Using and Extending Vega

David Mirza, Subgraph
Montreal

www.subgraph.com
Introduction
Who We Are
  Open-source security startup
  Based in Montreal
  Experienced founders:
      • Secure Networks Inc.
      • SecurityFocus (Symantec)
      • Core Security Technologies
      • Netifera
      • REcon
Open Source and Security
Kerckhoffs’ principle
  Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
  Made an important realization:

      “The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience.”

      “The adversary knows the system” (Claude Shannon)

  As opposed to “security through obscurity”
Open Source and Security
Kerckhoffs’ Principle
  Well understood in the world of cryptography
  New ciphers not trusted
  Because cryptography is a “black box”
  Once in a while, less now, companies try to market proprietary ciphers
      There’s a term for this: “snake oil”
  Kerckhoffs’ principle can be understood as “open source is good security”
Commercial Web Security Software
Advantages
  Ease of installation, upgrade, use
  User experience
  Quality assurance, bug fixes
  Documentation and help
  Development driven by demand and need
Disadvantages
  Expensive
  Sometimes bizarre licensing restrictions
  EOL, acquisitions, other events
  Proprietary / closed source
Open Source Web Security Tools
Let’s just talk about disadvantages..
  No integration / sharing between tools
  Poor or non-existent UI, documentation / help
  Painful, broken installations
  Code is of inconsistent quality
  Developer / contributor unreliability
  Developer interest driven by interest, skill level, whim
  Forks
  Abandonment
      Developer finished college, got a job
      Successfully reproduced
i hurt myself today
Our Vision
One web, one web security tool
  Open source
  Consistent, well-designed UI
  Functions really well as an automated scanner
      Shouldn’t need to be a penetration tester
      Advanced features for those who are
  User extensibility
      Community
  Plus all that boring stuff
      Documentation, help, business friendly features
We are building the ultimate platform for web security
  Rapidly prototype attacks
  Nobody should have to use commercial tools
      Because Vega is free
Introducing Vega Platform
  ‣ Open-source web application vulnerability assessment platform
  ‣ Easy to use Graphical Interface
  ‣ Works on Windows, Mac, Linux
  ‣ Automated scanner, attacking proxy finds vulnerabilities
  ‣ Based on Eclipse RCP
  ‣ Extensible: Javascript – language every web developer knows
  ‣ Shipped first release July 1
  ‣ EPL 1.0
Vega is Built On:
  Eclipse RCP / Equinox OSGi
  Apache HC
  JSoup
  Mozilla Rhino
  Eliteness
Automated Scanner
  Recursive crawl over target scope
  404 detection
  Probes path nodes to determine if files, directories
  Builds tree-like internal representation of target application
      Vega runs injection modules on nodes, abstracted in API
  Response processing modules run on all responses
  Modules written in Javascript
  New for 1.0
      Expanded scope, more than one base URI
      Support for authentication: HTTP, form-based, NTLM
      Much better scanner modules
      Very annoying crawler bugs fixed
Vega Automated Scanner
  [screenshot]

Start new scan and choose some of these modules:
  [screenshot]

Which are each one of these..
  [screenshot]

Modules produce vulnerability reports:
  [screenshot]

..which are based on these:
  [screenshot]
  Vega is very extensible.

Request / response pair
  [screenshot]

Can be reviewed / replayed, module highlights finding
  [screenshot]
Vega Proxy
  Intercepting proxy
  SSL MITM, including CA signing cert
      http://vega/ca.crt through the proxy
  Edit requests, responses
  Request replay
  Response processing modules run on all responses
  Modules written in Javascript
  New for 1.0
      Proxy scanning
      Fuzzes pages in target scope when enabled
      Finds lots of vulnerabilities
Browser proxy configuration:
  [screenshot]

General proxy use. Green “play” button enables proxy, red stops it.
  [screenshot]

Configuring a Breakpoint
  [screenshot]

Intercepted Request
  [screenshot]

SSL MITM: Magic proxy URI
  [screenshot]
Proxy Scanning
  Gathers parameters and path information observing client-server interaction
  Sees things the crawler can’t see
      RPC endpoints
      Links in flash, Java, other active content
  Very effective at finding vulnerabilities
  To try it, configure the proxy, create a proxy target scope, enable proxy scanning
Configure a target scope
  [screenshot]

Enable Proxy Scanning
  [screenshot]

Alert Notification Icon, aka SQL Injection Blinker
  [screenshot]

Proxy Scanner Alerts
  [screenshot]

Demo (1.0!)
Extending Vega
  Modules written in Javascript
  In the Vega/scripts/ subdirectory tree
      Well on OS X they’re in some weird place
  Two kinds of modules:
      Injection, AKA “Basic”
          Send fuzzing requests, do stuff with the responses
      Response processing
          Pattern matching, regex, checking response properties
Extending Vega
  Rich API
      Check documentation at https://support.subgraph.com
  DOM Analysis with Jquery
      E.g. file upload, password input submitted over HTTP..
  Alerts based on XML templates
      In the XML/ subdirectory
  Freemarker Macro / CSS components
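The two DOM checks the slide names (a password input submitted over HTTP, a file upload form) written out as a response-processing style check. This is an added example, not Vega's own module code: it does not reproduce how Vega registers a module or hands it each response, it parses the body with regular expressions instead of jQuery so it runs stand-alone under Node, and the function names, sample page and URLs are constructed for the example.

```javascript
"use strict";
// Added example, not Vega's module API: inspect one HTML response and report
// forms that would send a password over plain http:, plus any file upload form.

// Resolve a form's action attribute against the URL the page was fetched from.
// An empty or missing action means the form submits back to the page URL.
function resolveAction(action, pageUrl) {
  try {
    return new URL(action, pageUrl);
  } catch (err) {
    return null; // malformed action or page URL: nothing to check
  }
}

// Value of an attribute inside a tag's attribute string ("" if absent).
// Handles double-quoted, single-quoted and unquoted values.
function attr(attrs, name) {
  const re = new RegExp(
    "\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(attrs);
  if (!m) return "";
  if (m[1] !== undefined) return m[1];
  if (m[2] !== undefined) return m[2];
  return m[3].replace(/\/$/, ""); // drop the "/" of a self-closing tag
}

// Examine every <form> in the response body and return findings:
//   password-over-http : a password field whose form submits to an http: URL
//   file-upload-form   : a form containing a file input (any scheme)
// The page URL matters: a relative action inherits the page's scheme, and an
// HTTPS page can still post a password to an absolute http: action.
function findInsecureForms(pageUrl, html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const inputRe = /<input\b([^>]*)>/gi;
  let form;
  while ((form = formRe.exec(html)) !== null) {
    const target = resolveAction(attr(form[1], "action"), pageUrl);
    if (!target) continue;
    let hasPassword = false;
    let hasFile = false;
    let input;
    while ((input = inputRe.exec(form[2])) !== null) {
      const type = attr(input[1], "type").toLowerCase();
      if (type === "password") hasPassword = true;
      if (type === "file") hasFile = true;
    }
    if (hasPassword && target.protocol === "http:") {
      findings.push({ kind: "password-over-http", action: target.href });
    }
    if (hasFile) {
      findings.push({ kind: "file-upload-form", action: target.href });
    }
  }
  return findings;
}

// Constructed sample response: an http: page with a plain login form, a login
// form that posts to HTTPS, and an upload form with no action attribute.
const SAMPLE_PAGE_URL = "http://www.example.com/app/index.html";
const SAMPLE_HTML = [
  "<html><body>",
  '<form action="/login" method="post">',
  '  <input name="user"><input type="password" name="pass">',
  "</form>",
  "<form action='https://www.example.com/login' method='post'>",
  "  <input type='password' name='pass'>",
  "</form>",
  '<form method="post" enctype="multipart/form-data">',
  '  <input type=file name="doc" />',
  "</form>",
  "</body></html>",
].join("\n");

// Run the check over the constructed sample and return its findings.
function demo() {
  return findInsecureForms(SAMPLE_PAGE_URL, SAMPLE_HTML);
}

for (const f of demo()) {
  console.log(f.kind + " -> " + f.action);
}
```

The sample yields two findings: the relative `/login` form posts a password over http:, and the action-less upload form is reported as a file upload; the form posting to HTTPS is not flagged.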
Where are we at?
  Feature complete for 1.0
  Testing and fixing bugs
  Additional module refinement and testing
  Vega 1.0 release in November? Or early December
  Visit my github (or github.com/brl) if you want what you see here
      Download link on our website is the beta..
  Can provide builds for OS X, Windows users
      Just ask me – email, irc (#subgraph / freenode), twitter, whatever
What’s coming?
  Even more improvements in detections
  Fuzzer / brute forcer
  Better reporting
  Better encoding, decoding, representation and manipulation of structured data
  Headless scanner
  HAR export
  Scriptable proxy
  We’re open to ideas and feedback!
Thank you!

  Web
      http://www.subgraph.com
  Twitter
      Us: @subgraph
      Me: @attractr
  IRC
      irc.freenode.org, #subgraph
  Try Vega / get the source
      http://github.com/dma/Vega (newer, less stable)
      http://github.com/subgraph/Vega (more stable)
  E-mail us
      info@subgraph.com

Weitere ähnliche Inhalte

Was ist angesagt?

[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101OWASP
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)ClubHack
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Abhinav Sejpal
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron securityOWASP
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applicationsOWASP
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 

Was ist angesagt? (20)

[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Framework
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
 
Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)Android Tamer (Anant Shrivastava)
Android Tamer (Anant Shrivastava)
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NET
 
Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1Owasp top 10 web application security hazards - Part 1
Owasp top 10 web application security hazards - Part 1
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 

Ähnlich wie Subgraph vega countermeasure2012

Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfNullHyderabad
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...YaJUG
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemLouis Jacomet
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)TestDevLab
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesSimon Bennetts
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONAdrian Cockcroft
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsChristian Heindel
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Open source technology
Open source technologyOpen source technology
Open source technologyaparnaz1
 

Ähnlich wie Subgraph vega countermeasure2012 (20)

Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
VoxxedDays Luxembourg - Abuse web browsers for fun & profits - Dominique Righ...
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs)
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
OWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced FeaturesOWASP 2014 AppSec EU ZAP Advanced Features
OWASP 2014 AppSec EU ZAP Advanced Features
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Open source technology
Open source technologyOpen source technology
Open source technology
 

Kürzlich hochgeladen

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 

Kürzlich hochgeladen (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Subgraph vega countermeasure2012
  • 1. Using and Extending Vega
    David Mirza, Subgraph, Montreal

  • 2. Introduction: Who We Are
    - Open-source security startup
    - Based in Montreal
    - Experienced founders:
      - Secure Networks Inc.
      - SecurityFocus (Symantec)
      - Core Security Technologies
      - Netifera
      - REcon

  • 3. Open Source and Security: Kerckhoffs’ principle
    - Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
    - Made an important realization: “The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience.”
    - “The adversary knows the system” (Claude Shannon)
    - As opposed to “security through obscurity”

  • 4. Open Source and Security: Kerckhoffs’ Principle
    - Well understood in the world of cryptography
    - New ciphers not trusted
      - Because cryptography is a “black box”
    - Once in a while, less now, companies try to market proprietary ciphers
      - There’s a term for this: “snake oil”
    - Kerckhoffs’ principle can be understood as “open source is good security”

  • 5. Commercial Web Security Software
    - Advantages
      - Ease of installation, upgrade, use
      - User experience
      - Quality assurance, bug fixes
      - Documentation and help
      - Development driven by demand and need
    - Disadvantages
      - Expensive
      - Sometimes bizarre licensing restrictions
      - EOL, acquisitions, other events
      - Proprietary / closed source

  • 6. Open Source Web Security Tools
    - Let’s just talk about disadvantages..
    - No integration / sharing between tools
    - Poor or non-existent UI, documentation / help
    - Painful, broken installations
    - Code is of inconsistent quality
    - Developer / contributor unreliability
      - Developer interest driven by interest, skill level, whim
      - Forks
      - Abandonment
        - Developer finished college, got a job
        - Successfully reproduced

  • 7. i hurt myself today

  • 8. Our Vision
    - One web, one web security tool
      - Open source
      - Consistent, well-designed UI
      - Functions really well as an automated scanner
        - Shouldn’t need to be a penetration tester
      - Advanced features for those who are
      - User extensibility
      - Community
    - Plus all that boring stuff
      - Documentation, help, business friendly features
    - We are building the ultimate platform for web security
      - Rapidly prototype attacks
    - Nobody should have to use commercial tools
      - Because Vega is free

  • 9. Introducing Vega Platform
    - Open-source web application vulnerability assessment platform
    - Easy to use Graphical Interface
    - Works on Windows, Mac, Linux
    - Automated scanner, attacking proxy finds vulnerabilities
    - Based on Eclipse RCP
    - Extensible: Javascript – language every web developer knows
    - Shipped first release July 1
    - EPL 1.0

  • 10. Vega is Built On:
    - Eclipse RCP / Equinox OSGi
    - Apache HC
    - JSoup
    - Mozilla Rhino
    - Eliteness

  • 11. Automated Scanner
    - Recursive crawl over target scope
    - 404 detection
    - Probes path nodes to determine if files, directories
    - Builds tree-like internal representation of target application
    - Vega runs injection modules on nodes, abstracted in API
    - Response processing modules run on all responses
    - Modules written in Javascript
    - New for 1.0
      - Expanded scope, more than one base URI
      - Support for authentication: HTTP, form-based, NTLM
      - Much better scanner modules
      - Very annoying crawler bugs fixed

  • 12. Vega Automated Scanner

  • 13. Start new scan and choose some of these modules:

  • 14. Which are each one of these..

  • 15. Modules produce vulnerability reports:

  • 16. ..which are based on these: Vega is very extensible.

  • 17. Request / response pair

  • 18. Can be reviewed / replayed, module highlights finding

  • 19. Vega Proxy
    - Intercepting proxy
    - SSL MITM, including CA signing cert
      - http://vega/ca.crt through the proxy
    - Edit requests, responses
    - Request replay
    - Response processing modules run on all responses
    - Modules written in Javascript
    - New for 1.0
      - Proxy scanning
        - Fuzzes pages in target scope when enabled
        - Finds lots of vulnerabilities

  • 20. Browser proxy configuration:

  • 21. General proxy use. Green “play” button enables proxy, red stops it.

  • 22. Configuring a Breakpoint

  • 23. Intercepted Request

  • 24. SSL MITM: Magic proxy URI

  • 25. Proxy Scanning
    - Gathers parameters and path information observing client-server interaction
    - Sees things the crawler can’t see
      - RPC endpoints
      - Links in flash, Java, other active content
    - Very effective at finding vulnerabilities
    - To try it, configure the proxy, create a proxy target scope, enable proxy scanning

  • 26. Configure a target scope

  • 27. Enable Proxy Scanning. Alert Notification Icon, aka SQL Injection Blinker

  • 28. Proxy Scanner Alerts

  • 29. Demo (1.0!)

  • 30. Extending Vega
    - Modules written in Javascript
    - In the Vega/scripts/ subdirectory tree
      - Well on OS X they’re in some weird place
    - Two kinds of modules:
      - Injection, AKA “Basic”
        - Send fuzzing requests, do stuff with the responses
      - Response processing
        - Pattern matching, regex, checking response properties

  • 31. Extending Vega
    - Rich API
      - Check documentation at https://support.subgraph.com
    - DOM Analysis with Jquery
      - E.g. file upload, password input submitted over HTTP..
    - Alerts based on XML templates
      - In the XML/ subdirectory
    - Freemarker Macro / CSS components

  • 32. Where are we at?
    - Feature complete for 1.0
    - Testing and fixing bugs
    - Additional module refinement and testing
    - Vega 1.0 release in November? Or early December
    - Visit my github (or github.com/brl) if you want what you see here
      - Download link on our website is the beta..
    - Can provide builds for OS X, Windows users
      - Just ask me – email, irc (#subgraph / freenode), twitter, whatever

  • 33. What’s coming?
    - Even more improvements in detections
    - Fuzzer / brute forcer
    - Better reporting
    - Better encoding, decoding, representation and manipulation of structured data
    - Headless scanner
    - HAR export
    - Scriptable proxy
    - We’re open to ideas and feedback!

  • 34. Thank you!
    - Web: http://www.subgraph.com
    - Try Vega / get the source:
      - http://github.com/dma/Vega (newer, less stable)
      - http://github.com/subgraph/Vega (more stable)
    - Twitter: Us: @subgraph, Me: @attractr
    - E-mail us: info@subgraph.com
    - IRC: irc.freenode.org, #subgraph
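Slides 30 and 31 describe response-processing modules that inspect the DOM for findings such as a password input submitted over HTTP. The following is an added example of the logic behind that check, written here as a standalone Node.js function and not taken from Vega's own modules or its module API; the HTML and URLs are constructed sample input, and a small regex scan stands in for the jQuery DOM analysis a real Vega module would use.

```javascript
// Added example (not Vega's own code): the check behind a "password input
// submitted over HTTP" response-processing module, as a standalone function.
// A regex scan over the HTML replaces the jQuery DOM analysis Vega modules
// would use, so that this file runs under plain Node.js without a DOM.

// Scan an HTML body for <form> elements that contain a password input and
// return one finding per form whose credentials would travel over plain HTTP.
function findPasswordFormsOverHttp(pageUrl, html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    // Only forms that actually carry a password field are of interest.
    if (!/<input\b[^>]*\btype\s*=\s*["']?password["']?/i.test(body)) continue;
    // Resolve a (quoted) action attribute against the page URL; a missing
    // action means the form posts back to the page itself.
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const action = actionMatch ? actionMatch[1] : "";
    const target = new URL(action, pageUrl);
    if (target.protocol === "http:") {
      findings.push({ action: target.href, reason: "form submits over http" });
    } else if (new URL(pageUrl).protocol === "http:") {
      // An https action on an http page is still weak: the page carrying the
      // form has no integrity protection on its way to the browser.
      findings.push({ action: target.href, reason: "form delivered over http" });
    }
  }
  return findings;
}

// Constructed sample response: two password forms (relative and absolute
// action) and one search form that must not be reported.
const SAMPLE_HTML = `<html><body>
<form action="/login" method="post">
  <input name="u"><input type="password" name="p"></form>
<form action="https://sso.example.test/auth"><input type=password name=pw></form>
<form action="/search"><input name="q"></form>
</body></html>`;

// Run the check as if the sample page had been fetched over plain HTTP.
function demoFindings() {
  return findPasswordFormsOverHttp("http://app.example.test/login", SAMPLE_HTML);
}

console.log(demoFindings());
```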