Generator: Fully automatically generate numerous injection codes for web application assessment

by do son · November 26, 2018

PyGenerator

Fully automatically generate numerous injection codes for web application assessment.

PyGenerator can fully automatically generate numerous injection codes for detecting web app vulnerabilities.
The current version is beta. Therefore, it can only generate injection codes of reflected Cross Site Scripting (XSS).

Following injection codes were generated by PyGenerator.

<script>al¥u0065rt();</script></tr><th/

<iframe/onload=alert();>size=<command

<video><source onerror=javascript:alert();>kind=

<svg/<canvas/<select/onload=confirm(1);>

<object/src=x onload=alert();¥n<script type="text/javascript">

Overview of Genetic Algorithm

Step.1. Initialization

Generate a population composed of multiple individuals.
Each individual is composed of multiple genes.

Step.2. Fitness / Evaluation

Evaluate the fitness of each individual to the environment.
Give high scores to superior individuals based on the evaluation result.

Step.3. Selection

Select individuals with a high score from the population. Individuals with a low score are culled.

Step.4. Crossover

Swap part of the genes of the selected individuals and generate new individuals. The new individuals (offspring) comprise the next population (next generation).

Step.5. Mutation

Select some individuals stochastically from the new population and randomly swap some of the genes. Mutations may generate individuals that are more adapted to the environment.

After completing all the steps, repeat Step 2 to Step 5 for the next population. This cycle is repeated until the termination condition is met. Generally, conditions such as “when the number of generations reaches the upper limit” or “when the score average of all individuals exceeds the threshold” are set as the termination condition.

By repeating this evolutionary computing for many generations, only the “individuals with an excellent combination of genes” that are adapted to the environment will survive.

By the way, what “adapted to the environment” means would change depending on the type of the task. In the abovementioned bullet train example, the fitness to the environment is judged by evaluating “how small the air resistance becomes”. In the fuzzer example, it is by evaluating “how high the coverage becomes”. Therefore, in order to carry over the genes of excellent individuals to the next generations, it is very important to design an “evaluation function” that evaluates the adaptability to the environment.

Please refer to this blog for detail explanation of pyGenerator.

Processing flow

PyGenerator consists of two algorithms that Genetic Algorithm (GA) and Generative Adversarial Networks (GAN).
The injection codes are generated in two steps.

Gather the components of injection codes.
Create some injection codes using Genetic Algorithm.
Generate numerous injection codes using Generative Adversarial Networks.

Installation

Step.0 Git clone pyGenerator’s repository.

PS C:\> git clone https://github.com/13o-bbr-bbq/machine_learning_security.git

Step.1 Install required python packages.

PS C:\> cd machine_learning_security/Generator

PS C:\machine_learning_security\Generator> pip -V

pip 10.0.1 from c:\users\itaka\anaconda3\lib\site-packages\pip (python 3.6)

PS C:\machine_learning_security\Generator> pip install -r requirements.txt

Step.2 Get the web driver for selenium.

[!] I use the Google chrome driver in this example.

You have to download the chrome driver for selenium.
And you have to move downloaded driver file to web_drivers directory.

PS C:\machine_learning_security\Generator> mkdir web_drivers

PS C:\machine_learning_security\Generator> mv chromedriver.exe web_drivers

PS C:\machine_learning_security\Generator> ls .\web_drivers





    Directory: C:\machine_learning_security\Generator\web_drivers





Mode                LastWriteTime         Length Name

----                -------------         ------ ----

-a----       2018/07/27     12:32        6737408 chromedriver.exe

Step.3 Get html checker (tidy).

[!] I use the tidy 5.4.0 win64 in this example.

You have to download the tidy 5.4.0 win64.
And you have to move tidy directory to pyGenerator root.

PS C:\users\itaka\Downloads> mv tidy-5.4.0-win64 C:\machine_learning_security\Generator\

PS C:\users\itaka\Downloads> ls C:\machine_learning_security\Generator





    Directory: C:\machine_learning_security\Generator





Mode                LastWriteTime         Length Name

----                -------------         ------ ----

d-----       2018/09/18      6:39                .idea

d-----       2018/09/11     16:10                gene

d-----       2018/09/11     14:55                html

d-----       2018/09/10      7:05                img

d-----       2018/09/14     11:46                result

d-----       2018/09/11     14:28                tidy-5.4.0-win64

d-----       2018/09/10      8:02                web_drivers

d-----       2018/09/13      7:46                weight

d-----       2018/09/13     15:19                __pycache__

-a----       2018/09/13     11:36           1477 config.ini

-a----       2018/09/13     15:15          17510 gan_main.py

-a----       2018/09/11     15:41          14595 ga_main.py

-a----       2018/09/11     13:26           3697 generator.py

-a----       2018/09/11     11:30           4911 util.py

Usage

Step.0 Execute pyGenerator

PS C:\machine_learning_security\Generator> python generator.py

[+] Launched : chrome 68.0.3440.106

[+] 1/10 Create individuals using Genetic Algorithm.

[+] Evaluating html place : body_tag

[+] Create population.

[*] Created individual : [74, 59, 50, 24, 28].

[*] Created individual : [61, 49, 66, 18, 4].

[*] Created individual : [38, 47, 4, 9, 22].



...snip...



[*] Evaluation individual in body_tag: 97/100 in 1 generation

[*] Evaluation individual in body_tag: 98/100 in 1 generation

[*] Evaluation individual in body_tag: 99/100 in 1 generation

[*] Evaluation individual in body_tag: 100/100 in 1 generation

[+] 1 generation result: Min=-1.8, Max=0, Avg=-0.92.

[+] Evaluate individual : 2/1000 generation.

[*] Evaluation individual in body_tag: 1/100 in 2 generation

[*] Evaluation individual in body_tag: 2/100 in 2 generation

Step.1 Check generated injection codes.

PS C:\machine_learning_security\Generator> cd result

PS C:\machine_learning_security\Generator\result> ls

Generator: Fully automatically generate numerous injection codes for web application assessment

Search

Brilliantly

Content & Links