https://abhijith.live
1
Automating Web Application Security Testing Using Hubot Artificial Intelligence Chat Bot
Abhijith B R / @abhijithbr
Thoufeeque N S / @thoufeequens
#BsidesDelhi2017
:~$ whoami
• Abhijith B R
• Sr. Security analyst at EY
• Traveller and Blogger
I do blog : https://abhijith.live
Twitter : @abhijithbr
:~$ whoami
• Thoufeeque N S
• Security analyst at EY
• Breaking applications for a living
• Love to play with radio devices
• Licensed ham radio operator
Twitter : @thoufeequens
groot@hubot:~$ Significance of Automation and AI
• This is the age of automation, artificial intelligence and machine learning.
• Even the most sophisticated tasks are being automated.
• Robotic process automation and NLP/AI based technologies are emerging in the technology world.
• Corporations see it as a solution for cost cutting and as a smart way of working.
• AI is an area of interest all the time! We can say that cognitive artificial intelligence is still very far from reality.
• Big corporations are all behind AI technologies, to make the world a better place.
• Let's hope so!
groot@hubot:~$ Chat Bots? The history!
• ELIZA bot
  • Created in 1966 at the MIT AI laboratory
  • Used pattern matching and substitution methodology
• A.L.I.C.E bot
  • Artificial Linguistic Internet Computer Entity
  • Uses AIML (Artificial Intelligence Markup Language)
• New generation chat bots
  • Quite powerful, using machine learning and powerful AI algorithms
groot@hubot:~$ ChatOps, DevOps and SecOps
Essentially it can be defined as: including tools and services within the conversation itself!
groot@hubot:~$ ChatOps, DevOps and SecOps
Some popular names in the ChatOps industry
Why can't we use ChatOps for security testing?
groot@hubot:~$ Benefits
• Commands vs natural language
• The project team/dev team does not need to know the complex testing scenarios
• More productivity
• Use multiple API services (scanners, other security services) from different vendors
• A virtual assistant only for security or penetration testing
• We can treat this bot as a person with a huge amount of knowledge about information security
groot@hubot:~$ Benefits
• The same infosec chat bot can be helpful for both security testers and project/development teams
• Helps the security testers save time and concentrate more on other important work
• Helps the project/developer teams with the security policies, remediation plans etc.
Automation of web application security testing: mostly the boring tasks!
What to automate?
How to automate?
Why do we have to automate?
groot@hubot:~$ What to automate?
• In pen-testing as a profession, we have to repeat a lot of boring tasks on a daily basis.
• Automation of complex corporate security policies and rules
• So just automate the most boring and repetitive tasks
• Sometimes it takes a lot of time to answer the queries of project teams and developers
• Most of the queries will be about the secure development policies or how to fix previously found vulnerabilities
• Why can't we automate this?
• Automation of pen-testing and other manual tasks
groot@hubot:~$ How to automate?
• Automation scripts or methodologies in various languages
• APIs for cyber security services
• Write custom automation scripts for manual testing
• Finally, link all of these to the NLP/AI chat bot
groot@hubot:~$ Why do we have to automate?
• It saves time and improves productivity.
• If we can automate something, why should we waste time doing it manually every time?
groot@hubot:~$ Finding the best bot for our purpose
• We've looked for a few bots which can actually do "stuff"
• Some of them are as follows
  • COG bot
groot@hubot:~$ What exactly is Hubot?
H U B O T (commissioned by GitHub)
• After the comparison we decided to go with Hubot
• An open source chat bot made by GitHub
• It was used in GitHub's company chat room to automate things
• Hubot comes with a small set of core scripts
• Written in CoffeeScript on Node.js
• Easily deployable to a wide set of platforms such as Slack, Heroku etc.
groot@hubot:~$ Advantages of using Hubot with Rocket chat
• Open source and ultimately free
• User permissions and roles can be set for both Hubot and Rocket chat
• Sensitive command execution privileges can be limited based on users and roles
• The Rocket chat web interface is lean and responsive
• Rocket chat supports AD authentication, which makes it perfect for internal use
• Highly extensible
• We can access internal chat servers using a VPN
groot@hubot:~$ Recipe for the perfect bot
groot@hubot:~$ Let’s start building our bot
Image rights belong to Hubot/GitHub
groot@hubot:~$ Scraping the existing Hubot scripts
Keep digging till you find it
• Where to look:
  • Github.com/hubot-scripts
  • NPM: hubot-scripts
• Dig deep enough, because we are damn lazy to write all the required scripts from scratch
• A great collection of hubot-scripts is already out there for information security
• We can just use them or modify them as per our requirements
groot@hubot:~$ Creating new scripts for security testing
• CoffeeScript can be used to create new scripts that extend the functionality of our bot
• We wrote a few; rented a few
• Created a bunch of scripts to automate manual testing scenarios
groot@hubot:~$ Using Python and Bash scripts
• Yes, we can integrate Python and Bash scripts into our chat bot
• Which means a wide variety of web security testing or automation scripts can be invoked using simple human-like interaction
• Just imagine the possibilities
We named our chat bot Sheru!
Sheru is a dumb tiger in Malayalam comics who obeys the commands of his friend, a tricky fox!
Let's hope our bot 'Sheru' is much more intelligent than the tiger!
It’s Demo time!!
groot@hubot:~$ What's next?
• We tried to make our bot talk human!
• But integrating with artificial intelligence API services will make it much more powerful
• Hubot will send every query to these API services before executing them
• That is not something we need in a security testing bot
• The solution is to create an exception and send only the queries Hubot could not resolve to online AI libraries
• This way it will not send sensitive queries to API services, and it helps the bot obtain more human-like behaviour
groot@hubot:~$ What's next?
• AI / NLP API services
groot@hubot:~$ Security concerns
• The chat bot server (Kali Linux) must use less privileged user accounts
• Please make sure only a limited number of users have access to execute shell and other external scripts
• For internal use it's better to use AD/LDAP authentication for chat room users
• If we are targeting developer teams as well, make sure they can only execute commands regarding policies and cannot invoke any pentesting automation scripts
• Authentication, Authorization, Accounting
Shoot your queries!
Thank you all!
Thank you #BsidesDelhi
References:
https://hubot.github.com/
https://abhijith.live
https://nodejs.org
https://npmjs.com
https://rocket.chat
https://abhijith.live/infosec-bot-using-hubot/
Thanks to our friend @boney for giving a hand with internal automation scripts
All image rights go to their respective owners
