No, I hope that's better, yes. So the talk that we wanted to give: I come from a background of penetration testing, Kedin comes from a background of QA. We wanted to talk about how we could mix both worlds together. So before I jump in, let me just do a quick introduction that gives you a little bit of context. I currently work for a company called ThoughtWorks; we are a software development house. My job role is penetration testing of the applications that we build. I speak at a lot of security conferences, and I'm very proud of a certification called OSCP, one of the best in the security domain. That's about me. Let's have Kedin take over.

Hello, friends. I'm Kedin. I'm associated with ThoughtWorks. So basically the agenda of this session is: we just wanted to see what the real use of this engine is, talk a little about what information security is, how we can achieve automation in the field of information security, and how we achieve complete coverage for the entire cost function that we do for a project. We'll take an example. We'll define the buffer. We'll take a look at some demos as well. We'll see the types of attacks that we would maybe use, with CSS, or for example XSS or whatever. Sorry for that. We'll use CSS as well. So XSS, SQL injection, command injection, or protobuf injection, things like that. And then we'll come to a conclusion. So when I say functional, it's mostly that whenever we test something, we just make sure whether it is meeting the requirements as expected or not. That's typically what we do as testers. But when we actually try to do automation, we generally, as Anand mentioned in one of his presentations, take care of all the layers that we have defined in the test pyramid and think about how we can organize our tests in the different layers.
So one of the layers is UI automation. And whenever we talk about UI automation, I think Selenium is one of the most widely used tools for that. So yes, we did a lot of automation for UI, which is web applications. We always use it for cross-browser testing. We use it for other purposes as well. But we used to wonder: yes, we need to give a certain value addition to our client, so how can we leverage Selenium's ability to do things other than what we generally do for functional testing? So my question for you would be: have you tried anything apart from functional testing or UI automation using Selenium? Have you tried anything else? So I think the basic thing is that we have a right for client office testing, like, if I'm not wrong, profiling, or just checking whether things are performing fast or not. So that's something you've tried, which is a good thing. So you can achieve various things using Selenium apart from your UI automation. But what we thought was: I used to work as a functional tester, but I came in contact with Prasanna, who is a big fan of security. One day we were discussing something and we said, how can we help each other? How can we leverage Selenium's ability to do certain things? So that's where Prasanna came in.

Okay, now, that last line is my favorite: why I do security. One of the most interesting jobs on earth is security. It's basically to find faults in someone else's code and say, dude, this is wrong, I can take control of your system just by doing these things. And I really enjoy doing that every day of my life. But there are some extremely major problems that happen. One of the most important problems is this: I work a lot for banking clients, and their first rule is "I need complete code coverage."
Now the problem with security for me in that zone is: do I concentrate on the quantity of issues found, or do I go after finding some of the hidden gems? Hidden gems, for me, are something where I would get total control of the system. For example, I could take control of a system where I say debit an account with a certain amount of money, but credit someone else with a lot of money. All of these are things that you could do with a security control problem. So what do I need to do to spend my time more on actual problems and cut down some of the, what I would say, known issues? So let's say OWASP Top 10. That's a guideline that most of us as web app testers follow. But that is just, let's say, scratching the surface of the security side of it. We're just saying that if you don't even follow OWASP Top 10, you're not really doing anything in security. Then there are some basic problems. So what we really wanted to do is: hey, can we take these automation frameworks? He loves Selenium. I'm not a very big lover of Selenium. It's still not at the point where it will automatically start hacking. That magic bullet is still not there. And yeah, this code is the shittiest code on earth. So we are not even going to talk about the page object pattern and things like that, as Anand mentioned in the keynote; this is just to show you the demo.

Okay, moving on. So that is where what I do is use things like a cookie jar and so on. So once you log in, I will use the same cookie, store the cookie, and I will keep sending the requests out. So for the server, it thinks it's the same session making that request. It will not do multiple logins and things like that. In this case, it's not needed. In that case, I would have done an actual login, taken the cookie, stored it into a cookie jar, and henceforth all requests will look like a normal browsing session. Like you said, that's an actual problem. You need to think through how you'll do it.
Because a typical bank website does that, actually. They won't allow you more than three logins, or three attempts, or whatever. So for everything, there is a beautiful library available. It's just that you have to find out which library works. Not just Selenium.

Okay, XSS. This is one of the most common. If you look today at the attacks that are out there in the world for web application hacking, XSS tops the list. People think XSS, most of the people here, XSS means an alert pop-up box. Is that right? That's what everyone thinks. XSS is actually more dangerous. It's my favorite attack. It's the most dangerous. Easiest to find sometimes, and the toughest to find sometimes. Because what really happens with XSS is, it's not an alert pop-up box. If I could just make one point, if I could get away with this: XSS is not alert(1). XSS basically means the capability to run JavaScript on a client machine. Basically meaning any security control that you as a developer have implemented is gone. Then XSS can start doing whatever an individual user could do. So that's the reason. So let me just show you something small, like what I did for SQL injection. Let me show you how. So there is a scenario here. There is a yellow box there showing a text box, wherein you can enter details and hit submit. And this is something that you have all seen: you've searched for something and it tells you that you've searched for this. Cross-site scripting, the fundamental issue that you really need to take care of is: data, when it travels from the client, goes to the server and comes back as is, you will have cross-site scripting. The only caveat to this is DOM XSS. I'm not going to discuss DOM XSS. DOM XSS is a little different subject. But effectively it basically means that you can change anything in the response. Did that make sense? Just to give you an example. What if I enter something like that?
This everyone knows, right? See, there is something that I wanted to show here. "Hello script." And there is something called "there friends." You see that "there friends" did not come. The reason is JavaScript: you have to click OK, and only then will that come. That's the depth we wanted to show you. It is basically saying that you can run JavaScript on the client's end-user machine. What are the risks of having this? Most prominent: I can steal their cookie. Imagine this on a banking application. As an application, they should have turned on HttpOnly on their cookie. That's the first thing they should have done, if they didn't. So someone would ask, what is HttpOnly then? Basically it's a feature which tells the browser that client-side JavaScript cannot access the cookie. A browser control that does that. But let's say they did not set HttpOnly. The script can basically be used to steal an individual user's cookie. Or you have CSRF and you put in CSRF protection. You can bypass it. Today, if you find a cross-site scripting bug on Facebook, you can be richer by at least 6000 US dollars. That's the money Facebook pays. Do you know that some of these sites run bug bounties and you can make money if you find security issues? A lot of money to make. A lot of Indian security guys only work on XSS. They write scripts, run them across applications, and see if they get responses. You can use some of these scripts to do the job. So any specific queries on XSS? Am I clear before I get into a demo?

Now for XSS, I did something a little different. So with XSS, there are some very unique things that you need to consider. The general idea, data going from a client to a server and returning back, was the only consideration that you needed to keep in mind probably three years back. Today you need to even consider things like: where is this information coming back to? So today when we talk about cross-site scripting, we say the context could be five different contexts.
I have used only two here. Is the data coming back in a script context? Is the data coming back in HTML context? CSS? Attributes? These matter because how you hack into each one of these is different depending on the way the data comes in. So it's more important to know where it is going. So you need to write scripts even to get that information back to you. So I'll just take a quick second to discuss this one. For this, I used another very interesting library. This library is called Mechanize. It's a beautiful library. It allows me to find the forms in a page. So what I did was I wrote a generic one. This is a very simple one. Let me try making it a little bigger. So this automation has a function called getter. Basically it gets all the information: you give it any page, it tells you what forms are there in that page, and sends that information back to you. So now you can see how I start tying it up. So I start from his script, I get the links. I use this application to get the forms, then send it to XSS, and get the information back. When I am writing an application, I'm not going to put it in all these small pieces like this. In my actual code, it's all combined together. But you may want to choose to keep it separate also. The choice is yours. So the only thing that is a little different here is that SD represents the information that is coming back from that library. Now this is going to be generic. I don't know the total number of forms that are going to come. So I put it in a loop and did the job there. So let's try running this one. If you notice here, I have not used any payload here. I am only looking for the information sent: is it coming back to me? Because with cross-site scripting, I don't want to do automatic hacking. If information comes back, I have a list of things that I want to manually check for every component, because XSS could be really, really complex.
You might want to close some of the places where I have done the XSS. We have closed five to six different tags in the front, then did a script attack, then closed the tags in the rest. So you cannot think, can I automate this process? It becomes a little difficult. But what I can automate is: every piece of information that came back to me, I want to see it. That's the reason that script works. So now what it is basically saying here is, this is vulnerable. It could be vulnerable to XSS. Now if you look at it, I have started with a script array. I have created an HTML array. I also want to know which context this information is coming back into. See, if you really look at it, it says H2. H2 is an HTML context. So I basically could close it with a normal H2 and then do a script. If it was going into an attribute, I could just say onload or onmouseover on body or something like that. So we need to know which context this information is going to come into. So basically once the response comes in, it is actually checking for every context. Here it started off with... So here is where it is actually making the request. The response is sent to Beautiful Soup, and I'm using Beautiful Soup to iterate through it. I'm not using XPath. I'm stronger with Beautiful Soup. If you see here, I have used one more thing called regular expressions. So you have to import re, use re.compile, and the search term is something that I entered there. So it will use a regular expression to search for what you have entered there. And the next part of the response check is that it actually searches within the script object to see if the response has come. If you see, the response did not come for script. It came only for HTML. Basically saying it's an HTML context attack. So let's try to do this manual hack. It didn't work. But my system says it's vulnerable. It could be. Do you think the cross-site scripting is there or not there? Then why did it not work? Any clues? Because Chrome has an anti-XSS filter.
When an external XSS is loaded, it will block it. So that is one reason why you should browse using Chrome. It's a much safer browser. I personally use Chrome a lot. But it's your choice. You can typically execute the same scenario using Firefox and you will be able to see whether the XSS, sorry, this type of attack is there or not. So when you're writing your Selenium script, if you launch it with Chrome, you will think you're safe when you're not. You may want to keep that in mind. Typically use the Firefox browser when you try to do things like this. My personal browsing is on Chrome, but all my security testing is on Firefox. One of the reasons is it allows me to do this. And some of the extensions: I don't know if you can see this, but I've loaded an extension here called HackBar. Unfortunately it's not that clearly visible at all, but it allows me to play around with URLs much more easily. For a web application hacker, the URL is the most important thing. So that's the beauty of it. One of the reasons is the plugins. That's the reason.

Command injection. I'll quickly run through this; I'll not spend too much time on this one. Command injection is basically when, let's say there is a... can I have the water? So, let's say there is a ping. You can ping some URLs and it'll give you the response, and this is how the information is displayed back. So in this case if you look at it, there is 127.0.0.1 and it is telling you that this is the ping response. This is obvious there. How do you hack this? Ah, sorry. Bug there. See, the QA guy doesn't stop. Sorry. Interesting. You're still thinking from a SQL point of view, because SQL is your stacked queries there. But think about where this output is actually going. This is not going to a SQL database. I like what you thought, though.
But even for that matter, only certain databases allow stacked queries, like SQL Server, and MySQL in certain scenarios. Postgres not allowed. Oracle not allowed. It depends on where you are running that. Those help you. So basically here the output is being sent to an operating system command. So what is happening here is: ping is a Unix command, right? On Windows also it uses an executable to run it. This information that you filled in here is going to become an argument to an executable there. If I give you that information, can you still think of what hack you can perform? Any Linux guys should be able to quickly get this. But why do you want to separate? What if you want to join it together? You would use a pipe, right? The pipe is a Linux construct that allows you to join commands together. That's what you would do when you see a scenario like this. Can you pipe information and hack and get information out? I hope most of you know what a pipe is. Pipe is a command in Unix. Not able to click it. But let me show you the code alone. So I'm using the same FuzzDB to do the job here. Oh, sorry. Unfortunately my local web server is still not up and running. I'm doing the simple thing. I'm using the same FuzzDB here. But FuzzDB did not have a pipe symbol. So I have to manually, when I write the program, put a pipe symbol. Another quick trivia question. If it was a Windows environment, how would you do it? Same problem. Ampersands. Ampersand and double ampersand do the same job within Windows environments. These are things that help you to do good security testing. So in this case, it will actually help you to do this kind of attack. So you run these, and maybe what you could write is small. You abstract this whole thing separately. Give it a URL. It will test every one of them and give you a report back. Some of the most costly solutions for this do exactly the same things. Okay. Why is it not clicking?
I don't know. I'm not able to click this. Otherwise, I would have loved showing you a demo of this one. Yeah. So two weeks back, I don't know if Anamika or all these guys are here. So till now, we talked about hacking. We also need to use programming or automation sometimes to even teach our tools. Like for a carpenter, a saw is very important. For a penetration tester, the most important tool is a proxy. A proxy allows me to play around with the HTTP requests and responses that are going and coming, because that's the gateway to a server, and you basically play around with it. Right? But these tools that exist talk only some very important protocols, like the HTTP protocol. It understands only that. Now there is a new binary protocol which Google has pushed out. They love to use it internally a lot. It's called protobuf. And one of the applications that I was testing had protobuf payloads. So now the problem is, when you send data in protobuf, the tool does not understand it. It does not know how to work with it. Because it supports HTTP. Exactly. So when the data is going in protobuf format, we use Python and all these automation things to even teach some of these tools. So I wrote a plug-in, which I demoed at a conference in Kerala called c0c0n, which basically let you use the tool on any protobuf. So once it gets it, it will change it into XML, allow you to do whatever attacks you want to do, and reserialize it back, make it into a protobuf stream and send it out. I need to start my Windows machine.

So as this is loading, I'll just jump a little bit ahead. Some of the modules, which I told you about, this is where I was going to come to the cookie jar. Some of the other modules that I use a lot: Suds. Suds allows me to work with web services. So everything that you do on a normal web application, you could do in web services hacking also. Web services actually have something more.
You could basically do some more attacks, like XML entity injection. So Suds allows you to automate that process. LXML, another beautiful tool. What if you don't know whether your output is HTML or JSON or XML or whatever format it is? You use LXML. You make a request, then you tell LXML, "you tell me what that response is," and then you can go ahead and do these jobs. That's a beautiful one. json, just a library to work with your JSON. PyAMF, I just put it there because we just came out of testing that. AMF is your Flex protocol. PyAMF is something you can use for that. My personal favorite is SimpleHTTPServer. This is the best. When you're doing, let's say, a CSRF attack, I need to set up a web server. Do you think I have time to set up Apache, put it up, bring it up? Apache didn't come up even now. It's just creating issues for me. Put that one line, python -m SimpleHTTPServer, and whatever port you want, and a web server will be up and running in one second. That's a beautiful thing. And I love it. Because then I can quickly send this link and use it to do whatever I want. A one-line web server. That's the thing I use the most. The easiest thing to install and work with. You just need to have Python installed. This is a base library. And Twisted. This is something that we use a lot. Twisted allows us to do a lot of automation. You can create web servers, you can do whatever you want to do using this one platform that you have. Okay? If my Windows server has come up... Well, if you have any questions, we can take those questions. Yes. Till the time it comes up.

You can't do it. If he has written a badly made prepared statement, you can do it. But a prepared statement is a genuine statement that gets a lot of trouble. So what? If he's kind of fixed it, you can't find the... See, as a hacker, you don't know what is there behind it. When I'm working, I'm also working totally black box. I can only assume.
So security, I would say, is a very informed guess sometimes. So you have to try to understand. So I'm always looking for how the behavior changes. When I'm doing a SQL injection session, which is a huge one-day session in itself, you're looking at so many parameters. I'm looking at things like how much the response changes. For the true condition, what is the response? For the negative condition, what is the response? And there are so many parameters that you really look at. So if they use prepared statements, you should assume it's secure. But no guarantees. You could really make a bad one even there. It's one of the preventive mechanisms. It's a good preventive mechanism. There are no other alternatives. Just to make a bad difference.

Have you tried to bypass CAPTCHA? Now, when you say bypass, what are you saying? Are you talking about technologies like CAPTCHA, or using the application itself to go read the data? So what I can talk about is, there is a Python library called EZ. EZ? Yes. This basically allows you to do optical character recognition. But nothing more. If you use reCAPTCHA, it's vocal pips. None of these libraries will be able to read it out. So if you're really thinking, can I take that value and put it in there, you might try. If you have a very bad CAPTCHA, let's say, one or two lines and just a set of numbers, Python libraries can pick it up. You can use that to automate this. How do you do it? Then I'd say, use Beautiful Soup. Find out which element it will come in. Take the image, make a request. Use your Python to get that. Make a value of it. That's how I would do it. There are many libraries. UMS or something like that. But as I said, it's not sure that you would get it. If you use reCAPTCHA, it's not... Yes. I use vocal pips. I use vocal pips. LXML is definitely faster. I use LXML the first time to make a choice. At least to tell you what it is and all that. It's a personal choice.
I would definitely alternate with you. Good question. So, he's talking about NoSQL databases. For example, what should we do? So, the SQL attacks don't work. But it is again a key-value pair-based system. So you can still do attacks on it, but not SQL. You can't really do a SQL injection at the end. But you can still manipulate it to get data out of the system. Let's say... with a SQL injection on a badly programmed system, you can take full control of the whole database. That way, you can actually control the machine on the client's server side. Something like that with MongoDB is definitely not going to happen. So for this, I would definitely suggest to you a tool called sqlmap. sqlmap is a beautiful tool for SQL injection. It's one of the best tools available, totally written in Python, and that's the best. I forget the name, but I think there is a derivative of it for use even with your non-relational database systems. There's no single silver bullet. So you want to... There's no single... I think I would advise you to read the Web Application Hacker's Handbook. It's like a Bible, but I think you will get to know certain information, such as how you can work out which database this particular application is using. And based on that, you can actually continue with your security, like, hacking stuff. So, Web Application Security Handbook. Web Application Hacker's Handbook. Two minutes. Yes.

It was built on PyQt. So, what this basically... I wanted to quickly show you a demo. Two minutes. There's a string here. I'm just going to hit this. If you see, there is a request that was made because of the raw body. This basically sends data in Protobuf format. I'm not going to go into Protobuf. You can look at my c0c0n exploits, how we built it. This allows me... Oh, so if you click this, it actually breaks up your whole binary. So in this format, data goes in zeros and ones.
It does not go as your typical HTTP request. It goes in all zeros and ones. It's basically hex data. This allows me to break the data apart. So, I'll just show you how we did it. Download this tool and you can get this plugin already. I'll send you the links. I'll put them in my references. So, this basically allows me... This is binary manipulation. So, till now, everything I was talking about was HTTP. Protobuf decoder. What we did was we took the data and we played with the binary data. And we could break things and... So, what I did was, from Protobuf, I made it into XML, wherein I did all my modifications and then sent it back. If someone is interested in how Protobuf works, you can find me and we can talk. Maybe I can show it to you on a better screen than this. Thank you so much, guys.
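As an added example, not code from the talk or from ThoughtWorks, here is a small Python reflection-context checker in the spirit of the Mechanize/Beautiful Soup script the speaker describes: given the response body returned after a harmless alphanumeric marker was submitted, it reports where the marker is echoed and in which context (HTML text with its parent tag, attribute value, script, CSS or comment), without sending any payload. The sample page, the marker string and the class and function names are constructed for this example and it uses only the standard library.

```python
"""Reflection-context check for one HTTP response body.

Submit a harmless alphanumeric marker (e.g. as a search term), then
feed the returned HTML to reflection_contexts(). The result tells a
tester which contexts the input reflects into, which is the "where is
this information coming back to?" question from the talk, so each hit
can be reviewed by hand. Sample page and marker are constructed.
"""
from html.parser import HTMLParser

# Marker is alphanumeric so HTML encoding of < > " cannot hide it and
# a plain substring search is enough; the context is the finding.
MARKER = "zqx7reflect"

# Elements that never have a closing tag; they must not stay on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class ReflectionFinder(HTMLParser):
    """Walk the response and record every place the marker appears."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.hits = []    # (context, location) tuples
        self.stack = []   # currently open tag names, innermost last

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.marker in value:
                self.hits.append(("attribute", f"{tag}[{name}]"))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.marker not in data:
            return
        parent = self.stack[-1] if self.stack else "document"
        if parent == "script":
            self.hits.append(("script", parent))
        elif parent == "style":
            self.hits.append(("css", parent))
        else:
            # Text node: report the enclosing tag (the talk's "H2" case).
            self.hits.append(("html", parent))

    def handle_comment(self, data):
        if self.marker in data:
            self.hits.append(("comment", "<!-- -->"))


def reflection_contexts(body, marker=MARKER):
    """Return sorted unique (context, location) pairs where marker reflects."""
    finder = ReflectionFinder(marker)
    finder.feed(body)
    finder.close()
    return sorted(set(finder.hits))


# Constructed response: the marker echoed into four different contexts.
SAMPLE_RESPONSE = f"""<html><body>
<h2>You searched for: {MARKER}</h2>
<input type="text" name="q" value="{MARKER}">
<script>var lastSearch = "{MARKER}";</script>
<!-- debug: last query was {MARKER} -->
<p>No results.</p>
</body></html>"""

if __name__ == "__main__":
    for context, location in reflection_contexts(SAMPLE_RESPONSE):
        print(f"reflected in {context} context at {location}")
```

Each reported context calls for a different manual check, which is why the script stops at reporting rather than attempting an exploit.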