Nullcon Bangalore hacker Rahul Sasi has built the beginnings of what he hopes will become a vulnerability scanner that thinks like a human.
The ambitious project (PDF) is the work of Sasi and his team of six at security startup CloudSek, and is now going open source in the hope that the security masses will help build the human-like penetration-testing box.
The goals on paper read simply enough: meld the competency of web-savvy users with the intuition of a hacker and bake it into an automated tool.
This would allow it to navigate naturally around the web and identify the parts of a site that a hacker would target for the quickest returns.
In practice this requires the tool be able to follow dynamic user instructions so it understands that phrases like 'sign me up', 'let's go' and so forth all signify account registration.
Sasi reckons he's nailed the brief. He revealed his unnamed work-in-progress hacking weapon, the first of its kind, to security types at the Nullcon security event in Goa, India, and successfully demonstrated, on a site randomly chosen by the crowd, that his tool can find and register for a legitimate account and locate weak-looking profile-editing pages.
“You know from past experience where to click, the things to look for to hack, but machines can't do this,”
“We are trying to build this in piece by piece … to make security automation more human.
“It needs to be open source because the work required to expand it is so large … it is a huge challenge.”
Sasi says application security scanners are blind to many vulnerabilities such as insecure direct object reference bugs, where user ID numbers in URLs can be tampered with to mess with accounts; these are among the most common bugs and are time-consuming to locate manually.
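The insecure direct object reference pattern the article describes, as an added example that is not code from the article or from CloudSek's tool: a minimal profile handler that trusts the numeric id in the URL, next to a hardened version that enforces object-level authorization, plus the kind of regression check a defender can keep in a test suite. The account records, URLs and session ids are constructed for the demo; no web framework is assumed.

```python
# Added example, not from the article or CloudSek's tool. All data below
# is constructed: a tiny in-memory "database" of accounts keyed by user id.
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

ACCOUNTS = {
    101: {"name": "alice", "email": "alice@example.test"},
    102: {"name": "bob", "email": "bob@example.test"},
}


@dataclass
class Request:
    url: str            # e.g. "/profile?id=102"
    session_user: int   # id of the authenticated user making the request


def user_id_from_url(url: str):
    """Pull the numeric id parameter out of a URL such as /profile?id=102."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs["id"][0])
    except (KeyError, ValueError, IndexError):
        return None


def vulnerable_profile(req: Request):
    """IDOR: returns whatever account the URL names, never checking who asks."""
    uid = user_id_from_url(req.url)
    return ACCOUNTS.get(uid)


def hardened_profile(req: Request):
    """Object-level authorization: the id in the URL must match the session."""
    uid = user_id_from_url(req.url)
    if uid is None or uid != req.session_user:
        return {"error": "forbidden", "status": 403}
    return ACCOUNTS.get(uid)


def is_idor_exposed(handler, own_id: int, other_id: int) -> bool:
    """Regression check: act as own_id, request other_id's object, and flag
    the handler if it hands back another user's record."""
    resp = handler(Request(f"/profile?id={other_id}", session_user=own_id))
    return isinstance(resp, dict) and resp.get("status") != 403 and "email" in resp


if __name__ == "__main__":
    print("vulnerable handler exposed:", is_idor_exposed(vulnerable_profile, 101, 102))
    print("hardened handler exposed:", is_idor_exposed(hardened_profile, 101, 102))
```

The check is deliberately black-box: it needs only two valid sessions and one object id per endpoint, which is what makes it cheap to run across every id-bearing route after each deployment.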
The tool is built on machine learning and natural language processing: it uses vector space models to convert word strings into numbers, naive Bayes classifiers, and cosine similarity to improve training.
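The three building blocks named above (a vector space model, a naive Bayes classifier and cosine similarity), as an added example that is not code from the article or from CloudSek's unreleased tool, applied to the task the article gives earlier: recognising that differently worded links and buttons such as 'sign me up' and 'let's go' all mean account registration. The labelled training phrases are constructed and far smaller than anything a real tool would train on; the model is a plain multinomial naive Bayes with add-one smoothing over bag-of-words counts, and the cosine step compares a phrase against a per-label centroid vector.

```python
# Added example, not from the article or CloudSek's tool. Training data
# below is constructed: (button/link text, label).
import math
import re
from collections import Counter, defaultdict

TRAINING = [
    ("sign up", "register"), ("sign me up", "register"),
    ("create account", "register"), ("create an account", "register"),
    ("register", "register"), ("join now", "register"),
    ("let's go", "register"), ("get started", "register"),
    ("log in", "other"), ("sign in", "other"), ("contact us", "other"),
    ("about", "other"), ("privacy policy", "other"), ("forgot password", "other"),
    ("view cart", "other"), ("checkout", "other"),
]


def tokens(text: str):
    """Lower-case word tokens; apostrophes dropped so "let's" -> "lets"."""
    return re.findall(r"[a-z]+", text.lower().replace("'", ""))


def vectorize(text: str) -> Counter:
    """Bag-of-words vector (word -> count): the vector space model."""
    return Counter(tokens(text))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse count vectors."""
    dot = sum(a[w] * b[w] for w in a if w in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self, data):
        self.class_counts = Counter()
        self.word_counts = defaultdict(Counter)
        self.vocab = set()
        for text, label in data:
            self.class_counts[label] += 1
            for w in tokens(text):
                self.word_counts[label][w] += 1
                self.vocab.add(w)
        self.total_docs = sum(self.class_counts.values())

    def log_posteriors(self, text: str) -> dict:
        """Unnormalised log P(label | text) for every label."""
        words = tokens(text)
        out = {}
        for label, n in self.class_counts.items():
            logp = math.log(n / self.total_docs)
            total = sum(self.word_counts[label].values())
            for w in words:
                count = self.word_counts[label][w]
                logp += math.log((count + 1) / (total + len(self.vocab)))
            out[label] = logp
        return out

    def predict(self, text: str) -> str:
        lp = self.log_posteriors(text)
        return max(lp, key=lp.get)


def class_centroids(data):
    """Summed bag-of-words vector per label, used for the cosine step."""
    cents = defaultdict(Counter)
    for text, label in data:
        cents[label].update(vectorize(text))
    return cents


def nearest_by_cosine(text: str, cents) -> str:
    return max(cents, key=lambda label: cosine(vectorize(text), cents[label]))


def classify(text: str, model: NaiveBayes, cents) -> dict:
    """Run both signals; a disagreement is the case worth a human's look."""
    nb = model.predict(text)
    cos = nearest_by_cosine(text, cents)
    return {"naive_bayes": nb, "cosine": cos, "agree": nb == cos}


if __name__ == "__main__":
    model = NaiveBayes(TRAINING)
    cents = class_centroids(TRAINING)
    for phrase in ("Create your account now", "log in", "get started now"):
        print(phrase, "->", classify(phrase, model, cents))
```

With a training set this small the two signals disagree on phrases that share a word with both labels (anything containing 'sign', for instance), which is exactly the noise a crawler has to resolve by clicking through and inspecting the resulting form rather than trusting the label alone.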
In tests it has found file upload vulnerabilities in one household-name but unnamed events company, and a direct object reference vulnerability in a food delivery app letting hackers score free pizza. But
More functionality, including CAPTCHA filling, APIs, and language identification, is being developed.
Sasi has urged anyone interested in the project to contact him (@fb1h2s) and get involved in its development.
“It will have a huge amount of use cases but right now I'm just happy the demo worked.” ®