Automating web app security testing using Hubot AI/NLP chat bot – BSides Delhi

First of all, it was a privilege to present at the BSides Delhi chapter this year. It was a really awesome event, where we could share our knowledge, learn a vast amount of new stuff and meet great people.
This is the age of automation, artificial intelligence and machine learning. Even the most sophisticated tasks are being automated, so why can't we do the same for security testing? In pen-testing as a profession, we have to repeat a lot of boring tasks on a daily basis.
We have tried a lot of ways to automate some of those tasks using various methods. But plenty of people are already working on automating this stuff; all we have to do is make their work easily accessible. We are familiar with the terms ChatOps, DevOps, SecOps etc., which leads to a question:

Why can’t we use ChatOps for penetration testing?

We are all damn lazy! I don't know about you, but I'm a lazy person!
Then again, it is the lazy people who always come up with the most innovative ideas, to get the work done in the easiest way possible!

After researching for a while, I finally ended up with Hubot from GitHub, a chat bot automation framework written in node.js. Hubot itself is a scripting framework that matches messages against patterns; the AI/NLP part comes from the libraries you integrate with it.
This presentation is all about customizing this bot into a virtual assistant dedicated to web application and penetration testing, and interacting with it using natural language (NLP) instead of fixed commands.
We can treat this bot as a person with a huge amount of information security knowledge; it can do the many things it was trained (scripted) to do, in a human-like way.
I managed to create and add a bunch of customized security testing interaction scripts to make our job much easier.
A lot of hackers and information security professionals are working on automating security testing methodologies. We can plug their awesome work into our chat bot, and all those tasks can then be invoked using natural language. Imagine the possibilities!
Other than automating manual testing scenarios, this bot can help us with messy corporate policies and rules, which we tend to forget all the time. We could just ask this guy: Hey bot, what is our password policy? Or: what is the list of approved SSL/TLS cipher suites? Hubot answers from a single curated source, so everyone gets the same answer and the error rate is much lower than relying on memory.

This can be very helpful for
not only penetration testers, but also project teams and developers who need help with secure development or infosec policies.

We named the bot #Sheru! Remember the silly tiger from Malayalam comics? Even though he is dumb, we all love him, right?
Our BSides presentation slides are given below. They contain the ideas and the proof of concept!

The demo/PoC video presented at BSides Delhi is linked below! We created a chat room with four of us, including #sheru, just to demonstrate a few tasks using the bot.

What am I doing with the #Sheru bot now?

I'm working on the goals mentioned in the "What's Next" slide (slide 25) of the presentation above: integrating AI/NLP libraries for more human-like behaviour,
and getting the bot to perform a basic pen-test, including report generation.
Just imagine: you (whether a pentester or a project team member) ask our bot to perform an initial penetration test or security assessment against a web application or host. It performs a basic assessment and comes back to you with a report!
How cool would that be? The sky is the limit, eh?

Don't worry guys, #sheru-bot is not going to take over our jobs! 🙂 Just consider him an awesome team mate who is willing to help you with anything and has extensive knowledge of cyber security and penetration testing.
Manual security testing cannot be fully automated, at least not yet! (Maybe we will have to rethink that; some of the greatest minds on the planet are still working to make cognitive AI a reality. Let's see what happens next!)

Follow this blog post for more updates regarding this project!
Feel free to share your thoughts and comments!

When I shared this idea and my previous prototypes with Thoufeeque, he was more than happy to be a part of it! Thanks for that! 🙂
And many thanks to our friend Boney for helping us with his Python-Fu!