AI Agent Security - Pen-Testing & Code-Review

AI agents are advanced software systems designed to operate autonomously or with some degree of human oversight. Utilizing cutting-edge technologies such as machine learning and natural language processing, these agents excel at processing data, making informed choices, and engaging users in a remarkably human-like manner.

These intelligent systems are making a significant impact across multiple sectors, including customer service, healthcare, and finance. They help streamline operations, improve efficiency, and enhance precision in various tasks. One of their standout features is the ability to learn from past interactions, allowing them to continually improve their performance over time.

You might come across AI agents in several forms, including chatbots that offer round-the-clock customer support, virtual assistants that handle scheduling and reminders, or analytics tools that provide data-driven insights. For example, in the healthcare arena, AI agents can sift through patient information to predict potential outcomes and suggest treatment options, showcasing their transformative potential.

As technology advances, the influence of AI agents in our everyday lives is poised to grow, shaping the way we interact with the digital world.

Frameworks for AI Agents

AI agent frameworks such as LangChain and CrewAI are leading the charge in creating smarter applications. LangChain stands out with its comprehensive toolkit that enables easy integration with a variety of language models, streamlining the process of connecting multiple AI functionalities. Meanwhile, CrewAI specializes in multi-agent orchestration, fostering collaborative intelligence to automate intricate tasks and workflows.

Both frameworks aim to simplify the complexities associated with large language models, making them more accessible for developers. LangChain features a modular architecture that allows for the easy combination of components to facilitate tasks like question-answering and text summarization. CrewAI enhances this versatility by seamlessly integrating with various language models and APIs, making it a valuable asset for both developers and researchers.

By addressing common challenges in AI development—such as prompt engineering and context management—these frameworks are significantly accelerating the adoption of AI across different industries. As the field of artificial intelligence continues to progress, frameworks like LangChain and CrewAI will be pivotal in shaping its future, enabling a wider range of innovative applications.

Security Checks for pen-testing/code-review for AI Agents

Ensuring the security of AI agents requires a comprehensive approach that covers various aspects of development and deployment. Here are key pointers to consider:

1.    API Key Management

• Avoid hardcoding API keys (e.g., OpenAI API key) directly in the codebase. Instead, use environment variables or dedicated secret management tools.
• Implement access control and establish rotation policies for API keys to minimize risk.

2.    Input Validation

• Validate and sanitize all user inputs to defend against injection attacks, such as code or command injections.
• Use rate limiting on inputs to mitigate abuse or flooding of the service.

3.    Error Handling

• Ensure error messages do not reveal sensitive information about the system or its structure.
• Provide generic error responses for external interactions to protect implementation details.

4.    Logging and Monitoring

• Avoid logging sensitive user data or API keys to protect privacy.
• Implement monitoring tools to detect and respond to unusual usage patterns.

5.    Data Privacy and Protection

• Confirm that any sensitive data processed by the AI agent is encrypted both in transit and at rest.
• Assess compliance with data protection regulations (e.g., GDPR, CCPA) regarding user data management.

6.    Dependency Management

• Regularly check for known vulnerabilities in dependencies using tools like npm audit, pip-audit, or Snyk.
• Keep all dependencies updated with the latest security patches.

7.    Access Control

• Use robust authentication and authorization mechanisms for accessing the AI agent.
• Clearly define and enforce user roles and permissions to control access.

8.    Configuration Security

• Review configurations against security best practices, such as disabling unnecessary features and ensuring secure defaults.
• Securely manage external configurations (e.g., database connections, third-party services).

9.    Rate Limiting and Throttling

• Implement rate limiting to prevent abuse and promote fair usage of the AI agent.
• Ensure the agent does not respond too quickly to requests, which could signal potential abuse.

10.    Secure Communication

• Use secure protocols (e.g., HTTPS) for all communications between components, such as the AI agent and APIs.
• Verify that SSL/TLS certificates are properly handled and configured.

11.    Injection Vulnerabilities

• Assess for SQL or NoSQL injection vulnerabilities, particularly if the agent interacts with a database.
• Ensure that all queries are parameterized or follow ORM best practices.

12.    Adversarial Inputs

• Consider how the agent processes adversarial inputs that could lead to harmful outputs.
• Implement safeguards to prevent exploitation of the model’s weaknesses.

13.    Session Management

• If applicable, review session management practices to ensure they are secure.
• Ensure sessions are properly expired and invalidated upon logout.

14.    Third-Party Integrations

• Evaluate the security practices of any third-party integrations or services utilized by the agent.
• Ensure these integrations adhere to security best practices to avoid introducing vulnerabilities.

Performing Security Code Review for Salesforce Commerce Cloud Application

Salesforce Commerce Cloud (SFCC), formerly known as Demandware, is a robust cloud platform tailored for building B2C e-commerce solutions. It offers a reference architecture, the Storefront Reference Architecture (SFRA), which serves as a foundational framework for website design. SFRA is carefully designed to act as a blueprint for developing custom storefronts. Given your familiarity with this platform, we will forego an extended introduction to Commerce Cloud. Instead, let's review some fundamental concepts before proceeding to the code review.

Access Levels
The platform offers -

• Developer Access: For users involved in the development of storefront applications, this access level permits the creation of new sites or applications and the deployment of associated code.
• Administrator Access: Primarily used for managing global settings across all storefront applications within the SFCC system. This level also enables "Merchant Level Access".
• Merchant Level Access: Allowing users to manage site data (import/export), content libraries, customer lists, products, and marketing campaigns.

SFRA Architecture
SFRA typically includes an "app_storefront_base" cartridge and a server module. These components can be used with overlay plugin cartridges, LINK cartridges, and custom cartridges to create a cartridge stack for layering functionalities. A typical cartridge stack might look like this:

Source: https://developer.salesforce.com/

SFRA employs a variant of the Model-View-Controller (MVC) architecture. In this setup:

1. Controllers handle user input, create ViewModels, and render pages.
2. ViewModels request data from B2C Commerce, convert B2C Commerce Script API objects into pure JSON objects, and apply business logic.

The "app_storefront_base" cartridge includes various models that utilize the B2C Commerce Script API to retrieve data necessary for application functionality. These models then construct JSON objects, which are used to render templates.

In SFRA, defining an endpoint relies on the controller's filename and the routes specified within it. The server module registers these routes, mapping URLs to the corresponding code executed when B2C Commerce detects the URL. Additionally, the server module provides objects that contain data from HTTP requests and responses, including session objects.

Cartridge
In B2C Commerce, a "cartridge" serves as a modular package for organizing and deploying code, designed to encapsulate both generic and application-specific business functionalities. A cartridge may include controllers (server-side code where business logic is implemented), templates, scripts, form definitions, static content (such as images, CSS files, and client-side JavaScript files), and WSDL files. Typical base cartridge architecture:

Source: https://developer.salesforce.com/

SFCC Security
One of the key advantages of using platform-built applications is the inherent security provided by the platform. However, it is essential to ensure that configurations enhancing the security of the code are properly applied during implementation. To broadly review the security of a Salesforce Commerce Cloud application, consider the following pointers:

Encryption/Cryptography
In Salesforce, including B2C Commerce, the "dw.crypto" package is commonly used to enable developers to securely encrypt, sign, and generate cryptographically strong tokens and secure random identifiers. It is crucial to review the usage of classes within this package to ensure they meet security standards. For instance, the following classes in "dw.crypto" are considered secure: -

1. Cipher - Provides access to encryption and decryption services using various algorithms.
2. Encoding - Manages several common character encodings.
3. SecureRandom - Offers a cryptographically strong random number generator (RNG).

However, the below classes suggest the use of deprecated ciphers and algorithms, and may introduce vulnerabilities: -

1. WeakCipher
2. WeakSignature
3. WeakMac
4. WeakMessageDiget

Declarative Security via HTTP Headers 

Certain HTTP headers serve as directives that configure security defenses in browsers. In B2C applications, these headers need to be configured appropriately using specific functions or files. HTTP headers can be set through two methods: -

1. Using the "addHttpHeader()" method on the Response object.
2. Using the "httpHeadersConf.json" file to automatically set HTTP response headers for all responses.

To ensure robust security, review the code to confirm the presence of important response headers such as Strict-Transport-Security, X-Frame-Options, and Content-Security-Policy etc.
 

Cross-Site Scripting / HTML Injection
B2C Commerce utilizes Internet Store Markup Language (ISML) templates to generate dynamic storefront pages. These templates consist of standard HTML markup, ISML tags, and script expressions. ISML templates offer two primary methods to print variable values: -

1. Using "${...}": Replace the ellipsis with the variable you want to display.
2. Using the "<isprint>" tag: This tag also outputs variable values.

When reviewing .isml files, it is crucial to examine the usage of these tags to identify potential vulnerabilities such as Cross-Site Scripting (XSS) or HTML Injection. These vulnerabilities allow attackers to inject malicious client-side scripts into webpages viewed by users. Example of vulnerable code: -

Script Injection
Server Script Injection (Remote Code Execution) occurs when attacker-injected data or code is executed on the server within a privileged context. This vulnerability typically arises when a script interprets part or all of unsafe or untrusted data input as executable code.
The "eval" method is a common vector for this type of vulnerability, as it executes a string as a script expression. To identify potential risks, review the code for the use of the global method "eval(string)", particularly where the string value is derived from user input.
 

Data Validation
In addition to the aforementioned security checks, it is crucial to validate all user input to prevent vulnerabilities. This can be achieved through functions like "Allowlisting" (whitelisting) and "Blocklisting" (blacklisting). Review these functions to ensure proper input and output validations and to verify how security measures are implemented around them.
 

Cross-Site Request Forgery
Salesforce B2C Commerce offers CSRF protection through the dw.web.CSRFProtection package, which includes the following methods: -

1. getTokenName(): Returns the expected parameter name (as a string) associated with the CSRF token.
2. generateToken(): Securely generates a unique token string for the logged-in user for each call.
3. validateRequest(): Validates the CSRF token in the user's current request, ensuring it was generated for the logged-in user within the last 60 minutes.

Review the code to ensure that these methods are used for all sensitive business functions to protect against CSRF attacks.
 

Storage of Secrets
When building a storefront application, it is crucial to manage sensitive information such as usernames, passwords, API tokens, session identifiers, and encryption keys properly. To prevent leakage of this information, Salesforce B2C Commerce provides several mechanisms for protection: -

1. Service Credentials: These can be accessed through the "dw.svc.ServiceCredential" object in the B2C Commerce API. Ensure that service credentials are never written to logs or included in any requests.
2. Private Keys: Accessible through the script API using the "CertificateRef" and "KeyRef" classes. Utilize these classes to manage private keys securely.
3. Custom Object Attributes: Customize attributes and their properties to use the type "PASSWORD" for storing secrets. This helps ensure that sensitive information is handled securely.

Review the code to verify that all secrets are stored using these methods and are not exposed or mishandled.
 

Authentication & Authorization
To ensure that business functions are carried out with appropriate privileges, developers can utilize certain pre-defined functions in Salesforce B2C Commerce: -

1. userLoggedIn: This middleware capability checks whether the request is from an authenticated user.
2. validateLoggedIn: This function verifies that the user is authenticated to invoke a particular function.
3. validateLoggedInAjax: This function ensures that the user is authenticated for AJAX requests.

Review the code to confirm that these functions are used appropriately for any CRUD operations. Additionally, ensure that the code includes proper session validation checks for user permissions related to each action.
 

Redirection Attacks
In general, redirect locations should be set from the server side to prevent attackers from exploiting user-injected data to redirect users to malicious websites designed to steal information. To validate this, review the code for any instances where user input might be directly or indirectly sent to: -

1. "<isredirect>" element: Used in ISML templates for redirecting.
2. "dw.system.Response.redirect" object: Utilized to handle redirects in the script.

 

Supply Chain Security
The platform allows the use of various software sources through uploads, external linking, and static resources. However, this introduces the risk of including unwanted or insecure libraries in the storefront code. For SFRA implementations, ensure that the "addJs" and "addCss" helper methods use the integrity hash as an optional secondary argument to verify the integrity of the resources being added.
 

Secure Logging
Salesforce B2C Commerce logs are securely stored and accessible only to users with developer and administrator access. These logs can be accessed via the web interface or over WebDAV. To ensure the security of sensitive information, review the code to confirm that sensitive data such as keys, secrets, access tokens, and passwords are not logged. This is particularly important when using the "Logger" class. Ensure that sensitive information is not passed to any logging functions ("info", "debug", "warning") within the "Logger" class.
 

Business Logic Issues
Business logic issues can arise from various factors, such as excessive information revealed in responses or decisions based on client-side input. When reviewing SFCC code for logical vulnerabilities, focus on the following areas: -

1. Reward Points Manipulation: In applications that add reward points based on purchases, ensure that the system validates the order number against the user and enforces that rewards are added only once per order. Rewards should also be deducted if an order is canceled or an item is returned. Failure to do so can allow users to manipulate reward points by passing arbitrary values as the order number.
2. Price Manipulation: When submitting or confirming an order, verify that the final price of the product is calculated on the server side and not based solely on client-supplied values. This prevents users from purchasing products at lower prices by manipulating request data.
3. Payment Processing: Since applications often leverage third-party payment gateways, ensure that calls to these gateways are made from the server side. If the client side handles payment processing, users might change order values. Review the logic to confirm that payment validation and processing occur server-side to prevent manipulation.
4. Account Takeover: For password reset functionality, ensure that reset tokens are not sent in responses, that tokens cannot be reused, and that complex passwords are enforced. Avoid sending usernames from the client side for password resets to reduce the risk of account takeover.

Review the code for validation logic in each business function to uncover any exploitable scenarios resulting from missing or improper validations.
 

In a Nutshell
The above points highlight that, despite the robust security controls provided by the B2C platform, poor coding practices can undermine these protections and introduce security vulnerabilities into the application. It is essential not to rely solely on platform security features but also to conduct a thorough secure code review to identify and address potential issues in the implementation.
 

Useful Links

• https://developer.salesforce.com/docs/commerce/sfra/guide/b2c-sfra-features-and-comps.html
• https://developer.salesforce.com/docs/commerce/b2c-commerce/guide/b2c-cartridges.html
• https://osapishchuk.medium.com/how-to-understand-salesforce-commerce-cloud-78d71f1016de
• https://help.salesforce.com/s/articleView?id=cc.b2c_security_best_practices_for_developers.htm&type=5

Article by Maunik Shah & Krishna Choksi

Performing Secure Code Review of R Code – A Beginner’s Guide

Background
R is a programming language primarily used for statistical computing and graphical presentation to analyze and visualize data. R is an interpreted language, meaning R programs are not pre-compiled but executed by the R interpreter at runtime. An R file is a script written in the R programming language and saved with the .R file extension.

R language - Ecosystem
Comprehensive R Archive Network (CRAN)
CRAN is R's central software repository, supported by the R Foundation. It is an archive of the latest and previous versions of the R distribution, documentation, and contributed R packages.

Posit – Shiny
Shiny is an R package used to build interactive web applications that execute R language code on the back-end. It enables users to host standalone applications on a webpage, embed interactive charts in R Markdown documents, and build dashboards.

OSS Index
OSS Index is a free catalogue of open source components and scanning tools developed by Sonatype. It helps developers identify open source dependencies, known publicly disclosed vulnerabilities, understand risk, and keep their software secure. The vulnerability data is derived from public sources and does not include human-curated intelligence or expert remediation guidance.

Shiny Applications
A typical web application built using the Shiny package runs the `shinyApp(ui, server)` object. The `ui.R` and `server.R` files contain the code for the client-side and server-side, respectively, which makes up the major logic and code for the application.

 

 

 

R Markdown Files
Another important file type used in applications developed using R is the `.Rmd` file, which is an R Markdown file. It is a specific type of file format designed to produce documents that include both code and text. These files are typically used to generate report files for the results in formats like DOCX, HTML, and PDF.

Secure code review guidelines 

Get background information

• Obtain a brief overview of the application's purpose
• Understand the feature list
• Identify the targeted audience and deployment environment

Assess Potential Vulnerabilities
R is a statistical programming language primarily used for domain-specific application development. Based on the application details, try to gauge what security vulnerabilities the code may be susceptible to.

Understand Code Structure
Examine how the code handles user input, imports and exports data file, manages configurations, processes data, makes external/third-party calls, utilizes libraries/packages, and generates the user interface.

Check for Vulnerable Packages

• \Packages are typically listed at the beginning of .R files

        

• Package versions can be found in the package_list.csv file
• If the package list file is not available, installed packages and versions can be found using the following command:
  

• Vulnerabilities for R language-based packages can be found on the OSS Index
• The `oysteR` package is an R interface to the OSS Index that allows users to scan their installed R packages

HTTP Requests
Look for HTTP requests from the code files. The `httr` package is commonly used to make HTTP requests from R language code. Check the sensitivity of the data sent in the HTTP request, if applicable.

User Input Sanitization
Trace the input data received from the user interface
Ensure that input data is validated, escaped, and sanitized using blacklisting or whitelisting approaches
For file imports, check that the file data is properly sanitized before consuming it in the program logic
Various functions can be used to search for specific characters and/or patterns in R, such as `gsub`, `grepl`, `str_replace`, and `str_replace_all` from the `stringr` package

Hardcoded Secrets
Check for hardcoded secrets like passwords, keys, or tokens in the code.

Built-in Security Features
R comes with a variety of built-in security features that can help protect your software. Here are a few key features:

• Secure Password Storage: R provides the `bcrypt` package for secure password hashing
• Secure Communication: The `openssl` package in R can be used to encrypt communication, ensuring data confidentiality and integrity
• Data Anonymization: R's `sdcMicro` package provides methods for anonymizing data, a key aspect of privacy preservation

Common security vulnerabilities in R code
The most common security vulnerabilities in R code primarily revolve around the handling of data serialization and deserialization, particularly with RDS (R Data Serialization) files. Here are some of the common vulnerabilities observed:

Arbitrary Code Execution
Recent findings have highlighted a critical vulnerability, which allows for arbitrary code execution through the deserialization of untrusted RDS files. This vulnerability exploits R's lazy evaluation and promise objects, enabling attackers to craft malicious RDS files that execute arbitrary code when loaded. This poses a significant risk, especially in environments where R packages are shared among developers and data scientists.

Supply Chain Attacks
The nature of R's package management system, particularly with repositories like CRAN, makes it susceptible to supply chain attacks. An attacker can overwrite legitimate R packages with malicious versions containing harmful code. When users load these compromised packages, the malicious code is executed, potentially leading to system compromise.

Input Validation Issues
Like many programming languages, R is vulnerable to injection attacks if user inputs are not properly validated. This includes risks associated with SQL injection and command injection, especially when R is used to interact with databases or execute system commands.

Lack of Access Controls
R applications often lack robust access control mechanisms, which can lead to unauthorized access to sensitive data or functionalities. Ensuring that proper authentication and authorization checks are in place is essential to mitigate this vulnerability.

Insecure Data Handling
Improper handling of sensitive data, such as failing to encrypt data at rest or in transit, can expose applications to data breaches. It is crucial to implement strong encryption practices when dealing with sensitive information in R.

Article by Maunik Shah & Krishna Choksi