This project's aim was to develop an intentionally vulnerable npm module that can be used to quickly set up chatbots, and then using it to implement a responsive, NLP-based chatbot for OWASP juice-shop, along with two accompanying challenges.
It is unique in the sense that this is the first juice-shop challenge that requires the users to track down a third party dependency, go through the library's code and find a vulnerability, which can then be exploited from within the application.
Student: Mohit Sharma
Mentors: Björn Kimminich, Jannik Hollenbach, Timo Pagel
-
Wrote and published
juicy-chat-bot
, an intentionally vulnerable npm module for easy set up of highly customizable NLP based chatbots.- The code can be found here
-
Created a support chat page for
juice-shop
powered byjuicy-chat-bot
-
Created one of the two proposed challenges. The second one had to be skipped because it was based on a CSP bypass on the chatbot page, but angular, the frontend framework that juice-shop uses, uses client side routing and therefore doesn't allow custom CSP headers for specific pages. A modification to the challenge's exploitation flow would have made it too similar to the existing challenges and it was therefore decided, after a thorough discussion with the project mentors, that it would be better to skip it until we can think of something else, that manages to be innovative while remaining feasible.
- Created
Kill the Chatbot
challenge (#1438)
- Created
-
Challenge hints and solutions
The chatbot is able to answer basic customer queries like "What is the price of X product", and can be expanded easily by adding to the training Data
- Documentation for
juicy-chat-bot
, to help users customize their own instances with custom training sets and easter eggs - Add a chatbot widget to juice-shop, that can be used to spontaneously pass out hints and suggestions to the user without having to navigate to the chat page.
I acquired a number of skills, both technical and non technical during GSoC, including
-
How to write good asynchronous code, especially when I had to manage communiction between juice-shop and chatbot's response engine, which runs inside a VM instance on a separate thread. It also came in handy in #1453 where I had to ensure that all chatbot files were loaded up before the bot was initialized, and any communication attempts before that were handled accordingly.
-
Got familiar with Angular.
-
Writing quality unit tests.
I’ve had a wonderful time during these 3 months and have learned plenty of things. Special thanks to my mentors, for always being incredibly responsive. It helped a lot to have quick feedbacks and code reviews, as well as thorough discussions during our bi-weekly sync-ups.