Bob is a simple Robot that knows how to navigate on different website. He is also able to test websites against known vulnerabilities, such as Brute Force attacks. However, he is still noob in this field and he would need your help in order to get better at this. Your goal is to make a better Bob (trained on Damn Vulnerable Web Application(DVWA)) that, during DefCamp will be tested on another website (similar to DVWA) to see how much he learned.
Learn how to run “UiDefCamp Framework” on several web applications.
This video has the purpose of showing DefCamp contenders a run of the automation Framework, on which they will work on. The Framework will receive the address to a website, after which it will navigate to that website, will recognize the navigation menu on the website and will navigate on each item of the menu, getting the Form Controls for each page.
For demonstration we run the Framework on Damn Vulmerable Web Application(DVWA). For a better visualisation of the Frameworks actions a recording mode was created that will highlight different UiElements on screen and also poops up different Status or Log messages.
The first run of the Framework does not contain any implementation for the menu items.
Further, a second and third runs are made but this time we have two automation implementations for item menu ‘Brute Force’. The second run will use BurtSuite software to receive the http request through proxy and performs a ‘Cluster Bomb’ attack. In the third run we don’t use any third party application but do the attack by typing into ‘Username’ and ‘Password’ fields different combinations of credentials and check if we get a match.
00:35 First we start the Framework in the recording mode. This will allow us to have a better visualization of the Framework’s actions by highlighting elements on the screen and pop up messages.
00:37 The robot will open the preferred browser at the starting page of our choosing(the browser and starting page are both defined in the configuration file)
00:38 At this point the robot is doing the login sequence. This section might differ depending on the starting page that you define in the configuration file.
00:40 The robot is trying to find in the starting page, UiElements that might contain navigation menu items. It basically finds all UiElements in starting page and filter the ones that are containing some given keywords in ID or TAG. Furthermore, each descendant of the filtered UiElement is checked for links to pages and stored if identified as a navigation menu.
As we can see on the video, the container of the navigation menu is highlighted and a pop up appears with the message ‘UiElement container with ID main_menu might have menu items’. The menu at this point is being saved. A second highlight is made on another container with the pop up message ‘UiElement container with ID main_menu_padded might have menu items’, but this time the menu is not saved because we can see that UiElement ‘main_menu’ is containing UiElement ‘main_menu_padded’ and a check is made in the framework to be sure that we don’t get duplicated menu items.
00:47 At this point the processing part begins and every menu item is accessed and verified for Form Controls. As you can see in the video, first the menu item is highlighted and accessed after wich Form Controls are highlighted if they exist on the page.
02:12 The second part of the video shows the run of the Framework, but this time we have implemented actions for menu item ‘Brute Force’.
02:25 When hitting menu item ‘Brute Force’, a pop up is shown asking for the type of implementation we choose. In this case, we will do a Brute Force Attack by using BurpSuite Software to receive the HTTP request through proxy and perform a ‘Cluster Bomb’ attack.
03:35 The third part of the video shows the second implementation for ‘Brute Force’. This time we don’t use any third party software like BurpSuite, instead we do the attack by typing into ‘Username’ and ‘Password’ fields different combinations of credentials and check if we get a match.
This competition is powered by UiPath.
Develop a better “Bob” that can perform a security audit on a website he never seen before. The target will be similar with Damn Vulnerable Web Application(DVWA). See Contest Details for more information.
Each vulnerability discovered by your Bob will be credited with a number of points, according to the following list:
- Brute Force: 50 points
- Command Injection: 100 points
- XSS (Stored): 150 points
- XSS (Reflected): 100 points
- XSS (Dom): 50 points
- SQL Injection (Blind): 150 points
- SQL Injection: 100 points
- Captcha Breaker: 200 points
- File Inclusion: 100 points
- CSRF: 100 points
- Object Injection: 300 points
- Server Side Request Forgery: 200 points
- Unvalidated Redirects and Forwards: 50 points
The total score will be also the subject for some bonuses, according to the following plan:
- If no scanner (such as Burp)/ or any external APIs is used: +50% points
- If the scanner tests the website visually from the UI, and not from some hidden services: +20%
- Best individuals will be rewarded based on their score, if two individuals have the same score, the order of submission will be considered.
- The solution can be sent before DefCamp
- An individual can submit more versions of their “Bob”
- Cheating, of any kind, is not allowed
- White listing vulnerabilities based on the site you visit won’t be considered as “testing”, a vulnerability is considered discovered by your Bob if he perform a certain test to verify if a particular page or input react in an unexpected/malicious way
- Please read here full rules of the competition.
- Drone Hubsan X4 H501M Camera HD, FPV, GPS, Waypoin
- SG-1000 microFirewall Security Appliance
- ChameleonMini RevG color
- Bogdan Vasile
- Emilian Budeanu
- Liviu Stancu