Hacking Your Website With Vega (Confoo 2011)

David Mirza, Subgraph Technologies
Montreal

http://www.subgraph.com
Introduction

Who we are
- Open-source security startup
- Based in Montreal
- Experienced founders:
  o Secure Networks Inc.
  o SecurityFocus (Symantec)
  o Core Security Technologies
  o Netifera
  o REcon
About us

Subgraph is an open source security company
- Helping organizations protect their websites
  o Building high quality software
  o Penetration testing
  o Code / architecture review
- Incorporated in February 2010
- Philosophy of openness important to us
  o More than just releasing the code
Open Source and Security

[Figure caption: "I say!"]

Kerckhoffs' principle
- Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
- Made an important realization:
  o "The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy's hands without inconvenience"
  o More succinctly, the adversary knows the system
- As opposed to "security through obscurity"
Open Source and Security

Kerckhoffs' Principle
- Well understood in the world of cryptography
  o New ciphers are not trusted without public scrutiny over years
  o Because cryptography is used as a "black box"
    + It's the only way to be sure
  o Once in a while, less now, companies try to market proprietary ciphers
    + There's a term for this: "snake oil"
- But what about everyone else?
Beyond Cryptography

Security Research Community
- Active, global community of passionate professionals, amateurs, students and hackers
  o Collaborative
  o Open
- Examples
  o Phrack magazine
  o Bugtraq
  o Defcon
  o Blackhat
  o REcon!

This community changed the software industry
- Full-disclosure won
- Better security for all
- Bug bounties
  o Google, Mozilla
Open Source and Security

Tools
- These researchers write tools
  o Exploits
  o Network security (e.g. nmap)
- Enough to have specialized, dedicated LiveCDs...
  o BackTrack – Penetration testing LiveCD
  o Helix – Forensics LiveCD
- The security industry owes all so much
  o Grassroots, open source innovation
  o Some open source projects became commercial successes
    + Snort IDS
    + Metasploit
Open Source and Security

Open source has always been a part of security
- Collaborative, open research
- Open source tool development

Kerckhoffs' Law: open code scrutiny
- Means better security, in general

Open source security software
- Is more trustworthy: read the source, compile it yourself
- No worries, no matter where in the world you live

Why doesn't everyone demand open source for security?
Open Source and Security

Web application security
- Followed the same path
- Collaborative, open research, advocacy
  o E.g. OWASP
- Great open source tools, frameworks

Also, the cutting edge of web application development
- Entirely open source!
Web Security Timeline

[Figure: web security timeline]
Commercial Web Security Software

Advantages of commercial tools
- Ease of installation, upgrade, use
- User experience
- Quality Assurance, bug fixing
- Documentation/Help
- Development driven by demand/need

Disadvantages
- Expensive
- Bizarre license restrictions
- EOL, acquisitions, other events
- Proprietary, closed source
Open Source Web Security Software

Since I've already talked about the advantages...

Disadvantages
- No integration / sharing of data between the various tools
- Poor or non-existent UI, documentation, help
- Painful, broken installations
- Code is of inconsistent quality
- Developer, contributor unreliability
- Development driven by whim, interest, skill level
- Forks
- Abandonment
  o Developer finished college, got a job
  o Successfully reproduced
Existing Landscape of Web Tools

There are very good commercial tools
- HP, IBM, Qualys
- SAAS, such as Whitehat
- NetSparker
- BurpSuite (free version available)

Expensive
- Some free/community versions, crippled

Proprietary
Open Source Tools

There are also some fantastic open source tools
- Specialized
  o Various specialized fuzzers
  o Standalone proxies
  o Standalone scanners
  o Standalone brute-forcing tools
- They do not share a data model
  o Integrate them yourself
- In our experience:
  o Sometimes buggy
  o Last commit was in 2008...
  o Broken user interfaces
Free/Open Source Web Security Tools

[Figure: free/open source web security tools]
Our Vision

One web, one web security tool
- Open source
- Consistent, well-designed UI
- Functions really well as an automated scanner
  o Shouldn't need to be a penetration tester
  o Advanced features for those who are
- User extensibility
  o Community
- Plus all that boring stuff
  o Documentation, help, business friendly features
Hi, My Name Is:

Vega is a web-application security scanner
It finds vulnerabilities in your website
Written in Java, runs on:
- Mac OS X
- Windows
- Linux
A desktop application with a nice GUI
- Eclipse RCP
Introducing VEGA

Currently two modes of operation
- Automated scanner
  o Point and click hacking
- Intercepting proxy
  o Instrumentation
  o Manual closer inspection
  o Penetration testing
Scanner

Automated scanner
- Crawls your web application recursively
- Analyzes links
- Runs a configurable set of audit and attack actions on these links
- Limited brute forcing
- Tests parameters for favorites, such as:
  o Reflected, persistent XSS
  o SQL injection
  o Command injection
  o Local file include
  o Local file reading
- Tries to identify server misconfigurations
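The first two bullets above (recursive crawling, link analysis) hinge on one detail a scanner operator cares about: the crawler must stay inside the site it is authorized to test. The following is an added illustration, not Vega's crawler and not code from the talk, of the link-discovery step with a scope filter. The function names, the response shape and the sample HTML are all constructed for the example; a production crawler would use a real HTML parser (the architecture slide lists JSoup) rather than the attribute regex used here.

```javascript
// Added example (not Vega's code): link discovery for a crawler, with a scope
// check so the crawl never leaves the in-scope origin.

// Pull href/src/action attribute values out of HTML. A regex is enough for a
// demonstration; a real crawler would use an HTML parser.
function extractRawLinks(html) {
  const re = /\b(?:href|src|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    // Whichever quoting style matched, take that capture group.
    links.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
  }
  return links;
}

// Resolve each raw link against the page URL, drop non-http(s) schemes and
// fragments, and keep only URLs on the in-scope origin.
// Returns unique absolute URLs in discovery order.
function discoverInScopeLinks(pageUrl, html, scopeOrigin) {
  const seen = new Set();
  for (const raw of extractRawLinks(html)) {
    let u;
    try {
      u = new URL(raw, pageUrl);          // relative links resolve against the page
    } catch (e) {
      continue;                           // malformed value: skip, do not crash the crawl
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") continue; // javascript:, mailto:, data:
    u.hash = "";                          // a fragment does not change the fetched resource
    if (u.origin !== scopeOrigin) continue; // out of scope: never request it
    seen.add(u.href);
  }
  return Array.from(seen);
}

// Constructed sample page: mixes in-scope, out-of-scope, duplicate and non-http links.
const SAMPLE_PAGE_URL = "https://app.example.test/products?id=3";
const SAMPLE_HTML = `
<html><body>
  <a href="/products?id=4">Next</a>
  <a href="details.html#specs">Details</a>
  <a href="https://app.example.test/products?id=4">Next (absolute, duplicate)</a>
  <script src="https://cdn.other.test/lib.js"></script>
  <a href="mailto:info@example.test">Mail</a>
  <a href='javascript:void(0)'>Noop</a>
  <form action=/search method="get"><input name="q"></form>
  <img src="/logo.png">
</body></html>`;

function runSample() {
  return discoverInScopeLinks(SAMPLE_PAGE_URL, SAMPLE_HTML, "https://app.example.test");
}

console.log(runSample());
```

The scope check is deliberately on `origin` (scheme, host and port together), so an `http://` link on the same host is also excluded; widen the check only when the assessment scope actually includes both schemes.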
Proxy

Intercepting proxy
- Intercepts requests, responses
  o Based on request method
  o Filters
- Can be edited
- Requests can be replayed or created
- Data decoding and encoding
- Customized automatic manipulation of requests, responses
- Response processing scanner modules
What's Inside

Architecture
- Eclipse RCP
- Modularity of design enforced with OSGI
- Using Apache HTTPComponents
- JSoup
- Google Guava
- DB4O
- Rhino JS Interpreter
Extensibility

Extending Vega with ease
- Scripting of custom modules
  o Javascript
  o DOM, JQuery
  o Clean, sensible API
- Scripting of proxy
  o Automated manipulation of intercepted requests, responses
- Custom alerts
  o XML Templates
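The Scanner slide says Vega "tries to identify server misconfigurations", the Proxy slide mentions "response processing scanner modules", and this slide says such modules are scripted in JavaScript. As an added example that ties those three together (not Vega's code, and not Vega's real module API, whose function names are not assumed here), the block below is a plain JavaScript response-processing check: it takes one captured HTTP response and returns alert records for configuration weaknesses a defender would want fixed. The response object shape, the header list, the alert fields and the sample response are all constructed for the illustration.

```javascript
// Added example (not Vega's code, not Vega's module API): a response-processing
// check in the style of a scripted scanner module. Input is one captured
// response { url, status, headers, body }; output is a list of alert records.

// Hardening headers whose absence on an HTML response is worth an alert.
const EXPECTED_HEADERS = [
  { name: "x-frame-options", hint: "Set X-Frame-Options: DENY or SAMEORIGIN to limit clickjacking." },
  { name: "x-content-type-options", hint: "Set X-Content-Type-Options: nosniff." },
  { name: "content-security-policy", hint: "Define a Content-Security-Policy to reduce XSS impact." },
];

// HTTP header names are case-insensitive; normalise to lower case so a check
// does not miss "X-Frame-Options" because it looked for "x-frame-options".
// Multi-valued headers (Set-Cookie) may arrive as arrays and are kept as arrays.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.map(String) : String(v);
  }
  return out;
}

// The module body: inspect one response, return alerts (possibly empty).
function checkServerConfiguration(response) {
  const alerts = [];
  const headers = normalizeHeaders(response.headers || {});
  const isHtml = /^text\/html/i.test(headers["content-type"] || "");
  const isHttps = /^https:/i.test(response.url || "");

  // 1. Missing hardening headers on HTML responses.
  if (isHtml) {
    for (const h of EXPECTED_HEADERS) {
      if (!(h.name in headers)) {
        alerts.push({ severity: "low", title: `Missing ${h.name} header`, url: response.url, detail: h.hint });
      }
    }
  }

  // 2. Server banner carrying a version number (information disclosure).
  const server = headers["server"];
  if (server && /\d+\.\d+/.test(server)) {
    alerts.push({ severity: "info", title: "Server version disclosed", url: response.url, detail: `Server header: ${server}` });
  }

  // 3. Cookies set without Secure (on https) or HttpOnly.
  const cookies = [].concat(headers["set-cookie"] || []);
  for (const cookie of cookies) {
    const parts = cookie.split(";").map(p => p.trim());
    const name = parts[0].split("=")[0];
    const attrs = parts.slice(1).map(a => a.toLowerCase());
    const missing = [];
    if (isHttps && !attrs.includes("secure")) missing.push("Secure");
    if (!attrs.includes("httponly")) missing.push("HttpOnly");
    if (missing.length > 0) {
      alerts.push({ severity: "medium", title: "Insecure cookie attributes", url: response.url,
                    detail: `Cookie '${name}' set without: ${missing.join(", ")}` });
    }
  }
  return alerts;
}

// Constructed sample response: HTML page with one good and one weak cookie,
// a versioned Server banner, and only one of the three hardening headers.
const SAMPLE_RESPONSE = {
  url: "https://example.test/login",
  status: 200,
  headers: {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.2.14 (Ubuntu)",
    "Set-Cookie": ["session=abc123; Path=/", "lang=en; Path=/; Secure; HttpOnly"],
    "X-Content-Type-Options": "nosniff",
  },
  body: "<html><body>Login</body></html>",
};

function runSample() {
  return checkServerConfiguration(SAMPLE_RESPONSE);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Each alert record carries a severity, a title, the URL it was seen on and a remediation hint, which is the kind of structured finding the "custom alerts / XML templates" bullet implies a report template would consume.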
VEGA

DEMO
Current Status

We are really close
- Finish a few features
- Polish
- Testing
- Fixing bugs

Documentation
- User
- Developer
- Help

Beta!
- Mid-April
Future

Fun stuff
- Penetration testing
  o Exploitation of vulnerabilities
  o Support for advanced attacks
- Brute Forcing
  o Directories
  o Username/password
- Fuzzing
  o E.g. A really good web services fuzzer
- Specialized support for auditing apps
  o CakePHP, Rails, J2EE

Less fun
- Really nice reporting
Thank you! Interested?

Web
- http://www.subgraph.com

Twitter
- Company: @subgraph (we've been quiet)
- Me: @attractr

IRC
- irc.freenode.org, #subgraph

E-mail us
- info@subgraph.com

MTLSEC
- If you're in Montreal, we do a monthly, informal 5@7
- http://www.mtlsec.com, @mtlsec

Weitere ähnliche Inhalte

Was ist angesagt?

[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafIMMUNIO
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open SourcePOSSCON
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsSecuRing
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Guy Podjarny
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 

Was ist angesagt? (20)

[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
HackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs wafHackFest 2015 - Rasp vs waf
HackFest 2015 - Rasp vs waf
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Cyber Security and Open Source
Cyber Security and Open SourceCyber Security and Open Source
Cyber Security and Open Source
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
 
Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)Secure Node Code (workshop, O'Reilly Security)
Secure Node Code (workshop, O'Reilly Security)
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 

Ähnlich wie hacking your website with vega, confoo2011

Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Open source technology
Open source technologyOpen source technology
Open source technologyaparnaz1
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...CODE BLUE
 
Sandboxing - Malware detection.pptx
Sandboxing - Malware detection.pptxSandboxing - Malware detection.pptx
Sandboxing - Malware detection.pptxArshadFarhad4
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Construye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open sourceConstruye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open sourceSoftware Guru
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitationprimeteacher32
 
Devops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source WayDevops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source WayYusuf Hadiwinata Sutandar
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystemsparkfabrik
 
Eliz seminar
Eliz seminar Eliz seminar
Eliz seminar henelpj
 
Open Source, Sourceforge Projects, & Apache Foundation
Open Source, Sourceforge Projects, & Apache FoundationOpen Source, Sourceforge Projects, & Apache Foundation
Open Source, Sourceforge Projects, & Apache FoundationMohammad Kotb
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetessparkfabrik
 

Ähnlich wie hacking your website with vega, confoo2011 (20)

Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Open source technology
Open source technologyOpen source technology
Open source technology
 
AppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 PrimerAppSec & OWASP Top 10 Primer
AppSec & OWASP Top 10 Primer
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...[CB19] tknk_scanner v2:community-based integrated malware identification syst...
[CB19] tknk_scanner v2:community-based integrated malware identification syst...
 
Building your Open Source Security stack
Building your Open Source Security stackBuilding your Open Source Security stack
Building your Open Source Security stack
 
Sandboxing - Malware detection.pptx
Sandboxing - Malware detection.pptxSandboxing - Malware detection.pptx
Sandboxing - Malware detection.pptx
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Construye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open sourceConstruye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open source
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Sandbox
SandboxSandbox
Sandbox
 
Computer security
Computer securityComputer security
Computer security
 
Devops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source WayDevops Indonesia - DevSecOps - The Open Source Way
Devops Indonesia - DevSecOps - The Open Source Way
 
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP EcosystemWhat is the Secure Supply Chain and the Current State of the PHP Ecosystem
What is the Secure Supply Chain and the Current State of the PHP Ecosystem
 
Eliz seminar
Eliz seminar Eliz seminar
Eliz seminar
 
Open Source, Sourceforge Projects, & Apache Foundation
Open Source, Sourceforge Projects, & Apache FoundationOpen Source, Sourceforge Projects, & Apache Foundation
Open Source, Sourceforge Projects, & Apache Foundation
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
 

Mehr von Bachkoutou Toutou

Making php see, confoo 2011
Making php see, confoo 2011 Making php see, confoo 2011
Making php see, confoo 2011 Bachkoutou Toutou
 
Sean coates fifty things and tricks, confoo 2011
Sean coates fifty things and tricks, confoo 2011Sean coates fifty things and tricks, confoo 2011
Sean coates fifty things and tricks, confoo 2011Bachkoutou Toutou
 
Premiers pas dans les extensions PHP, Pierrick Charron, Confoo 2011
Premiers pas dans les extensions PHP, Pierrick Charron, Confoo 2011Premiers pas dans les extensions PHP, Pierrick Charron, Confoo 2011
Premiers pas dans les extensions PHP, Pierrick Charron, Confoo 2011Bachkoutou Toutou
 
Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011
Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011
Kill bottlenecks with gearman, sphinx, and memcached, Confoo 2011Bachkoutou Toutou
 
Zend Framework 2, What's new, Confoo 2011
Zend Framework 2, What's new, Confoo 2011Zend Framework 2, What's new, Confoo 2011
Zend Framework 2, What's new, Confoo 2011Bachkoutou Toutou
 
Connecting web Applications with Desktop, confoo 2011
Connecting web Applications with Desktop, confoo 2011Connecting web Applications with Desktop, confoo 2011
Connecting web Applications with Desktop, confoo 2011Bachkoutou Toutou
 
Connecting Web Application and Desktop, confoo 2011, qafoo
Connecting Web Application and Desktop, confoo 2011, qafooConnecting Web Application and Desktop, confoo 2011, qafoo
Connecting Web Application and Desktop, confoo 2011, qafooBachkoutou Toutou
 
99 problems but the search aint one, confoo 2011, andrei zmievski
99 problems but the search aint one, confoo 2011, andrei zmievski99 problems but the search aint one, confoo 2011, andrei zmievski
99 problems but the search aint one, confoo 2011, andrei zmievskiBachkoutou Toutou
 
Php Inside - confoo 2011 - Derick Rethans
Php Inside -  confoo 2011 - Derick RethansPhp Inside -  confoo 2011 - Derick Rethans
Php Inside - confoo 2011 - Derick RethansBachkoutou Toutou
 
WebShell - confoo 2011 - sean coates
WebShell - confoo 2011 - sean coatesWebShell - confoo 2011 - sean coates
WebShell - confoo 2011 - sean coatesBachkoutou Toutou
 
Stress Free Deployment - Confoo 2011
Stress Free Deployment  - Confoo 2011Stress Free Deployment  - Confoo 2011
Stress Free Deployment - Confoo 2011Bachkoutou Toutou
 
Confoo 2011 - Advanced OO Patterns
Confoo 2011 - Advanced OO PatternsConfoo 2011 - Advanced OO Patterns
Confoo 2011 - Advanced OO PatternsBachkoutou Toutou
 

Mehr von Bachkoutou Toutou (14)

Making php see, confoo 2011
Making php see, confoo 2011 Making php see, confoo 2011
Making php see, confoo 2011
 
Sean coates fifty things and tricks, confoo 2011
hacking your website with vega, confoo2011

  • 1. Hacking Your Website With Vega
      David Mirza, Subgraph Technologies
      Montreal
      http://www.subgraph.com
  • 2. Introduction
      Who we are
          Open-source security startup
          Based in Montreal
          Experienced founders:
              o Secure Networks Inc.
              o SecurityFocus (Symantec)
              o Core Security Technologies
              o Netifera
              o REcon
  • 3. About us
      Subgraph is an open source security company
          Helping organizations protect their websites
              o Building high quality software
              o Penetration testing
              o Code / architecture review
          Incorporated in February 2010
          Philosophy of openness important to us
              o More than just releasing the code
  • 4. Open Source and Security
      "I say!"
      Kerckhoffs' principle
          Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
          Made an important realization:
              o "The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy's hands without inconvenience"
              o More succinctly, the adversary knows the system
          As opposed to "security through obscurity"
  • 5. Open Source and Security
      Kerckhoffs' Principle
          Well understood in the world of cryptography
              o New ciphers are not trusted without public scrutiny over years
              o Because cryptography is used as a "black box"
          It's the only way to be sure
              o Once in a while, less now, companies try to market proprietary ciphers
          There's a term for this: "snake oil"
          But what about everyone else?
  • 6. Beyond Cryptography
      Security Research Community
          Active, global community of passionate professionals, amateurs, students and hackers
              o Collaborative
              o Open
          Examples
              o Phrack magazine
              o Bugtraq
              o Defcon
              o Blackhat
              o REcon!
          This community changed the software industry
          Full-disclosure won
          Better security for all
          Bug bounties
              o Google, Mozilla
  • 7. Open Source and Security
      Tools
          These researchers write tools
              o Exploits
              o Network security (e.g. nmap)
          Enough to have specialized, dedicated LiveCDs..
              o BackTrack - Penetration testing LiveCD
              o Helix - Forensics LiveCD
          The security industry owes all so much
              o Grassroots, open source innovation
              o Some open source projects became commercial successes
                  Snort IDS
                  Metasploit
  • 8. Open Source and Security
      Open source has always been a part of security
          Collaborative, open research
          Open source tool development
          Kerckhoffs' Law: open code scrutiny
          Means better security, in general
      Open source security software
          Is more trustworthy: read the source, compile it yourself
          No worries, no matter where in the world you live
      Why doesn't everyone demand open source for security?
  • 9. Open Source and Security
      Web application security
          Followed the same path
          Collaborative, open research, advocacy
              o E.g. OWASP
          Great open source tools, frameworks
          Also, the cutting edge of web application development
          Entirely open source!
  • 10. Web Security Timeline
  • 11. Commercial Web Security Software
      Advantages of commercial tools
          Ease of installation, upgrade, use
          User experience
          Quality Assurance, bug fixing
          Documentation/Help
          Development driven by demand/need
      Disadvantages
          Expensive
          Bizarre license restrictions
          EOL, acquisitions, other events
          Proprietary, closed source
  • 12. Open Source Web Security Software
      Since I've already talked about the advantages..
      Disadvantages
          No integration / sharing of data between the various tools
          Poor or non-existent UI, documentation, help
          Painful, broken installations
          Code is of inconsistent quality
          Developer, contributor unreliability
          Development driven by whim, interest, skill level
          Forks
          Abandonment
              o Developer finished college, got a job
              o Successfully reproduced
  • 13. Existing Landscape of Web Tools
      There are very good commercial tools
          HP, IBM, Qualys
          SAAS, such as Whitehat
          NetSparker
          BurpSuite (free version available)
      Expensive
          Some free/community versions, crippled
      Proprietary
  • 14. Open Source Tools
      There are also some fantastic open source tools
          Specialized
              o Various specialized fuzzers
              o Standalone proxies
              o Standalone scanners
              o Standalone brute-forcing tools
          They do not share a data model
              o Integrate them yourself
          In our experience:
              o Sometimes buggy
              o Last commit was in 2008..
              o Broken user interfaces
  • 15. Free/Open Source Web Security Tools
  • 16. Our Vision
      One web, one web security tool
          Open source
          Consistent, well-designed UI
          Functions really well as an automated scanner
              o Shouldn't need to be a penetration tester
              o Advanced features for those who are
          User extensibility
              o Community
          Plus all that boring stuff
              o Documentation, help, business friendly features
  • 17. Hi, My Name Is: Vega
      Vega is a web-application security scanner
          It finds vulnerabilities in your website
      Written in Java, runs on:
          Mac OS X
          Windows
          Linux
      A desktop application with a nice GUI
          Eclipse RCP
  • 18. Introducing VEGA
      Currently two modes of operation
          Automated scanner
              o Point and click hacking
          Intercepting proxy
              o Instrumentation
              o Manual closer inspection
              o Penetration testing
  • 19. Scanner
      Automated scanner
          Crawls your web application recursively
          Analyzes links
          Runs a configurable set of audit and attack actions on these links
          Limited brute forcing
          Tests parameters for favorites, such as:
              o Reflected, persistent XSS
              o SQL injection
              o Command injection
              o Local file include
              o Local file reading
          Tries to identify server misconfigurations
  • 20. Proxy
      Intercepting proxy
          Intercepts requests, responses
              o Based on request method
              o Filters
          Can be edited
          Requests can be replayed or created
          Data decoding and encoding
          Customized automatic manipulation of requests, responses
          Response processing scanner modules
  • 21. What's Inside
      Architecture
          Eclipse RCP
          Modularity of design enforced with OSGI
          Using Apache HTTPComponents
          JSoup
          Google Guava
          DB4O
          Rhino JS Interpreter
  • 22. Extensibility
      Extending Vega with ease
          Scripting of custom modules
              o Javascript
              o DOM, JQuery
              o Clean, sensible API
          Scripting of proxy
              o Automated manipulation of intercepted requests, responses
          Custom alerts
              o XML Templates
  • 23. VEGA DEMO
  • 24. Current Status
      We are really close
          Finish a few features
          Polish
          Testing
          Fixing bugs
          Documentation
              User
              Developer
              Help
      Beta! Mid-April
  • 25. Future
      Fun stuff
          Penetration testing
              o Exploitation of vulnerabilities
              o Support for advanced attacks
          Brute Forcing
              o Directories
              o Username/password
          Fuzzing
              o E.g. A really good web services fuzzer
          Specialized support for auditing apps
              o CakePHP, Rails, J2EE
      Less fun
          Really nice reporting
  • 26. Thank you! Interested?
      Web
          http://www.subgraph.com
      E-mail us
          info@subgraph.com
      Twitter
          Company: @subgraph (we've been quiet)
          Me: @attractr
      MTLSEC
          If you're in Montreal, we do a monthly, informal 5@7
          http://www.mtlsec.com, @mtlsec
      IRC
          irc.freenode.org, #subgraph