2 Apr 2019

Dynamic Application Security Testing using RPA/UiPath

This project was made during DefCamp9, where one of the competitions from UiPath was to build a robot that can find security vulnearabilities in applications. The project it’s already on my GitHub, below are briefly described the processes used, how to use the repo, results and a speed-up gif of the robot in action.
Processes

  1. Testing for command injection
    For command injection I used payloads from Seclists Github repo. In this process, the robot identify all the elements of the form in the page and for each payload will do the following stepts:
    • in case it finds an UI element with type text it will type into it the payload, else if it finds one with type submit it will click it;
    • after the page loads, after clicking submit, the robot will check if the payload is succesful, most payloads has the same pattern, either echoing a value or adding to numbers, if any are output in the page then the payload is successful;


      Fig. 1: Logic diagram of Command Injection process

  2. Testing for SSRF
    For SSRF process I used payloads from PayloadsAllTheThings GitHub repository. The robot gets the page URI and parse it, removing the value of the parameter and store in a variable the number of words from the page for comparison purposes. For each payload will do the following:
    • request a new URI where the value for the parameter is the payload;
    • compare the number of words for the newly requested page with the number of words stored in the variable;
    • if the number of words from the new page is significantly higher means the payload is successful and we could access other content.


      Fig. 2: Logic diagram of SSRF process

  3. Testing for CSRF
    The robot identify all the elements of the form in the page and check if any of the item has the type equal to hidden. If no element has this type, the robot will do the following:
    • it will generate a new HTML file as a self submitting form with the same elements as the form in the original page as a CSRF proof-of-concept.
    • it will start a nginx server that can serve the HTML file generated before;
    • it will start a new browser and access the HTML file;
    • check if the form action has been performed successfully;


      Fig. 3: Logic diagram of CSRF process

  4. Testing for File Inclusion
    This process is very similar with the one used for SSRF testing, big part of the process was reused, the difference are the payloads used, in this tests were used payloads from PayloadAllTheThings Github repository.


    Fig. 4: Logic diagram of file inclusion process

  5. Testing for PHP Object Injection
    This process was tested only against XVWA, DVWA doesn’t have this type of vulnerability. The payloads used were from PayloadsAllTheThings GitHub repository. The robot gets all the elements in the page with a “href” attribute. For each elemenet will do the following:
    • parse the value of the href and get the value of the parameter;
    • test for the following regex:
      "^o:\d+:""[a-z0-9_]+"":\d+:{.*?}$"
      
    • if the value pass the regex, robot makes a request using our payloads and check if we can find the text corresponding to the payload.


      Fig. 5: Logic diagram of Object Injection process
  6. Testing for SQLi
    For error-based and blind SQLi, I used payloads from SecLists GitHub repository. The robot identify all the elements of the form in the page and for each payload will dothe following steps:
    • in case it finds a dropdown element will inject the JS script from below, that adds another entry in the list equals with the payload and it will selected the newly added value;
      function (element, input) {
         var option = document.createElement("option");
         option.text = input;
      element.add(option, element[0]);
         element.value = input;
      }
      
    • in case it finds an UI element with type text it will type into it the payload, else if it finds one with type submit it will click it;
    • after the new page loads the robot will check if the exploit was successful:
      • for error-based SQL injection will compare the word count from the initial request with the one after the test and if the new value is significantly higher it marks the vulnerability;
      • for blind SQL injection will compare the time needed to load the new page, in case the page loads in more than 1000ms it mark the vulnerability;


        Fig. 6: Logic diagram of SQLi process
  7. Testing for XSS
    For XSS are three processes, one for reflected, for stored and for DOM, the structure for all three processes is similar with small changes. The XSS payloads are from SecLists GitHub repository.
    For reflected and stored XSS the robot gets the UI elements from the page and in case it finds an UI element with type text it will type into it the payload, else if it finds one with type submit it will click it. For DOM XSS the robot gets the page URL, parse it and replace the value of the parameter with the payload.
    To check if the payload was successful, the robot check if a new alert textbox exists. For stored XSS it will request again the page where the payload is stored. If a new alert box is present, the robot closes it and will log the result.


    Fig. 7: Logic diagram of XSS process

How to use the repo

  1. Install UiPath
  2. Install DVWA and optionally XVWA
  3. Clone github repo
    git clone https://github.com/serbanb11/UiPath-DVWA.git
    
  4. Config DVWA and XVWA URIs in ./Data/Config.csv and Security Level
  5. Open Main.xaml with UiPath
  6. Start the robot.

For CSRF the robot uses nginx.exe from ./Data/ and Windows will ask either to allow open the port or not.

Results
In this lab setup, the robot found the vulnerabilities for the following cases:

Vulnerability             DVWA - low       DVWA - medium       DVWA - high       XVWA
Command Injection yes yes yes yes
SSRF yes no no yes
CSRF yes yes no yes
File Inclusion yes yes no yes
PHP Object Inclusion N/A N/A N/A yes
SQL injection yes yes no yes
Blind sql injection yes yes no yes
Reflected XSS yes yes yes yes
Stored XSS yes yes yes yes
DOM XSS yes yes no yes


Demo GIF UiPath robot in action on DVWA low


Tags: