Subgraph vega countermeasure2012
Vega 1.0 presentation at Countermeasure 2012.

Published in: Technology
  • 1. Using and Extending Vega
      • David Mirza, Subgraph
      • Montreal
  • 2. Introduction: Who We Are
      • Open-source security startup
      • Based in Montreal
      • Experienced founders:
          • Secure Networks Inc.
          • SecurityFocus (Symantec)
          • Core Security Technologies
          • Netifera
          • REcon
  • 3. Open Source and Security: Kerckhoffs’ principle
      • Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
      • Made an important realization:
      • “The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience”
      • “The adversary knows the system” (Claude Shannon)
      • As opposed to “security through obscurity”
  • 4. Open Source and Security: Kerckhoffs’ Principle
      • Well understood in the world of cryptography
      • New ciphers not trusted
      • Because cryptography is a “black box”
      • Once in a while, less now, companies try to market proprietary ciphers
      • There’s a term for this: “snake oil”
      • Kerckhoffs’ principle can be understood as “open source is good security”
  • 5. Commercial Web Security Software
      • Advantages
          • Ease of installation, upgrade, use
          • User experience
          • Quality assurance, bug fixes
          • Documentation and help
          • Development driven by demand and need
      • Disadvantages
          • Expensive
          • Sometimes bizarre licensing restrictions
          • EOL, acquisitions, other events
          • Proprietary / closed source
  • 6. Open Source Web Security Tools: Let’s just talk about disadvantages..
      • No integration / sharing between tools
      • Poor or non-existent UI, documentation / help
      • Painful, broken installations
      • Code is of inconsistent quality
      • Developer / contributor unreliability
      • Developer interest driven by interest, skill level, whim
      • Forks
      • Abandonment
          • Developer finished college, got a job
          • Successfully reproduced
  • 7. i hurt myself today
  • 8. Our Vision
      • One web, one web security tool
          • Open source
          • Consistent, well-designed UI
          • Functions really well as an automated scanner
          • Shouldn’t need to be a penetration tester
          • Advanced features for those who are
          • User extensibility
          • Community
          • Plus all that boring stuff
          • Documentation, help, business friendly features
      • We are building the ultimate platform for web security
          • Rapidly prototype attacks
          • Nobody should have to use commercial tools
          • Because Vega is free
  • 9. Introducing Vega Platform
      • Open-source web application vulnerability assessment platform
      • Easy to use graphical interface
      • Works on Windows, Mac, Linux
      • Automated scanner, attacking proxy finds vulnerabilities
      • Based on Eclipse RCP
      • Extensible: JavaScript, the language every web developer knows
      • Shipped first release July 1
      • EPL 1.0
  • 10. Vega is Built On:
      • Eclipse RCP / Equinox OSGi
      • Apache HC
      • JSoup
      • Mozilla Rhino
      • Eliteness
  • 11. Automated Scanner
      • Recursive crawl over target scope
      • 404 detection
      • Probes path nodes to determine if files, directories
      • Builds tree-like internal representation of target application
          • Vega runs injection modules on nodes, abstracted in API
      • Response processing modules run on all responses
      • Modules written in JavaScript
      • New for 1.0
          • Expanded scope, more than one base URI
          • Support for authentication: HTTP, form-based, NTLM
          • Much better scanner modules
          • Very annoying crawler bugs fixed
  • 12. Vega Automated Scanner
  • 13. Start new scan and choose some of these modules:
  • 14. Which are each one of these..
  • 15. Modules produce vulnerability reports:
  • 16. ..which are based on these: Vega is very extensible.
  • 17. Request / response pair
  • 18. Can be reviewed / replayed, module highlights finding
  • 19. Vega Proxy
      • Intercepting proxy
      • SSL MITM, including CA signing cert
          • http://vega/ca.crt through the proxy
      • Edit requests, responses
      • Request replay
      • Response processing modules run on all responses
      • Modules written in JavaScript
      • New for 1.0
          • Proxy scanning
          • Fuzzes pages in target scope when enabled
          • Finds lots of vulnerabilities
  • 20. Browser proxy configuration:
  • 21. General proxy use. Green “play” button enables proxy, red stops it.
  • 22. Configuring a Breakpoint
  • 23. Intercepted Request
  • 24. SSL MITM: Magic proxy URI
  • 25. Proxy Scanning
      • Gathers parameters and path information observing client-server interaction
      • Sees things the crawler can’t see
          • RPC endpoints
          • Links in Flash, Java, other active content
      • Very effective at finding vulnerabilities
      • To try it, configure the proxy, create a proxy target scope, enable proxy scanning
  • 26. Configure a target scope
  • 27. Enable Proxy Scanning
      • Alert Notification Icon, aka SQL Injection Blinker
  • 28. Proxy Scanner Alerts
  • 29. Demo (1.0!)
  • 30. Extending Vega
      • Modules written in JavaScript
      • In the Vega/scripts/ subdirectory tree
          • Well on OS X they’re in some weird place
      • Two kinds of modules:
          • Injection, AKA “Basic”
              • Send fuzzing requests, do stuff with the responses
          • Response processing
              • Pattern matching, regex, checking response properties
  • 31. Extending Vega
      • Rich API
          • Check documentation at
      • DOM analysis with jQuery
          • E.g. file upload, password input submitted over HTTP..
      • Alerts based on XML templates
          • In the XML/ subdirectory
      • Freemarker Macro / CSS components
  • 32. Where are we at?
      • Feature complete for 1.0
      • Testing and fixing bugs
      • Additional module refinement and testing
      • Vega 1.0 release in November? Or early December
      • Visit my github (or if you want what you see here
          • Download link on our website is the beta..
      • Can provide builds for OS X, Windows users
          • Just ask me – email, irc (#subgraph / freenode), twitter, whatever
  • 33. What’s coming?
      • Even more improvements in detections
      • Fuzzer / brute forcer
      • Better reporting
      • Better encoding, decoding, representation and manipulation of structured data
      • Headless scanner
      • HAR export
      • Scriptable proxy
      • We’re open to ideas and feedback!
  • 34. Thank you!
      • Web
      • Try Vega / get the source
          • (more stable)
          • (newer, less stable)
      • Twitter
          • Us: @subgraph
          • Me: @attractr
      • E-mail us
      • IRC
          • , #subgraph
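
The kind of response-processing check slides 30 and 31 name (pattern matching over a response, "password input submitted over HTTP", file upload), as an added example that is not from the presentation and does not use Vega's module API. It is standalone JavaScript with regex-based parsing; the function names, finding labels and sample pages are constructed for illustration.

```javascript
// Added example: standalone response-processing check (not Vega's module API).
// Function names, finding labels and sample pages are constructed.

// Read one attribute value from a single HTML tag string ("" when absent).
function attr(tag, name) {
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] || m[2] || m[3] || "") : "";
}

// Inspect one response body and report risky forms, as a passive check would.
function checkForms(pageUrl, html) {
  const findings = [];
  for (const [form] of html.matchAll(/<form\b[^>]*>[\s\S]*?<\/form>/gi)) {
    const openTag = /<form\b[^>]*>/i.exec(form)[0];
    const types = (form.match(/<input\b[^>]*>/gi) || [])
      .map((tag) => attr(tag, "type").toLowerCase());
    // An empty or missing action submits to the page itself, so resolve
    // the action against the page URL before looking at the scheme.
    const target = new URL(attr(openTag, "action"), pageUrl);
    if (types.includes("password") && target.protocol === "http:") {
      findings.push({ issue: "password-over-http", page: pageUrl, target: target.href });
    }
    if (types.includes("file")) {
      findings.push({ issue: "file-upload", page: pageUrl, target: target.href });
    }
  }
  return findings;
}

// Constructed sample responses: [page URL, body].
const samples = [
  ["https://shop.example/login",
   '<form action="http://shop.example/auth"><input type="password" name="p"></form>'],
  ["http://intranet.example/", "<form method=post><input type=password name=p></form>"],
  ["https://ok.example/login",
   '<form action="/session"><input type="Password" name="p"></form>'],
  ["https://ok.example/avatar",
   "<form action='/upload' enctype='multipart/form-data'><input type='file' name='f'></form>"],
];

function runSamples() {
  return samples.flatMap(([url, body]) => checkForms(url, body));
}

console.log(runSamples());
```

The HTTPS login page that posts to a cleartext action is reported even though the page itself loaded over TLS, which is the case a check on the page scheme alone would miss.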