SlideShare une entreprise Scribd logo

Subgraph vega countermeasure2012

David Mirza
David Mirza

Vega 1.0 presentation at Countermeasure 2012.

Technologie
1  sur  34
Télécharger pour lire hors ligne
Using and Extending Vega David Mirza, Subgraph Montreal www.subgraph.com
Introduction Who We Are  Open-source security startup  Based in Montreal  Experienced founders: • Secure Networks Inc. • SecurityFocus (Symantec) • Core Security Technologies • Netifera • REcon www.subgraph.com
Open Source and Security  Kerckhoffs’ principle  Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer  Made an important realization: “ “  “The security of any cryptographic The security of any cryptographic system does system doessecrecy, it in itsbe able to fall not rest in its not rest must secrecy, it mustthe enemy’s hands without inconvenience. into be able to fall into the enemy’s hands without inconvenience”  The adversary knows the system (Claude The adversary knows the system Shannon) (Claude Shannon) ” ”  As opposed to “security through obscurity” www.subgraph.com
Open Source and Security  Kerckhoffs’ Principle  Well understood in the world of cryptography  New ciphers not trusted  Because cryptography is a “black box”  Once in a while, less now, companies try to market proprietary ciphers  There’s a term for this: “snake oil”  Kerckhoffs’ principle can be understood as “open source is good security” www.subgraph.com
Commercial Web Security Software  Advantages  Ease of installation, upgrade, use  User experience  Quality assurance, bug fixes  Documentation and help  Development driven by demand and need  Disadvantages  Expensive  Sometimes bizarre licensing restrictions  EOL, acquisitions, other events  Proprietary / closed source www.subgraph.com
Open Source Web Security Tools  Let’s just talk about disadvantages..  No integration / sharing between tools  Poor or non-existent UI, documentation / help  Painful, broken installations  Code is of inconsistent quality  Developer / contributor unreliability  Developer interest driven by interest, skill level, whim  Forks  Abandonment   Developer finished college, got a job  Successfully reproduced www.subgraph.com
i hurt  myself today www.subgraph.com
Our Vision  One web, one web security tool  Open source  Consistent, well-designed UI  Functions really well as an automated scanner  Shouldn’t need to be a penetration tester  Advanced features for those who are  User extensibility  Community  Plus all that boring stuff  Documentation, help, business friendly features  We are building the ultimate platform for web security  Rapidly prototype attacks  Nobody should have to use commercial tools  Because Vega is free www.subgraph.com
Introducing Vega Platform ‣ Open-source web application vulnerability assessment platform ‣ Easy to use Graphical Interface ‣ Works on Windows, Mac, Linux ‣ Automated scanner, attacking proxy finds vulnerabilities ‣ Based on Eclipse RCP ‣ Extensible: Javascript – language every web developer knows ‣ Shipped first release July 1 ‣ EPL 1.0 www.subgraph.com
Vega is Built On: Eclipse RCP / Equinox OSGi Apache HC JSoup Mozilla Rhino Eliteness www.subgraph.com
Automated Scanner  Recursive crawl over target scope  404 detection  Probes path nodes to determine if files, directories  Builds tree-like internal representation of target application  Vega runs injection modules on nodes, abstracted in API  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Expanded scope, more than one base URI  Support for authentication: HTTP, form-based, NTLM  Much better scanner modules  Very annoying crawler bugs fixed  www.subgraph.com
Vega Automated Scanner www.subgraph.com
Start new scan and choose some of these modules: www.subgraph.com
Which are each one of these.. www.subgraph.com
Modules produce vulnerability reports: www.subgraph.com
..which are based on these: Vega is very extensible. www.subgraph.com
Request / response pair www.subgraph.com
Can be reviewed / replayed, module highlights finding www.subgraph.com
Vega Proxy  Intercepting proxy  SSL MITM, including CA signing cert  http://vega/ca.crt through the proxy  Edit requests, responses  Request replay  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Proxy scanning  Fuzzes pages in target scope when enabled  Finds lots of vulnerabilities  www.subgraph.com
Browser proxy configuration: www.subgraph.com
General proxy use. Green “play” button enables proxy, red stops it. www.subgraph.com
Configuring a Breakpoint www.subgraph.com
Intercepted Request www.subgraph.com
SSL MITM: Magic proxy URI www.subgraph.com
Proxy Scanning Gathers parameters and path information observing client-server interaction Sees things the crawler can’t see  RPC endpoints  Links in flash, Java, other active content Very effective at finding vulnerabilities To try it, configure the proxy, create a proxy target scope, enable proxy scanning www.subgraph.com
Configure a target scope www.subgraph.com
Enable Proxy Scanning Alert Notification Icon, aka SQL Injection Blinker www.subgraph.com
Proxy Scanner Alerts www.subgraph.com
Demo (1.0!) www.subgraph.com
Extending Vega Modules written in Javascript In the Vega/scripts/ subdirectory tree  Well on OS X they’re in some weird place Two kinds of modules:  Injection, AKA “Basic”  Send fuzzing requests, do stuff with the responses  Response processing  Pattern matching, regex, checking response properties www.subgraph.com
Extending Vega Rich API  Check documentation at https://support.subgraph.com DOM Analysis with Jquery  E.g. file upload, password input submitted over HTTP.. Alerts based on XML templates  In the XML/ subdirectory Freemarker Macro / CSS components www.subgraph.com
Where are we at?  Feature complete for 1.0  Testing and fixing bugs  Additional module refinement and testing  Vega 1.0 release in November? Or early December  Visit my github (or github.com/brl) if you want what you see here  Download link on our website is the beta..  Can provide builds for OS X, Windows users  Just ask me – email, irc (#subgraph / freenode), twitter, whatever www.subgraph.com
What’s coming?  Even more improvements in detections  Fuzzer / brute forcer  Better reporting  Better encoding, decoding, representation and manipulation of structured data  Headless scanner  HAR export  Scriptable proxy  We’re open to ideas and feedback! www.subgraph.com
Thank you!  Web  Try Vega / get the source  http://www.subgraph.com  http://github.com/dma/Vega (newer, less stable)  Twitter  http://github.com/subgraph/Vega  Us: @subgraph (more stable)  Me: @attractr  E-mail us  IRC  info@subgraph.com  irc.freenode.org, #subgraph www.subgraph.com

Recommandé

hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011Bachkoutou Toutou
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Web tools ppt
Web tools pptWeb tools ppt
Web tools pptTamara Pia Agavi
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 

Recommandé

hacking your website with vega, confoo2011
hacking your website with vega, confoo2011hacking your website with vega, confoo2011
hacking your website with vega, confoo2011Bachkoutou Toutou
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Web tools ppt
Web tools pptWeb tools ppt
Web tools pptTamara Pia Agavi
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Cyber ppt
Cyber pptCyber ppt
Cyber pptkarthik menon
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Frameworkn|u - The Open Security Community
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)ClubHack
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NETMikhail Shcherbakov
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron securityOWASP
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applicationsOWASP
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfNullHyderabad
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 

Contenu connexe

Tendances

[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)ClubHack
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron securityOWASP
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applicationsOWASP
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 

Tendances (20)

[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Framework
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
 
Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NET
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 

Similaire à Subgraph vega countermeasure2012

Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfNullHyderabad
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...YaJUG
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemLouis Jacomet
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)TestDevLab
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesSimon Bennetts
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONAdrian Cockcroft
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsChristian Heindel
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Open source technology
Open source technologyOpen source technology
Open source technologyaparnaz1
 

Similaire à Subgraph vega countermeasure2012 (20)

Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Open source technology
Open source technologyOpen source technology
Open source technology
 

Dernier

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Subgraph vega countermeasure2012

  • 1. Using and Extending Vega David Mirza, Subgraph Montreal www.subgraph.com
  • 2. Introduction Who We Are  Open-source security startup  Based in Montreal  Experienced founders: • Secure Networks Inc. • SecurityFocus (Symantec) • Core Security Technologies • Netifera • REcon www.subgraph.com
  • 3. Open Source and Security  Kerckhoffs’ principle  Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer  Made an important realization: “ “  “The security of any cryptographic The security of any cryptographic system does system doessecrecy, it in itsbe able to fall not rest in its not rest must secrecy, it mustthe enemy’s hands without inconvenience. into be able to fall into the enemy’s hands without inconvenience”  The adversary knows the system (Claude The adversary knows the system Shannon) (Claude Shannon) ” ”  As opposed to “security through obscurity” www.subgraph.com
  • 4. Open Source and Security  Kerckhoffs’ Principle  Well understood in the world of cryptography  New ciphers not trusted  Because cryptography is a “black box”  Once in a while, less now, companies try to market proprietary ciphers  There’s a term for this: “snake oil”  Kerckhoffs’ principle can be understood as “open source is good security” www.subgraph.com
  • 5. Commercial Web Security Software  Advantages  Ease of installation, upgrade, use  User experience  Quality assurance, bug fixes  Documentation and help  Development driven by demand and need  Disadvantages  Expensive  Sometimes bizarre licensing restrictions  EOL, acquisitions, other events  Proprietary / closed source www.subgraph.com
  • 6. Open Source Web Security Tools  Let’s just talk about disadvantages..  No integration / sharing between tools  Poor or non-existent UI, documentation / help  Painful, broken installations  Code is of inconsistent quality  Developer / contributor unreliability  Developer interest driven by interest, skill level, whim  Forks  Abandonment   Developer finished college, got a job  Successfully reproduced www.subgraph.com
  • 7. i hurt  myself today www.subgraph.com
  • 8. Our Vision  One web, one web security tool  Open source  Consistent, well-designed UI  Functions really well as an automated scanner  Shouldn’t need to be a penetration tester  Advanced features for those who are  User extensibility  Community  Plus all that boring stuff  Documentation, help, business friendly features  We are building the ultimate platform for web security  Rapidly prototype attacks  Nobody should have to use commercial tools  Because Vega is free www.subgraph.com
  • 9. Introducing Vega Platform ‣ Open-source web application vulnerability assessment platform ‣ Easy to use Graphical Interface ‣ Works on Windows, Mac, Linux ‣ Automated scanner, attacking proxy finds vulnerabilities ‣ Based on Eclipse RCP ‣ Extensible: Javascript – language every web developer knows ‣ Shipped first release July 1 ‣ EPL 1.0 www.subgraph.com
  • 10. Vega is Built On: Eclipse RCP / Equinox OSGi Apache HC JSoup Mozilla Rhino Eliteness www.subgraph.com
  • 11. Automated Scanner  Recursive crawl over target scope  404 detection  Probes path nodes to determine if files, directories  Builds tree-like internal representation of target application  Vega runs injection modules on nodes, abstracted in API  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Expanded scope, more than one base URI  Support for authentication: HTTP, form-based, NTLM  Much better scanner modules  Very annoying crawler bugs fixed  www.subgraph.com
  • 12. Vega Automated Scanner www.subgraph.com
  • 13. Start new scan and choose some of these modules: www.subgraph.com
  • 14. Which are each one of these.. www.subgraph.com
  • 15. Modules produce vulnerability reports: www.subgraph.com
  • 16. ..which are based on these: Vega is very extensible. www.subgraph.com
  • 17. Request / response pair www.subgraph.com
  • 18. Can be reviewed / replayed, module highlights finding www.subgraph.com
  • 19. Vega Proxy  Intercepting proxy  SSL MITM, including CA signing cert  http://vega/ca.crt through the proxy  Edit requests, responses  Request replay  Response processing modules run on all responses  Modules written in Javascript  New for 1.0  Proxy scanning  Fuzzes pages in target scope when enabled  Finds lots of vulnerabilities  www.subgraph.com
  • 20. Browser proxy configuration: www.subgraph.com
  • 21. General proxy use. Green “play” button enables proxy, red stops it. www.subgraph.com
  • 22. Configuring a Breakpoint www.subgraph.com
  • 23. Intercepted Request www.subgraph.com
  • 24. SSL MITM: Magic proxy URI www.subgraph.com
  • 25. Proxy Scanning Gathers parameters and path information observing client-server interaction Sees things the crawler can’t see  RPC endpoints  Links in flash, Java, other active content Very effective at finding vulnerabilities To try it, configure the proxy, create a proxy target scope, enable proxy scanning www.subgraph.com
  • 26. Configure a target scope www.subgraph.com
  • 27. Enable Proxy Scanning Alert Notification Icon, aka SQL Injection Blinker www.subgraph.com
  • 28. Proxy Scanner Alerts www.subgraph.com
  • 29. Demo (1.0!) www.subgraph.com
  • 30. Extending Vega Modules written in Javascript In the Vega/scripts/ subdirectory tree  Well on OS X they’re in some weird place Two kinds of modules:  Injection, AKA “Basic”  Send fuzzing requests, do stuff with the responses  Response processing  Pattern matching, regex, checking response properties www.subgraph.com
  • 31. Extending Vega Rich API  Check documentation at https://support.subgraph.com DOM Analysis with Jquery  E.g. file upload, password input submitted over HTTP.. Alerts based on XML templates  In the XML/ subdirectory Freemarker Macro / CSS components www.subgraph.com
  • 32. Where are we at?  Feature complete for 1.0  Testing and fixing bugs  Additional module refinement and testing  Vega 1.0 release in November? Or early December  Visit my github (or github.com/brl) if you want what you see here  Download link on our website is the beta..  Can provide builds for OS X, Windows users  Just ask me – email, irc (#subgraph / freenode), twitter, whatever www.subgraph.com
  • 33. What’s coming?  Even more improvements in detections  Fuzzer / brute forcer  Better reporting  Better encoding, decoding, representation and manipulation of structured data  Headless scanner  HAR export  Scriptable proxy  We’re open to ideas and feedback! www.subgraph.com
  • 34. Thank you!  Web  Try Vega / get the source  http://www.subgraph.com  http://github.com/dma/Vega (newer, less stable)  Twitter  http://github.com/subgraph/Vega  Us: @subgraph (more stable)  Me: @attractr  E-mail us  IRC  info@subgraph.com  irc.freenode.org, #subgraph www.subgraph.com