", or
     2. by adding the folder ANBS_AspNet_Reflector to an existing website and making the ANBS_AspNet_Reflector folder (in IIS) an Application
  3. Open the root of your new website (or http://xxx.xxx.xxx.xxx/.../ANBS_AspNet_Reflector) in a browser

If this doesn't work, contact me and I will work with you to solve the problem.

4) License
As with all the other Owasp-DotNet tools, the Owasp Asp.Net Reflector is licensed under the LGPL (http://www.gnu.org/copyleft/lesser.html). For further information on OWASP licenses, please consult the licenses page (http://www.owasp.org/about/licenses.html).

6) Potential uses for Asp.Net web applications

   * Security audits
   * Debugging
   * Learning


7) Ideas for next development (anybody interested?)

* module to invoke methods using parameters (currently it is only possible to invoke methods that don't have any parameters)
* module that displays the source code of each method (ala Reflector)
* module that reads the current web.config's parameters as mapped in Asp.Net internal functions (which will allow a deeper understanding of the current Asp.Net Authentication vulnerabilities)
* custom object parsers which will process and display information from objects like System.String[] (and others)
* ability to create custom objects and assign them to 'live' objects (for example creating a new custom Security Identity/Principal and assigning it to the Current HttpContext)
* make it FireFox friendly (since this doesn't work in FireFox: xslObject = new ActiveXObject("Microsoft.XMLDOM"))
* improve the GUI and create a 'design' for this tool (i.e. make it look professional)
* add the ability to impersonate other accounts by using their token (if available in the worker process) or by providing the user's details
* further research:
  o see if there are other objects that exist on the server which are not accessible via the 'this' object
  o see if one can bind into other AppDomains also hosted in the current worker process
  o automatically serialize complex objects on the server and deserialize them on the client

8) Screen Shots ('Shift+Click' on link to see image in a new window (or 'Ctrl+Click' for FireFox users))

a) AspNet_Reflector-1.jpg : Default view (containing the Properties, Methods and Fields of the object "this")

b) AspNet_Reflector-2.jpg : Browsing "this:Context"

c) AspNet_Reflector-3.jpg and AspNet_Reflector-4.jpg : Browsing "this:Context:Request" (note the value of Properties on the 2nd image)

d) AspNet_Reflector-5.jpg : Browsing "this:Context:User" and invoking the method get_Identity

e) AspNet_Reflector-6.jpg : Browsing "this:Context:User:Identity" and invoking the method get_Token (note that most properties of this object (this.Context.User.Identity) are not populated when the anonymous user is used)

9) Feedback

Please send your feedback with criticisms, ideas, suggestions and offers to help with the development of the next version to the Owasp-DotNet list (owasp-dotnet () lists sourceforge net) or to me directly (dinis_owasp () ddplus net).

Best Regards

Dinis Cruz
.Net Security Consultant
DDPlus
