AksharTank

BSides Calgary · 2022 · 32:48 · 10 views · Published 2022-12

About this talk
A practical guide to automating penetration testing workflows through custom scripting and tool orchestration. The talk covers shifting security left into the development lifecycle, common vulnerability patterns across applications, and demonstrates real examples of automation—from reconnaissance (subdomain enumeration, historical data collection) to exploitation (SQL injection detection, secret mining from JavaScript files). The speaker emphasizes that automation should augment manual testing, not replace it, while highlighting the importance of managing false positives and maintaining context awareness for business logic vulnerabilities.
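The reconnaissance step the talk below describes (a bash one-liner that merges crt.sh output with a DNS data set and ends up with second-, third- and fourth-level subdomains), as an added Python example that is not the speaker's script: it parses constructed crt.sh-style JSON and a constructed host list, normalizes wildcard and mixed-case entries, keeps only hosts that sit under the in-scope roots at a label boundary, and groups them by level. The sample data, the `ROOTS` list and every helper name are this example's own assumptions.

```python
"""Merge subdomain sources (crt.sh-style JSON plus a plain host list) into per-level lists."""
import json

# Constructed crt.sh-style JSON. The real crt.sh JSON output does carry a "name_value"
# field that can hold several newline-separated names; every value below is made up.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.a.com\napi.a.com"},
    {"name_value": "*.dev.a.com"},               # wildcard entry
    {"name_value": "Staging.Api.A.com"},         # mixed case
    {"name_value": "api.a.com"},                 # exact duplicate
    {"name_value": "b.com\ncdn.b.com"},
    {"name_value": "a.com.evil.example"},        # out of scope: root appears only as a prefix
    {"name_value": "notb.com"},                  # out of scope: suffix match without a label boundary
])
# Constructed second source, one host per line, standing in for the talk's DNS data set.
DNS_SAMPLE = "mail.a.com\nDEEP.v4.api.a.com.\n\ncdn.b.com\n"

ROOTS = ["a.com", "b.com"]  # the in-scope root domains handed to the script


def normalize(name):
    """Lower-case, strip whitespace, a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(host, roots):
    """True only when host is a root or sits under one at a label boundary."""
    return any(host == r or host.endswith("." + r) for r in roots)


def parse_crtsh(raw_json):
    """Explode every name_value field into individual normalized names."""
    names = set()
    for entry in json.loads(raw_json):
        for n in entry.get("name_value", "").splitlines():
            n = normalize(n)
            if n:
                names.add(n)
    return names


def parse_hostlist(text):
    """One host per line; blank lines ignored."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def collect(sources, roots):
    """Union all sources, drop out-of-scope hosts, return a sorted de-duplicated list."""
    hosts = set().union(*sources)
    return sorted(h for h in hosts if in_scope(h, roots))


def by_level(hosts):
    """Group hosts by label count: a.com -> 2, api.a.com -> 3, deep.v4.api.a.com -> 5."""
    groups = {}
    for h in hosts:
        groups.setdefault(h.count(".") + 1, []).append(h)
    return groups


if __name__ == "__main__":
    found = collect([parse_crtsh(CRTSH_SAMPLE), parse_hostlist(DNS_SAMPLE)], ROOTS)
    for level, names in sorted(by_level(found).items()):
        print(f"level {level}: {', '.join(names)}")
```

The label-boundary check in `in_scope` is the part a quick `grep a.com` one-liner gets wrong: it would happily keep `notb.com` and `a.com.evil.example`.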
Transcript [en]

This talk won't be so much from a technical standpoint of how we can do this and that; it will be more focused around why and how we should do this. Okay, so without getting into jargon, a little bit about myself: I am a security engineer currently working at Bobby body soft Tech. I have more than three years of experience. To be honest, I am more in love with bug bounties, but as we all know, with time we like to switch, or at least try to see other fields just to get a bit of change, so currently I'm doing DevOps automation, and code reviews are what I'm liking more these days.

Apart from that, I'm really active in bug bounties. At first I hunted mostly on HackerOne and Bugcrowd, but now I mostly hunt on Synack [inaudible]. Apart from all these tech jobs, I like to play games, of course; I play [inaudible], so if you want to say hi there, this is what I do.

Okay, so let's start with the actual talk itself. Whenever you are doing black box pen testing, you don't know what the code behind might be, what is lying behind, and how you want to test it, right? But let's try to shift left and try to think as a developer. While coding, we know that most developers share the same mindset; if not 100% of the developers, at least the team of that specific company, of that specific project, has the same mindset. So you can think that the code written at one place would be similar to the other functionality; let's say access control on one API will be the same as the access control code elsewhere. And more to add on to this, many companies have guidelines for how the developers should proceed, so this also favors the first factor, that most of the coding patterns will be seen throughout our application.

Moreover, we know that Stack Overflow is there to copy the code; I mean, one can copy the code of another person, and that goes on. And also, just to add on, whenever someone copies the code, that code is not actually verified as to whether it is secure or not, which adds more to it. So I guess that this leads to the same mistake over and over and over again at a multitude of places. If someone here is a pen tester, then they might know that they are able to find the same type of bugs throughout many of the projects or throughout many of the applications.

So why is this so? I mean, there should be a reason, right? So the biggest reason is that they lack the mentality of shift left. Basically, shift left is a mentality where you continuously push your code and pass it through the security controls, so that such low-hanging fruits as, let's say, a SQLi or an easy-to-find XSS, or even, let's say, some vulnerabilities that are present in the project (many of you might know that software composition analysis and tools such as SAST can find low-hanging fruits), thank you. So I can say that not most of the companies, but around 50 percent of the companies, lack the secure SDLC controls in their environment, and basically there are no SAST tools, DAST tools, assessment, static analyzer or dynamic analysis to eliminate such low-hanging vulnerabilities.

So what happens is that whenever a project is there, there is no budget for security itself, and let's say once there is a security incident, then 90 or even 70 percent is given to the security of that project, right? Everyone might know about the Uber hack, right? Even though they are extremely, I would say, well defined in their security, they have that bug bounty platform and everything, they got hacked, and just after some days there were many security openings to work. So even if it's Uber, then you might be able to think how the scenario would be for the companies that are not that security advanced.

Okay, so this was all the reason, but the talk is about automation in pen testing, so let's start from here, and feel free to ask any question in the comment box; if you have any questions we can address them in between. Okay, so the automation part. But let's take a step back and try to think that whenever we do a pen test we do some tasks such as reconnaissance on the scope, or let's say some fingerprinting and all that stuff, like listing some domains, or port scanning, or checking the services that they offer, the legendary -sV flag of Nmap to find the version, and then trying to find the vulnerabilities around that. So those are the tests I guess most people might be doing, right? And let's say the second step, after fingerprinting, is that if you see a Cisco ESA product you would check for path traversal, right? Let's say if it is a Firebase database, where you have that URL extracted from the Android app, then you'll be checking whether that .json endpoint is accessible or not. Just to give you an idea, in a Firebase database, if let's say you have set the ABC entity to public, then just by adding /.json you can access the whole database, but mostly it's a kind of rare mentality these days. And the final one is that let's say if there is a service such as an FTP service, you can check whether anonymous login works or not, or let's say for SSH you will be checking root, admin123, test, such passwords. So I guess, as far as I understand black box pen testing, I think that this could be easily automated, and as these are so time consuming and we have deadlines to meet the targets, that at this particular time we need to deliver the project, so instead of wasting that time we can automate it easily, right? So how can we do this? Well,

let's see. Okay, so before we dive into that specific part, I just wanted to give you some reality checks on this, that many people might be thinking that automation is so boring, or even coding is so boring, and from the start we have been fed this agenda that coding is not necessary in pen testing. But everyone knows that after some years there would be this reality check that coding is actually necessary; even if you are not as hardcore as a developer, just by knowing a little bit of coding here and there it can make your life much, much better, right?

So back on the topic: many people might be thinking, no, we don't want to do that, let's grab some automation framework and we'll be good to go with it, right? But just to be clearer on that, these types of frameworks are not contextually aware; I mean, whatever type of testing you might be doing, or whatever type of test cases you might be following, they might not be doing that, because they are not contextually aware of that. Okay, the second thing is that the automation might be using, let's say, a word list that is quite huge, let's say the size is in MBs, and you might not want to flood your target with some irrelevant data. So rather than using that, I would say that automation is [inaudible]. The last point is that this leads to much, much more noise; I mean, your client might not like it that you are sending 500 or 600 requests per second, which is not wise, and that is quite less efficient.

So yeah, the light bulb moment, I would say, is: what if some basic checks, as I mentioned, fingerprinting the service and then finding a vulnerability that is related to that, or even, let's say, making a word list out of the application itself, how can you automate it? It might be that a five-minute task can take hours to automate, but collectively, if you add up the time in the future, it would be quite, quite efficient. I have followed this approach myself when I was starting as a pen tester, and to be honest some automation scripts that I built in my initial days are still relevant today; even though I just had to change some bits here and there, they still are working.

Let me give you a specific example of how you can approach making this type of automation. I have divided it into two parts. Let's say that many times it happens that if you are in a product-based company you might be stuck to a particular tech stack; let's say it could be the MEAN stack or the MERN stack. So you might know that you are going to work only on this stack, so you can build all your automation around it. Let's say if it is a Node application you can write test cases according to it and then you can write your automation around that; let's say if your application is .NET you can write your test cases around that. So let's get on with an example. I guess the biggest proof for this is MobSF; everyone might have used or be using MobSF in Android pen testing, right, so it just disassembles the file and gives you all the content in a nice way so that it could be processed by you for manual analysis. But let's say you are working in a service-based company; many companies follow a checklist, or they even leave it to the pen tester itself what they want to test. So let's say if the pen tester [inaudible] framework, then he can write little scripts in bash or in Python or any language of your choice, that these are some of the tests that I want to do; let's say I want to check SQL injection in each and every parameter, each and every header, and let's say if it is a REST API then each and every item that is present in that. So you can do that, and I can share some ideas at the end of this presentation on how you can do that.

Okay, just one thing: please feel free to drop any questions if you have them; I would be fine with it, it won't interrupt the presentation. Okay, so back to the presentation. A simple bash one-liner that I had

written in my initial days: let's say I want to collect as many subdomains as I want. I guess when I was starting there were no subdomain tools such as Amass or SubFinder, which are great for it; I mean, they are frameworks to do that single job, but they were not available at that time. So what I did was this ugly, sorry, ugly bash one-liner. What it does is that basically it gets your domains from the certificate search, crt.sh, as well as the DNS [inaudible], and then it processes it. Let's say I have given my list of domains, let's say a.com, b.com, c.com; so the final file that I would be getting would be like second-level subdomains, third-level or even fourth-level if they are present in this data set. So in the future, whenever I got a pen test which had a wide scope, I used to use this bash one-liner to dump as much data as I could get.

This is the second example that I was using; I'm not currently using it, but it was again from the starting days. Let's say if I'm getting a domain, I would be feeding this domain into this script, and what it would do is list out subdomains for me from Sublist3r as well as [inaudible] as well as Amass, right, and let's say once everything is done I would be getting a clean output in a .txt file, which I can later feed on to the next part. So it was a part of the whole framework that I built, and it was again the same as this bash one-liner but in a little bit neater and cleaner format, which I later evolved. So I would say that the aim of showing these two examples is how I went from this to this. It is all because I had that mentality that I don't want to do some boring tasks; I want to go into the rabbit hole of finding a deserialization vulnerability rather than finding as many subdomains as I want. So this was a little bit dirtier version and the second example was much cleaner, and let's say if I want to share my code with someone to edit it, or let's say extend the script, then I could easily have done it. So this was for the recon part; now let's say for the exploitation.

Okay, so that was this. Now, when I was working in IBM, I mean before this, I was working in IBM with one of our big clients, which was in the telecom industry, and they had one feature that let's say if you have a discount coupon you can get the discount by applying the same code. And what I was able to find was that the same coupon could be used multiple times; I just wanted to change two digits and I could keep cycling it over and try to catch as much discount on a subscription plan as I wanted. So what happened was that I reported this: that first of all there is this rate limiting, and second, there is this discount coupon that has this business logic. So instead of rate limiting the endpoint as well as fixing the logic of discount coupon generation, what the developer did was implement just a CSRF protocol, so let's say if I click once and submit the discount coupon, the second time it won't be giving me the CSRF token, and I will be able to submit it the next time. So I guess that this fix was a bit bizarre and not secure. So what I did was that I took the request, put it into the curl command (I mean, I was using bash at that time; now I have mostly shifted towards Go, I use a bit of Python, but I think that Go is much better nowadays), and yes, what I did was I put that request into the curl one and fetched the CSRF token, and again put this CSRF token with that curl command and looped that over. So these seven lines of code gave me the ability to, let's say, grab as much discount as I want. So actually this was the thing, and later even the developer didn't realize anything to fix it, but after some escalations he did think so. Okay, so this was a bit about my journey,

I mean, how I was able to do such things and everything. The thing is how you can start building your automation; I mean, even the little scripts, I would call them automation; they are just the scripts that make your life easy. Okay, so I would suggest that first of all, start learning a language such as bash or Python, or even if you are good to go with Ruby or any of the languages that can leverage your computing power as much as you can, then I guess learn that. The second thing is to start making a list, I would say a checklist, of the checks that you do every time. Let's say you check for SQL injection in each and every parameter; okay, let's say you want to find reflection, let's say you pass a canary into a parameter, let's say ABCD, and the same is reflected in the response; everyone might be doing that, it's for XSS, right? And once this list is built, I guess then you need to give a thought to how you can automate it with the language of your choice. As I told you, in the initial time the code will be quite, quite dirty; I mean, if a developer sees it they would be like, you don't know how to do it. But I would say keep it, as we all know that if it works, don't touch it. Okay, so try to use it in your daily life and with time just try to develop it. And let's say when those checks are up and running, combine the relevant scripts together so that you can have a whole set of them. I would say that just in days or weeks you won't be able to build your whole framework, but little by little, within some months or even a year or so, you would have a chunk of little scripts that work together and make your life easy.

So let me share some ideas that you can implement in your own automation framework. The first thing is that you can make some fuzzing scripts. Basically, a fuzzer is a program that throws random input at a particular place and, let's say, processes, or I would say holds, that data or the response in a particular place. I would say process, because if you might know what to expect in return you can process it and just save the relevant output data, or let's say you can store the responses and later process them. Okay, so let's say such programs can be made that take the whole request as an argument with the word list of your choice, as well as, let's say, you want to check at the time what data is going, you can simply proxy your data through and examine the response; let's say if you don't want to save it somewhere else, you can do it in Burp. I have done it many times that I made some scripts for this, fuzzing scripts, and passed all of my data through Burp so that I can have all the records that I have needed on the client, and it could be passed on to someone else, so that I can also show that I have tested this.

Okay, now let's say you have made these scripts, and with time you can change them; as I mentioned again, changes can be made according to the vulnerability that you have found. Okay, if it is XSS you can, let's say, instead of passing a canary you can have a word list that is of XSS payloads, and this script would throw all the payloads at that vulnerability; particularly I would say not to go harsh on the application because it might crash, and again we can be [inaudible]. The second thing is that you can find vulnerabilities from the historical data itself. I guess everyone might know about the Wayback URLs and AlienVault, and there are many other services that hold historical internet data; for example, what Gmail looks like now in the present day, if you compare it with what it might have looked like three or four years ago, it might be completely different. So this data is stored somewhere, right? So you can fetch it; let's say you can use these Wayback URLs as well as AlienVault to get it. There is a tool called Gau which gets all the URLs from both of the data sources so that you don't have to go online. Okay, now let's say you can parse it, and once it is parsed, let's say for parameters, or even for URLs, or even for JS files, let's say you want to mine secrets from it. Just to give context, this idea could be used as well, let's say if you're hunting for vulnerabilities on a bounty platform or, as we all know, a bounty program, it could be useful for you. And let's say you can come back to the idea and you can process such patterns and data to find vulnerabilities. Then, I would say, let's say you are getting all these URLs but you want to find SQL injection in each and every parameter. Just one thing: everything here would be just in the form of URLs, so in case you want to find POST parameters then you need to first [inaudible] which parameters are working. But let's come back to the URLs only; you can pass them to sqlmap for just the detection phase. I won't suggest going over the exploitation phase, because it would create hundreds or thousands of requests, and even the WAF can block you, or the client can block you, or anything can happen. So I would say that once the detection is confirmed you can go for the exploitation part by yourself, manually. Okay, the same ideology, as I told you, could be used for XSS: get all the URLs, get your script to process every parameter, get your word list for the payloads, enter it into the parameters and run it, and just try to save the response for later examination.

Okay, we are approaching the end of the talk; again, questions are welcome in between as well. And again, my talk till now was just focused on what steps you can take, but it might also happen that we don't want to reinvent the wheel, right? So there are some really, really good tools available in the whole security community, such as feroxbuster, ffuf, Gau, nuclei, SubFinder, dnsx, you name it; I mean, the tool that you can imagine is already, might be or might have been, built out with much more efficiency than you can imagine. What you can then do is take those tools, make an assembly line out of them, and in the end you can get something very valuable for your test. For example, you can get a list of subdomains, let's say from SubFinder, then from Gau you can get historical data for all those subdomains, then you can grep for JS files. Okay, let's say once you get all the JS URLs you can fetch those and feed them into TruffleHog. Actually TruffleHog is a tool that finds high-entropy data; entropy means complex strings, basically, just to be simple, high-entropy strings from the code, and then you can check whether that particular key is working or not, let's say for Google Maps, for your Google project, it starts from AI, right? And then the string goes on. You can even grep these JS files, if you have downloaded them, for a particular set of patterns; there is a project called GF which is made by tomnomnom, and you can, I guess, take it. What it does is that it has already made regexes for some particular cases; you can run it on all these JS files. So TruffleHog as well as GF.

Okay, so last but not least, I would say this might be the most important part. Let's say if you have built your automation, keep these things in your mind: that automation is here to help you; it's like your assistant that can do just one or two percent, or even 10 percent, of your work, but not the whole itself. You can rely on the exploitation of the tools itself, but I would say that it could create a whole lot more false positives that you need to tackle again; I mean, you of course want to observe or process the output of your automation.

The second thing is that automation could generate a lot of false positives and could as well miss critical vulnerabilities; as we all know, business logic vulnerabilities, or IDORs, or even, let's say, RCE low-hanging fruits such as upload file vulnerabilities, or anything, could be easily missed by these automations, because every application has different logic for how such vulnerabilities could be exploited. So I guess it of course needs some manual intervention. And last but not the least: manual testing could never be, I would say, even if it's an AI or ML model that wants to pen test an application, it can't do it, because of course it won't be contextually aware, and the application might be 10, 20, 30, 100 pages, but the AI won't be having that first data to process. So I guess manual testing is the best and it can't be replaced, but again, automation can help you to just lay off some of the lower-level work.

Okay, I guess I have finished my talk. This is my Twitter URL if you want to have some questions or you want to have something here. I'm open for questions; I guess we have a bit of time and I can address those.

thank you

Oh yes, yes, of course. You are on GitLab; as you might know, it supports webhooks, right, or let's say, just to be a bit clearer, any integration is possible. So you want... well, again, I'm just a bit confused. Are any integrations possible with pipelines? Like, yes, I guess GitLab has some webhook functionality which can pull data, or even can take data from APIs, which can then be referred to GitLab issues. I guess this is what you are asking here, right, that you want to take issues from your framework or any of the frameworks and want to post them as GitLab issues without doing it one by one?

Oh yes, yes. As I mentioned, once a DevOps engineer has made the whole DevOps pipeline, then you can integrate some SAST tools such as Checkmarx, or even some open source ones. Let's say if you are using, I guess it's in GitHub, let's say your pipeline is made in GitLab itself, right, so what you can do is that you can use Semgrep or even some code analysis tools such as Checkmarx, Sonar and some DAST tools to verify whether you have any vulnerabilities or not. So that concept as a whole, and then there is the DevSecOps pipeline, and I guess what you can do to secure your pipeline, let's say for example your application is written in Node or even a specific language, you can Google whether there are any static or dynamic analyzers for that code or not, and then you can plug them into your GitLab CI/CD pipeline, which can find some issues, and with the help of GitLab webhooks you can create issues out of that. I hope that I answered that question.

Yeah, exactly. So actually CodeQL came into my mind, but I guess the question is [inaudible].

GitHub, I guess; yes, it's GitHub, for only GitHub, so making it... he might need to switch everything from GitLab to GitHub to use CodeQL as well as GitHub Actions, which I guess is also a quite big step in terms of DevSecOps.

Okay, anyone having any other question, or can we wrap up? Okay guys, so thank you so much, thank you so much for letting me give this talk, and I really appreciate everyone present here as well as the BSides team. If you have any questions you can just drop me, I mean just message me or do anything on Twitter, and I would be happy to help. Bye everyone.
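The JS secret-mining stage of the tool chain the talk describes (historical URLs, grep for .js, then TruffleHog's entropy check and GF's regex patterns), as an added Python example that is neither the speaker's code nor TruffleHog's or GF's: it runs two publicly documented key-prefix patterns and a Shannon-entropy pass over a constructed JS snippet, with a filter that keeps long identifiers and version strings from becoming the false positives the talk warns about. The sample bundle, the threshold and all helper names are assumptions of this example; the same check is what a team would run over its own bundles before a release.

```python
"""Mine candidate secrets from JavaScript text: known key formats plus a Shannon-entropy pass."""
import math
import re
from dataclasses import dataclass

# The two prefixes are publicly documented key formats; the tokenizer, the
# threshold and the false-positive filter below are this example's own choices.
KNOWN_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")  # base64/hex-looking runs of 20+ chars
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 is ~6, English words ~3-4

# Constructed sample bundle; the values are made up and work nowhere.
SAMPLE_JS = """
// constructed sample bundle, not a real application
var cfg = {
  mapsKey: "AIzaSyA1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6R",
  apiBase: "https://api.example.internal/v2/",
  sessionSeed: "k8Jd93mPq2LxV7bNz4Rt0WcY6hU1sE5gA9fK",
  build: "20221215-release-candidate-01"
};
function initializeApplicationRouterModule() {}
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    entropy: float
    line: int


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(tok):
    """Cheap false-positive filter: real keys mix letters and digits; long identifiers
    and version strings rarely clear both this check and the entropy threshold."""
    return any(c.isdigit() for c in tok) and any(c.isalpha() for c in tok)


def scan_js(text):
    """Return findings in file order: known formats first per line, then high-entropy tokens."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                tok = m.group(0)
                if tok not in seen:
                    seen.add(tok)
                    findings.append(Finding(kind, tok, round(shannon_entropy(tok), 2), lineno))
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            # skip tokens already reported (or containing one) and obvious non-secrets
            if any(s in tok for s in seen) or not looks_like_secret(tok):
                continue
            ent = shannon_entropy(tok)
            if ent >= ENTROPY_THRESHOLD:
                seen.add(tok)
                findings.append(Finding("high_entropy", tok, round(ent, 2), lineno))
    return findings


if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f.line}: {f.kind} entropy={f.entropy} {f.value[:8]}...")
```

On the sample this reports the Google-format key on line 4 and the random-looking session seed on line 6, while the build string and the long function name are skipped; whether a reported key is live is a separate manual check, as the talk says.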