subgraph

Northsec, ConFoo, and the Vega 1.0 release

Posted by David on February 22, 2013
Posted in: subgraph, vega. Leave a Comment

Subgraph sponsoring Northsec

Subgraph is pleased to announce we are a sponsor of Northsec, a CTF to be held in Montreal April 5-7.

Image

Vega 1.0 Release: March 1, 2013

We will be presenting at ConFoo next week to announce the release of of Vega 1.0. Be sure to catch our presentation on Friday, March 1, at 2:30pm.

vegaLogo_small

Some of the features in the 1.0 release include:

  • Active proxy scanner
  • Greatly improved detections
  • Greatly improved support for authenticated scanning
  • API enhancements
  • HTTP message viewer enhancements

Some of the features in the 1.0 release are summarized (with screenshots) in our Countermeasure 2012 presentation.

The Countermeasure 2012 presentation can be downloaded here.

A more in-depth walk-through can be found in issue #9 of HITB Magazine:


http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-009.pdf

More soon.

Vega Module Development: Highlighting in Requests and Responses

Posted by David on July 10, 2012
Posted in: subgraph, vega. Leave a Comment

We’ve just added a feature that helps users better understand scan results. For each alert, Vega can now more precisely pinpoint to the user where and what exactly it found.

Some background

Vega vulnerability checks are written in Javascript. Anyone can write one. These modules are run both passively and actively as Vega finds content it wants to scan.

Vega modules report findings by generating alerts. In doing so, they save the relevant HTTP request and response objects for review by the user. Within the alert is a link to view these saved HTTP messages in the message viewer (see below).

Request link in a alert

 

For the user

The module developer can now specify an interesting string within the HTTP message. When opened through the link in the alert shown above, the Vega message viewer will scroll to the matching location and highlight the substring, making it immediately apparent to the user what the module found. Screen below:

Module development: response highlighting

 

For the module developer

The API support for this is pretty simple, there are two methods that can be called from the context object:

ctx.addStringHighlight()

ctx.addRegexHighlight()

If you grab the code from our repository, we’ve added this functionality to two modules (vinfo-paths.js and vinfo-feeds.js). These examples show how simple it is:

API support

We’ll be updating all existing and new modules so that they use this feature. We’ll also be adding UI support for viewing multiple matches.

Let us know what you think.

Happy Birthday Vega

Posted by David on July 1, 2012
Posted in: subgraph, vega. 4 comments

Vega Launch at FISL12 – Photo by Christian Guerreiro

One year ago today we launched the Vega beta at FISL 12. A lot has happened in the past year.

  • Vega was included in BackTrack 5R1, the security testing Linux distribution downloaded millions of times.
  • We have received lots of great feedback from our beta users.
  • We fared well (for a beta!) in a rigorous comparison of many commercial and free/open source security tools.
  • We were at OSCON, AppSecUSA, Confoo, and threw the best REcon to date.
  • Vega was the topic of a lengthy article in issue #33 of Insecure Magazine. Some of the new features coming are described there in detail.

We’ve also been busy doing a lot of services: penetration tests, code reviews, reverse engineering. We do this to help fund the development of Vega.

So we’re now excited to announce that we’ve been working on a new release. The release will fix many bugs, and some of the new features include:

Automating Web Application Login

Vega now allows you to store authentication credentials as an ‘identity’ so that Vega can log in automatically during a scan. This includes basic, digest, and NTLM credentials.

For authenticating using forms, it is possible to associate stored login requests seen by the proxy with an identity. Vega can then replay those to log in when starting a scan.

Vega supports creation of ‘identities’ for scanning with authentication.

 

Adding a Login Request to a Macro

In the screenshot below, the user simply logs into the application through the Vega proxy, and then selects the stored login request during the creation of the macro. Binding this to an identity and then using the identity during a scan will let the scanner log itself in automatically prior to starting a scan.

Selecting requests for the macro identity.

 

Message Viewer Improvements

We’ve also cleaned up the message viewer, making the rendering nicer and adding small touches like searching (Ctrl-F) and menu-based copy and paste (right mouse click menu). For the module developer, it will be possible to tell the message viewer what to highlight and where to scroll to when a request is accessed through an alert.

Cleaner rendering in message viewer. Search, copy/paste, module-specified highlighting.

 

Module Refresh

Finally, we are doing a complete module refresh. This means existing modules will be made more reliable and efficient. And we have several new modules under development.

What’s next?

We don’t have a fixed date for the release – but it will be soon. You can always build from source if you want access to some of these features sooner. They’re in the develop branch of our github repository. Contact us if you’d like to help us test new features and we’ll make a special build if you are using Windows or OS X. Talk to us on IRC (freenode) in #subgraph.

Finally

We’ll be presenting Vega at Black Hat Arsenal 2012 in Las Vegas. Be sure to stop by and say hello if you’re going to be there.

Subgraph at OSCON 2011: Kerckhoffs’ Legacy

Posted by David on August 9, 2011
Posted in: opensource, subgraph, vega. 3 comments

Subgraph was at OSCON 2011. The organizers of OSCON did an excellent job, and Portland is a beautiful city with very friendly people and great public transportation.

The conference was an opportunity to meet some amazing people. We had discussions with over 100 developers of web applications and all of them clearly expressed a need for a tool like Vega.

I spoke on open source and security during the IT Leader’s Summit.

It was almost an anthropological talk, making a case that open source and security have always fit naturally together. This is an idea that some people find counter-intuitive, so I began the story with Auguste Kerckhoffs and his important realization: security through obscurity is a bad assumption. The story continued with the modern-day necessity of sustained public scrutiny in the world of cryptography, and how this idea could, and should, be extended to software, especially security software.

The talk also covered the lesser-known history of the security research community, including anecdotes from my time running Bugtraq, the largest forum of security researchers on the Internet (50,000 members during its peak). This community, which has always been very open and collaborative, has produced much innovation that we rely on every day. Innovation that has made its way into commercial solutions. With Kerckhoffs’ principle as a unifying theme, this is a story that is interesting for anyone, and I look forward to further sharing it.

The slides are available here:


http://www.subgraph.com/downloads/Subgraph-Kerckhoffs_Legacy-OSCON2011.pdf

We’ll definitely be back next year.

Vega Beta Release

Posted by David on July 1, 2011
Posted in: subgraph, vega, webappsec. 6 comments

Ola from Porto Alegre, Brazil. I’m here speaking at FISL 12 on open source and security. We’re also launching our beta.

So we’re pleased to officially announce the public release of the Vega platform 1.0. Vega is a GUI-based, open source platform for testing the security of web applications. It runs on Linux, Mac OS X, and Windows. The core of Vega functionality is in its automated scanner and intercepting proxy.

Vega is written in Java and based on the Eclipse RCP framework. We’ve built-in the Mozilla Rhino Javascript interpreter. It is open source software (licensed under the EPL version 1.0).

Automated Scanner

The automated scanner crawls a web application, analyzing pages, looking for interesting content and injection points. Vega runs modules on the web application that test for vulnerabilities or analyze content. These modules are written in Javascript and are entirely customizable. Vega modules can generate alerts to make users aware of the findings.

Intercepting Proxy

Vega also includes an intercepting proxy. The proxy is situated between a browser and the target application, intercepting all requests and responses between them. Users can view the interaction of the client with the website, intercepting and modifying requests and responses to probe and verify possible vulnerabilities. The proxy is also capable of intercepting HTTPS communications with dynamically generated man-in-the-middle certificates.

Extensibility

Vega is much more than a simple web scanner and proxy. Vega is a platform on which many future web security testing methods can be implemented. In 1.0 beta it is possible for users to write their own modules for the scanner in a language they already know, Javascript, using an intuitive and powerful API. Alerts are XML-based and easy to customize. We’ll be writing blog posts with tutorials on developing custom Vega modules.

Get Vega

Download the Vega Platform 1.0 beta and let us know what you think. Documentation is available online here.

Finally, join us on Freenode, channel #subgraph.

Vega goes beta May 1, more information coming soon

Posted by David on April 12, 2011
Posted in: subgraph. Leave a Comment

Vega is about to be released publicly. Beta is May 1. We will be demonstrating Vega at OWASP Ottawa on May 12.

Additional details and screenshots coming soon, prior to the beta. Follow us on Twitter to be informed right away.

We are holding a training class on penetration testing web apps this summer (July 6-7) in Montreal, and attendees get a free copy of the commercial version of Vega, Vega pro. Click here for more details.

A First Look

Posted by David on November 25, 2010
Posted in: subgraph. Tagged: , , , , . 1 comment

Subgraph is building a software application called Vega.  It crawls websites and analyzes the pages, looking for vulnerabilities and sensitive information.  Concerned about the security of your website or some application you’re deploying?  The automated scanning mode can be used by a variety of users, including the web developers themselves, as a phase in web application QA or deployment.  Vega will also have features for more tactical penetration testing, intended for use by skilled security testers.  Below are some screenshots of the work we’ve done so far. There are three: the scan information interface, an alert and the proxy.

The scan information interface displays a summary of an active or completed scan, and any alerts that were generated.  The user can select a specific alert for more information.

Each alert explains the identified issue in summary and in detail, ranks it by severity, and offers remediation instructions, if possible.

Vega is fully extensible: the modules that run and generate the alerts can be created by users. Existing modules that ship with Vega are easily modifiable.  The modules are written in Javascript and can be added or removed from Vega by simply moving them in or out of the right directory.

The alerts generated by the modules are rendered using XML template files that are also created by users.  Vega will ship with a vanilla suite of as many modules and pre-made alert templates as make sense.  The API is very easy to learn, intentionally designed to facilitate community participation.  Would-be contributors can expect at least one pleasant surprise.

The proxy is meant for instrumentation of the web application during focused penetration testing.  Skilled users will be able to isolate and intercept requests and responses.  They’ll be able to modify them by hand before releasing them, replay them, etc.

Vega itself is written in Java and runs on Windows, Mac OS X and Linux platforms.

More later, thanks.

Welcome to keystream, the Subgraph Blog

Posted by David on October 25, 2010
Posted in: subgraph. Leave a Comment

Welcome to keystream, the Subgraph blog.

Subgraph is an information security startup based in Montreal founded by veterans of the security industry.  Subgraph was incorporated in February 2010.  We’ve been flying low.

So what have we been up to?  We have spent the last couple of months designing and building our first product.  Vega is an open source vulnerability scanner for web applications.  You point it at your website and it tries to find vulnerabilities, including well-known classes of bugs such as cross-site scripting and SQL injection.  Vega also includes a proxy mode that can be used during penetration tests.  The first version of Vega is coming soon: we’ll be releasing it to the public at the beginning of 2011.  It will be free for anyone to use.

On keystream we’ll talk about the things we find interesting in security, including new research and interesting web vulnerabilities.  We’ll also make company and product announcements.

Thanks, and stay tuned.