hacking your website with vega, confoo2011


Posted on 05-Dec-2014


TRANSCRIPT

Page 1: Hacking Your Website With Vega, ConFoo 2011

http://www.subgraph.com

Hacking Your Website With Vega

David Mirza, Subgraph Technologies, Montreal

Page 2: Introduction

- Who we are
- Open-source security startup
- Based in Montreal
- Experienced founders:
  o Secure Networks Inc.
  o SecurityFocus (Symantec)
  o Core Security Technologies
  o Netifera
  o REcon

Page 3: About us

- Subgraph is an open source security company
- Helping organizations protect their websites
  o Building high quality software
  o Penetration testing
  o Code / architecture review
- Incorporated in February 2010
- Philosophy of openness important to us
  o More than just releasing the code

Page 4: Open Source and Security

- Kerckhoffs' principle
- Auguste Kerckhoffs: 19th century Dutch linguist and cryptographer
- Made an important realization:
  o "The security of any cryptographic system does not rest in its secrecy; it must be able to fall into the enemy's hands without inconvenience"
  o More succinctly, the adversary knows the system
- As opposed to "security through obscurity"

(Cartoon caption: "I say!")

Page 5: Open Source and Security

- Kerckhoffs' principle
- Well understood in the world of cryptography
  o New ciphers are not trusted without public scrutiny over years
  o Because cryptography is used as a "black box", it's the only way to be sure
  o Once in a while, less now, companies try to market proprietary ciphers. There's a term for this: "snake oil"
- But what about everyone else?

Page 6: Beyond Cryptography

- Security research community
- Active, global community of passionate professionals, amateurs, students and hackers
  o Collaborative
  o Open
- Examples
  o Phrack magazine
  o Bugtraq
  o Defcon
  o Black Hat
  o REcon!
- This community changed the software industry
- Full disclosure won
- Better security for all
- Bug bounties
  o Google, Mozilla

Page 7: Open Source and Security

- Tools
- These researchers write tools
  o Exploits
  o Network security (e.g. nmap)
- Enough to have specialized, dedicated LiveCDs..
  o BackTrack: penetration testing LiveCD
  o Helix: forensics LiveCD
- The security industry owes all so much
  o Grassroots, open source innovation
  o Some open source projects became commercial successes
    - Snort IDS
    - Metasploit

Page 8: Open Source and Security

- Open source has always been a part of security
- Collaborative, open research
- Open source tool development
- Kerckhoffs' principle: open code scrutiny
- Means better security, in general
- Open source security software
- Is more trustworthy: read the source, compile it yourself
- No worries, no matter where in the world you live
- Why doesn't everyone demand open source for security?

Page 9: Open Source and Security

- Web application security
- Followed the same path
- Collaborative, open research, advocacy
  o E.g. OWASP
- Great open source tools, frameworks
- Also, the cutting edge of web application development
- Entirely open source!

Page 10: Web Security Timeline

Page 11: Commercial Web Security Software

- Advantages of commercial tools
  o Ease of installation, upgrade, use
  o User experience
  o Quality assurance, bug fixing
  o Documentation/help
  o Development driven by demand/need
- Disadvantages
  o Expensive
  o Bizarre license restrictions
  o EOL, acquisitions, other events
  o Proprietary, closed source

Page 12: Open Source Web Security Software

- Since I've already talked about the advantages..
- Disadvantages
  o No integration / sharing of data between the various tools
  o Poor or non-existent UI, documentation, help
  o Painful, broken installations
  o Code is of inconsistent quality
  o Developer, contributor unreliability
  o Development driven by whim, interest, skill level
  o Forks
  o Abandonment
    - Developer finished college, got a job
    - Successfully reproduced

Page 13: Existing Landscape of Web Tools

- There are very good commercial tools
  o HP, IBM, Qualys
  o SaaS, such as WhiteHat
  o Netsparker
  o Burp Suite (free version available)
- Expensive
- Some free/community versions, crippled
- Proprietary

Page 14: Open Source Tools

- There are also some fantastic open source tools
- Specialized
  o Various specialized fuzzers
  o Standalone proxies
  o Standalone scanners
  o Standalone brute-forcing tools
- They do not share a data model
  o Integrate them yourself
- In our experience:
  o Sometimes buggy
  o Last commit was in 2008..
  o Broken user interfaces

Page 15: Free/Open Source Web Security Tools

Page 16: Our Vision

- One web, one web security tool
- Open source
- Consistent, well-designed UI
- Functions really well as an automated scanner
  o Shouldn't need to be a penetration tester
  o Advanced features for those who are
- User extensibility
  o Community
- Plus all that boring stuff
  o Documentation, help, business-friendly features

Page 17: Hi, My Name Is: Vega

- Vega is a web-application security scanner
- It finds vulnerabilities in your website
- Written in Java, runs on:
  o Mac OS X
  o Windows
  o Linux
- A desktop application with a nice GUI
  o Eclipse RCP

Page 18: Introducing VEGA

- Currently two modes of operation
- Automated scanner
  o Point and click hacking
- Intercepting proxy
  o Instrumentation
  o Manual closer inspection
  o Penetration testing

Page 19: Scanner

- Automated scanner
- Crawls your web application recursively
- Analyzes links
- Runs a configurable set of audit and attack actions on these links
- Limited brute forcing
- Tests parameters for favorites, such as:
  o Reflected, persistent XSS
  o SQL injection
  o Command injection
  o Local file include
  o Local file reading
- Tries to identify server misconfigurations
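What "tests parameters" means in practice, as an added example that is not Vega's code and not part of the slides: a scanner rewrites one parameter at a time with a probe value, sends the request, and decides from the response body whether the probe came back in a dangerous form. The block below does this for reflected XSS and error-based SQL injection. The target URL, the `fakeFetch` server and its responses are constructed for the example; in a real scanner `fetchFn` would issue the HTTP request. Note the encoding check: a probe that comes back HTML-encoded is the application doing the right thing, not a finding.

```javascript
// Added example (not Vega's code): how an automated scanner tests each
// query parameter for reflected XSS and error-based SQL injection. The
// target URL and the fake server's responses are constructed for the example.

// Probe with characters a safe page must HTML-encode; a verbatim echo is a finding.
const XSS_PROBE = 'vg"<xss>\'';

// Database error strings that appear when an injected quote breaks a query.
const SQL_ERROR_SIGNATURES = [
  /You have an error in your SQL syntax/i,                   // MySQL
  /unterminated quoted string/i,                             // PostgreSQL
  /Unclosed quotation mark after the character string/i,     // MSSQL
  /ORA-\d{5}/,                                               // Oracle
  /SQLSTATE\[/                                               // PDO
];

// Copy of the URL with one parameter's value replaced by a payload.
function injectParam(urlString, name, payload) {
  const u = new URL(urlString);
  if (!u.searchParams.has(name)) throw new Error("no such parameter: " + name);
  u.searchParams.set(name, payload);
  return u.toString();
}

// Reflected XSS: only a verbatim copy of the probe counts. An HTML-encoded
// echo (vg&quot;&lt;xss&gt;&#39;) is the correct behaviour, not a finding.
function checkReflectedXss(body, probe) {
  return body.includes(probe);
}

// Error-based SQL injection: a database error after injecting a quote.
function checkSqlError(body) {
  return SQL_ERROR_SIGNATURES.some((re) => re.test(body));
}

// Test every parameter of a URL. fetchFn(url) returns a response body and is
// passed in so the scan can run offline against canned responses.
function scanUrlParams(urlString, fetchFn) {
  const findings = [];
  for (const name of new Set(new URL(urlString).searchParams.keys())) {
    if (checkReflectedXss(fetchFn(injectParam(urlString, name, XSS_PROBE)), XSS_PROBE)) {
      findings.push({ param: name, type: "reflected-xss" });
    }
    if (checkSqlError(fetchFn(injectParam(urlString, name, "1'")))) {
      findings.push({ param: name, type: "sql-injection" });
    }
  }
  return findings;
}

// Constructed fake target: `q` is echoed unescaped, `id` reaches a MySQL
// query unquoted, `page` is escaped properly.
function fakeFetch(url) {
  const p = new URL(url).searchParams;
  if ((p.get("id") || "").includes("'")) {
    return "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version";
  }
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
                      .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
  return "<p>Results for " + (p.get("q") || "") + "</p>" +
         "<p>Page " + esc(p.get("page") || "") + "</p>";
}

// Scan the constructed target: expect findings on `q` and `id`, none on `page`.
function demo() {
  return scanUrlParams("http://target.example/search?q=shoes&id=7&page=1", fakeFetch);
}
```

Against the constructed target, `demo()` reports `q` as reflected XSS and `id` as SQL injection; `page` escapes both probes and produces nothing, which is the behaviour a scanner must be able to tell apart from a real echo.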

Page 20: Proxy

- Intercepting proxy
- Intercepts requests, responses
  o Based on request method
  o Filters
- Can be edited
- Requests can be replayed or created
- Data decoding and encoding
- Customized automatic manipulation of requests, responses
- Response-processing scanner modules
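The proxy features listed above (intercept by request method, filter, decode and encode data, manipulate automatically) come together in a rule engine. The block below is an added example, not Vega's code or its proxy scripting API: it parses a raw HTTP request, matches it against a rule keyed on method and path, rewrites a base64-encoded session cookie, and serializes the request back so it can be forwarded or replayed. The request, the cookie format and the rule are constructed for the example.

```javascript
// Added example (not Vega's code): the rule engine at the heart of an
// intercepting proxy. A raw request is parsed, matched against rules keyed
// on method and path, rewritten automatically (here: a base64-encoded
// session cookie is decoded, edited and re-encoded) and serialized back.
// The request, cookie format and rule below are constructed for the example.

function parseRequest(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const [method, path, version] = lines[0].split(" ");
  const headers = {};                       // original header casing is kept
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return { method, path, version, headers, body };
}

function serializeRequest(req) {
  const lines = [`${req.method} ${req.path} ${req.version}`];
  for (const [k, v] of Object.entries(req.headers)) lines.push(`${k}: ${v}`);
  return lines.join("\r\n") + "\r\n\r\n" + req.body;
}

// Case-insensitive header access, since HTTP header names are.
function getHeader(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : req.headers[key];
}
function setHeader(req, name, value) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  req.headers[key === undefined ? name : key] = value;
}

// Decoding/encoding helpers of the kind a proxy offers on intercepted data.
const b64decode = (s) => Buffer.from(s, "base64").toString("utf8");
const b64encode = (s) => Buffer.from(s, "utf8").toString("base64");

function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k) out[k] = v.join("=");           // values may contain "=" (base64 padding)
  }
  return out;
}
const formatCookies = (c) => Object.entries(c).map(([k, v]) => `${k}=${v}`).join("; ");

// An interception rule: `match` decides whether a request is held,
// `transform` is the automatic manipulation applied to it. This rule holds
// only POSTs under /api/ and rewrites the role inside the session cookie,
// the kind of change you would make to test server-side authorization.
const rules = [{
  name: "elevate-role-in-session-cookie",
  match: (req) => req.method === "POST" && req.path.startsWith("/api/"),
  transform: (req) => {
    const cookies = parseCookies(getHeader(req, "Cookie") || "");
    if (!cookies.session) return req;
    const session = JSON.parse(b64decode(cookies.session));
    session.role = "admin";
    cookies.session = b64encode(JSON.stringify(session));
    setHeader(req, "Cookie", formatCookies(cookies));
    return req;
  }
}];

// Run a raw request through the rule set; the first matching rule wins.
function intercept(raw, ruleSet = rules) {
  const req = parseRequest(raw);
  for (const rule of ruleSet) {
    if (rule.match(req)) {
      return { intercepted: true, rule: rule.name, raw: serializeRequest(rule.transform(req)) };
    }
  }
  return { intercepted: false, rule: null, raw };
}

// Constructed request: an ordinary user's session cookie, base64 of JSON.
const sampleRequest =
  "POST /api/orders HTTP/1.1\r\n" +
  "Host: target.example\r\n" +
  "Cookie: lang=en; session=" + b64encode(JSON.stringify({ user: "alice", role: "user" })) + "\r\n" +
  "Content-Type: application/json\r\n" +
  "\r\n" +
  '{"item":42}';

function demo() {
  return intercept(sampleRequest);
}
```

The rule only fires on `POST` requests under `/api/`; a `GET` to the same path passes through untouched. Everything else in the request (other cookies, the body, header names and their casing) survives the round trip, which matters when the rewritten request is meant to be replayed against the real server.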

Page 21: What's Inside

- Architecture
- Eclipse RCP
- Modularity of design enforced with OSGi
- Using Apache HttpComponents
- jsoup
- Google Guava
- db4o
- Rhino JS interpreter

Page 22: Extensibility

- Extending Vega with ease
- Scripting of custom modules
  o JavaScript
  o DOM, jQuery
  o Clean, sensible API
- Scripting of proxy
  o Automated manipulation of intercepted requests, responses
- Custom alerts
  o XML templates

Page 23: VEGA DEMO

Page 24: Current Status

- We are really close
  o Finish a few features
  o Polish
  o Testing
  o Fixing bugs
- Documentation
  o User
  o Developer
  o Help
- Beta! Mid-April

Page 25: Future

- Fun stuff
- Penetration testing
  o Exploitation of vulnerabilities
  o Support for advanced attacks
- Brute forcing
  o Directories
  o Username/password
- Fuzzing
  o E.g. a really good web services fuzzer
- Specialized support for auditing apps
  o CakePHP, Rails, J2EE
- Less fun
- Really nice reporting

Page 26: Thank you! Interested?

- Web: http://www.subgraph.com
- Twitter
  o Company: @subgraph (we've been quiet)
  o Me: @attractr
- IRC: irc.freenode.org, #subgraph
- E-mail us: [email protected]
- MTLSEC: if you're in Montreal, we do a monthly, informal 5@7. http://www.mtlsec.com, @mtlsec