Slide 1 - Graph Analysis for WebApps: From Nodes to Edges
Simon Roses Femerling, Security Technologist and Researcher
OWASP Europe Conference 2008
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Slide 2 - Intro: Who I am
- Native of the wonderful island of Mallorca in the Mediterranean Sea
- Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts
- Formerly at PwC and @Stake, among others
- Security Technologist (ACE Team) at Microsoft

Slide 3 - Talk Objectives
- Success cases of using graphs in the security space
- Not a class on graphs
- Improve web assessments by:
  - Saving time
  - Focusing on what matters
  - Surgical testing

Slide 4 - Agenda
- Overview
- Process
- Data Analysis
- Summary
- Q&A
Slide 5 - OVERVIEW

Slide 6 - Why?
- Apps get more complex daily
- Tired of using a poor tool set
- Move away from raw text
- Need to identify patterns quickly
- Time is precious, and usually you don't have enough of it

Slide 7 - Security Visualization
- Becoming a popular field
- Needs a lot of research
- Makes data easier to analyze
- We perform better with visual images than with raw data

Slide 8 - Success Cases of Visualization
- Reverse engineering
- IDS log analysis
- Network analysis
- Source code review
- http://secviz.org/
Slide 9 (image only; no text captured)

Slide 13 - PROCESS

Slide 14 - Process
- A three-step process: Source, Normalization, Analysis

Slide 15 - SOURCE
- Independent of black-box or white-box approach
- The more data we get, the better (everything is important)
- Lots of tools can help us: proxies, crawlers, scanners

Slide 16 - NORMALIZATION
- Raw data is normalized to XML for convenience
- The normalization / analysis engine is key

Slide 17 - ANALYSIS
- Start identifying issues more easily and faster
- Visual approach
- Take decisions and focus testing
- Data mining is the key
Slide 18 - DATA ANALYSIS

Slide 19 - Target Site

Slide 20 - Target Relationship
- Query: pages that link to Home
- Objectives: learning about the target; mapping the application

Slide 21 - FORMS + HIDDEN
- Query: pages that contain a form and a hidden tag
- Objectives: data entry points; tamper with the hidden tag

Slide 22 - COOKIES
- Query: pages that set a cookie
- Objectives: does it contain a session ID? tamper with the cookie

Slide 23 - SSL
- Query: pages that use SSL
- Objectives: check the SSL certificate; can I call the pages without SSL?

Slide 24 - Attack Surface
- Query: all data points
- Objectives: have fun

Slide 25 - Analysis tips
- Diff between pages
- What pages contain more data entries?
- What pages contain more issues?
- Identify pages with script code, comments, etc.
- We are constrained by what we know about the target and by our imagination
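The three-step process (source, normalization to XML, graph analysis) and the four slide queries above can be shown end to end in a few dozen lines. The following is an added example written for this transcript, not code from the talk or from PANTERA. The XML schema (`<site>`, `<page>`, `<link>`, `<form>`, `<input>`, `<cookie>`) is an assumed normalized format, since the deck only says raw data is normalized to XML; the sample site is constructed. The graph is kept in plain dictionaries and exported as Graphviz DOT text, so it runs with the standard library alone (Pydot, which the deck lists, can render the same DOT).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of crawler/proxy output after normalization to XML.
# The schema is an assumption for this example, not the talk's format.
SAMPLE_XML = """<site>
  <page url="https://example.test/">
    <link href="https://example.test/login"/>
    <link href="http://example.test/catalog"/>
  </page>
  <page url="https://example.test/login">
    <link href="https://example.test/"/>
    <form action="/login" method="post">
      <input name="user" type="text"/>
      <input name="pass" type="password"/>
      <input name="next" type="hidden"/>
    </form>
    <cookie name="SESSIONID"/>
  </page>
  <page url="http://example.test/catalog">
    <link href="https://example.test/"/>
    <link href="http://example.test/item?id=1"/>
    <form action="/search" method="get">
      <input name="q" type="text"/>
    </form>
  </page>
  <page url="http://example.test/item?id=1">
    <link href="http://example.test/catalog"/>
    <cookie name="lastviewed"/>
  </page>
</site>"""


class SiteGraph:
    """Directed graph: nodes are pages (with attributes), edges are links."""

    def __init__(self):
        self.pages = {}                 # url -> attribute dict
        self.edges = defaultdict(set)   # url -> set of linked urls


def load_site(xml_text):
    """Normalization step: turn the XML into page nodes and link edges."""
    root = ET.fromstring(xml_text)
    g = SiteGraph()
    for page in root.findall("page"):
        url = page.get("url")
        inputs = list(page.iter("input"))
        g.pages[url] = {
            "ssl": urlparse(url).scheme == "https",
            "forms": len(page.findall("form")),
            "inputs": [i.get("name") for i in inputs],
            "hidden": [i.get("name") for i in inputs if i.get("type") == "hidden"],
            "cookies": [c.get("name") for c in page.findall("cookie")],
        }
        for link in page.findall("link"):
            g.edges[url].add(link.get("href"))
    return g


# Analysis step: the queries from slides 20-23, plus one "analysis tip".

def pages_linking_to(g, target):
    """Slide 20: pages that link to a given page (e.g. Home)."""
    return sorted(u for u, outs in g.edges.items() if target in outs)


def pages_with_hidden_form_fields(g):
    """Slide 21: pages that contain a form and a hidden input."""
    return sorted(u for u, a in g.pages.items() if a["forms"] and a["hidden"])


def pages_setting_cookies(g):
    """Slide 22: pages that set a cookie (review these for session IDs)."""
    return sorted(u for u, a in g.pages.items() if a["cookies"])


def pages_without_ssl(g):
    """Slide 23, inverted: pages reachable over plain HTTP."""
    return sorted(u for u, a in g.pages.items() if not a["ssl"])


def data_entry_ranking(g):
    """Slide 25: rank pages by number of data entry points (inputs + cookies)."""
    return sorted(((len(a["inputs"]) + len(a["cookies"]), u)
                   for u, a in g.pages.items()), reverse=True)


def to_dot(g):
    """Export the graph as Graphviz DOT; non-SSL pages are drawn in red."""
    lines = ["digraph site {"]
    for u, a in g.pages.items():
        lines.append(f'  "{u}" [color={"black" if a["ssl"] else "red"}];')
    for u, outs in g.edges.items():
        for v in sorted(outs):
            lines.append(f'  "{u}" -> "{v}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    site = load_site(SAMPLE_XML)
    print("link to Home:", pages_linking_to(site, "https://example.test/"))
    print("form + hidden:", pages_with_hidden_form_fields(site))
    print("set cookie:", pages_setting_cookies(site))
    print("no SSL:", pages_without_ssl(site))
    print("entry points:", data_entry_ranking(site))
    print(to_dot(site))
```

Each query is a filter over node attributes or edges, which is the point of the deck: once the crawl is a graph, "pages with a form and a hidden field" or "who links to Home" is a one-line question instead of a grep through raw responses, and the DOT output can be rendered to put the answer on a picture. Pipe the DOT text into `dot -Tpng` (Graphviz) to get the visual.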
Slide 26 - Now what?
- Improve our security testing
- Fuzzing
- Generate attack trees / attack graphs
- Threat modeling

Slide 27 - Web Attack Graphs

Slide 28 - TAM graphs visualization

Slide 29 - Data Analysis Goal
- Build a focused attack roadmap to test the target
Slide 30 - SUMMARY

Slide 31 - Security Visualization Coolness
- Makes our lives easier
- Allows easy pattern identification
- Cuts down our analysis time
- Focuses security testing
- Adds cool visuals to the report

Slide 32 - Future
- Adding graph analysis into PANTERA
- Some current research into web security graphs
- Build an automated process
- Check out OWASP Tiger (http://www.owasp.org/index.php/OWASP_Tiger)

Slide 33 - Pantera Data Mining I

Slide 34 - Pantera Data Mining II

Slide 35 - Nice toolset to play with
- Python: Pydot (http://code.google.com/p/pydot/); pGRAPH (included in PAIMEI)
- Java: JUNG (http://jung.sourceforge.net/); JGraphT (http://www.jgrapht.org/)
- .NET: QuickGraph (http://www.codeproject.com/KB/miscctrl/quickgraph.aspx); MSAGL (http://research.microsoft.com/research/msagl/)

Slide 36 - The End: Q&A
Important: beer / hard liquor (Vodka Lemon, Margaritas, Mojitos, you name it) are always welcome.
Simon Roses Femerling, www.roseslabs.com