2. Introduction
Who We Are
Open-source security startup
Based in Montreal
Experienced founders:
• Secure Networks Inc.
• SecurityFocus (Symantec)
• Core Security Technologies
• Netifera
• REcon
www.subgraph.com
3. Open Source and Security
Kerckhoffs’ principle
Auguste Kerckhoffs: 19th Century Dutch
linguist and cryptographer
Made an important realization:
“The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience.”
“The adversary knows the system” (Claude Shannon)
As opposed to “security through
obscurity”
4. Open Source and Security
Kerckhoffs’ Principle
Well understood in the world of
cryptography
New ciphers not trusted
Because cryptography is a
“black box”
Once in a while, less now,
companies try to market
proprietary ciphers
There’s a term for this: “snake oil”
Kerckhoffs’ principle can be
understood as “open source is
good security”
5. Commercial Web Security Software
Advantages
Ease of installation, upgrade, use
User experience
Quality assurance, bug fixes
Documentation and help
Development driven by demand and need
Disadvantages
Expensive
Sometimes bizarre licensing restrictions
EOL, acquisitions, other events
Proprietary / closed source
6. Open Source Web Security Tools
Let’s just talk about disadvantages…
No integration / sharing between tools
Poor or non-existent UI, documentation / help
Painful, broken installations
Code is of inconsistent quality
Developer / contributor unreliability
Development driven by developer interest, skill level, whim
Forks
Abandonment
Developer finished college, got a job
Successfully reproduced
8. Our Vision
One web, one web security tool
Open source
Consistent, well-designed UI
Functions really well as an automated scanner
Shouldn’t need to be a penetration tester
Advanced features for those who are
User extensibility
Community
Plus all that boring stuff
Documentation, help, business friendly features
We are building the ultimate platform for web security
Rapidly prototype attacks
Nobody should have to use commercial tools
Because Vega is free
9. Introducing Vega Platform
‣ Open-source web application
vulnerability assessment platform
‣ Easy to use Graphical Interface
‣ Works on Windows, Mac, Linux
‣ Automated scanner, attacking proxy
finds vulnerabilities
‣ Based on Eclipse RCP
‣ Extensible: Javascript – language
every web developer knows
‣ Shipped first release July 1
‣ EPL 1.0
10. Vega is Built On:
Eclipse RCP / Equinox OSGi
Apache HC
JSoup
Mozilla Rhino
Eliteness
11. Automated Scanner
Recursive crawl over target scope
404 detection
Probes path nodes to determine if files, directories
Builds tree-like internal representation of target
application
Vega runs injection modules on nodes, abstracted in API
Response processing modules run on all responses
Modules written in Javascript
New for 1.0
Expanded scope, more than one base URI
Support for authentication: HTTP, form-based, NTLM
Much better scanner modules
Very annoying crawler bugs fixed
18. Can be reviewed / replayed, module highlights finding
19. Vega Proxy
Intercepting proxy
SSL MITM, including CA signing cert
http://vega/ca.crt through the proxy
Edit requests, responses
Request replay
Response processing modules run on all responses
Modules written in Javascript
New for 1.0
Proxy scanning
Fuzzes pages in target scope when enabled
Finds lots of vulnerabilities
25. Proxy Scanning
Gathers parameters and path information
observing client-server interaction
Sees things the crawler can’t see
RPC endpoints
Links in flash, Java, other active content
Very effective at finding vulnerabilities
To try it, configure the proxy, create a
proxy target scope, enable proxy scanning
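The scanner (slide 11) builds a tree of path nodes and runs injection modules on them, and proxy scanning (slide 25) feeds that same tree with parameters and paths seen in real client-server traffic, including RPC endpoints the crawler never reaches. The following is an added illustration, not Vega's own code, of what such a target tree looks like when built from observed requests; the function names (`buildTargetTree`, `listNodes`, `parseRequest`) and the sample traffic are this example's own, and it keeps only the parts the slides describe (scope check, file-versus-directory nodes, parameter names and methods per node).

```javascript
// Added example (not Vega's own code): a minimal model of the target tree
// that the scanner and the proxy scanner build from observed traffic.
// Every in-scope request contributes its path segments as nodes; the leaf
// node records the parameter names and methods seen, which is what an
// injection module needs in order to know where to fuzz.
// Names (buildTargetTree, listNodes, parseRequest, OBSERVED) are this example's own.

// Constructed sample traffic, as a proxy would observe it. The last two
// entries are things a crawler would not find on its own (an RPC endpoint
// called from script, and a request to an out-of-scope host).
const OBSERVED = [
  { method: 'GET',  url: 'http://shop.example/' },
  { method: 'GET',  url: 'http://shop.example/catalog/item?id=42' },
  { method: 'POST', url: 'http://shop.example/catalog/item', body: 'id=42&qty=1' },
  { method: 'GET',  url: 'http://shop.example/api/rpc?method=getUser&uid=7' },
  { method: 'GET',  url: 'http://other.example/evil' },
];

function newNode(name, isDirectory) {
  return { name, isDirectory, children: new Map(), params: new Set(), methods: new Set() };
}

// Split one observed request into origin, path segments and parameter names
// (query string and, for form posts, the urlencoded body).
function parseRequest(req) {
  const u = new URL(req.url);
  const params = new Set(u.searchParams.keys());
  if (req.body) for (const k of new URLSearchParams(req.body).keys()) params.add(k);
  return {
    origin: u.origin,
    segments: u.pathname.split('/').filter(Boolean),
    trailingSlash: u.pathname.endsWith('/'),
    params,
    method: req.method,
  };
}

// Build the tree for one scope origin. A segment that has children, or that
// was requested with a trailing slash, is a directory; otherwise it is a file.
function buildTargetTree(observed, scopeOrigin) {
  const root = newNode('/', true);
  for (const req of observed) {
    const r = parseRequest(req);
    if (r.origin !== scopeOrigin) continue;  // out of scope: never recorded
    let node = root;
    r.segments.forEach((seg, i) => {
      const last = i === r.segments.length - 1;
      if (!node.children.has(seg)) node.children.set(seg, newNode(seg, !last || r.trailingSlash));
      node = node.children.get(seg);
      if (!last) node.isDirectory = true;  // an intermediate segment is a directory
    });
    for (const p of r.params) node.params.add(p);
    node.methods.add(r.method);
  }
  return root;
}

// Flatten the tree to {path, isDirectory, params, methods} records, depth
// first, for display or for handing to injection modules.
function listNodes(node, prefix = '', out = []) {
  for (const [name, child] of node.children) {
    const path = `${prefix}/${name}`;
    out.push({
      path,
      isDirectory: child.isDirectory,
      params: [...child.params].sort(),
      methods: [...child.methods].sort(),
    });
    listNodes(child, path, out);
  }
  return out;
}

for (const n of listNodes(buildTargetTree(OBSERVED, 'http://shop.example'))) {
  console.log(`${n.isDirectory ? 'dir ' : 'file'} ${n.path} params=[${n.params}] methods=[${n.methods}]`);
}
```

The scope check is the part worth keeping in mind when enabling proxy scanning: everything the browser touches flows through the proxy, so only requests matching the proxy target scope should ever be recorded, let alone fuzzed.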
30. Extending Vega
Modules written in Javascript
In the Vega/scripts/ subdirectory tree
Well on OS X they’re in some weird place
Two kinds of modules:
Injection, AKA “Basic”
Send fuzzing requests, do stuff with the responses
Response processing
Pattern matching, regex, checking response
properties
31. Extending Vega
Rich API
Check documentation at
https://support.subgraph.com
DOM analysis with jQuery
E.g. file upload, password input submitted over HTTP…
Alerts based on XML templates
In the XML/ subdirectory
Freemarker Macro / CSS components
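As an added illustration of the response-processing module described on slides 30 and 31 (this is not Vega's module API and not the project's own code), the block below runs the two checks the slide names, a password input submitted over HTTP and a file upload form, over constructed responses. Vega does this kind of DOM analysis with jQuery over a parsed DOM; this example uses regular expressions over the raw HTML so it runs without a browser or DOM library, a simplification that will miss forms assembled by script. The function and constant names (`analyzeResponse`, `attr`, `SAMPLE_RESPONSES`) and the alert shapes are this example's own.

```javascript
// Added example, not Vega's module API: a stand-alone response-processing
// check of the kind the slide describes. Regexes over raw HTML stand in for
// the jQuery DOM analysis Vega does (a simplification). All names are this
// example's own.

const FORM_RE = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
const INPUT_RE = /<input\b[^>]*>/gi;

// Read one attribute value from a tag's text; quotes are optional in HTML.
function attr(tagText, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]*)`, 'i').exec(tagText);
  return m ? m[1] : null;
}

// Run every check over one response and return the alerts raised.
function analyzeResponse(response) {
  const alerts = [];
  const pageUrl = new URL(response.url);
  let m;
  while ((m = FORM_RE.exec(response.body)) !== null) {
    const [, formAttrs, formBody] = m;
    // Resolve where the form actually submits; no action means the page URL.
    const submitUrl = new URL(attr(formAttrs, 'action') || '', pageUrl);
    const types = (formBody.match(INPUT_RE) || [])
      .map(tag => (attr(tag, 'type') || 'text').toLowerCase());
    if (types.includes('password')) {
      if (submitUrl.protocol === 'http:') {
        // Credentials leave the browser in cleartext.
        alerts.push({ severity: 'High', type: 'password-submitted-over-http',
                      url: response.url, action: submitUrl.href });
      } else if (pageUrl.protocol === 'http:') {
        // Action is HTTPS but the page itself arrived over HTTP, so the form
        // could have been altered in transit before the user typed anything.
        alerts.push({ severity: 'Medium', type: 'login-form-served-over-http',
                      url: response.url, action: submitUrl.href });
      }
    }
    if (types.includes('file')) {
      // Informational: upload handlers deserve a closer look.
      alerts.push({ severity: 'Info', type: 'file-upload-form',
                    url: response.url, action: submitUrl.href });
    }
  }
  return alerts;
}

// Constructed responses standing in for what the scanner or proxy would hand
// to a module.
const SAMPLE_RESPONSES = [
  { url: 'http://shop.example/login', status: 200,
    body: '<html><body><form action="/login" method="post">' +
          '<input name="user"><input type="password" name="pw"></form></body></html>' },
  { url: 'http://shop.example/signin', status: 200,
    body: '<form action="https://shop.example/signin" method=post><input type=password name=pw></form>' },
  { url: 'https://shop.example/account', status: 200,
    body: '<form enctype="multipart/form-data" method="post"><input type="file" name="avatar">' +
          '<input type="submit"></form>' },
  { url: 'https://shop.example/secure-login', status: 200,
    body: '<form method="post"><input type="password" name="pw"></form>' },
];

for (const r of SAMPLE_RESPONSES) console.log(r.url, analyzeResponse(r));
```

The point of resolving the form action against the page URL, rather than looking only at the page's own scheme, is that the two can differ in either direction: an HTTPS page can post a password to an HTTP action, and an HTTP page can post to HTTPS but still be tampered with on the way down.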
32. Where are we at?
Feature complete for 1.0
Testing and fixing bugs
Additional module refinement and testing
Vega 1.0 release in November? Or early December
Visit my github (or github.com/brl) if you want what you see here
Download link on our website is the beta…
Can provide builds for OS X, Windows users
Just ask me – email, irc (#subgraph / freenode), twitter, whatever
33. What’s coming?
Even more improvements in detections
Fuzzer / brute forcer
Better reporting
Better encoding, decoding, representation and
manipulation of structured data
Headless scanner
HAR export
Scriptable proxy
We’re open to ideas and feedback!
34. Thank you!
Web: http://www.subgraph.com
Twitter: Us: @subgraph, Me: @attractr
E-mail us: info@subgraph.com
IRC: irc.freenode.org, #subgraph
Try Vega / get the source:
http://github.com/dma/Vega (newer, less stable)
http://github.com/subgraph/Vega (more stable)