How to perform a vulnerability analysis and penetration testing on Chatbots?
Here is the ultimate guide to performing such a test.
Why is Chatbot security important?
Chatbots are becoming increasingly popular. They can help us in many ways, from customer support to online shopping; even the office of the US president runs a Facebook chatbot. As chatbot usage grows, we also need to start thinking about the security side of chatbots. In this tutorial, we describe the tests to be performed while conducting a penetration test of a chatbot.
Step 1 – Information Gathering
All vulnerability analysis and penetration testing must start with a thorough information gathering phase. In the case of a chatbot, the following details must be collected first.
- Platform: Collect details about the platform the chatbot under test is using. If it runs on a public platform such as Facebook or another social networking site, the owner does not have complete control over its security. If it runs on a private platform, the owner has full control over security. A chatbot owner who plans to collect and store data from users must therefore use a private platform, where the bot owner has complete control over security.
- General information, including the technologies powering the chatbot.
- Rule-based or AI-based: Check whether the chatbot is rule-based or AI-based. Rule-based chatbots work with predetermined options and questions within their programmed parameters and are more secure than AI-based chatbots.
Tests to Be Performed
1. Client Side Vulnerabilities
While testing chatbots we must test for vulnerabilities such as Cross-Site Scripting (XSS). There is a chance of XSS whenever data supplied by the user is reflected back by the chatbot, e.g. when the chatbot has an automatic search option and the search query is reflected back along with the search results.
2. Server Side Vulnerabilities
Check for the following vulnerabilities:
Blind XSS: Blind XSS is a form of persistent XSS in which the server stores the user's input and later displays it in another part of the application, usually to a different user. For example, if a chatbot can raise tickets to fix issues in a company, the text submitted with a ticket is stored on the server and shown to the admin who reviews the ticket. If that text contains markup, it is executed in the admin's browser at review time.
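The reflected case from the client-side section and the stored (blind) case above share one control: output encoding at the point where untrusted text enters HTML. The following is an added example, not code from the original post or any chatbot product; it assumes a chatbot web widget that builds reply HTML on the client and a ticket-raising intent whose stored description is later rendered on an admin page. The function names, the `ticketStore`, and the sample query are all constructed for illustration.

```javascript
// Added example (not from the original post or any chatbot vendor).
// Assumed setup: a chatbot web widget builds reply HTML on the client, and a
// ticket-raising intent stores the user's text for an admin page to show later.

// Encode the characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected case, vulnerable form: the search query goes straight into markup,
// so any tags the user typed are interpreted by the browser.
function renderSearchReplyUnsafe(query, results) {
  return `<p>Results for "${query}":</p><ul>` +
    results.map(r => `<li>${r}</li>`).join('') + '</ul>';
}

// Reflected case, hardened form: every untrusted value is encoded where it
// enters HTML. Search results are treated as untrusted too, since they may
// have been stored from earlier user input.
function renderSearchReplySafe(query, results) {
  return `<p>Results for "${escapeHtml(query)}":</p><ul>` +
    results.map(r => `<li>${escapeHtml(r)}</li>`).join('') + '</ul>';
}

// Stored (blind) case: the description is stored verbatim, which is fine;
// the control point is the admin render, where it is encoded before display.
const ticketStore = [];

function raiseTicket(user, description) {
  const id = ticketStore.length + 1;
  ticketStore.push({ id, user, description });
  return id;
}

function renderTicketForAdmin(id) {
  const t = ticketStore.find(x => x.id === id);
  if (!t) return '<p>No such ticket</p>';
  return `<div class="ticket"><h3>#${t.id} from ${escapeHtml(t.user)}</h3>` +
    `<pre>${escapeHtml(t.description)}</pre></div>`;
}

// Constructed sample input (not real user traffic): markup and quotes mixed
// into an ordinary-looking question, to show the encoding at work.
const sampleQuery = 'price of <i>widget</i> & "blue" model';
const sampleResults = ['Widget <blue> - $10', 'Widget "red" - $12'];

console.log('unsafe:', renderSearchReplyUnsafe(sampleQuery, sampleResults));
console.log('safe:  ', renderSearchReplySafe(sampleQuery, sampleResults));
const demoId = raiseTicket('alice', 'Printer shows <offline> since 9am');
console.log('admin: ', renderTicketForAdmin(demoId));
```

In a real widget, setting reply text through `textContent` or a templating engine that escapes by default is preferable to a hand-written encoder; the explicit `escapeHtml` here only makes the control point visible. Note that this encoder is correct for HTML text and quoted attribute values only; text placed into a script block, a URL, or a CSS value needs the encoder for that context.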
Sensitive Data Disclosure: Check whether the chatbot returns results that include sensitive data, or data that should not be shown to a user with fewer privileges.
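The test above is easiest to reason about when the bot's data access is written as two explicit checks: which records the caller may read, and which fields of those records the caller's role may see. The following is an added example, not code from the original post; it assumes a fictional "account lookup" intent, a constructed record store, and that the caller's user name and role come from the authenticated session rather than from anything typed into the chat. `FIELD_POLICY`, `ACCOUNTS`, and the function names are all assumed.

```javascript
// Added example (not from the original post). Assumed setup: the bot answers an
// "account lookup" intent from a record store. The caller's identity and role
// come from the authenticated session, never from the chat message itself.

// Allowlist of fields each role may see in a bot reply. Anything not listed is
// never copied into the response, so new sensitive fields are hidden by default.
const FIELD_POLICY = {
  customer: ['accountId', 'plan', 'balance'],
  agent: ['accountId', 'plan', 'balance', 'email', 'internalNotes'],
};

// Constructed sample records (fictional data).
const ACCOUNTS = [
  { accountId: 'A-100', owner: 'alice', plan: 'basic', balance: 12.5,
    email: 'alice@example.com', internalNotes: 'disputed charge, under review' },
  { accountId: 'A-200', owner: 'bob', plan: 'pro', balance: 0,
    email: 'bob@example.com', internalNotes: '' },
];

// Returns only the fields the session's role may see, or an error object.
function lookupAccount(session, accountId) {
  const allowed = FIELD_POLICY[session.role];
  if (!allowed) return { error: 'unknown role' };

  const record = ACCOUNTS.find(a => a.accountId === accountId);
  // Object-level check: a customer may only read their own account. A wrong
  // owner gets the same answer as a missing record, so the bot does not
  // confirm which account IDs exist.
  if (!record || (session.role === 'customer' && record.owner !== session.user)) {
    return { error: 'not found' };
  }

  // Field-level filtering: build the reply from the allowlist, never by
  // copying the raw record and deleting keys from it.
  const reply = {};
  for (const field of allowed) reply[field] = record[field];
  return reply;
}

// Turns the filtered object into the text the bot would send.
function formatReply(session, accountId) {
  const result = lookupAccount(session, accountId);
  if (result.error) return `Sorry, I could not find that account (${result.error}).`;
  return Object.entries(result).map(([k, v]) => `${k}: ${v}`).join(', ');
}

// Constructed sessions: the same account asked for by its owner, by another
// customer, and by a support agent.
console.log(formatReply({ user: 'alice', role: 'customer' }, 'A-100'));
console.log(formatReply({ user: 'bob', role: 'customer' }, 'A-100'));
console.log(formatReply({ user: 'carol', role: 'agent' }, 'A-100'));
```

When testing a real bot, the two checks map to two questions: does a low-privilege session get a record it does not own, and does any reply contain a field outside what that role should see. The allowlist form means a field added to the store later is withheld until someone decides which roles may see it.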
Encrypted Channel for Communication: Check and make sure that chatbot communication is encrypted. Encryption is required to prevent network sniffing and eavesdropping.
Rules for Data Collection and Storage: Check that there is a defined set of rules for data collection, and make sure the collected data is stored securely. As mentioned above, if the chatbot runs on a public platform such as a social media site, we do not get complete control over its security. So if user data is being collected for further study, use a private platform so that the stored data can be fully secured.