Subgraph vega countermeasure2012
Transcript of Subgraph vega countermeasure2012
Page 2
Who We Are
Open-source security startup
Based in Montreal
Experienced founders:
•Secure Networks Inc.
•SecurityFocus (Symantec)
•Core Security Technologies
•Netifera
•REcon
Introduction
www.subgraph.com
Page 3
Open Source and Security: Kerckhoffs’ principle
Auguste Kerckhoffs: 19th-century Dutch linguist and cryptographer
Made an important realization:
“The security of any cryptographic system does not rest in its secrecy; it must be able to fall into the enemy’s hands without inconvenience.”
Restated by Claude Shannon as: the adversary knows the system
As opposed to “security through obscurity”
Page 4
Open Source and Security
Kerckhoffs’ Principle
Well understood in the world of cryptography
New ciphers are not trusted until they have been openly analyzed
Because to its users cryptography is a “black box”
Once in a while, less often now, companies try to market proprietary ciphers
There’s a term for this: “snake oil”
Kerckhoffs’ principle can be understood as “open source is good security”
Page 5
Commercial Web Security Software
Advantages
Ease of installation, upgrade, use
User experience
Quality assurance, bug fixes
Documentation and help
Development driven by demand and need
Disadvantages
Expensive
Sometimes bizarre licensing restrictions
EOL, acquisitions, other events
Proprietary / closed source
Page 6
Open Source Web Security Tools
Let’s just talk about disadvantages..
No integration / sharing between tools
Poor or non-existent UI, documentation / help
Painful, broken installations
Code is of inconsistent quality
Developer / contributor unreliability
Development driven by developer interest, skill level, whim
Forks
Abandonment: developer finished college, got a job
Successfully reproduced
Page 8
Our Vision
One web, one web security tool
Open source
Consistent, well-designed UI
Functions really well as an automated scanner
Shouldn’t need to be a penetration tester
Advanced features for those who are
User extensibility
Community
Plus all that boring stuff: documentation, help, business-friendly features
We are building the ultimate platform for web security
Rapidly prototype attacks
Nobody should have to use commercial tools
Because Vega is free
Page 9
Introducing Vega Platform
‣ Open-source web application vulnerability assessment platform
‣ Easy to use Graphical Interface
‣ Works on Windows, Mac, Linux
‣ Automated scanner, attacking proxy finds vulnerabilities
‣ Based on Eclipse RCP
‣ Extensible: Javascript – language every web developer knows
‣ Shipped first release July 1
‣ EPL 1.0
Page 10
Vega is Built On:
Eclipse RCP / Equinox OSGi
Apache HC
JSoup
Mozilla Rhino
Eliteness
Page 11
Automated Scanner
Recursive crawl over target scope
404 detection
Probes path nodes to determine if they are files or directories
Builds tree-like internal representation of target application
Vega runs injection modules on nodes, abstracted in API
Response processing modules run on all responses
Modules written in Javascript
New for 1.0
Expanded scope, more than one base URI
Support for authentication: HTTP, form-based, NTLM
Much better scanner modules
Very annoying crawler bugs fixed
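How a crawler can tell a hard 404 from a “soft 404” (a 200 that carries the site’s error template), as an added stand-alone JavaScript example that is not Vega’s own code: it learns the error page from a deliberately nonexistent probe path, normalizes away the per-request parts, and compares later responses against that baseline before classifying a path node. The sample server, the paths and the 0.9 similarity threshold are constructed for illustration.

```javascript
// Added example (not Vega's code): "soft 404" detection for a crawler.
// The crawler requests a path that cannot exist, learns what the server's
// error page looks like, and then treats any later response that matches
// that template as "not found" even when the status code is 200.

// Remove the parts of a page that change from request to request so two
// error pages for different paths compare equal: echoes of the requested
// path, numbers (request ids, timestamps, sizes) and whitespace runs.
function normalizeBody(body, path) {
  return body
    .split(path).join("")
    .replace(/\d+/g, "0")
    .replace(/\s+/g, " ")
    .trim();
}

// Jaccard similarity over whitespace-separated tokens: cheap and
// order-insensitive, enough to separate "same template" from "other page".
function similarity(a, b) {
  const tokens = s => new Set(s.split(" ").filter(Boolean));
  const A = tokens(a), B = tokens(b);
  if (A.size === 0 && B.size === 0) return 1;
  let inter = 0;
  for (const w of A) if (B.has(w)) inter++;
  return inter / (A.size + B.size - inter);
}

// Learn the baseline from a random, certainly nonexistent path under `dir`.
// `fetch` is caller-supplied: (path) => { status, body }. A real crawler
// issues an HTTP request here; the example passes a constructed server.
function learnNotFound(fetch, dir) {
  const probe = dir + "probe-" + Math.random().toString(36).slice(2, 10);
  const r = fetch(probe);
  return { status: r.status, body: normalizeBody(r.body, probe) };
}

// A response is "not found" if it is a hard 404, or if it has the same
// status as the baseline and its normalized body matches the baseline
// closely. The 0.9 threshold is an assumption chosen for this example.
function isNotFound(resp, path, baseline, threshold = 0.9) {
  if (resp.status === 404) return true;
  if (resp.status !== baseline.status) return false;
  return similarity(normalizeBody(resp.body, path), baseline.body) >= threshold;
}

// Constructed sample server: one real page, one forbidden directory, and a
// 200 + error template for everything else (the soft-404 behaviour).
const sampleServer = {
  "/app/index.php": {
    status: 200,
    body: "<html><title>Shop</title><h1>Welcome</h1><a href=\"/app/login.php\">Login</a></html>",
  },
  "/app/private/": { status: 403, body: "<html><h1>Forbidden</h1></html>" },
};
function sampleFetch(path) {
  if (sampleServer[path]) return sampleServer[path];
  return {
    status: 200,
    body: "<html><title>Oops</title><h1>Page " + path + " was not found</h1>" +
          "<p>Request id " + Math.floor(Math.random() * 100000) + "</p></html>",
  };
}

// Classify each candidate path as "missing" or "present" (present means the
// node deserves a closer look, including 403s and other non-error answers).
function classify(paths, fetch = sampleFetch, dir = "/app/") {
  const baseline = learnNotFound(fetch, dir);
  const result = {};
  for (const p of paths) {
    result[p] = isNotFound(fetch(p), p, baseline) ? "missing" : "present";
  }
  return result;
}

console.log(classify(["/app/index.php", "/app/admin.php", "/app/backup.zip", "/app/private/"]));
```

The baseline should be learned once per directory rather than once per site, since different handlers (a PHP front controller, a static directory, an API prefix) often answer unknown paths with different templates.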
Page 19
Vega Proxy
Intercepting proxy
SSL MITM, including CA signing cert
Fetch the CA certificate at http://vega/ca.crt through the proxy; import it only into the browser profile used for testing
Edit requests, responses
Request replay
Response processing modules run on all responses
Modules written in Javascript
New for 1.0
Proxy scanning
Fuzzes pages in target scope when enabled
Finds lots of vulnerabilities
Page 21
General proxy use. Green “play” button enables proxy, red stops it.
Page 25
Proxy Scanning
Gathers parameters and path information observing client-server interaction
Sees things the crawler can’t see
RPC endpoints
Links in flash, Java, other active content
Very effective at finding vulnerabilities
To try it, configure the proxy, create a proxy target scope, enable proxy scanning
Page 27
Alert Notification Icon, aka SQL Injection Blinker
Enable Proxy Scanning
Page 30
Extending Vega
Modules written in Javascript
In the Vega/scripts/ subdirectory tree
Well on OS X they’re in some weird place
Two kinds of modules:
Injection, AKA “Basic”
Send fuzzing requests, do stuff with the responses
Response processing
Pattern matching, regex, checking response properties
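The shape of an injection (“basic”) module, as an added stand-alone example in plain JavaScript (Node) that is not written against Vega’s module API: mutate each query parameter with a few error-provoking payloads, send the variants through a caller-supplied send() function, and search the responses for database error signatures. The target application, the payload list and the error-pattern list are constructed for illustration.

```javascript
// Added example (not Vega's code): the shape of an injection module, in
// plain JavaScript. Each query parameter is mutated with a few
// error-provoking payloads; the variants go through a caller-supplied
// send() function and the responses are searched for database error text.
// Error-based detection only finds verbose back ends; blind injection needs
// boolean or timing probes, which this example does not do.

// Signatures of verbose database errors, one per common engine. The list
// is constructed for the example, not Vega's own signature set.
const SQL_ERROR_PATTERNS = [
  /You have an error in your SQL syntax/i,                 // MySQL
  /Warning: mysql_/i,                                       // PHP mysql_* wrapper
  /Unclosed quotation mark after the character string/i,    // Microsoft SQL Server
  /ORA-\d{5}/,                                              // Oracle
  /PostgreSQL.*ERROR|pg_query\(\)/i,                        // PostgreSQL
  /SQLite3?::|SQLITE_ERROR/i,                               // SQLite
];

// Appended to the original value, so the server still sees a plausible
// parameter and we trip the query parser rather than a type check.
const PAYLOADS = ["'", "\"", "')"];

// Return the matching error text, or null if the body looks clean.
function detectSqlError(body) {
  for (const re of SQL_ERROR_PATTERNS) {
    const m = body.match(re);
    if (m) return m[0];
  }
  return null;
}

// Fuzz every query parameter of `url`. `send` is (href) => { status, body }.
function fuzzParameters(url, send) {
  const base = new URL(url);
  const findings = [];
  // A clean baseline first: a page that always shows an error must not be
  // reported once per payload.
  if (detectSqlError(send(base.href).body)) return findings;
  for (const name of new Set(base.searchParams.keys())) {
    for (const payload of PAYLOADS) {
      const variant = new URL(base.href);
      variant.searchParams.set(name, base.searchParams.get(name) + payload);
      const evidence = detectSqlError(send(variant.href).body);
      if (evidence) {
        findings.push({ param: name, payload, evidence, url: variant.href });
        break; // one finding per parameter is enough for a report
      }
    }
  }
  return findings;
}

// Constructed sample target: `id` is concatenated into a MySQL query and
// leaks the error; `sort` is handled safely.
function sampleSend(href) {
  const u = new URL(href);
  const id = u.searchParams.get("id") || "";
  if (/['"]/.test(id)) {
    return {
      status: 500,
      body: "<b>Warning</b>: mysql_query(): You have an error in your SQL syntax; " +
            "check the manual near '" + id + "' at line 1",
    };
  }
  return { status: 200, body: "<html><h1>Product " + id + "</h1></html>" };
}

console.log(fuzzParameters("http://shop.example/item.php?id=12&sort=price", sampleSend));
```

Keeping the baseline check and the one-finding-per-parameter cutoff is what stops a module like this from flooding the alert view; a real module would also fuzz POST bodies, cookies and headers, which the slide’s node abstraction is meant to hide from the module author.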
Page 31
Extending Vega
Rich API
Check documentation at https://support.subgraph.com
DOM Analysis with Jquery
E.g. file upload, password input submitted over HTTP..
Alerts based on XML templates
In the XML/ subdirectory
Freemarker Macro / CSS components
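A response-processing check of the kind the slide lists (password input submitted over HTTP, file-upload forms, cookie flags), as an added stand-alone JavaScript example rather than a Vega module: it uses regular expressions over the raw HTML instead of jQuery over the parsed DOM so it runs without Vega. The request, the response and the alert identifiers are constructed.

```javascript
// Added example (not a Vega module): a response-processing check of the
// kind the slide lists. It works on raw HTML with regular expressions so it
// runs stand-alone; inside Vega the same checks would use jQuery over the
// parsed DOM. Request, response and alert identifiers are constructed.

const FORM_RE = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
const ACTION_RE = /\baction\s*=\s*["']?([^"'\s>]+)/i;
const PASSWORD_RE = /<input\b[^>]*type\s*=\s*["']?password/i;
const FILE_RE = /<input\b[^>]*type\s*=\s*["']?file/i;

// Returns a list of { id, detail } alerts for one request/response pair.
// req: { url }, res: { status, headers: { "set-cookie": [...] }, body }.
function checkResponse(req, res) {
  const alerts = [];
  const pageUrl = new URL(req.url);

  // Forms: resolve the action against the page URL (relative actions are
  // common) and flag credential forms that would submit over plain HTTP.
  FORM_RE.lastIndex = 0;
  let m;
  while ((m = FORM_RE.exec(res.body)) !== null) {
    const [, attrs, inner] = m;
    const action = (attrs.match(ACTION_RE) || [])[1] || req.url;
    const target = new URL(action, pageUrl);
    if (PASSWORD_RE.test(inner) && target.protocol !== "https:") {
      alerts.push({ id: "password-over-http", detail: target.href });
    }
    if (FILE_RE.test(inner)) {
      alerts.push({ id: "file-upload-form", detail: target.href });
    }
  }

  // Cookies: Secure is only meaningful when the page itself is HTTPS;
  // HttpOnly matters everywhere.
  for (const cookie of res.headers["set-cookie"] || []) {
    const name = cookie.split("=")[0].trim();
    const lower = cookie.toLowerCase();
    if (pageUrl.protocol === "https:" && !/;\s*secure(\s*;|\s*$)/.test(lower)) {
      alerts.push({ id: "cookie-no-secure", detail: name });
    }
    if (!/;\s*httponly(\s*;|\s*$)/.test(lower)) {
      alerts.push({ id: "cookie-no-httponly", detail: name });
    }
  }
  return alerts;
}

// Constructed sample: an HTTPS account page whose login form posts to HTTP,
// an upload form, a session cookie without flags and a well-flagged cookie.
const sampleRequest = { url: "https://shop.example/account" };
const sampleResponse = {
  status: 200,
  headers: {
    "set-cookie": [
      "PHPSESSID=abc123; Path=/",
      "prefs=dark; Path=/; Secure; HttpOnly",
    ],
  },
  body: [
    "<html><body>",
    "<form action=\"http://shop.example/login.php\" method=\"post\">",
    "  <input type=\"text\" name=\"user\"><input type=\"password\" name=\"pass\">",
    "</form>",
    "<form action=\"/upload\" method=\"post\" enctype=\"multipart/form-data\">",
    "  <input type=\"file\" name=\"avatar\">",
    "</form>",
    "</body></html>",
  ].join("\n"),
};

console.log(checkResponse(sampleRequest, sampleResponse));
```

Regex over HTML is enough for a demonstration but breaks on nested or malformed markup; that is why the slide points at DOM analysis with jQuery for the real modules.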
Page 32
Where are we at?
Feature complete for 1.0
Testing and fixing bugs
Additional module refinement and testing
Vega 1.0 release in November? Or early December
Visit my github (or github.com/brl) if you want what you see here
Download link on our website is the beta..
Can provide builds for OS X, Windows users
Just ask me: email, irc (#subgraph / freenode), twitter, whatever
Page 33
What’s coming?
Even more improvements in detections
Fuzzer / brute forcer
Better reporting
Better encoding, decoding, representation and manipulation of structured data
Headless scanner
HAR export
Scriptable proxy
We’re open to ideas and feedback!
Page 34
Thank you!
Web
http://www.subgraph.com
Us: @subgraph
Me: @attractr
IRC
irc.freenode.org, #subgraph
Try Vega / get the source
http://github.com/dma/Vega (newer, less stable)
http://github.com/subgraph/Vega (more stable)
E-mail us