Graph Analysis for WebApps: From Nodes to Edges
Discover how graph analysis can improve web assessments by saving time, focusing on what matters, and surgical testing. Learn about success cases, security visualization, and future developments.
Graph Analysis for WebApps: From Nodes to Edges Simon Roses Femerling Security Technologist and Researcher
Intro - Who I am • Native of the wonderful island of Mallorca in the Mediterranean Sea • Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts • Formerly at PwC, @Stake, among others… • Security Technologist (ACE Team) at Microsoft
Talk Objectives • Success Cases using graphs in security space • Not a class on graphs • Improve web assessments by • Saving time • Focus on what matters • Surgical Testing
Agenda • Overview • Process • Data Analysis • Summary • Q&A
Why? • Apps get more complex every day • Tired of using a poor tool set • Move away from raw text • Need to identify patterns quickly • Time is precious and usually you don’t have enough
Security Visualization • Becoming a popular field • Needs a lot of research • Makes it easier to analyze data • We perform better with visual images than with raw data
Success Cases Visualization • Reverse Engineering • IDS Log Analysis • Network Analysis • Source Code Review http://secviz.org/
Process • 3-step process: SOURCE → NORMALIZATION → ANALYSIS
SOURCE • Independent of black box or white box • The more data we get, the better (everything is important) • Lots of tools can help us • Proxies • Crawlers • Scanners
NORMALIZATION • Raw data is normalized • XML for convenience • The normalization / analysis engine is key
ANALYSIS • Start identifying issues more easily and faster • Visual approach • Make decisions and focus testing • Data mining is the key
Target Relationship • Query: Pages that link to Home • Objectives: • Learning about target • Mapping Application
FORMS + HIDDEN • Query: Pages that contain a form and a hidden tag • Objectives: • Data Entry Point • Tamper with hidden tag
COOKIES • Query: Pages that set a cookie • Objectives: • Contains session ID? • Tamper Cookie
SSL • Query: Pages that use SSL • Objectives: • Check SSL Certificate • Can I call pages without SSL?
Attack Surface • Query: All data points • Objectives: • Have fun
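As an added illustration of the three-step process and the queries above (example code written for this transcript, not code from the talk or from PANTERA): the normalization output is a constructed XML snippet with a made-up schema, loaded into a simple page graph over which each of the slide queries is run.

```python
import xml.etree.ElementTree as ET

# Constructed sample of normalized crawl output (a made-up schema, not the talk's):
# one <page> per URL with the links, form inputs and cookies a proxy/crawler saw.
NORMALIZED_XML = """<site>
  <page url="https://shop.example/">
    <link href="https://shop.example/login"/><link href="http://shop.example/cart"/>
  </page>
  <page url="https://shop.example/login">
    <link href="https://shop.example/"/>
    <form action="/login"><input name="user"/><input name="pass"/>
      <input name="next" type="hidden"/></form>
    <cookie name="PHPSESSID"/>
  </page>
  <page url="http://shop.example/cart">
    <link href="https://shop.example/"/>
    <form action="/cart"><input name="qty"/><input name="price" type="hidden"/></form>
  </page>
</site>"""

def build_graph(xml_text):
    """Nodes are pages (with their data points); edges are the links between them."""
    nodes, edges = {}, {}
    for page in ET.fromstring(xml_text).iter("page"):
        url = page.get("url")
        nodes[url] = {
            "ssl": url.startswith("https://"),
            "inputs": [i.get("name") for i in page.iter("input")],
            "hidden": [i.get("name") for i in page.iter("input") if i.get("type") == "hidden"],
            "cookies": [c.get("name") for c in page.iter("cookie")],
        }
        edges[url] = {link.get("href") for link in page.iter("link")}
    return nodes, edges

def links_to(edges, target):          # Target Relationship: pages that link to Home
    return sorted(src for src, dsts in edges.items() if target in dsts)

def forms_with_hidden(nodes):         # FORMS + HIDDEN: data entry points to review
    return sorted(u for u, d in nodes.items() if d["hidden"])

def sets_cookie(nodes):               # COOKIES: candidates for session-handling review
    return sorted(u for u, d in nodes.items() if d["cookies"])

def without_ssl(nodes):               # SSL: pages reachable without TLS
    return sorted(u for u, d in nodes.items() if not d["ssl"])

def attack_surface(nodes):            # All data points, ranked to focus testing
    return sorted(nodes, key=lambda u: -(len(nodes[u]["inputs"]) + len(nodes[u]["cookies"])))
```

The `nodes` and `edges` structures map directly onto a DOT graph (for example via pydot, listed in the toolset slide), which is where the visual step of the process would start.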
Analysis tips • Diff between pages • What pages contain more data entries? • What pages contain more issues? • Identify pages with script code, comments, etc… • We are constrained to: • What we know from target • Our imagination
Now what? • Improve our Security Testing • Fuzzing • Generate Attack Trees / Attack Graphs • Threat Modeling
Data Analysis Goal • Build a focused attack roadmap to test the target
Security Visualization Coolness • Makes our lives easier • Allows for easy pattern identification • Cuts down our analysis time • Focus security testing • Add cool visuals to report
Future • Adding graph analysis into PANTERA • Some current research into web security graphs • Build an automated process • Check out OWASP Tiger (http://www.owasp.org/index.php/OWASP_Tiger)
Nice toolset to play with… • Python • Pydot (http://code.google.com/p/pydot/) • pGRAPH (included in PAIMEI) • Java • JUNG (http://jung.sourceforge.net/) • JGraphT (http://www.jgrapht.org/) • .NET • QuickGraph (http://www.codeproject.com/KB/miscctrl/quickgraph.aspx) • MSAGL (http://research.microsoft.com/research/msagl/)
The End • Q&A • Important: Beer / hard liquor (Vodka Lemon, Margaritas, Mojitos, you name it…) are always welcome • Simon Roses Femerling • www.roseslabs.com