Hackers of India

Human vs Artificial intelligence – Battle of Trust

By  Hemil Shah  on 11 Nov 2016 @ Deepsec

Abstract

In this era of complex evolution, application technologies have adapted HTML5, WebSockets, APIs, Frameworks, Dynamic code generation, mobile and many other stacks. Application architecture also adds complexity concerning integration with other applications, mobile integrations, JavaScript usage, and many other communication channels. Automated approaches with artificial intelligence of security reviews are having their own limitations in capturing some unique and critical issues across applications. Automation can attack and discover vulnerabilities, which are more signature-based or with predicted behavior. Automation’s failure and limitations generate false negatives and applications get pushed into production with these vulnerabilities. These vulnerabilities get exploited by attackers to breach systems from the application layer. This talk will present some unique issues, which are possible to discover by human intelligence but may get missed by automation. For example,

• Application with workflows • Asynchronous injections across critical functions • Role based violations and escalations • Access to un-authenticated resources via hidden logic • Third party posting, injection and streaming • Customize protocol handling and exploitation • Sensitive information going out via Analytics calls • Logical abuse in forgot/reset passwords • HTML5 Local storage weaknesses • Exploiting XSS to write in to application local storage in mobile