SlideShare a Scribd company logo

Subgraph vega countermeasure2012

David Mirza
David Mirza

Using and Extending Vega Vega is an open-source web application vulnerability assessment platform that provides an automated scanner and intercepting proxy. The automated scanner recursively crawls targets and runs injection modules to find vulnerabilities. The intercepting proxy allows editing requests and responses and running response processing modules. Modules are written in JavaScript and Vega is highly extensible. Future plans include improving detections, adding a fuzzer, and making the platform more scriptable.

1 of 34
Download to read offline
Using and Extending Vega David Mirza, Subgraph Montreal www.subgraph.com
Introduction Who We Are  Open-source security startup  Based in Montreal  Experienced founders: • Secure Networks Inc. • SecurityFocus (Symantec) • Core Security Technologies • Netifera • REcon www.subgraph.com
Open Source and Security  Kerckhoffs’ principle  Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer  Made an important realization: “ “  “The security of any cryptographic The security of any cryptographic system does system doessecrecy, it in itsbe able to fall not rest in its not rest must secrecy, it mustthe enemy’s hands without inconvenience. into be able to fall into the enemy’s hands without inconvenience”  The adversary knows the system (Claude The adversary knows the system Shannon) (Claude Shannon) ” ”  As opposed to “security through obscurity” www.subgraph.com
Open Source and Security  Kerckhoffs’ Principle  Well understood in the world of cryptography  New ciphers not trusted  Because cryptography is a “black box”  Once in a while, less now, companies try to market proprietary ciphers  There’s a term for this: “snake oil”  Kerckhoffs’ principle can be understood as “open source is good security” www.subgraph.com
Commercial Web Security Software  Advantages  Ease of installation, upgrade, use  User experience  Quality assurance, bug fixes  Documentation and help  Development driven by demand and need  Disadvantages  Expensive  Sometimes bizarre licensing restrictions  EOL, acquisitions, other events  Proprietary / closed source www.subgraph.com
Open Source Web Security Tools  Let’s just talk about disadvantages..  No integration / sharing between tools  Poor or non-existent UI, documentation / help  Painful, broken installations  Code is of inconsistent quality  Developer / contributor unreliability  Developer interest driven by interest, skill level, whim  Forks  Abandonment   Developer finished college, got a job  Successfully reproduced www.subgraph.com
i hurt  myself today www.subgraph.com
Our Vision  One web, one web security tool  Open source  Consistent, well-designed UI  Functions really well as an automated scanner  Shouldn’t need to be a penetration tester  Advanced features for those who are  User extensibility  Community  Plus all that boring stuff  Documentation, help, business friendly features  We are building the ultimate platform for web security  Rapidly prototype attacks  Nobody should have to use commercial tools  Because Vega is free www.subgraph.com
Introducing Vega Platform ‣ Open-source web application vulnerability assessment platform ‣ Easy to use Graphical Interface ‣ Works on Windows, Mac, Linux ‣ Automated scanner, attacking proxy finds vulnerabilities ‣ Based on Eclipse RCP ‣ Extensible: Javascript – language every web developer knows ‣ Shipped first release July 1 ‣ EPL 1.0 www.subgraph.com
Vega is Built On: Eclipse RCP / Equinox OSGi Apache HC JSoup Mozilla Rhino Eliteness www.subgraph.com
Automated Scanner  Recursive crawl over target scope  404 detection  Probes path nodes to determine if files, directories  Builds tree-like internal representation of target application  Vega runs injection modules on nodes, abstracted in API  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Expanded scope, more than one base URI  Support for authentication: HTTP, form-based, NTLM  Much better scanner modules  Very annoying crawler bugs fixed  www.subgraph.com
Vega Automated Scanner www.subgraph.com
Start new scan and choose some of these modules: www.subgraph.com
Which are each one of these.. www.subgraph.com
Modules produce vulnerability reports: www.subgraph.com
..which are based on these: Vega is very extensible. www.subgraph.com
Request / response pair www.subgraph.com
Can be reviewed / replayed, module highlights finding www.subgraph.com
Vega Proxy  Intercepting proxy  SSL MITM, including CA signing cert  http://vega/ca.crt through the proxy  Edit requests, responses  Request replay  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Proxy scanning  Fuzzes pages in target scope when enabled  Finds lots of vulnerabilities  www.subgraph.com
Browser proxy configuration: www.subgraph.com
General proxy use. Green “play” button enables proxy, red stops it. www.subgraph.com
Configuring a Breakpoint www.subgraph.com
Intercepted Request www.subgraph.com
SSL MITM: Magic proxy URI www.subgraph.com
Proxy Scanning Gathers parameters and path information observing client-server interaction Sees things the crawler can’t see  RPC endpoints  Links in flash, Java, other active content Very effective at finding vulnerabilities To try it, configure the proxy, create a proxy target scope, enable proxy scanning www.subgraph.com
Configure a target scope www.subgraph.com
Enable Proxy Scanning Alert Notification Icon, aka SQL Injection Blinker www.subgraph.com
Proxy Scanner Alerts www.subgraph.com
Demo (1.0!) www.subgraph.com
Extending Vega Modules written in Javascript In the Vega/scripts/ subdirectory tree  Well on OS X they’re in some weird place Two kinds of modules:  Injection, AKA “Basic”  Send fuzzing requests, do stuff with the responses  Response processing  Pattern matching, regex, checking response properties www.subgraph.com
Extending Vega Rich API  Check documentation at https://support.subgraph.com DOM Analysis with Jquery  E.g. file upload, password input submitted over HTTP.. Alerts based on XML templates  In the XML/ subdirectory Freemarker Macro / CSS components www.subgraph.com
Where are we at?  Feature complete for 1.0  Testing and fixing bugs  Additional module refinement and testing  Vega 1.0 release in November? Or early December  Visit my github (or github.com/brl) if you want what you see here  Download link on our website is the beta..  Can provide builds for OS X, Windows users  Just ask me – email, irc (#subgraph / freenode), twitter, whatever www.subgraph.com
What’s coming?  Even more improvements in detections  Fuzzer / brute forcer  Better reporting  Better encoding, decoding, representation and manipulation of structured data  Headless scanner  HAR export  Scriptable proxy  We’re open to ideas and feedback! www.subgraph.com
Thank you!  Web  Try Vega / get the source  http://www.subgraph.com  http://github.com/dma/Vega (newer, less stable)  Twitter  http://github.com/subgraph/Vega  Us: @subgraph (more stable)  Me: @attractr  E-mail us  IRC  info@subgraph.com  irc.freenode.org, #subgraph www.subgraph.com

Recommended

Guideline for retrospective & sprint planning
Guideline for retrospective & sprint planningGuideline for retrospective & sprint planning
Guideline for retrospective & sprint planning
Arata Fujimura
 
Jira
JiraJira
Jira
TalentAcquisitionCon1
 
Malware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptxMalware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptx
Alamgir Hossain
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
Symantec Security Response
 
Egghead redux-cheat-sheet-3-2-1
Egghead redux-cheat-sheet-3-2-1Egghead redux-cheat-sheet-3-2-1
Egghead redux-cheat-sheet-3-2-1
Augustin Bralley
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine Learning
Japneet Singh
 
An Agile Development Primer
An Agile Development PrimerAn Agile Development Primer
An Agile Development Primer
Derek Winter
 
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Bernd Ruecker
 

Recommended

Guideline for retrospective & sprint planning
Guideline for retrospective & sprint planningGuideline for retrospective & sprint planning
Guideline for retrospective & sprint planning
Arata Fujimura
 
Jira
JiraJira
Jira
TalentAcquisitionCon1
 
Malware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptxMalware Detection Approaches using Data Mining Techniques.pptx
Malware Detection Approaches using Data Mining Techniques.pptx
Alamgir Hossain
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
Symantec Security Response
 
Egghead redux-cheat-sheet-3-2-1
Egghead redux-cheat-sheet-3-2-1Egghead redux-cheat-sheet-3-2-1
Egghead redux-cheat-sheet-3-2-1
Augustin Bralley
 
Malware classification using Machine Learning
Malware classification using Machine LearningMalware classification using Machine Learning
Malware classification using Machine Learning
Japneet Singh
 
An Agile Development Primer
An Agile Development PrimerAn Agile Development Primer
An Agile Development Primer
Derek Winter
 
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Monitoring and Orchestration of your Microservices Landscape with Kafka and Z...
Bernd Ruecker
 
The 10 Steps to Becoming a Great Agile Coach
The 10 Steps to Becoming a Great Agile CoachThe 10 Steps to Becoming a Great Agile Coach
The 10 Steps to Becoming a Great Agile Coach
LeadingAgile
 
Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt Strike
Christopher Gerritz
 
How I started to love design patterns
How I started to love design patternsHow I started to love design patterns
How I started to love design patterns
Samuel ROZE
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)
Jason Trost
 
Agile (Scrum)
Agile (Scrum)Agile (Scrum)
Agile (Scrum)
Dom Cushnan
 
Personal Pitch Deck
Personal Pitch DeckPersonal Pitch Deck
Personal Pitch Deck
Jan-Raphael Aclan
 
From Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product SecurityFrom Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
Jason Chan
 
Introduction to Jira Service Management.pdf
Introduction to Jira Service Management.pdfIntroduction to Jira Service Management.pdf
Introduction to Jira Service Management.pdf
Shristi Shrestha
 
Osint
OsintOsint
Osint
Kamal Rathaur
 
Agile & SCRUM basics
Agile & SCRUM basicsAgile & SCRUM basics
Agile & SCRUM basics
Arun R
 
Lessons from 100+ ransomware recoveries
Lessons from 100+ ransomware recoveriesLessons from 100+ ransomware recoveries
Lessons from 100+ ransomware recoveries
Databarracks
 
Agile - Scrum
Agile - ScrumAgile - Scrum
Agile - Scrum
Samir Chitkara
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
Intro to Construct 2: Ghost Shooter - Step by Step
Intro to Construct 2: Ghost Shooter - Step by StepIntro to Construct 2: Ghost Shooter - Step by Step
Intro to Construct 2: Ghost Shooter - Step by Step
Shahed Chowdhuri
 
Understanding the Agile Release and Sprint Planning Process
Understanding the Agile Release and Sprint Planning Process Understanding the Agile Release and Sprint Planning Process
Understanding the Agile Release and Sprint Planning Process
John Derrico
 
Agile Teams
Agile TeamsAgile Teams
Agile Teams
Hammad Ahmad
 
Introduction to Kotlin for Android developers
Introduction to Kotlin for Android developersIntroduction to Kotlin for Android developers
Introduction to Kotlin for Android developers
Mohamed Wael
 
Scrum process framework
Scrum process frameworkScrum process framework
Scrum process framework
Mohammed Fazuluddin
 
Scrum Meetings Infographic v12
Scrum Meetings Infographic v12Scrum Meetings Infographic v12
Scrum Meetings Infographic v12Nigel Thurlow
 
CryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a HackCryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a Hack
Bryan Becker
 
hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011Bachkoutou Toutou
 
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
NullHyderabad
 

More Related Content

What's hot

The 10 Steps to Becoming a Great Agile Coach
The 10 Steps to Becoming a Great Agile CoachThe 10 Steps to Becoming a Great Agile Coach
The 10 Steps to Becoming a Great Agile Coach
LeadingAgile
 
Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt Strike
Christopher Gerritz
 
How I started to love design patterns
How I started to love design patternsHow I started to love design patterns
How I started to love design patterns
Samuel ROZE
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)
Jason Trost
 
Agile (Scrum)
Agile (Scrum)Agile (Scrum)
Agile (Scrum)
Dom Cushnan
 
Personal Pitch Deck
Personal Pitch DeckPersonal Pitch Deck
Personal Pitch Deck
Jan-Raphael Aclan
 
From Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product SecurityFrom Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
Jason Chan
 
Introduction to Jira Service Management.pdf
Introduction to Jira Service Management.pdfIntroduction to Jira Service Management.pdf
Introduction to Jira Service Management.pdf
Shristi Shrestha
 
Osint
OsintOsint
Osint
Kamal Rathaur
 
Agile & SCRUM basics
Agile & SCRUM basicsAgile & SCRUM basics
Agile & SCRUM basics
Arun R
 
Lessons from 100+ ransomware recoveries
Lessons from 100+ ransomware recoveriesLessons from 100+ ransomware recoveries
Lessons from 100+ ransomware recoveries
Databarracks
 
Agile - Scrum
Agile - ScrumAgile - Scrum
Agile - Scrum
Samir Chitkara
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
Intro to Construct 2: Ghost Shooter - Step by Step
Intro to Construct 2: Ghost Shooter - Step by StepIntro to Construct 2: Ghost Shooter - Step by Step
Intro to Construct 2: Ghost Shooter - Step by Step
Shahed Chowdhuri
 
Understanding the Agile Release and Sprint Planning Process
Understanding the Agile Release and Sprint Planning Process Understanding the Agile Release and Sprint Planning Process
Understanding the Agile Release and Sprint Planning Process
John Derrico
 
Agile Teams
Agile TeamsAgile Teams
Agile Teams
Hammad Ahmad
 
Introduction to Kotlin for Android developers
Introduction to Kotlin for Android developersIntroduction to Kotlin for Android developers
Introduction to Kotlin for Android developers
Mohamed Wael
 
Scrum process framework
Scrum process frameworkScrum process framework
Scrum process framework
Mohammed Fazuluddin
 
Scrum Meetings Infographic v12
Scrum Meetings Infographic v12Scrum Meetings Infographic v12
Scrum Meetings Infographic v12Nigel Thurlow
 
CryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a HackCryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a Hack
Bryan Becker
 

What's hot (20)

The 10 Steps to Becoming a Great Agile Coach
The 10 Steps to Becoming a Great Agile CoachThe 10 Steps to Becoming a Great Agile Coach
The 10 Steps to Becoming a Great Agile Coach
 
Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt Strike
 
How I started to love design patterns
How I started to love design patternsHow I started to love design patterns
How I started to love design patterns
 
Modern Honey Network (MHN)
Modern Honey Network (MHN)Modern Honey Network (MHN)
Modern Honey Network (MHN)
 
Agile (Scrum)
Agile (Scrum)Agile (Scrum)
Agile (Scrum)
 
Personal Pitch Deck
Personal Pitch DeckPersonal Pitch Deck
Personal Pitch Deck
 
From Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product SecurityFrom Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
 
Introduction to Jira Service Management.pdf
Introduction to Jira Service Management.pdfIntroduction to Jira Service Management.pdf
Introduction to Jira Service Management.pdf
 
Osint
OsintOsint
Osint
 
Agile & SCRUM basics
Agile & SCRUM basicsAgile & SCRUM basics
Agile & SCRUM basics
 
Lessons from 100+ ransomware recoveries
Lessons from 100+ ransomware recoveriesLessons from 100+ ransomware recoveries
Lessons from 100+ ransomware recoveries
 
Agile - Scrum
Agile - ScrumAgile - Scrum
Agile - Scrum
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Intro to Construct 2: Ghost Shooter - Step by Step
Intro to Construct 2: Ghost Shooter - Step by StepIntro to Construct 2: Ghost Shooter - Step by Step
Intro to Construct 2: Ghost Shooter - Step by Step
 
Understanding the Agile Release and Sprint Planning Process
Understanding the Agile Release and Sprint Planning Process Understanding the Agile Release and Sprint Planning Process
Understanding the Agile Release and Sprint Planning Process
 
Agile Teams
Agile TeamsAgile Teams
Agile Teams
 
Introduction to Kotlin for Android developers
Introduction to Kotlin for Android developersIntroduction to Kotlin for Android developers
Introduction to Kotlin for Android developers
 
Scrum process framework
Scrum process frameworkScrum process framework
Scrum process framework
 
Scrum Meetings Infographic v12
Scrum Meetings Infographic v12Scrum Meetings Infographic v12
Scrum Meetings Infographic v12
 
CryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a HackCryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a Hack
 

Similar to Subgraph vega countermeasure2012

hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011Bachkoutou Toutou
 
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
NullHyderabad
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
SQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
Oles Seheda
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
YaJUG
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
Himanshu Kumar Das
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
Linuxmalaysia Malaysia
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
Louis Jacomet
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
Rich Helton
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
TestDevLab
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
sparkfabrik
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Adrian Cockcroft
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
n|u - The Open Security Community
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Christian Schneider
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Christian Heindel
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
gjdevos
 

Similar to Subgraph vega countermeasure2012 (20)

hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011
 
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 

Subgraph vega countermeasure2012

  • 1. Using and Extending Vega David Mirza, Subgraph Montreal www.subgraph.com
  • 2. Introduction Who We Are  Open-source security startup  Based in Montreal  Experienced founders: • Secure Networks Inc. • SecurityFocus (Symantec) • Core Security Technologies • Netifera • REcon www.subgraph.com
  • 3. Open Source and Security  Kerckhoffs’ principle  Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer  Made an important realization: “ “  “The security of any cryptographic The security of any cryptographic system does system doessecrecy, it in itsbe able to fall not rest in its not rest must secrecy, it mustthe enemy’s hands without inconvenience. into be able to fall into the enemy’s hands without inconvenience”  The adversary knows the system (Claude The adversary knows the system Shannon) (Claude Shannon) ” ”  As opposed to “security through obscurity” www.subgraph.com
  • 4. Open Source and Security  Kerckhoffs’ Principle  Well understood in the world of cryptography  New ciphers not trusted  Because cryptography is a “black box”  Once in a while, less now, companies try to market proprietary ciphers  There’s a term for this: “snake oil”  Kerckhoffs’ principle can be understood as “open source is good security” www.subgraph.com
  • 5. Commercial Web Security Software  Advantages  Ease of installation, upgrade, use  User experience  Quality assurance, bug fixes  Documentation and help  Development driven by demand and need  Disadvantages  Expensive  Sometimes bizarre licensing restrictions  EOL, acquisitions, other events  Proprietary / closed source www.subgraph.com
  • 6. Open Source Web Security Tools  Let’s just talk about disadvantages..  No integration / sharing between tools  Poor or non-existent UI, documentation / help  Painful, broken installations  Code is of inconsistent quality  Developer / contributor unreliability  Developer interest driven by interest, skill level, whim  Forks  Abandonment   Developer finished college, got a job  Successfully reproduced www.subgraph.com
  • 7. i hurt  myself today www.subgraph.com
  • 8. Our Vision  One web, one web security tool  Open source  Consistent, well-designed UI  Functions really well as an automated scanner  Shouldn’t need to be a penetration tester  Advanced features for those who are  User extensibility  Community  Plus all that boring stuff  Documentation, help, business friendly features  We are building the ultimate platform for web security  Rapidly prototype attacks  Nobody should have to use commercial tools  Because Vega is free www.subgraph.com
  • 9. Introducing Vega Platform ‣ Open-source web application vulnerability assessment platform ‣ Easy to use Graphical Interface ‣ Works on Windows, Mac, Linux ‣ Automated scanner, attacking proxy finds vulnerabilities ‣ Based on Eclipse RCP ‣ Extensible: Javascript – language every web developer knows ‣ Shipped first release July 1 ‣ EPL 1.0 www.subgraph.com
  • 10. Vega is Built On: Eclipse RCP / Equinox OSGi Apache HC JSoup Mozilla Rhino Eliteness www.subgraph.com
  • 11. Automated Scanner  Recursive crawl over target scope  404 detection  Probes path nodes to determine if files, directories  Builds tree-like internal representation of target application  Vega runs injection modules on nodes, abstracted in API  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Expanded scope, more than one base URI  Support for authentication: HTTP, form-based, NTLM  Much better scanner modules  Very annoying crawler bugs fixed  www.subgraph.com
  • 12. Vega Automated Scanner www.subgraph.com
  • 13. Start new scan and choose some of these modules: www.subgraph.com
  • 14. Which are each one of these.. www.subgraph.com
  • 15. Modules produce vulnerability reports: www.subgraph.com
  • 16. ..which are based on these: Vega is very extensible. www.subgraph.com
  • 17. Request / response pair www.subgraph.com
  • 18. Can be reviewed / replayed, module highlights finding www.subgraph.com
  • 19. Vega Proxy  Intercepting proxy  SSL MITM, including CA signing cert  http://vega/ca.crt through the proxy  Edit requests, responses  Request replay  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Proxy scanning  Fuzzes pages in target scope when enabled  Finds lots of vulnerabilities  www.subgraph.com
  • 20. Browser proxy configuration: www.subgraph.com
  • 21. General proxy use. Green “play” button enables proxy, red stops it. www.subgraph.com
  • 22. Configuring a Breakpoint www.subgraph.com
  • 23. Intercepted Request www.subgraph.com
  • 24. SSL MITM: Magic proxy URI www.subgraph.com
  • 25. Proxy Scanning Gathers parameters and path information observing client-server interaction Sees things the crawler can’t see  RPC endpoints  Links in flash, Java, other active content Very effective at finding vulnerabilities To try it, configure the proxy, create a proxy target scope, enable proxy scanning www.subgraph.com
  • 26. Configure a target scope www.subgraph.com
  • 27. Enable Proxy Scanning Alert Notification Icon, aka SQL Injection Blinker www.subgraph.com
  • 28. Proxy Scanner Alerts www.subgraph.com
  • 29. Demo (1.0!) www.subgraph.com
  • 30. Extending Vega Modules written in Javascript In the Vega/scripts/ subdirectory tree  Well on OS X they’re in some weird place Two kinds of modules:  Injection, AKA “Basic”  Send fuzzing requests, do stuff with the responses  Response processing  Pattern matching, regex, checking response properties www.subgraph.com
  • 31. Extending Vega Rich API  Check documentation at https://support.subgraph.com DOM Analysis with Jquery  E.g. file upload, password input submitted over HTTP.. Alerts based on XML templates  In the XML/ subdirectory Freemarker Macro / CSS components www.subgraph.com
  • 32. Where are we at?  Feature complete for 1.0  Testing and fixing bugs  Additional module refinement and testing  Vega 1.0 release in November? Or early December  Visit my github (or github.com/brl) if you want what you see here  Download link on our website is the beta..  Can provide builds for OS X, Windows users  Just ask me – email, irc (#subgraph / freenode), twitter, whatever www.subgraph.com
  • 33. What’s coming?  Even more improvements in detections  Fuzzer / brute forcer  Better reporting  Better encoding, decoding, representation and manipulation of structured data  Headless scanner  HAR export  Scriptable proxy  We’re open to ideas and feedback! www.subgraph.com
  • 34. Thank you!  Web  Try Vega / get the source  http://www.subgraph.com  http://github.com/dma/Vega (newer, less stable)  Twitter  http://github.com/subgraph/Vega  Us: @subgraph (more stable)  Me: @attractr  E-mail us  IRC  info@subgraph.com  irc.freenode.org, #subgraph www.subgraph.com