hacking your website with vega, confoo2011
http://www.subgraph.com
Hacking Your Website With Vega
David Mirza, Subgraph Technologies, Montreal
http://www.subgraph.com
Introduction
Who we are
Open-source security startup
Based in Montreal
Experienced founders:
o Secure Networks Inc.
o SecurityFocus (Symantec)
o Core Security Technologies
o Netifera
o REcon
About us
Subgraph is an open source security company
Helping organizations protect their websites
o Building high quality software
o Penetration testing
o Code / architecture review
Incorporated in February 2010
Philosophy of openness important to us
o More than just releasing the code
Open Source and Security
Kerckhoffs’ principle
Auguste Kerckhoffs: 19th century Dutch linguist and cryptographer
Made an important realization:
o “The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience”
o More succinctly, the adversary knows the system
As opposed to “security through obscurity”
Open Source and Security
Kerckhoffs’ principle
Well understood in the world of cryptography
o New ciphers are not trusted without public scrutiny over years
o Because cryptography is used as a “black box”, it’s the only way to be sure
o Once in a while, less now, companies try to market proprietary ciphers; there’s a term for this: “snake oil”
But what about everyone else?
Beyond Cryptography
Security research community
Active, global community of passionate professionals, amateurs, students and hackers
o Collaborative
o Open
Examples
o Phrack magazine
o Bugtraq
o Defcon
o Blackhat
o REcon!
This community changed the software industry
Full-disclosure won
Better security for all
Bug bounties
o Google, Mozilla
Open Source and Security
Tools
These researchers write tools
o Exploits
o Network security (e.g. nmap)
Enough to have specialized, dedicated LiveCDs
o BackTrack – Penetration testing LiveCD
o Helix – Forensics LiveCD
The security industry owes all of this a great deal
o Grassroots, open source innovation
o Some open source projects became commercial successes: Snort IDS, Metasploit
Open Source and Security
Open source has always been a part of security
Collaborative, open research
Open source tool development
Kerckhoffs’ law: open code scrutiny means better security, in general
Open source security software is more trustworthy: read the source, compile it yourself
No worries, no matter where in the world you live
Why doesn’t everyone demand open source for security?
Open Source and Security
Web application security followed the same path
Collaborative, open research, advocacy
o E.g. OWASP
Great open source tools, frameworks
Also, the cutting edge of web application development is entirely open source!
Web Security Timeline
Commercial Web Security Software
Advantages of commercial tools
o Ease of installation, upgrade, use
o User experience
o Quality assurance, bug fixing
o Documentation/help
o Development driven by demand/need
Disadvantages
o Expensive
o Bizarre license restrictions
o EOL, acquisitions, other events
o Proprietary, closed source
Open Source Web Security Software
Since I’ve already talked about the advantages..
Disadvantages
o No integration / sharing of data between the various tools
o Poor or non-existent UI, documentation, help
o Painful, broken installations
o Code is of inconsistent quality
o Developer, contributor unreliability
o Development driven by whim, interest, skill level
o Forks
o Abandonment
  o Developer finished college, got a job
  o Successfully reproduced
Existing Landscape of Web Tools
There are very good commercial tools
o HP, IBM, Qualys
o SaaS, such as WhiteHat
o NetSparker
o BurpSuite (free version available)
Expensive
Some free/community versions, crippled
Proprietary
Open Source Tools
There are also some fantastic open source tools
Specialized
o Various specialized fuzzers
o Standalone proxies
o Standalone scanners
o Standalone brute-forcing tools
They do not share a data model
o Integrate them yourself
In our experience:
o Sometimes buggy
o Last commit was in 2008..
o Broken user interfaces
Free/Open Source Web Security Tools
Our Vision
One web, one web security tool
Open source
Consistent, well-designed UI
Functions really well as an automated scanner
o Shouldn’t need to be a penetration tester
o Advanced features for those who are
User extensibility
o Community
Plus all that boring stuff
o Documentation, help, business friendly features
Hi, My Name Is: Vega
Vega is a web-application security scanner
It finds vulnerabilities in your website
Written in Java, runs on:
o Mac OS X
o Windows
o Linux
A desktop application with a nice GUI
o Eclipse RCP
Introducing VEGA
Currently two modes of operation
Automated scanner
o Point and click hacking
Intercepting proxy
o Instrumentation
o Manual closer inspection
o Penetration testing
Scanner
Automated scanner
Crawls your web application recursively
Analyzes links
Runs a configurable set of audit and attack actions on these links
Limited brute forcing
Tests parameters for favorites, such as:
o Reflected, persistent XSS
o SQL injection
o Command injection
o Local file include
o Local file reading
Tries to identify server misconfigurations
Proxy
Intercepting proxy
Intercepts requests, responses
o Based on request method
o Filters
Can be edited
Requests can be replayed or created
Data decoding and encoding
Customized automatic manipulation of requests, responses
Response processing scanner modules
What’s Inside
Architecture
o Eclipse RCP
o Modularity of design enforced with OSGi
Using:
o Apache HttpComponents
o JSoup
o Google Guava
o DB4O
o Rhino JS interpreter
Extensibility
Extending Vega with ease
Scripting of custom modules
o JavaScript
o DOM, jQuery
o Clean, sensible API
Scripting of proxy
o Automated manipulation of intercepted requests, responses
Custom alerts
o XML templates
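As an added illustration of the response-processing scanner modules and JavaScript scripting described in the Proxy and Extensibility slides (this is example code, not Vega’s own module API; the response object shape and the alert format are assumptions), a check that flags a few common server misconfigurations in one HTTP response:

```javascript
// Added example, not Vega's own code or module API: a response-processing check
// in the spirit of a scripted scanner module. Response shape and alert format are assumptions.
function normalizeHeaders(headers) {
  // Lower-case header names; keep Set-Cookie as an array since it repeats.
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = key === "set-cookie" ? [].concat(value) : String(value);
  }
  return out;
}
function cookieAttributes(setCookie) {
  // "id=abc; Path=/; HttpOnly" -> ["path", "httponly"]
  return setCookie.split(";").slice(1)
    .map(attr => attr.trim().split("=")[0].toLowerCase());
}
function checkResponse(response) {
  const h = normalizeHeaders(response.headers);
  const alerts = [];
  // 1. Version strings in banner headers identify the exact software deployed.
  for (const name of ["server", "x-powered-by"]) {
    if (h[name] && /\d+\.\d+/.test(h[name])) {
      alerts.push({ severity: "low", title: "Version disclosure in " + name, detail: h[name] });
    }
  }
  // 2. Cookies without HttpOnly are readable by any script injected via XSS.
  for (const cookie of h["set-cookie"] || []) {
    if (!cookieAttributes(cookie).includes("httponly")) {
      alerts.push({ severity: "medium", title: "Cookie without HttpOnly", detail: cookie.split("=")[0].trim() });
    }
  }
  // 3. No framing restriction: the page can be embedded for clickjacking.
  if (!("x-frame-options" in h)) {
    alerts.push({ severity: "low", title: "Missing X-Frame-Options header", detail: "" });
  }
  return alerts;
}
// Constructed sample response to run the check against.
const sampleResponse = {
  status: 200,
  headers: {
    "Server": "Apache/2.2.14 (Ubuntu)",
    "Set-Cookie": ["PHPSESSID=deadbeef; Path=/", "lang=en; Path=/; HttpOnly"],
    "Content-Type": "text/html"
  },
  body: "<html><body>hello</body></html>"
};
console.log(checkResponse(sampleResponse));
```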
VEGA DEMO
Current Status
We are really close
o Finish a few features
o Polish
o Testing
o Fixing bugs
Documentation
o User
o Developer
o Help
Beta! Mid-April
Future
Fun stuff
Penetration testing
o Exploitation of vulnerabilities
o Support for advanced attacks
Brute forcing
o Directories
o Username/password
Fuzzing
o E.g. a really good web services fuzzer
Specialized support for auditing apps
o CakePHP, Rails, J2EE
Less fun
o Really nice reporting
Thank you! Interested?
Web: http://www.subgraph.com
Twitter: Company: @subgraph (we’ve been quiet); Me: @attractr
IRC: irc.freenode.org, #subgraph
E-mail us: [email protected]
MTLSEC: If you’re in Montreal, we do a monthly, informal 5@7: http://www.mtlsec.com, @mtlsec