1. Hacking Your Website
With David Mirza, Subgraph Technologies, Montreal
http://www.subgraph.com
2. Introduction
Who we are
Open-source security startup
Based in Montreal
Experienced founders:
  o Secure Networks Inc.
  o SecurityFocus (Symantec)
  o Core Security Technologies
  o Netifera
  o REcon
3. About us
Subgraph is an open source security company
Helping organizations protect their websites
  o Building high quality software
  o Penetration testing
  o Code / architecture review
Incorporated in February 2010
Philosophy of openness important to us
  o More than just releasing the code
4. Open Source and Security
I say! Kerckhoffs’ principle
Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
Made an important realization:
  o “The security of any cryptographic system does not rest in its secrecy; it must be able to fall into the enemy’s hands without inconvenience”
  o More succinctly, the adversary knows the system
As opposed to “security through obscurity”
5. Open Source and Security
Kerckhoffs’ Principle
Well understood in the world of cryptography
  o New ciphers are not trusted without public scrutiny over years
  o Because cryptography is used as a “black box”
    It’s the only way to be sure
  o Once in a while, less now, companies try to market proprietary ciphers
    There’s a term for this: “snake oil”
But what about everyone else?
6. Beyond Cryptography
Security Research Community
Active, global community of passionate professionals, amateurs, students and hackers
  o Collaborative
  o Open
Examples
  o Phrack magazine
  o Bugtraq
  o Defcon
  o Blackhat
  o REcon!
This community changed the software industry
Full-disclosure won
Better security for all
Bug bounties
  o Google, Mozilla
7. Open Source and Security
Tools
These researchers write tools
  o Exploits
  o Network security (e.g. nmap)
Enough to have specialized, dedicated LiveCDs..
  o BackTrack – Penetration testing LiveCD
  o Helix – Forensics LiveCD
The security industry owes them all so much
  o Grassroots, open source innovation
  o Some open source projects became commercial successes
    Snort IDS
    Metasploit
8. Open Source and Security
Open source has always been a part of security
Collaborative, open research
Open source tool development
Kerckhoffs’ Law: open code scrutiny
Means better security, in general
Open source security software
Is more trustworthy: read the source, compile it yourself
No worries, no matter where in the world you live
Why doesn’t everyone demand open source for security?
9. Open Source and Security
Web application security
Followed the same path
Collaborative, open research, advocacy
  o E.g. OWASP
Great open source tools, frameworks
Also, the cutting edge of web application development
Entirely open source!
11. Commercial Web Security Software
Advantages of commercial tools
  Ease of installation, upgrade, use
  User experience
  Quality Assurance, bug fixing
  Documentation/Help
  Development driven by demand/need
Disadvantages
  Expensive
  Bizarre license restrictions
  EOL, acquisitions, other events
  Proprietary, closed source
12. Open Source Web Security Software
Since I’ve already talked about the advantages..
Disadvantages
  No integration / sharing of data between the various tools
  Poor or non-existent UI, documentation, help
  Painful, broken installations
  Code is of inconsistent quality
  Developer, contributor unreliability
  Development driven by whim, interest, skill level
  Forks
  Abandonment
    o Developer finished college, got a job
    o Successfully reproduced
13. Existing Landscape of Web Tools
There are very good commercial tools
  HP, IBM, Qualys
  SAAS, such as Whitehat
  NetSparker
  BurpSuite (free version available)
Expensive
Some free/community versions, crippled
Proprietary
14. Open Source Tools
There are also some fantastic open source tools
Specialized
  o Various specialized fuzzers
  o Standalone proxies
  o Standalone scanners
  o Standalone brute-forcing tools
They do not share a data model
  o Integrate them yourself
In our experience:
  o Sometimes buggy
  o Last commit was in 2008..
  o Broken user interfaces
16. Our Vision
One web, one web security tool
Open source
Consistent, well-designed UI
Functions really well as an automated scanner
  o Shouldn’t need to be a penetration tester
  o Advanced features for those who are
User extensibility
  o Community
Plus all that boring stuff
  o Documentation, help, business friendly features
17. Hi, My Name Is:
Vega is a web-application security scanner
It finds vulnerabilities in your website
Written in Java, runs on:
  Mac OS X
  Windows
  Linux
A desktop application with a nice GUI
  Eclipse RCP
18. Introducing VEGA
Currently two modes of operation
Automated scanner
  o Point and click hacking
Intercepting proxy
  o Instrumentation
  o Manual closer inspection
  o Penetration testing
19. Scanner
Automated scanner
Crawls your web application recursively
Analyzes links
Runs a configurable set of audit and attack actions on these links
Limited brute forcing
Tests parameters for favorites, such as:
  o Reflected, persistent XSS
  o SQL injection
  o Command injection
  o Local file include
  o Local file reading
Tries to identify server misconfigurations
20. Proxy
Intercepting proxy
Intercepts requests, responses
  o Based on request method
  o Filters
Can be edited
Requests can be replayed or created
Data decoding and encoding
Customized automatic manipulation of requests, responses
Response processing scanner modules
21. What’s Inside
Architecture
Eclipse RCP
Modularity of design enforced with OSGi
Using
  Apache HTTPComponents
  JSoup
  Google Guava
  DB4O
  Rhino JS Interpreter
22. Extensibility
Extending Vega with ease
Scripting of custom modules
  o JavaScript
  o DOM, jQuery
  o Clean, sensible API
Scripting of proxy
  o Automated manipulation of intercepted requests, responses
Custom alerts
  o XML Templates
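Slides 19, 20 and 22 describe response-processing scanner modules written in JavaScript that raise alerts for server misconfigurations. The block below is an added illustration, not Vega's own module API or code: a stand-alone JavaScript response processor that runs three misconfiguration checks (missing HttpOnly on a session cookie, version disclosure in server banners, directory listing) over a constructed captured response. The response contents, the check names and the alert shape are assumptions.

```javascript
// Added example (not Vega's module API): a response-processing check of the
// kind the slides describe, written as plain JavaScript so it runs in Node.
const SAMPLE_RESPONSE = {            // constructed sample, not real traffic
  status: 200,
  headers: {
    "server": "Apache/2.2.14 (Ubuntu)",
    "content-type": "text/html",
    "set-cookie": "PHPSESSID=abc123; path=/",
    "x-powered-by": "PHP/5.3.2",
  },
  body: "<html><head><title>Index of /backup</title></head><body></body></html>",
};

// Each check inspects one response and returns alert details or null.
// Names and severities are assumed values, standing in for an XML alert template.
const CHECKS = [
  {
    name: "session-cookie-missing-httponly",
    severity: "medium",
    test: (r) => {
      const cookie = r.headers["set-cookie"];
      return cookie && !/;\s*httponly/i.test(cookie)
        ? { detail: cookie.split(";")[0] } : null;
    },
  },
  {
    name: "server-version-disclosure",
    severity: "low",
    test: (r) => {
      // A banner that carries a dotted version number discloses the software build.
      const banners = ["server", "x-powered-by"]
        .map((h) => r.headers[h] || "")
        .filter((b) => /\d+\.\d+/.test(b));
      return banners.length ? { detail: banners.join(", ") } : null;
    },
  },
  {
    name: "directory-listing-enabled",
    severity: "medium",
    test: (r) => (/<title>Index of \//i.test(r.body) ? { detail: "Index of" } : null),
  },
];

// Run every check against one captured response; returns the alerts raised.
function processResponse(response) {
  const alerts = [];
  for (const check of CHECKS) {
    const hit = check.test(response);
    if (hit) alerts.push({ name: check.name, severity: check.severity, ...hit });
  }
  return alerts;
}

console.log(processResponse(SAMPLE_RESPONSE));
```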
24. Current Status
We are really close
Finish a few features
  Polish
  Testing
  Fixing bugs
Documentation
  User
  Developer
  Help
Beta! Mid-April
25. Future
Fun stuff
Penetration testing
  o Exploitation of vulnerabilities
  o Support for advanced attacks
Brute Forcing
  o Directories
  o Username/password
Fuzzing
  o E.g. A really good web services fuzzer
Specialized support for auditing apps
  o CakePHP, Rails, J2EE
Less fun
Really nice reporting
26. Thank you!
Interested?
Web: http://www.subgraph.com
E-mail us: info@subgraph.com
Twitter
  Company: @subgraph (we’ve been quiet)
  Me: @attractr
IRC: irc.freenode.org, #subgraph
MTLSEC
If you’re in Montreal, we do a monthly, informal 5@7
http://www.mtlsec.com, @mtlsec