Subgraph vega countermeasure2012
0 likes1,554 views
Using and Extending Vega Vega is an open-source web application vulnerability assessment platform that provides an automated scanner and intercepting proxy. The automated scanner recursively crawls targets and runs injection modules to find vulnerabilities. The intercepting proxy allows editing requests and responses and running response processing modules. Modules are written in JavaScript and Vega is highly extensible. Future plans include improving detections, adding a fuzzer, and making the platform more scriptable.
Subgraph vega countermeasure2012
- 1. Using and Extending Vega David Mirza, Subgraph Montreal www.subgraph.com
- 2. Introduction Who We Are Open-source security startup Based in Montreal Experienced founders: • Secure Networks Inc. • SecurityFocus (Symantec) • Core Security Technologies • Netifera • REcon www.subgraph.com
- 3. Open Source and Security Kerckhoffs’ principle Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer Made an important realization: “ “ “The security of any cryptographic The security of any cryptographic system does system doessecrecy, it in itsbe able to fall not rest in its not rest must secrecy, it mustthe enemy’s hands without inconvenience. into be able to fall into the enemy’s hands without inconvenience” The adversary knows the system (Claude The adversary knows the system Shannon) (Claude Shannon) ” ” As opposed to “security through obscurity” www.subgraph.com
- 4. Open Source and Security Kerckhoffs’ Principle Well understood in the world of cryptography New ciphers not trusted Because cryptography is a “black box” Once in a while, less now, companies try to market proprietary ciphers There’s a term for this: “snake oil” Kerckhoffs’ principle can be understood as “open source is good security” www.subgraph.com
- 5. Commercial Web Security Software Advantages Ease of installation, upgrade, use User experience Quality assurance, bug fixes Documentation and help Development driven by demand and need Disadvantages Expensive Sometimes bizarre licensing restrictions EOL, acquisitions, other events Proprietary / closed source www.subgraph.com
- 6. Open Source Web Security Tools Let’s just talk about disadvantages.. No integration / sharing between tools Poor or non-existent UI, documentation / help Painful, broken installations Code is of inconsistent quality Developer / contributor unreliability Developer interest driven by interest, skill level, whim Forks Abandonment Developer finished college, got a job Successfully reproduced www.subgraph.com
- 7. i hurt myself today www.subgraph.com
- 8. Our Vision One web, one web security tool Open source Consistent, well-designed UI Functions really well as an automated scanner Shouldn’t need to be a penetration tester Advanced features for those who are User extensibility Community Plus all that boring stuff Documentation, help, business friendly features We are building the ultimate platform for web security Rapidly prototype attacks Nobody should have to use commercial tools Because Vega is free www.subgraph.com
- 9. Introducing Vega Platform ‣ Open-source web application vulnerability assessment platform ‣ Easy to use Graphical Interface ‣ Works on Windows, Mac, Linux ‣ Automated scanner, attacking proxy finds vulnerabilities ‣ Based on Eclipse RCP ‣ Extensible: Javascript – language every web developer knows ‣ Shipped first release July 1 ‣ EPL 1.0 www.subgraph.com
- 10. Vega is Built On: Eclipse RCP / Equinox OSGi Apache HC JSoup Mozilla Rhino Eliteness www.subgraph.com
- 11. Automated Scanner Recursive crawl over target scope 404 detection Probes path nodes to determine if files, directories Builds tree-like internal representation of target application Vega runs injection modules on nodes, abstracted in API Response processing modules run on all responses Modules written in Javascript New for 1.0 Expanded scope, more than one base URI Support for authentication: HTTP, form-based, NTLM Much better scanner modules Very annoying crawler bugs fixed www.subgraph.com
- 12. Vega Automated Scanner www.subgraph.com
- 13. Start new scan and choose some of these modules: www.subgraph.com
- 14. Which are each one of these.. www.subgraph.com
- 15. Modules produce vulnerability reports: www.subgraph.com
- 16. ..which are based on these: Vega is very extensible. www.subgraph.com
- 17. Request / response pair www.subgraph.com
- 18. Can be reviewed / replayed, module highlights finding www.subgraph.com
- 19. Vega Proxy Intercepting proxy SSL MITM, including CA signing cert http://vega/ca.crt through the proxy Edit requests, responses Request replay Response processing modules run on all responses Modules written in Javascript New for 1.0 Proxy scanning Fuzzes pages in target scope when enabled Finds lots of vulnerabilities www.subgraph.com
- 20. Browser proxy configuration: www.subgraph.com
- 21. General proxy use. Green “play” button enables proxy, red stops it. www.subgraph.com
- 22. Configuring a Breakpoint www.subgraph.com
- 23. Intercepted Request www.subgraph.com
- 24. SSL MITM: Magic proxy URI www.subgraph.com
- 25. Proxy Scanning Gathers parameters and path information observing client-server interaction Sees things the crawler can’t see RPC endpoints Links in flash, Java, other active content Very effective at finding vulnerabilities To try it, configure the proxy, create a proxy target scope, enable proxy scanning www.subgraph.com
- 26. Configure a target scope www.subgraph.com
- 27. Enable Proxy Scanning Alert Notification Icon, aka SQL Injection Blinker www.subgraph.com
- 28. Proxy Scanner Alerts www.subgraph.com
- 29. Demo (1.0!) www.subgraph.com
- 30. Extending Vega Modules written in Javascript In the Vega/scripts/ subdirectory tree Well on OS X they’re in some weird place Two kinds of modules: Injection, AKA “Basic” Send fuzzing requests, do stuff with the responses Response processing Pattern matching, regex, checking response properties www.subgraph.com
- 31. Extending Vega Rich API Check documentation at https://support.subgraph.com DOM Analysis with Jquery E.g. file upload, password input submitted over HTTP.. Alerts based on XML templates In the XML/ subdirectory Freemarker Macro / CSS components www.subgraph.com
- 32. Where are we at? Feature complete for 1.0 Testing and fixing bugs Additional module refinement and testing Vega 1.0 release in November? Or early December Visit my github (or github.com/brl) if you want what you see here Download link on our website is the beta.. Can provide builds for OS X, Windows users Just ask me – email, irc (#subgraph / freenode), twitter, whatever www.subgraph.com
- 33. What’s coming? Even more improvements in detections Fuzzer / brute forcer Better reporting Better encoding, decoding, representation and manipulation of structured data Headless scanner HAR export Scriptable proxy We’re open to ideas and feedback! www.subgraph.com
- 34. Thank you! Web Try Vega / get the source http://www.subgraph.com http://github.com/dma/Vega (newer, less stable) Twitter http://github.com/subgraph/Vega Us: @subgraph (more stable) Me: @attractr E-mail us IRC info@subgraph.com irc.freenode.org, #subgraph www.subgraph.com