AppSecEU08-SRF_Simon_Roses

OWASP Europe Conference 2008
Graph Analysis for WebApps:
From Nodes to Edges
OWASP
Simon Roses Femerling
Security Technologist and Researcher
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Intro - Who I am
A native of the wonderful island of Mallorca in the Mediterranean Sea
Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts
Former PwC, @Stake, among others…
Security Technologist (ACE Team) at Microsoft
Talk Objectives
Success cases using graphs in the security space
Not a class on graphs
Improve web assessments by:
Saving time
Focusing on what matters
Surgical testing
Agenda
Overview
Process
Data Analysis
Summary
Q&A
OVERVIEW
Why?
Apps get more complex every day
Tired of using a poor tool set
Move away from raw text
Need to identify patterns quickly
Time is precious and usually you don't have enough
Security Visualization
Becoming a popular field
Needs a lot of research
Makes data easier to analyze
We perform better with visual images than with raw data
Success Cases Visualization
Reverse Engineering
IDS Log Analysis
Network Analysis
Source Code Review
http://secviz.org/
PROCESS
Process
3-step process
SOURCE
NORMALIZATION
ANALYSIS
SOURCE
Independent of black-box or white-box testing
The more data we get the better (everything is important)
Lots of tools can help us:
Proxies
Crawlers
Scanners
NORMALIZATION
Raw data is normalized
XML for convenience
The normalization / analysis engine is key
ANALYSIS
Start identifying issues more easily and faster
Visual approach
Take decisions and focus testing
Data mining is the key
DATA ANALYSIS
Target Site
Target Relationship
Query: Pages that link to Home
Objectives:
- Learning about the target
- Mapping the application
FORMS + HIDDEN
Query: Pages that contain a form and a hidden tag
Objectives:
- Data entry point
- Tamper with the hidden tag
COOKIES
Query: Pages that set a cookie
Objectives:
- Does it contain a session ID?
- Tamper with the cookie
SSL
Query: Pages that use SSL
Objectives:
- Check the SSL certificate
- Can I call the pages without SSL?
Attack Surface
Query: All data points
Objectives:
- Have fun
Analysis tips
Diff between pages
What pages contain more data entries?
What pages contain more issues?
Identify pages with script code, comments, etc.
We are constrained to:
What we know about the target
Our imagination
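As an added worked example (not code from the talk, from PANTERA or from OWASP Tiger), the SOURCE / NORMALIZATION / ANALYSIS process and the queries of the Data Analysis section implemented over a constructed crawl: a hand-written XML record of what a proxy or crawler would have captured is loaded into a directed graph of pages, and each slide query ("pages that link to Home", forms with hidden fields, cookie-setting pages, SSL pages, the full attack surface, and the "which pages carry more data entries" tip) becomes a filter or ranking over that graph. The XML schema, the host shop.example and the page names are assumptions; only the standard library is used so it runs offline, and to_dot() emits Graphviz DOT that pydot or any of the tools listed at the end can draw.

```python
# Added example: graph analysis of a normalized web crawl (stdlib only).
# Schema, host and pages are constructed assumptions, not the author's format.
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# NORMALIZATION output, constructed by hand: one <page> per crawled response
# with the links, forms and Set-Cookie header the SOURCE tools observed.
CRAWL_XML = """<crawl>
  <page url="http://shop.example/index.php" sets_cookie="PHPSESSID">
    <link href="http://shop.example/login.php"/><link href="http://shop.example/search.php"/>
    <link href="https://shop.example/checkout.php"/>
  </page>
  <page url="http://shop.example/login.php">
    <link href="http://shop.example/index.php"/>
    <form action="http://shop.example/login.php" method="POST">
      <input name="user"/><input name="pass"/><input name="next" type="hidden"/>
    </form>
  </page>
  <page url="http://shop.example/search.php">
    <link href="http://shop.example/index.php"/>
    <form action="http://shop.example/search.php" method="GET"><input name="q"/></form>
  </page>
  <page url="https://shop.example/checkout.php" sets_cookie="cart">
    <link href="http://shop.example/index.php"/>
    <form action="https://shop.example/pay.php" method="POST">
      <input name="card"/><input name="price" type="hidden"/>
    </form>
  </page>
  <page url="http://shop.example/checkout.php">
    <link href="http://shop.example/index.php"/>
  </page>
</crawl>"""


class WebGraph:
    """Directed graph: nodes are URLs, edges are links and form submissions."""

    def __init__(self):
        self.pages = {}                # url -> {"cookie": name|None, "forms": [...]}
        self.edges = defaultdict(set)  # url -> urls it points to
        self.rev = defaultdict(set)    # url -> urls pointing to it (reverse edges)

    @classmethod
    def from_xml(cls, text):
        g = cls()
        for p in ET.fromstring(text).findall("page"):
            url, forms = p.get("url"), []
            for f in p.findall("form"):
                inputs = f.findall("input")
                forms.append({"action": f.get("action"), "method": f.get("method", "GET"),
                              "inputs": [i.get("name") for i in inputs],
                              "hidden": [i.get("name") for i in inputs if i.get("type") == "hidden"]})
            g.pages[url] = {"cookie": p.get("sets_cookie"), "forms": forms}
            for l in p.findall("link"):
                g.add_edge(url, l.get("href"))
            for f in forms:                # submitting a form is an edge too
                g.add_edge(url, f["action"])
        return g

    def add_edge(self, src, dst):
        self.edges[src].add(dst)
        self.rev[dst].add(src)

    # --- ANALYSIS: the queries from the slides ---------------------------------
    def pages_linking_to(self, target):
        """'Pages that link to Home' (or to any other node): walk reverse edges."""
        return sorted(self.rev[target])

    def pages_with_hidden_fields(self):
        """'Pages that contain a form and a hidden tag': tampering candidates."""
        return sorted(u for u, a in self.pages.items() if any(f["hidden"] for f in a["forms"]))

    def pages_setting_cookie(self):
        return sorted(u for u, a in self.pages.items() if a["cookie"])

    def ssl_pages(self):
        return sorted(u for u in self.pages if urlsplit(u).scheme == "https")

    def ssl_pages_also_over_http(self):
        """'Can I call pages without SSL?' answered from the crawl itself."""
        return sorted(u for u in self.ssl_pages() if "http://" + u[len("https://"):] in self.pages)

    def attack_surface(self):
        """Every data entry point as (page, method, action, parameter)."""
        return [(u, f["method"], f["action"], name)
                for u, a in self.pages.items() for f in a["forms"] for name in f["inputs"]]

    def rank_by_entry_points(self):
        """'What pages contain more data entries?' -> (url, count), most first."""
        counts = defaultdict(int)
        for u, _, _, _ in self.attack_surface():
            counts[u] += 1
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

    def to_dot(self):
        """Graphviz DOT for pydot/dot: pages that carry forms are drawn as boxes."""
        out = ["digraph webapp {"]
        out += [f'  "{u}" [shape={"box" if a["forms"] else "ellipse"}];' for u, a in self.pages.items()]
        out += [f'  "{s}" -> "{d}";' for s, ds in self.edges.items() for d in sorted(ds)]
        return "\n".join(out + ["}"])
```

Replace CRAWL_XML with the normalized output of your own proxy or crawler and the same queries apply unchanged; `WebGraph.from_xml(CRAWL_XML).rank_by_entry_points()` puts the login form first, and on this sample `ssl_pages_also_over_http()` flags that checkout.php was also served over plain HTTP, which is exactly the kind of pattern that is hard to spot in raw text but falls out of a graph query.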
Now what?
Improve our Security Testing
Fuzzing
Generate Attack Trees / Attack Graphs
Threat Modeling
Web Attack Graphs
TAM graphs visualization
Data Analysis Goal
Build a focused attack roadmap for testing the target
SUMMARY
Security Visualization Coolness
Makes our lives easier
Allows easy pattern identification
Cuts down our analysis time
Focuses security testing
Adds cool visuals to the report
Future
Adding graph analysis to PANTERA
Some current research into web security graphs
Build an automated process
Check out OWASP Tiger (http://www.owasp.org/index.php/OWASP_Tiger)
Pantera Data Mining I
Pantera Data Mining II
Nice toolset to play with…
Python
- Pydot (http://code.google.com/p/pydot/)
- pGRAPH (included in PAIMEI)
Java
- JUNG (http://jung.sourceforge.net/)
- JGraphT (http://www.jgrapht.org/)
.NET
- QuickGraph (http://www.codeproject.com/KB/miscctrl/quickgraph.aspx)
- MSAGL (http://research.microsoft.com/research/msagl/)
The End
Q&A
Important: beer / hard liquor (Vodka Lemon, Margaritas, Mojitos, you name it…) are always welcome
Simon Roses Femerling
www.roseslabs.com