Hacking Your Website with Vega, ConFoo 2011
  1. Hacking Your Website With Vega
     David Mirza, Subgraph Technologies, Montreal
     http://www.subgraph.com
  2. Introduction
     - Who we are
     - Open-source security startup
     - Based in Montreal
     - Experienced founders:
       o Secure Networks Inc.
       o SecurityFocus (Symantec)
       o Core Security Technologies
       o Netifera
       o REcon
  3. About us
     - Subgraph is an open source security company
     - Helping organizations protect their websites
       o Building high quality software
       o Penetration testing
       o Code / architecture review
     - Incorporated in February 2010
     - Philosophy of openness important to us
       o More than just releasing the code
  4. Open Source and Security
     [image caption: “I say!”]
     - Kerckhoffs’ principle
     - Auguste Kerckhoffs: 19th century Dutch linguist and cryptographer
     - Made an important realization:
       o “The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience”
       o More succinctly, the adversary knows the system
     - As opposed to “security through obscurity”
  5. Open Source and Security
     - Kerckhoffs’ Principle
     - Well understood in the world of cryptography
       o New ciphers are not trusted without public scrutiny over years
       o Because cryptography is used as a “black box”
     - It’s the only way to be sure
       o Once in a while, less now, companies try to market proprietary ciphers
       o There’s a term for this: “snake oil”
     - But what about everyone else?
  6. Beyond Cryptography
     - Security Research Community
       o Active, global community of passionate professionals, amateurs, students and hackers
       o Collaborative
       o Open
     - Examples
       o Phrack magazine
       o Bugtraq
       o Defcon
       o Blackhat
       o REcon!
     - This community changed the software industry
       o Full-disclosure won
       o Better security for all
       o Bug bounties: Google, Mozilla
  7. Open Source and Security
     - Tools
       o These researchers write tools
         - Exploits
         - Network security (e.g. nmap)
       o Enough to have specialized, dedicated LiveCDs..
         - BackTrack – Penetration testing LiveCD
         - Helix – Forensics LiveCD
     - The security industry owes all so much
       o Grassroots, open source innovation
       o Some open source projects became commercial successes
         - Snort IDS
         - Metasploit
  8. Open Source and Security
     - Open source has always been a part of security
       o Collaborative, open research
       o Open source tool development
     - Kerckhoffs’ Law: open code scrutiny
       o Means better security, in general
     - Open source security software
       o Is more trustworthy: read the source, compile it yourself
       o No worries, no matter where in the world you live
     - Why doesn’t everyone demand open source for security?
  9. Open Source and Security
     - Web application security
     - Followed the same path
     - Collaborative, open research, advocacy
       o E.g. OWASP
     - Great open source tools, frameworks
     - Also, the cutting edge of web application development
     - Entirely open source!
  10. Web Security Timeline
      [timeline image]
  11. Commercial Web Security Software
      - Advantages of commercial tools
        o Ease of installation, upgrade, use
        o User experience
        o Quality Assurance, bug fixing
        o Documentation/Help
        o Development driven by demand/need
      - Disadvantages
        o Expensive
        o Bizarre license restrictions
        o EOL, acquisitions, other events
        o Proprietary, closed source
  12. Open Source Web Security Software
      - Since I’ve already talked about the advantages..
      - Disadvantages
        o No integration / sharing of data between the various tools
        o Poor or non-existent UI, documentation, help
        o Painful, broken installations
        o Code is of inconsistent quality
        o Developer, contributor unreliability
        o Development driven by whim, interest, skill level
        o Forks
        o Abandonment
          - Developer finished college, got a job
          - Successfully reproduced
  13. Existing Landscape of Web Tools
      - There are very good commercial tools
        o HP, IBM, Qualys
        o SAAS, such as Whitehat
        o NetSparker
        o BurpSuite (free version available)
      - Expensive
      - Some free/community versions, crippled
      - Proprietary
  14. Open Source Tools
      - There are also some fantastic open source tools
        o Specialized
          - Various specialized fuzzers
          - Standalone proxies
          - Standalone scanners
          - Standalone brute-forcing tools
        o They do not share a data model
          - Integrate them yourself
        o In our experience:
          - Sometimes buggy
          - Last commit was in 2008..
          - Broken user interfaces
  15. Free/Open Source Web Security Tools
      [image]
  16. Our Vision
      - One web, one web security tool
        o Open source
        o Consistent, well-designed UI
        o Functions really well as an automated scanner
          - Shouldn’t need to be a penetration tester
          - Advanced features for those who are
        o User extensibility
          - Community
        o Plus all that boring stuff
          - Documentation, help, business friendly features
  17. Hi, My Name Is:
      - Vega is a web-application security scanner
      - It finds vulnerabilities in your website
      - Written in Java, runs on:
        o Mac OS X
        o Windows
        o Linux
      - A desktop application with a nice GUI
        o Eclipse RCP
  18. Introducing VEGA
      - Currently two modes of operation
      - Automated scanner
        o Point and click hacking
      - Intercepting proxy
        o Instrumentation
        o Manual closer inspection
        o Penetration testing
  19. Scanner
      - Automated scanner
        o Crawls your web application recursively
        o Analyzes links
        o Runs a configurable set of audit and attack actions on these links
        o Limited brute forcing
        o Tests parameters for favorites, such as:
          - Reflected, persistent XSS
          - SQL injection
          - Command injection
          - Local file include
          - Local file reading
        o Tries to identify server misconfigurations
  20. Proxy
      - Intercepting proxy
        o Intercepts requests, responses
          - Based on request method
          - Filters
        o Can be edited
        o Requests can be replayed or created
        o Data decoding and encoding
        o Customized automatic manipulation of requests, responses
        o Response processing scanner modules
  21. What’s Inside
      - Architecture
      - Eclipse RCP
      - Modularity of design enforced with OSGi
      - Using Apache HttpComponents
      - JSoup
      - Google Guava
      - DB4O
      - Rhino JS interpreter
  22. Extensibility
      - Extending Vega with ease
      - Scripting of custom modules
        o JavaScript
        o DOM, jQuery
        o Clean, sensible API
      - Scripting of proxy
        o Automated manipulation of intercepted requests, responses
      - Custom alerts
        o XML templates
  23. VEGA DEMO
  24. Current Status
      - We are really close
        o Finish a few features
        o Polish
        o Testing
        o Fixing bugs
      - Documentation
        o User
        o Developer
        o Help
      - Beta!
        o Mid-April
  25. Future
      - Fun stuff
        o Penetration testing
          - Exploitation of vulnerabilities
          - Support for advanced attacks
        o Brute forcing
          - Directories
          - Username/password
        o Fuzzing
          - E.g. a really good web services fuzzer
        o Specialized support for auditing apps
          - CakePHP, Rails, J2EE
      - Less fun
        o Really nice reporting
  26. Thank you! Interested?
      - Web: http://www.subgraph.com
      - E-mail us: info@subgraph.com
      - Twitter
        o Company: @subgraph (we’ve been quiet)
        o Me: @attractr
      - IRC: irc.freenode.org, #subgraph
      - MTLSEC
        o If you’re in Montreal, we do a monthly, informal 5@7
        o http://www.mtlsec.com, @mtlsec
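Slide 19 lists the parameter tests the scanner runs, reflected XSS among them, and slide 22 says modules are scripted in JavaScript. The block below is an added example, not Vega’s code or its module API, showing the core of such an audit action: collect parameterised links from a page, substitute a marker into each parameter, and report the parameter when the marker comes back unescaped. The in-memory site, the fetchPage stand-in, the escapeHtml helper and the sample pages are all constructed for the example.

```javascript
// Added example (not Vega's code): the core of a reflected-input audit action.
// A constructed in-memory "site" stands in for the network so it runs offline.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample site: path -> renderer. /search reflects the parameter
// raw (the defect the audit detects); /greet escapes it first (the fix).
const SITE = {
  "/search": (p) => `<html><body><p>Results for ${p.q ?? ""}</p></body></html>`,
  "/greet": (p) => `<html><body><p>Hello ${escapeHtml(p.name ?? "")}</p></body></html>`,
};

// Stand-in for an HTTP GET: parse the query string and render the page.
function fetchPage(url) {
  const u = new URL(url);
  return u.pathname in SITE ? SITE[u.pathname](Object.fromEntries(u.searchParams)) : null;
}

// Constructed start page the crawl begins from.
const START_HTML = `<html><body>
  <a href="/search?q=vega">Search</a>
  <a href="/greet?name=dave">Greet</a>
</body></html>`;

// Crawl step: collect absolute link targets from href attributes.
function extractLinks(html, base) {
  return [...html.matchAll(/href="([^"]+)"/g)].map((m) => new URL(m[1], base).toString());
}

// Audit step: for every query parameter, send a marker containing '<' and '>'
// and report the parameter if the marker comes back in the body verbatim,
// i.e. without HTML escaping (the precondition for reflected XSS).
function auditReflection(url) {
  const findings = [];
  const u = new URL(url);
  for (const name of u.searchParams.keys()) {
    const marker = `vgprobe<${name}>`;
    const probe = new URL(u);
    probe.searchParams.set(name, marker);
    const body = fetchPage(probe.toString());
    if (body !== null && body.includes(marker)) {
      findings.push({ path: u.pathname, param: name, type: "reflected-input" });
    }
  }
  return findings;
}

// Scan: audit every parameterised link found on the start page.
function scan(startHtml, base) {
  return extractLinks(startHtml, base).flatMap(auditReflection);
}
```

Running scan(START_HTML, "http://example.test") reports only the q parameter of /search; /greet passes because its output is escaped, which is the fix a developer applies to a finding of this kind.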