Discover how graph analysis can improve web assessments by saving time, focusing on what matters, and enabling surgical testing. Learn about success cases, security visualization, and future developments.
Graph Analysis for WebApps: From Nodes to Edges
Simon Roses Femerling
Security Technologist and Researcher
Intro - Who I am
• Native of the wonderful island of Mallorca in the Mediterranean Sea
• Postgraduate in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts
• Formerly at PwC and @Stake, among others…
• Security Technologist (ACE Team) at Microsoft
Talk Objectives
• Success cases using graphs in the security space
• Not a class on graphs
• Improve web assessments by:
  • Saving time
  • Focusing on what matters
  • Surgical testing
Agenda
• Overview
• Process
• Data Analysis
• Summary
• Q&A
Why?
• Apps get more complex every day
• Tired of using a poor tool set
• Move away from raw text
• Need to identify patterns quickly
• Time is precious and usually you don't have enough
Security Visualization
• Becoming a popular field
• Needs a lot of research
• Makes it easier to analyze data
• We perform better with visual images than with raw data
Success Cases: Visualization
• Reverse Engineering
• IDS Log Analysis
• Network Analysis
• Source Code Review
http://secviz.org/
Process
• 3-step process: SOURCE → NORMALIZATION → ANALYSIS
SOURCE
• Independent of black-box or white-box approach
• The more data we get, the better (everything is important)
• Lots of tools can help us:
  • Proxies
  • Crawlers
  • Scanners
NORMALIZATION
• Raw data is normalized
• XML, for convenience
• The normalization / analysis engine is key
ANALYSIS
• Start identifying issues more easily and faster
• Visual approach
• Make decisions and focus testing
• Data mining is the key
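The SOURCE → NORMALIZATION step, as an added example that is not part of the deck and not the author's PANTERA code: raw proxy or crawler captures (constructed here, for a hypothetical host shop.example) are reduced to one uniform XML <page> record each, carrying exactly the data points the analysis slides later query on (links, forms, hidden inputs, cookies, SSL, scripts, comments).

```python
"""Normalize raw HTTP captures into XML, one <page> record per response.

Added example for this deck, not the author's PANTERA code. It assumes a
proxy or crawler dump represented as Python dicts with the keys
url / headers / body; the captures below are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample captures (hypothetical host shop.example).
RAW_CAPTURES = [
    {"url": "http://shop.example/",
     "headers": {"Content-Type": "text/html"},
     "body": '<a href="/login">Login</a><a href="/cart">Cart</a>'
             '<!-- TODO: remove debug endpoint -->'},
    {"url": "https://shop.example/login",
     "headers": {"Set-Cookie": "PHPSESSID=abc123; Path=/; HttpOnly"},
     "body": '<form action="/login" method="post"><input name="user">'
             '<input type="password" name="pass">'
             '<input type="hidden" name="next" value="/"></form>'
             '<a href="/">Home</a><script>init()</script>'},
]


class PageFeatures(HTMLParser):
    """Collects the data points the analysis step will query on."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links, self.forms, self.inputs, self.comments = [], [], [], []
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attributes without a value become ""
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self.forms.append((urljoin(self.base_url, a.get("action", "")),
                               a.get("method", "get").lower()))
        elif tag == "input":
            self.inputs.append((a.get("name", ""), a.get("type", "text").lower()))
        elif tag == "script":
            self.scripts += 1

    def handle_comment(self, data):
        self.comments.append(data.strip())


def normalize(capture):
    """Turn one raw capture into a <page> element with uniform attributes."""
    parser = PageFeatures(capture["url"])
    parser.feed(capture["body"])
    ssl = urlparse(capture["url"]).scheme == "https"
    page = ET.Element("page", url=capture["url"], ssl=str(ssl).lower(),
                      scripts=str(parser.scripts))
    for href in parser.links:
        ET.SubElement(page, "link", href=href)
    for action, method in parser.forms:
        ET.SubElement(page, "form", action=action, method=method)
    for name, kind in parser.inputs:
        ET.SubElement(page, "input", name=name, type=kind,
                      hidden=str(kind == "hidden").lower())
    for header, value in capture["headers"].items():
        if header.lower() == "set-cookie":
            # keep only name=value; the flags can be analysed separately
            ET.SubElement(page, "cookie").text = value.split(";")[0].strip()
    for text in parser.comments:
        ET.SubElement(page, "comment").text = text
    return page


def normalize_all(captures):
    """Wrap every capture in a single <site> document."""
    site = ET.Element("site")
    for capture in captures:
        site.append(normalize(capture))
    return site


def to_xml(captures):
    """Serialised form, ready to be loaded by the analysis engine."""
    return ET.tostring(normalize_all(captures), encoding="unicode")


if __name__ == "__main__":
    print(to_xml(RAW_CAPTURES))
```

Feeding a real proxy log through `normalize_all` is only a matter of mapping its record layout onto the url / headers / body keys; everything downstream then works on the uniform XML rather than on whatever each scanner or crawler emits.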
Target Relationship
• Query: Pages that link to Home
• Objectives:
  • Learning about the target
  • Mapping the application
FORMS + HIDDEN
• Query: Pages that contain a form and a hidden tag
• Objectives:
  • Data entry point
  • Tamper with the hidden tag
COOKIES
• Query: Pages that set a cookie
• Objectives:
  • Does it contain a session ID?
  • Tamper with the cookie
SSL
• Query: Pages that use SSL
• Objectives:
  • Check the SSL certificate
  • Can I call the pages without SSL?
Attack Surface
• Query: All data points
• Objectives:
  • Have fun
Analysis tips
• Diff between pages
• Which pages contain the most data entries?
• Which pages contain the most issues?
• Identify pages with script code, comments, etc…
• We are constrained by:
  • What we know about the target
  • Our imagination
Now what?
• Improve our security testing
• Fuzzing
• Generate attack trees / attack graphs
• Threat modeling
Data Analysis Goal
Build a focused attack roadmap to test the target
Security Visualization Coolness
• Makes our lives easier
• Allows for easy pattern identification
• Cuts down our analysis time
• Focuses security testing
• Adds cool visuals to the report
Future
• Adding graph analysis to PANTERA
• Some current research into web security graphs
• Build an automated process
• Check out OWASP Tiger (http://www.owasp.org/index.php/OWASP_Tiger)
Nice toolset to play with…
• Python
  • Pydot (http://code.google.com/p/pydot/)
  • pGRAPH (included in PAIMEI)
• Java
  • JUNG (http://jung.sourceforge.net/)
  • JGraphT (http://www.jgrapht.org/)
• .NET
  • QuickGraph (http://www.codeproject.com/KB/miscctrl/quickgraph.aspx)
  • MSAGL (http://research.microsoft.com/research/msagl/)
The End
• Q&A
• Important: Beer / hard liquor (Vodka Lemon, Margaritas, Mojitos, you name it…) are always welcome
Simon Roses Femerling
www.roseslabs.com