Using and Extending Vega

David Mirza, Subgraph
Montreal

www.subgraph.com
Introduction: Who We Are

• Open-source security startup
• Based in Montreal
• Experienced founders:
    • Secure Networks Inc.
    • SecurityFocus (Symantec)
    • Core Security Technologies
    • Netifera
    • REcon
Open Source and Security: Kerckhoffs’ principle

• Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
• Made an important realization:

    “The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience.”

    “The adversary knows the system.” (Claude Shannon)

• As opposed to “security through obscurity”
Open Source and Security: Kerckhoffs’ Principle

• Well understood in the world of cryptography
• New ciphers not trusted
    • Because cryptography is a “black box”
• Once in a while, less now, companies try to market proprietary ciphers
    • There’s a term for this: “snake oil”
• Kerckhoffs’ principle can be understood as “open source is good security”
Commercial Web Security Software

• Advantages
    • Ease of installation, upgrade, use
    • User experience
    • Quality assurance, bug fixes
    • Documentation and help
    • Development driven by demand and need
• Disadvantages
    • Expensive
    • Sometimes bizarre licensing restrictions
    • EOL, acquisitions, other events
    • Proprietary / closed source
Open Source Web Security Tools

• Let’s just talk about disadvantages..
    • No integration / sharing between tools
    • Poor or non-existent UI, documentation / help
    • Painful, broken installations
• Code is of inconsistent quality
• Developer / contributor unreliability
• Developer interest driven by interest, skill level, whim
• Forks
• Abandonment
    • Developer finished college, got a job
    • Successfully reproduced
i hurt myself today
Our Vision

• One web, one web security tool
    • Open source
    • Consistent, well-designed UI
    • Functions really well as an automated scanner
        • Shouldn’t need to be a penetration tester
        • Advanced features for those who are
    • User extensibility
        • Community
    • Plus all that boring stuff
        • Documentation, help, business friendly features
• We are building the ultimate platform for web security
    • Rapidly prototype attacks
    • Nobody should have to use commercial tools
        • Because Vega is free
Introducing Vega Platform

‣ Open-source web application vulnerability assessment platform
‣ Easy to use Graphical Interface
‣ Works on Windows, Mac, Linux
‣ Automated scanner, attacking proxy finds vulnerabilities
‣ Based on Eclipse RCP
‣ Extensible: Javascript – language every web developer knows
‣ Shipped first release July 1
‣ EPL 1.0
Vega is Built On:

• Eclipse RCP / Equinox OSGi
• Apache HC
• JSoup
• Mozilla Rhino
• Eliteness
Automated Scanner

• Recursive crawl over target scope
• 404 detection
• Probes path nodes to determine whether they are files or directories
• Builds tree-like internal representation of target application
    • Vega runs injection modules on nodes, abstracted in API
• Response processing modules run on all responses
• Modules written in Javascript
• New for 1.0
    • Expanded scope, more than one base URI
    • Support for authentication: HTTP, form-based, NTLM
    • Much better scanner modules
    • Very annoying crawler bugs fixed
Vega Automated Scanner (screenshot)
Start new scan and choose some of these modules: (screenshot)
..which are each one of these: (screenshot)
Modules produce vulnerability reports: (screenshot)
..which are based on these: (screenshot)

Vega is very extensible.
Request / response pair (screenshot)
Can be reviewed / replayed, module highlights finding (screenshot)
Vega Proxy

• Intercepting proxy
• SSL MITM, including CA signing cert
    • http://vega/ca.crt through the proxy
• Edit requests, responses
• Request replay
• Response processing modules run on all responses
• Modules written in Javascript
• New for 1.0
    • Proxy scanning
    • Fuzzes pages in target scope when enabled
    • Finds lots of vulnerabilities
Browser proxy configuration: (screenshot)
General proxy use. Green “play” button enables proxy, red stops it. (screenshot)
Configuring a Breakpoint (screenshot)
Intercepted Request (screenshot)
SSL MITM: Magic proxy URI (screenshot)
Proxy Scanning

• Gathers parameters and path information by observing client-server interaction
• Sees things the crawler can’t see
    • RPC endpoints
    • Links in Flash, Java, other active content
• Very effective at finding vulnerabilities
• To try it, configure the proxy, create a proxy target scope, enable proxy scanning
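The parameter-gathering side of proxy scanning, as an added example and not Vega’s own code: requests seen through the proxy are filtered by a target scope, and for in-scope ones the path and every parameter name are recorded per path node, which is the inventory the fuzzing step would later work from. The scope rules and the request object shape are assumptions, and the sample traffic is constructed.

```javascript
// Added example, not Vega's own code: the parameter-gathering half of proxy
// scanning as the slides describe it. The scope rules and the request object
// shape ({ method, url, headers, body }) are assumptions.

// Target scope: a list of base URIs. A request is in scope when its origin
// matches a base and its path starts with that base's path.
function inScope(scope, url) {
  const u = new URL(url);
  return scope.some((base) => {
    const b = new URL(base);
    return b.origin === u.origin && u.pathname.startsWith(b.pathname);
  });
}

// Parameter names from the query string plus, for url-encoded POSTs, the body.
// JSON or other bodies are not decoded here, so only their query names count.
function paramNames(req) {
  const names = new Set(new URL(req.url).searchParams.keys());
  const ct = ((req.headers && req.headers["content-type"]) || "").toLowerCase();
  if (req.method === "POST" && ct.startsWith("application/x-www-form-urlencoded")) {
    for (const k of new URLSearchParams(req.body || "").keys()) names.add(k);
  }
  return names;
}

// Build the per-path inventory: Map(path -> { methods: Set, params: Set }).
// Returns the inventory plus how many observed requests were out of scope.
function gather(scope, requests) {
  const inventory = new Map();
  let skipped = 0;
  for (const req of requests) {
    if (!inScope(scope, req.url)) { skipped += 1; continue; }
    const path = new URL(req.url).pathname;
    const node = inventory.get(path) || { methods: new Set(), params: new Set() };
    node.methods.add(req.method);
    for (const p of paramNames(req)) node.params.add(p);
    inventory.set(path, node);
  }
  return { inventory, skipped };
}

// Constructed sample traffic, as a browser behind the proxy might produce it.
// The RPC endpoint is the kind of thing a crawler never sees because no link
// points at it; the proxy sees it because the client called it.
const SAMPLE_SCOPE = ["http://app.example.test/"];
const SAMPLE_REQUESTS = [
  { method: "GET", url: "http://app.example.test/search?q=x&page=2", headers: {} },
  { method: "POST", url: "http://app.example.test/api/rpc",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: "method=getUser&id=7" },
  { method: "GET", url: "http://app.example.test/search?q=y&sort=asc", headers: {} },
  { method: "GET", url: "http://cdn.example.test/logo.png", headers: {} },
  { method: "POST", url: "http://app.example.test/api/rpc?v=2",
    headers: { "content-type": "application/json" }, body: '{"method":"ping"}' },
];

// Demo: prints each in-scope path with its methods and parameter names.
const result = gather(SAMPLE_SCOPE, SAMPLE_REQUESTS);
for (const [path, node] of result.inventory) {
  console.log(path, [...node.methods].join(","), [...node.params].join(","));
}
console.log("out of scope:", result.skipped);
```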
Configure a target scope (screenshot)
Enable Proxy Scanning (screenshot)

Alert Notification Icon, aka SQL Injection Blinker (screenshot)
Proxy Scanner Alerts (screenshot)
Demo (1.0!)
Extending Vega

• Modules written in Javascript
• In the Vega/scripts/ subdirectory tree
    • Well, on OS X they’re in some weird place
• Two kinds of modules:
    • Injection, AKA “Basic”
        • Send fuzzing requests, do stuff with the responses
    • Response processing
        • Pattern matching, regex, checking response properties
Extending Vega

• Rich API
    • Check documentation at https://support.subgraph.com
• DOM analysis with jQuery
    • E.g. detecting a file upload or a password input submitted over HTTP..
• Alerts based on XML templates
    • In the XML/ subdirectory
• Freemarker Macro / CSS components
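A stand-alone version of the “password input submitted over HTTP” response-processing check mentioned above, added here as an example and not taken from Vega’s own module code. Vega modules would run jQuery over the parsed DOM; this version scans the raw HTML with regexes so it runs under plain Node, and the module object with its run(request, response, ctx) / ctx.alert() hook is an assumed shape, not Vega’s documented API.

```javascript
// Added example, not Vega's own module code: a response-processing check for
// the "password input submitted over HTTP" case. Regexes stand in for the
// jQuery DOM queries a real Vega module would use.

// Resolve a form's action against the page URL. A missing or empty action
// submits back to the page itself, so the page's own scheme applies.
function resolveAction(pageUrl, action) {
  return new URL(action || "", pageUrl);
}

// Read one attribute value out of a tag's attribute string (quoted or bare).
function attr(attrs, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

const PASSWORD_INPUT_RE = /<input\b[^>]*\btype\s*=\s*["']?password["']?[^>]*>/i;
const FILE_INPUT_RE = /<input\b[^>]*\btype\s*=\s*["']?file["']?[^>]*>/i;

// Return one finding per form whose submit target is plain http: and which
// carries a password field (or, failing that, a file upload field).
function findInsecureForms(pageUrl, html) {
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const findings = [];
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const hasPassword = PASSWORD_INPUT_RE.test(body);
    const hasFile = FILE_INPUT_RE.test(body);
    if (!hasPassword && !hasFile) continue;
    const target = resolveAction(pageUrl, attr(attrs, "action"));
    if (target.protocol !== "http:") continue;
    findings.push({
      form: attr(attrs, "id") || attr(attrs, "name") || "(unnamed)",
      action: target.href,
      kind: hasPassword ? "password-over-http" : "file-upload-over-http",
    });
  }
  return findings;
}

// Assumed module shape (hypothetical, not Vega's documented API): a run()
// hook given the request, the response and a context object used to raise
// alerts, mirroring how the slides describe response-processing modules.
function run(request, response, ctx) {
  const findings = findInsecureForms(request.url, response.body);
  for (const f of findings) {
    ctx.alert(f.kind, { url: request.url, form: f.form, action: f.action });
  }
  return findings.length;
}

// Constructed sample page, not captured from any real site.
const SAMPLE_URL = "http://shop.example.test/account";
const SAMPLE_HTML = `
<form id="login" action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form id="search" action="https://shop.example.test/search"><input name="q"></form>
<form id="avatar" action="https://cdn.example.test/upload" method="post">
  <input type="file" name="pic">
</form>
<form id="reset" action="http://auth.example.test/reset" method="post">
  <input type='password' name='newpass'>
</form>`;

// Demo: raises two alerts (login, reset); the search form has no sensitive
// field and the avatar form posts over https, so both are left alone.
run({ url: SAMPLE_URL }, { body: SAMPLE_HTML },
    { alert: (kind, info) => console.log(kind, JSON.stringify(info)) });
```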
Where are we at?

• Feature complete for 1.0
• Testing and fixing bugs
• Additional module refinement and testing
• Vega 1.0 release in November? Or early December
• Visit my github (or github.com/brl) if you want what you see here
    • Download link on our website is the beta..
• Can provide builds for OS X, Windows users
    • Just ask me – email, irc (#subgraph / freenode), twitter, whatever
What’s coming?

• Even more improvements in detections
• Fuzzer / brute forcer
• Better reporting
• Better encoding, decoding, representation and manipulation of structured data
• Headless scanner
• HAR export
• Scriptable proxy
• We’re open to ideas and feedback!
Thank you!

• Web: http://www.subgraph.com
• Twitter
    • Us: @subgraph
    • Me: @attractr
• IRC: irc.freenode.org, #subgraph
• Try Vega / get the source
    • http://github.com/dma/Vega (newer, less stable)
    • http://github.com/subgraph/Vega (more stable)
• E-mail us: info@subgraph.com
Subgraph vega countermeasure2012