I actually neglected to mention my experience in the penetration testing space (both in CTF and testing our own internal applications) where, with permission from the owner of an application or server, it is literally attacked using many of the same tools the bad guys use to try and compromise the server or application. This allows us to find the same vulnerabilities they would find, and fix them before they're found by the bad guys. White hat hacking, if you wish to give it a hat.
Website hacking is a frequent attack type used by malicious actors to obtain confidential information, modify the integrity of web pages or make websites unavailable. The tools used by attackers are becoming more and more automated and sophisticated, and malicious machine learning agents seem to be the next development in this line. In order to provide ethical hackers with similar tools, and to understand the impact and the limitations of artificial agents, we present in this paper a model that formalizes web hacking tasks for reinforcement learning agents. Our model, named Agent Web Model, considers web hacking as a capture-the-flag style challenge, and it defines reinforcement learning problems at seven different levels of abstraction. We discuss the complexity of these problems in terms of the actions and states an agent has to deal with, and we show that such a model makes it possible to represent most of the relevant web vulnerabilities. Aware that the driver of advances in reinforcement learning is the availability of standardized challenges, we provide an implementation for the first three abstraction layers, in the hope that the community would consider these challenges in order to develop intelligent web hacking agents.
WebRoot PHP Ultimate Web Hacking Tool
The main motivation behind the current research is to understand and analyze the behavior of ML-based web hacking agents. Since it is inevitable that AI and ML will be applied in offensive security, developing a sound understanding of the main characteristics and limitations of such tools will help in preparing against such attacks. In addition, such autonomous web hacking agents will be useful for human white hat hackers in carrying out legal penetration testing tasks and replacing the labor-intensive and expensive work of human experts.
A Capture The Flag challenge (CTF) is a competition designed to offer ethical hackers a platform to learn about penetration testing and train their skills [25]. CTFs are organized as a set of well-formalized and well-defined hacking challenges. Each challenge has one exploitable vulnerability (or, sometimes, a chain of vulnerabilities) and an unambiguous victory condition in the form of a flag, that is, a token that proves whether the challenge was solved or not. Usually, CTFs require purely logical and technical skills, and they exclude reliance on side channels such as social engineering. Moreover, challenges are normally designed to make the use of brute-forcing or automatic tools unfeasible.
A game-theoretic formalization can then be seen as a further step in the process of formalization of web hacking problems. The main contribution of this form of modeling, contrasted with a generic CTF model, is the definition of an enumerable set \(\mathcal A\) of possible actions. This provides the foundation for an agent to choose actions and learn its own action policy. Although game theory already provides tools to analyze web hacking as we have modeled it, this formalization is still not ideal, as modeling the webserver as an active player is overly generic. In the case of interest, in which we have a single attacker targeting a static system, it would be more practical to describe the webserver as a static component of the game.
In a complex web hacking scenario, the attacker may map the file system of the server in order to collect information to be used during the attack. In level6, we extend the formalization of the webserver in order to consider not only files within the webroot, but also objects beyond it, such as local files and databases. This extension makes it possible to simulate attacks relying on local file inclusion (LFI) vulnerabilities, or information gathering attacks on a database in order to set up a SQL injection. Figure 7 shows the structure of a webserver, and it illustrates a possible LFI attack to obtain the webserver logs or the environment variables. The level6 abstraction gives the agent the following additional features compared to lower levels of abstraction:
Editing files should require root or special permissions; configuring anything less could open your website up to compromise (hacking). Development tools often run in the context of root for this reason, to make sure no ordinary or passing user can make unauthorized changes to your website or application.