Subgraph vega countermeasure2012

Vega 1.0 presentation at Countermeasure 2012.
1. Using and Extending Vega
David Mirza, Subgraph, Montreal
www.subgraph.com

2. Introduction: Who We Are
• Open-source security startup
• Based in Montreal
• Experienced founders:
  • Secure Networks Inc.
  • SecurityFocus (Symantec)
  • Core Security Technologies
  • Netifera
  • REcon
3. Open Source and Security: Kerckhoffs' principle
• Auguste Kerckhoffs: 19th-century Dutch linguist and cryptographer
• Made an important realization:
  "The security of any cryptographic system does not rest in its secrecy; it must be able to fall into the enemy's hands without inconvenience."
  "The adversary knows the system" (Claude Shannon)
• As opposed to "security through obscurity"

4. Open Source and Security: Kerckhoffs' Principle
• Well understood in the world of cryptography
• New, unreviewed ciphers are not trusted, because to their users cryptography is a "black box"
• Once in a while, less often now, companies try to market proprietary ciphers
• There's a term for this: "snake oil"
• Kerckhoffs' principle can be understood as "open source is good security"
5. Commercial Web Security Software
Advantages
• Ease of installation, upgrade, use
• User experience
• Quality assurance, bug fixes
• Documentation and help
• Development driven by demand and need
Disadvantages
• Expensive
• Sometimes bizarre licensing restrictions
• EOL, acquisitions, other events
• Proprietary / closed source

6. Open Source Web Security Tools
Let's just talk about the disadvantages..
• No integration / sharing between tools
• Poor or non-existent UI, documentation / help
• Painful, broken installations
• Code is of inconsistent quality
• Developer / contributor unreliability
• Developer interest driven by interest, skill level, whim
• Forks
• Abandonment
  • Developer finished college, got a job
  • Successfully reproduced
7. i hurt myself today

8. Our Vision
One web, one web security tool
• Open source
• Consistent, well-designed UI
• Functions really well as an automated scanner
  • Shouldn't need to be a penetration tester
  • Advanced features for those who are
• User extensibility
• Community
• Plus all that boring stuff
  • Documentation, help, business-friendly features
We are building the ultimate platform for web security
• Rapidly prototype attacks
• Nobody should have to use commercial tools
  • Because Vega is free

9. Introducing Vega Platform
‣ Open-source web application vulnerability assessment platform
‣ Easy to use graphical interface
‣ Works on Windows, Mac, Linux
‣ Automated scanner, attacking proxy finds vulnerabilities
‣ Based on Eclipse RCP
‣ Extensible: Javascript, a language every web developer knows
‣ Shipped first release July 1
‣ EPL 1.0

10. Vega is Built On:
• Eclipse RCP / Equinox OSGi
• Apache HC (HttpComponents)
• JSoup
• Mozilla Rhino
• Eliteness
11. Automated Scanner
• Recursive crawl over target scope
• 404 detection
• Probes path nodes to determine whether they are files or directories
• Builds a tree-like internal representation of the target application
  • Vega runs injection modules on nodes, abstracted in the API
• Response processing modules run on all responses
• Modules written in Javascript
New for 1.0
  • Expanded scope, more than one base URI
  • Support for authentication: HTTP, form-based, NTLM
  • Much better scanner modules
  • Very annoying crawler bugs fixed

12. [screenshot] Vega Automated Scanner

13. [screenshot] Start a new scan and choose some of these modules:

14. [screenshot] Which are each one of these..

15. [screenshot] Modules produce vulnerability reports:

16. [screenshot] ..which are based on these: Vega is very extensible.

17. [screenshot] Request / response pair

18. [screenshot] Can be reviewed / replayed; the module highlights the finding
19. Vega Proxy
• Intercepting proxy
• SSL MITM, including a CA signing cert
  • Request http://vega/ca.crt through the proxy to download it (import it only into the browser profile you test with; it lets the proxy impersonate any HTTPS site to that browser)
• Edit requests, responses
• Request replay
• Response processing modules run on all responses
• Modules written in Javascript
New for 1.0
  • Proxy scanning
  • Fuzzes pages in target scope when enabled
  • Finds lots of vulnerabilities

20. [screenshot] Browser proxy configuration:

21. [screenshot] General proxy use. Green "play" button enables the proxy, red stops it.

22. [screenshot] Configuring a Breakpoint

23. [screenshot] Intercepted Request

24. [screenshot] SSL MITM: Magic proxy URI
25. Proxy Scanning
• Gathers parameter and path information by observing client-server interaction
• Sees things the crawler can't see
  • RPC endpoints
  • Links in Flash, Java, other active content
• Very effective at finding vulnerabilities
• To try it: configure the proxy, create a proxy target scope, enable proxy scanning
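The site model described on slides 11 and 25, as an added example that is not Vega's own code or API: observed requests (from a crawl or from traffic seen through the proxy, including a POST body and an RPC endpoint the crawler would not find) are filtered by a target scope and folded into a tree of path nodes, which is then flattened into the parameter nodes an injection module would be run against. The scope rule, the observation format and every URL here are constructed for illustration; 404 detection and the file/directory probing are not modelled.

```javascript
// Added example, not Vega's own code or API: the kind of tree-like site
// model the crawler and the proxy scanner build from observed requests,
// with a target scope applied, flattened into the parameter nodes an
// injection module would be run against. Scope rule, observation format
// and all URLs below are constructed for illustration.

// A URL is in scope when it shares scheme and host with a base URI,
// lies under its path, and matches no exclusion pattern.
function inScope(scope, url) {
  const u = new URL(url);
  const underBase = scope.bases.some((b) => {
    const base = new URL(b);
    return u.protocol === base.protocol && u.host === base.host &&
      u.pathname.startsWith(base.pathname);
  });
  return underBase && !scope.exclude.some((re) => re.test(u.pathname));
}

// Each path node records whether it was seen as a file or a directory,
// the (method, location, name) parameters observed on it, and its children.
function newNode(name) {
  return { name, kind: 'unknown', params: new Map(), children: new Map() };
}

function addParam(node, method, location, name) {
  node.params.set(`${method} ${location} ${name}`, { method, location, name });
}

function buildSiteTree(scope, observations) {
  const root = newNode('/');
  for (const obs of observations) {
    if (!inScope(scope, obs.url)) continue; // out-of-scope traffic is ignored
    const u = new URL(obs.url);
    const segments = u.pathname.split('/').filter(Boolean);
    let node = root;
    segments.forEach((seg, i) => {
      if (!node.children.has(seg)) node.children.set(seg, newNode(seg));
      node = node.children.get(seg);
      // Intermediate segments are directories; a final segment is a file
      // unless the observed path ended in '/'.
      const last = i === segments.length - 1;
      if (!last || u.pathname.endsWith('/')) node.kind = 'directory';
      else if (node.kind === 'unknown') node.kind = 'file';
    });
    // Query-string parameters, plus form-encoded body parameters when the
    // proxy saw a body (something a crawler alone often misses).
    for (const [name] of u.searchParams) addParam(node, obs.method, 'query', name);
    if (obs.body) {
      for (const [name] of new URLSearchParams(obs.body)) addParam(node, obs.method, 'body', name);
    }
  }
  return root;
}

// Flatten the tree into one injection point per (path, parameter).
function injectionPoints(node, prefix = '') {
  const path = node.name === '/' ? '' : `${prefix}/${node.name}`;
  const points = [];
  for (const p of node.params.values()) points.push({ path: path || '/', ...p });
  for (const child of node.children.values()) points.push(...injectionPoints(child, path));
  return points;
}

// Constructed sample: a crawl plus some requests seen only through the proxy.
const sampleScope = { bases: ['http://target.example/app/'], exclude: [/\/logout$/] };
const sampleObservations = [
  { method: 'GET', url: 'http://target.example/app/' },
  { method: 'GET', url: 'http://target.example/app/search?q=test&page=1' },
  { method: 'POST', url: 'http://target.example/app/login', body: 'user=a&pass=b' },
  { method: 'GET', url: 'http://target.example/app/api/rpc?method=getUser&id=7' }, // proxy only
  { method: 'GET', url: 'http://target.example/app/logout' },   // excluded by scope
  { method: 'GET', url: 'http://other.example/app/search?q=x' }, // different host
];

const siteTree = buildSiteTree(sampleScope, sampleObservations);
console.log(injectionPoints(siteTree));
```

The scope check is deliberately strict about scheme and host: a scanner that fuzzes everything the proxy happens to see will attack third-party hosts the browser talks to, so the same filter that decides what goes into the tree decides what gets fuzzed.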
26. [screenshot] Configure a target scope

27. [screenshot] Enable Proxy Scanning; alert notification icon, aka the "SQL injection blinker"

28. [screenshot] Proxy Scanner Alerts

29. Demo (1.0!)
30. Extending Vega
• Modules written in Javascript
• In the Vega/scripts/ subdirectory tree
  • Well, on OS X they're in some less obvious place
• Two kinds of modules:
  • Injection, AKA "Basic"
    • Send fuzzing requests, do stuff with the responses
  • Response processing
    • Pattern matching, regex, checking response properties

31. Extending Vega
• Rich API
  • Check the documentation at https://support.subgraph.com
• DOM analysis with jQuery
  • E.g. file upload, password input submitted over HTTP..
• Alerts based on XML templates
  • In the XML/ subdirectory
• Freemarker macro / CSS components
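The two kinds of module logic from slides 30 and 31, as an added example that is not Vega's module API and uses none of its calls: a response-processing check that flags password inputs in a form that would be submitted over plaintext HTTP (one of the checks slide 31 names), and an injection check that sends a probe value into one parameter and reports a database error signature only if the unmodified request does not already show it. The `submit` function is a hypothetical stand-in for the scanner's request API, the target is simulated, and the HTML is constructed sample data.

```javascript
// Added example, not Vega's module API: the two kinds of logic a module
// carries, written as plain functions so they run stand-alone.
//  - a response-processing check: flag password inputs in a form that
//    would be submitted over plaintext HTTP;
//  - an injection check: put a probe value into one parameter and look for
//    a database error signature that the unmodified request does not show.
// 'submit' is a hypothetical stand-in for the scanner's request API; the
// target below is simulated and the HTML is constructed sample data.

const FORM = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
const ACTION = /\baction\s*=\s*["']?([^"'\s>]+)/i;
const PASSWORD_INPUT = /<input\b[^>]*\btype\s*=\s*["']?password\b[^>]*>/gi;

// Resolve each form's action against the page URL; report password inputs
// whose form posts to http://. A relative action on an http:// page counts.
function passwordOverHttp(pageUrl, html) {
  const findings = [];
  for (const m of html.matchAll(FORM)) {
    const [, attrs, body] = m;
    const actionMatch = attrs.match(ACTION);
    const action = new URL(actionMatch ? actionMatch[1] : '', pageUrl);
    if (action.protocol !== 'http:') continue;
    const count = (body.match(PASSWORD_INPUT) || []).length;
    if (count > 0) findings.push({ form: action.href, passwordInputs: count });
  }
  return findings;
}

// Well-known error strings from common database engines.
const SQL_ERRORS = [
  /You have an error in your SQL syntax/i,               // MySQL
  /unterminated quoted string at or near/i,              // PostgreSQL
  /Unclosed quotation mark after the character string/i, // MSSQL
  /ORA-\d{5}/,                                           // Oracle
];

// Send a benign value and a value with a stray quote; flag only a signature
// that appears for the probe and not for the baseline, so pages that always
// show an error string are not reported.
function sqlErrorProbe(submit, url, param) {
  const baseline = submit(url, param, 'vega');
  const probe = submit(url, param, "vega'");
  const sig = SQL_ERRORS.find((re) => re.test(probe.body) && !re.test(baseline.body));
  return sig ? { url, param, payload: "vega'", evidence: sig.source } : null;
}

// Simulated target (constructed): 'id' is concatenated into a query and
// breaks on a quote; 'q' is handled safely; 'topic' serves a help page that
// always mentions an Oracle error code, which must not be reported.
function simulatedSubmit(url, param, value) {
  if (param === 'id' && value.includes("'")) {
    return { status: 500, body: 'You have an error in your SQL syntax; check the manual' };
  }
  if (param === 'topic') {
    return { status: 200, body: '<p>Troubleshooting ORA-01756 and other errors</p>' };
  }
  return { status: 200, body: `<html>results for ${value}</html>` };
}

const sampleHtml = `
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="https://secure.example/login" method="post">
  <input type=password name=pw>
</form>
<form action="/search"><input name="q"></form>
</body></html>`;

console.log(passwordOverHttp('http://target.example/', sampleHtml));
console.log(sqlErrorProbe(simulatedSubmit, 'http://target.example/app/item', 'id'));
```

The baseline comparison in `sqlErrorProbe` is the part worth copying: an error string in the probe response alone is weak evidence, because documentation pages, search results and error-handling pages routinely contain such strings. The HTTP-form check resolves the action against the page URL so that a relative action on an `http://` page is caught and the same form on an `https://` page is not.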
32. Where are we at?
• Feature complete for 1.0
• Testing and fixing bugs
• Additional module refinement and testing
• Vega 1.0 release in November? Or early December
• Visit my github (or github.com/brl) if you want what you see here
  • Download link on our website is the beta..
• Can provide builds for OS X, Windows users
  • Just ask me: email, irc (#subgraph / freenode), twitter, whatever

33. What's coming?
• Even more improvements in detections
• Fuzzer / brute forcer
• Better reporting
• Better encoding, decoding, representation and manipulation of structured data
• Headless scanner
• HAR export
• Scriptable proxy
• We're open to ideas and feedback!

34. Thank you!
Web: try Vega / get the source
  • http://www.subgraph.com
  • http://github.com/dma/Vega (newer, less stable)
  • http://github.com/subgraph/Vega (more stable)
Twitter
  • Us: @subgraph
  • Me: @attractr
E-mail us: info@subgraph.com
IRC: irc.freenode.org, #subgraph