At the NULLCON International Security Conference in Goa, India, a startup presented a prototype vulnerability scanner that could think more like humans in order to allow automated penetration testing of websites in a new way.
The CloudSek team, based in Bengaluru, India, has been focused on cloud security products, especially those that could be improved through machine learning. In a presentation at NULLCON, the team noted the limitations of traditional vulnerability scanners, such as not being able to understand the applications being scanned or human language itself.
Rahul Sasi, CTO and co-founder of CloudSek, said penetration testing of websites can be difficult, because the language can change, even though the process is the same. For example, different sites could use various phrases, such as "sign up," "join," or "let's go," which all indicate a registration process. At the same time, the tool had to be able to differentiate between a sign-up page, a login page and a forgotten-password page.
At the conference, Sasi said he believes his team has solved this problem. Sasi demonstrated the prototype's automated penetration-testing skills by pointing the program to a website randomly chosen by the crowd, where it registered a legitimate account and scanned for weaknesses in the profile-editing pages.
Sasi acknowledged the "huge challenge" of the project, and said the software needs to be open source, because the work required is more than his team of six can handle, given the use of machine learning, natural language processing and the variety of websites on the Internet.
Konstantinos Karagiannis, CTO of security consulting at BT Americas, who talked about hacking machines and automated penetration testing at the RSA Conference earlier this month, told SearchSecurity that CloudSek had an interesting and novel approach to the problem.
"The CloudSek system is using heuristics to understand and interact with Web applications and sites," Karagiannis said. "There is no binary analysis done on any Web app interaction like that. You -- or the [artificial intelligence] -- see what happens when you provide certain types of input to the site."
Echoing Sasi's acknowledgment, Karagiannis said the current prototype looks to be "very programming-intensive," but could ultimately prove very valuable for automated penetration testing.
"It looks like it will need a lot of massaging to work on multiple types of pages. I can see it having similar 'fails' as current scanners when encountering sites it's not ready for," Karagiannis said. "It would be very valuable for Web scanning; current scanners have a load of false positives and are pretty bad at doing multistep functions in apps -- e.g., understand a function, enter into it, make a logical selection, interact with returned data, move on to a subsequent step [and more]. Most automated scanners simply miss huge portions of a Web app."