@Scar26
Created August 31, 2020 09:36
Final report for my GSoC 2020 project, completed under OWASP foundation

Google Summer of Code 2020 with OWASP foundation

JuiceShop chatbot and general fixes

This project's aim was to develop an intentionally vulnerable npm module that can be used to quickly set up chatbots, and then to use it to implement a responsive, NLP-based chatbot for OWASP juice-shop, along with two accompanying challenges.

It is unique in the sense that this is the first juice-shop challenge that requires users to track down a third-party dependency, go through the library's code and find a vulnerability, which can then be exploited from within the application.

Student: Mohit Sharma
Mentors: Björn Kimminich, Jannik Hollenbach, Timo Pagel

Work done

  1. Wrote and published juicy-chat-bot, an intentionally vulnerable npm module for easy setup of highly customizable NLP-based chatbots.

    • The code can be found here
  2. Created a support chat page for juice-shop powered by juicy-chat-bot.

    • Created Chatbot API (#1420)
    • Created the UI (#1435)
    • Added support for Easter eggs and custom response functions (#1450)
    • Improved customizability (#1453)
  3. Created one of the two proposed challenges. The second one had to be skipped because it was based on a CSP bypass on the chatbot page, but Angular, the frontend framework that juice-shop uses, relies on client-side routing and therefore does not allow custom CSP headers for specific pages. Modifying the challenge's exploitation flow would have made it too similar to the existing challenges, so after a thorough discussion with the project mentors it was decided that it would be better to skip it until we can think of something else that manages to be innovative while remaining feasible.

    • Created Kill the Chatbot challenge (#1438)
  4. Challenge hints and solutions

The chatbot is able to answer basic customer queries like "What is the price of X product", and can be expanded easily by adding to the training data.

TODO

  1. Documentation for juicy-chat-bot, to help users customize their own instances with custom training sets and Easter eggs.
  2. Add a chatbot widget to juice-shop that can be used to spontaneously pass out hints and suggestions to the user without having to navigate to the chat page.

Learnings

I acquired a number of skills, both technical and non-technical, during GSoC, including:

  1. How to write good asynchronous code, especially when I had to manage communication between juice-shop and the chatbot's response engine, which runs inside a VM instance on a separate thread. It also came in handy in #1453, where I had to ensure that all chatbot files were loaded up before the bot was initialized, and that any communication attempts before that were handled accordingly.

  2. Got familiar with Angular.

  3. Writing quality unit tests.
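As an added illustration of the first learning above (example code written for this page, not juicy-chat-bot's or juice-shop's own; the training set, the simulated file loader and the keyword matcher are constructed stand-ins), a readiness gate that stops messages from reaching the response engine before its files are loaded and makes concurrent initialisation idempotent:

```javascript
// Added example, not juicy-chat-bot's code: a readiness gate around an
// asynchronously initialised bot. Messages that arrive before the training
// data is loaded get a deterministic "not ready" reply instead of reaching
// an uninitialised engine, and concurrent init() calls share one load.
// Constructed training set standing in for the real intents and answers.
const TRAINING_DATA = [
  { intent: 'price', keywords: ['price', 'cost'], answer: 'Apple Juice costs 1.99.' },
  { intent: 'greeting', keywords: ['hello', 'hi'], answer: 'Hello! How can I help?' }
];

// Simulated async loader (stands in for reading the bot files from disk).
function loadTrainingData(delayMs = 10) {
  return new Promise(resolve => setTimeout(() => resolve(TRAINING_DATA), delayMs));
}

class GatedBot {
  constructor() { this.model = null; this.initPromise = null; }

  // Idempotent: every caller awaits the same in-flight load.
  init() {
    if (!this.initPromise) {
      this.initPromise = loadTrainingData().then(data => {
        this.model = data.map(d => ({ ...d, keywords: new Set(d.keywords) }));
        return this;
      });
    }
    return this.initPromise;
  }

  // The "message before init finished" case is handled explicitly.
  respond(text) {
    if (this.model === null) {
      return { state: 'loading', reply: 'Bot is still loading, try again shortly.' };
    }
    const tokens = text.toLowerCase().split(/\W+/);
    const hit = this.model.find(m => tokens.some(t => m.keywords.has(t)));
    return hit
      ? { state: 'ok', intent: hit.intent, reply: hit.answer }
      : { state: 'ok', intent: 'unknown', reply: "Sorry, I didn't get that." };
  }
}

// Drives the sequence: one message before init completes, one after.
async function demo() {
  const bot = new GatedBot();
  const early = bot.respond('What is the price of apple juice?'); // before init
  const p1 = bot.init(), p2 = bot.init();                         // concurrent init
  await p1;
  const late = bot.respond('What is the price of apple juice?');
  return { early, late, sameInit: p1 === p2 };
}
```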

Conclusion

I’ve had a wonderful time during these 3 months and have learned plenty of things. Special thanks to my mentors, for always being incredibly responsive. It helped a lot to have quick feedback and code reviews, as well as thorough discussions during our bi-weekly sync-ups.
