How-To Request: Running Real Time feedback inside Visual Studio with C# REPL


CallMe Steve

Jul 20, 2015, 3:29:30 PM7/20/15
to o2-pl...@owasp.org
Hello, 

I've been reading all about the O2 Platform and the wonderful things it can achieve. The post that caught my attention the most is: http://blog.diniscruz.com/p/real-time-vulnerability-feedback-in.html 
However, I still haven't been able to get that working INSIDE Visual Studio. I ran the scripts provided with the O2 Platform to run a standalone version of the scanner: "TM - RealTime Security Scan v1.4", but I cannot seem to run it on Visual Studio 2010. 

Can someone provide a How-To for this? 

Thanks

Dinis Cruz

Jul 21, 2015, 4:32:10 AM7/21/15
to O2 Platform
Hi Steve

That PoC was created using the https://visualstudiogallery.msdn.microsoft.com/295fa0f6-37d1-49a3-b51d-ea4741905dc2 extension together with the realtime Cat.NET modules

Have you got that extension to run?

I actually can't find the exact script that I used on that video (created for OWASP AppSecEU 2012 in Greece), but I can quickly re-create it if you want to have a go. You will need the O2 Platform VS extension in VS2010 (or maybe we can look at upgrading that VS extension to VS 2013 or even VS 2015)

Dinis

--
You received this message because you are subscribed to the Google Groups "O2 Platform" group.
To post to this group, send email to o2-pl...@owasp.org.
Visit this group at http://groups.google.com/a/owasp.org/group/o2-platform/.

CallMe Steve

Jul 21, 2015, 6:08:40 AM7/21/15
to o2-pl...@owasp.org
Hey Dinis,

You have no idea how relieved I feel to see your response! I've been banging my head against the wall trying to get this to work for about a month now.. lol
I'm not sure which exact script you used in your video because in O2 Platform's 5.5 Release (https://github.com/o2platform/O2.Platform.Scripts/tree/master/3rdParty/Microsoft/CatNet), there are multiple scripts that seem to do similar things. I think you were using this one: https://github.com/o2platform/O2.Platform.Scripts/blob/master/3rdParty/Microsoft/CatNet/PoC%20-%20CatNet%20Scan%20on%20Local%20File%20(with%20Findings).h2
I would love it if you can help me get it working for VS2010 and beyond! 

I would also love to help you develop this for more vulnerabilities and more languages. Cat.Net hasn't gotten any support yet, unfortunately. There was a brief beta for version 2.0, but that got quickly shutdown and there are only dead links now.. 

Anyway, I would really really appreciate any help you can give me.
Thanks!

CallMe Steve

Jul 21, 2015, 6:37:48 AM7/21/15
to o2-pl...@owasp.org
I have gotten the plugin to run. I can execute the sample script you provided in the plugin's dropdown menu, but executing any other script just leads to unreferenced-assembly compilation errors. I have manually pathed all the missing assemblies using //O2Ref and //O2File tags, but they still give me missing-assembly errors.. The most prominent one is "XRules" in the "O2" namespace. I followed your walkthrough here to add the missing assemblies. 


On Tuesday, July 21, 2015 at 4:32:10 AM UTC-4, Dinis Cruz wrote:

Michael Hidalgo

Jul 21, 2015, 7:44:12 AM7/21/15
to O2 Platform
Hi Steve, at the moment the Visual Studio plugin is available for the following versions of VS:
7/21/2015 5:39:02 AM -     Supported Products : 
7/21/2015 5:39:02 AM -         Microsoft.VisualStudio.Ultimate
7/21/2015 5:39:02 AM -             Version : [10.0]
7/21/2015 5:39:02 AM -         Microsoft.VisualStudio.Premium
7/21/2015 5:39:02 AM -             Version : [10.0]
7/21/2015 5:39:02 AM -         Microsoft.VisualStudio.Pro
7/21/2015 5:39:02 AM -             Version : [10.0]

I'm adding this task to my list, since I'm trying to participate in an O2 Platform workshop at OWASP AppSec 2015 in San Francisco. 
I would like to map out which features should be implemented and which issues fixed, and it sounds like adding support for the newest versions of VS is an asset.

As far as the error you are having, could you please send us a screenshot?

Thanks.






--

Michael Hidalgo.
OWASP Chapter Leader & Researcher

Blog: http://michaelhidalgocr.blogspot.com


Michael Hidalgo

Jul 21, 2015, 7:44:36 AM7/21/15
to sccall...@gmail.com, O2 Platform

CallMe Steve

Jul 21, 2015, 8:37:05 AM7/21/15
to o2-pl...@owasp.org
Hey Michael, 

Thanks for your help. I get different errors based on which script I run. Which script am I supposed to run to mimic Dinis' video that I linked above? 

Dinis Cruz

Jul 21, 2015, 8:49:15 AM7/21/15
to O2 Platform
inline...

On 21 July 2015 at 11:08, CallMe Steve <sccall...@gmail.com> wrote:
Hey Dinis,

You have no idea how relieved I feel to see your response! I've been banging my head against the wall trying to get this to work for about a month now.. lol

well, next time ask this list :) 

or drop a note in O2Platform's Slack channel
 
I'm not sure which exact script you used in your video because in O2 Platform's 5.5 Release (https://github.com/o2platform/O2.Platform.Scripts/tree/master/3rdParty/Microsoft/CatNet), there are multiple scripts that seem to do similar things. I think you were using this one: https://github.com/o2platform/O2.Platform.Scripts/blob/master/3rdParty/Microsoft/CatNet/PoC%20-%20CatNet%20Scan%20on%20Local%20File%20(with%20Findings).h2

Those scripts are running the CatNet plugin outside VS, did they work? Are these the scripts you mentioned you fixed in one of the next emails? If so, can you send a PR with your fixes?

Btw, you can also run these tools using these stand-alone exes: https://bintray.com/o2-platform/O2-Tools/DotNet/view

 
I would love it if you can help me get it working for VS2010 and beyond! 

Sure, let's do it :)
 

I would also love to help you develop this for more vulnerabilities and more languages.


well the cat.net scanner will run on any .NET language, so if it compiles into MSIL, we can use it.



Other options are:
 to use the compilation objects created when inside VS (which I think are starting to be

 
Cat.Net hasn't gotten any support yet, unfortunately. There was a brief beta for version 2.0, but that got quickly shutdown and there are only dead links now.. 

yeah, it died since MS gave up on it. it looks like the FxCop team won that battle, which is unfortunate since FxCop is not able to make the kind of 'taint-flow analysis' that Cat.NET can

Dinis

Dinis Cruz

Jul 21, 2015, 8:51:29 AM7/21/15
to O2 Platform
sorry pressed 'Send too soon'

The 'Other options are:' should have been:
  1) work on our own scanner, which the O2 Platform MethodStreams is a great foundation (have you seen them in action?).
  2) use Roslyn objects and APIs (which I think already contain a basic type of taint analysis'
  3) use the compilation objects created when inside VS (which I think are starting to be
  4) patch the .NET framework to add 'Tainted Strings' to it


Dinis Cruz

Jul 21, 2015, 8:53:58 AM7/21/15
to O2 Platform
Have you been able to run Cat.NET inside VisualStudio? and control it using the O2 Scripts?

Can you create a couple of https://gist.github.com/ with the scripts you are writing (especially the ones that are not working)

Also can you fork the https://github.com/o2platform/Book_WebAutomation and send a PR of a page that talks about the VS plugin?

Thx

Dinis Cruz

Jul 21, 2015, 8:55:22 AM7/21/15
to O2 Platform
nice, it's pretty cool how one can just import any .NET DLL into that REPL script :)

On 21 July 2015 at 11:37, CallMe Steve <sccall...@gmail.com> wrote:

CallMe Steve

Jul 21, 2015, 9:39:31 AM7/21/15
to o2-pl...@owasp.org
Those scripts are running the CatNet plugin outside VS, did they work? Are these the scripts you mentioned you fixed in one of the next emails? If so, can you send a PR with your fixes?

Oh. So those scripts aren't supposed to work inside VS? Yes, they worked through the O2 platform, after I fixed them, and of course the bintray exes always worked.  
Yes, I fixed a few of those scripts to have the right references, but they are specific to my computer, as in specific to where I put my assembly files. I don't think my PR will help..
 
well the cat.net scanner will run on any .NET language, so if it compiles into MSIL, we can use it.

As someone who has some undying love for Java and Python, how do you think we can get it to work on those languages? 


If I understand you correctly, the scripts in your repo aren't meant to run the PoC you showed inside VS. How can I run the real-time feedback system inside VS? I tried following this, but it didn't get me anywhere...

CallMe Steve

Jul 22, 2015, 10:21:10 AM7/22/15
to O2 Platform

Have you been able to run Cat.NET inside VisualStudio? and control it using the O2 Scripts?
I have gotten Cat.NET running on VS, but I cannot control it with O2. 
 
Can you create a couple of https://gist.github.com/ with the scripts you are writing (especially the ones that are not working)
The scripts that I created are very basic. Just doing browser based automation inside VS.  

Also can you fork the https://github.com/o2platform/Book_WebAutomation and send a PR of a page that talks about the VS plugin?
Definitely! I'd love to write the entire section for the plugin, if only I could get it working... Grrr 

Dinis Cruz

Jul 22, 2015, 10:43:54 AM7/22/15
to O2 Platform
On 21 July 2015 at 14:39, CallMe Steve <sccall...@gmail.com> wrote:
Those scripts are running the CatNet plugin outside VS, did they work? Are these the scripts you mentioned you fixed in one of the next emails? If so, can you send a PR with your fixes? 

Oh. So those scripts aren't supposed to work inside VS? Yes, they worked through the O2 platform, after I fixed them,

well they can run, but if I remember correctly the VS plugin does not (by default) check out the O2.Platform.Scripts folder which contains the code of those scripts (so you will get a number of missing dependencies)

That said, it is possible to run them, but it most likely will require a couple of extra includes

 
and of course the bintray exes always worked.  

cool
 
Yes, I fixed a few of those scripts to have the right references, but they are specific to my computer, as in specific to where I put my assembly files. I don't think my PR will help..

Can you paste here an example of those fixes? There is good support for virtual paths inside the //O2File: and //O2Dir: includes, so you shouldn't need hardcoded paths
 
 
well the cat.net scanner will run on any .NET language, so if it compiles into MSIL, we can use it.

As someone who has some undying love for Java and Python, how do you think we can get it to work on those languages? 


have you seen the Python and Java modules that are inside O2?

There is already good support for IronPython, and for java you can use Jni4Net (see code examples) to code in pure Java

If you miss your java classes/APIs, you can also use IKVM to access the Java APIs from C# (the entire OpenJDK is already there). See the XmlDecoder exploit for a good example of this (i.e. the Java's XmlDecoder exploit also works in C#)
 

If I understand you correctly, the scripts in your repo aren't meant to run the PoC you showed inside VS. How can I run the real-time feedback system inside VS?

So the real-time feedback loop has 3 parts:

1) trigger auto compilation on code change. In the video I was using the O2 Platform's code editor (which is kinda cheating :) ), but with Roslyn we can also get the compiled dlls in real time (one of the stand-alone PoCs does this). In VS 2010 there is also some kind of real-time compilation, which could be used (for example I used that to dynamically/real-time visualise WinForms controls without needing to run the app)

2) once you have an assembly you need to run cat.net on it (this should be done in memory (i.e. not via CLI) so that we get the 'real-time-speed')

3) after cat.net executes it is just a case of:

   i) opening a new VS panel (if not available already)
   ii) colour code it depending on the Cat.Net results

:)
 
I tried following this, but it didn't get me anywhere...

did you get any errors on those code samples?

Dinis 
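
The three-part loop above, as an added example for this thread (it is not O2 Platform, FluentSharp or Cat.NET code). It assumes the Microsoft.CodeAnalysis.CSharp (Roslyn) NuGet package and a .NET 6+ SDK. Part 1 compiles the editor text in memory with Roslyn; part 2 is a tiny in-process source-to-sink check that stands in for Cat.NET (the sink name `RunQuery` and the sample class are constructed for the demo); part 3 prints line-numbered findings where the VS version would open a panel and colour the lines. The `Watch` method hooks the same pipeline to a file-save trigger.

```csharp
// Added example (not O2 Platform or Cat.NET code): the three-part real-time loop
// with a small Roslyn check standing in for Cat.NET. Assumes Microsoft.CodeAnalysis.CSharp.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public record Finding(int Line, string Message);

public static class RealTimeLoop
{
    // Constructed sink list: method names the stand-in scanner treats as "executes a query".
    static readonly HashSet<string> Sinks = new() { "RunQuery" };

    // Part 1: compile the current editor text in memory; nothing is written to disk.
    public static CSharpCompilation CompileInMemory(string source)
    {
        var tree = CSharpSyntaxTree.ParseText(source);
        var refs = new[] { MetadataReference.CreateFromFile(typeof(object).Assembly.Location) };
        var compilation = CSharpCompilation.Create("Scratch", new[] { tree }, refs,
            new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));
        using var ms = new MemoryStream();
        var emit = compilation.Emit(ms); // a real scanner would take the assembly bytes from here
        if (!emit.Success)
            throw new InvalidOperationException(string.Join("\n", emit.Diagnostics));
        return compilation;
    }

    // Part 2: run the scanner in-process (no CLI round trip). Stand-in rule: an argument to a
    // sink method that is a string concatenation containing a method parameter, i.e. a
    // caller-controlled value reaching the sink without passing through anything else.
    public static List<Finding> Scan(CSharpCompilation compilation)
    {
        var findings = new List<Finding>();
        foreach (var tree in compilation.SyntaxTrees)
        {
            var model = compilation.GetSemanticModel(tree);
            foreach (var call in tree.GetRoot().DescendantNodes().OfType<InvocationExpressionSyntax>())
            {
                var method = model.GetSymbolInfo(call).Symbol as IMethodSymbol;
                if (method == null || !Sinks.Contains(method.Name)) continue;
                foreach (var arg in call.ArgumentList.Arguments)
                {
                    if (!arg.Expression.IsKind(SyntaxKind.AddExpression)) continue;
                    var tainted = arg.Expression.DescendantNodes().OfType<IdentifierNameSyntax>()
                        .Where(id => model.GetSymbolInfo(id).Symbol is IParameterSymbol)
                        .Select(id => id.Identifier.Text).Distinct().ToList();
                    if (tainted.Count == 0) continue;
                    int line = arg.GetLocation().GetLineSpan().StartLinePosition.Line + 1;
                    findings.Add(new Finding(line,
                        $"parameter(s) {string.Join(", ", tainted)} concatenated into {method.Name}"));
                }
            }
        }
        return findings;
    }

    // Part 3: hand results to the editor. Here they go to the console; inside VS this is
    // where the panel would be opened and the reported lines colour-coded.
    public static void Report(IEnumerable<Finding> findings)
    {
        foreach (var f in findings) Console.WriteLine($"line {f.Line}: {f.Message}");
    }

    // Trigger on file save; a keystroke trigger would use the editor's text-changed event instead.
    public static FileSystemWatcher Watch(string directory)
    {
        var watcher = new FileSystemWatcher(directory, "*.cs") { NotifyFilter = NotifyFilters.LastWrite };
        watcher.Changed += (_, e) =>
        {
            try { Report(Scan(CompileInMemory(File.ReadAllText(e.FullPath)))); }
            catch (Exception ex) { Console.WriteLine($"skipped: {ex.Message}"); }
        };
        watcher.EnableRaisingEvents = true;
        return watcher;
    }

    public static void Main()
    {
        // Constructed sample: RunQuery stands in for a database call.
        const string sample = @"
class Repo
{
    string RunQuery(string sql) { return sql; }
    string ByName(string name) { return RunQuery(""select * from users where name='"" + name + ""'""); }
    string Count() { return RunQuery(""select count(*) from users""); }
}";
        Report(Scan(CompileInMemory(sample))); // reports line 5 (ByName); Count() is clean
    }
}
```

The in-memory compile plus in-process scan is what gives the loop its speed: the only per-keystroke cost is a Roslyn parse and a walk of the syntax tree, and no file or child process is involved. Swapping the stand-in `Scan` for a call into a real taint-flow engine keeps parts 1 and 3 unchanged.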

Dinis Cruz

Jul 22, 2015, 10:49:15 AM7/22/15
to O2 Platform
On 22 July 2015 at 15:21, CallMe Steve <sccall...@gmail.com> wrote:

Have you been able to run Cat.NET inside VisualStudio? and control it using the O2 Scripts?
I have gotten Cat.NET running on VS, but I cannot control it with O2. 

ok, so you're not that far off, have you got it where you control that CAT.NET panel from the O2 script?

get a reference to the open VS panels and use the O2 FluentSharp APIs to control it :)
 
 
Can you create a couple of https://gist.github.com/ with the scripts you are writing (especially the ones that are not working)
The scripts that I created are very basic. Just doing browser based automation inside VS.  

don't worry about it, nobody is going to judge your code :)

the reason I'm asking is that there are lots of ways to code in O2 and it will help me to help you if I can see how you are coding it
 

Also can you fork the https://github.com/o2platform/Book_WebAutomation and send a PR of a page that talks about the VS plugin?
Definitely! I'd love to write the entire section for the plugin, if only I could get it working... Grrr 


you're getting there :)

are you able to start a screen-sharing session? For example using join.me? I'm around over the next couple of hours and it might be easier for me to help you if I can see what you are doing

If that doesn't work, we could always start a Windows VM on EC2 or Google Cloud and use that 

CallMe Steve

Jul 23, 2015, 2:12:41 PM7/23/15
to O2 Platform, dinis...@owasp.org
I'm still a little confused as to how to use FluentSharp's APIs to control VS's Cat.NET extension :/ 

I responded to the other thread about setting up a Google Cloud VM. I hope using that interface can clear up these confusions. 

Again, thank you so much for your help!

CallMe Steve

Jul 27, 2015, 11:20:51 AM7/27/15
to O2 Platform, dinis...@owasp.org, sccall...@gmail.com
Hey Dinis,

Awesome archives blog over at https://owasp.slack.com/archives/project-o2/

I just finished reading up on it and I was able to replicate all your results. I'm going to try to trigger the scan on every keystroke now instead of on build, to make it actually real time. 

Dinis Cruz

Jul 27, 2015, 12:17:16 PM7/27/15
to CallMe Steve, O2 Platform

Glad you liked it.

Can you now see what I mean by 'controlling Cat.NET from the O2 REPL' ?
