Bishop Fox’s Eyeballer is the first AI-powered hacking tool of its kind.

Additional Info

CompanyBishop Fox
Websitehttp://www.bishopfox.com
Company size (employees)100 to 499
Type of solutionSoftware

Overview

Bishop Fox developed Eyeballer, an open source AI-powered tool, to assist penetration testers in identifying the web pages that need further review. Unlike traditional web scanners, Eyeballer can “look at” rendered web pages to identify the ones that are most likely to contain actionable leads. This can be very useful in cases where “fuzzy” logic needs to be applied to find sites that look old, or ones that look like a homepage. Currently, penetration testers perform this task in a laboriously manual process, looking at each screenshot one by one. But with Eyeballer’s AI, the heavy lifting of visually inspecting web pages is automated.

While Eyeballer is a hacking tool, it notably doesn’t actually “hack into” anything. Its whole job is to identify which screenshots most likely indicate vulnerabilities, and then present those results for a human hacker to review. Importantly, Eyeballer doesn’t replace traditional web scanners. Instead, it’s designed to be used in conjunction with them to help focus manual review efforts.

Eyeballer uses a convolutional neural network to sift through mountains of screenshots and tells the hacker what is likely to have vulnerabilities and what isn’t, just by looking at it. Specifically, Eyeballer tags images with one or more labels that are of specific value to pentesters: things that human beings typically are looking for during large scale external engagements. “Is the site old-looking,” “Does it have a login,” “Is it the homepage of the app,” and “Is this a custom 404 page.”

Finding websites that “look old” is extremely valuable when trying to break in. Old websites have a distinct look-and-feel that is hard to pinpoint an exact definition for, and impossible to make a traditional signature on. Yet, they’re extremely valuable targets for pentesters. Having AI that can identify “old looking” websites is extremely useful.

How we are different

• Eyeballer is the first AI-powered hacking tool of its kind, and is forging the path for new tools to leverage machine learning to optimize hacker activity. Eyeballer is a proof-of-concept to solve the real-world challenge of identifying interesting targets (e.g. "old looking" web sites and login functionality) when traditional signatures are no longer sufficient. Eyeballer can currently recognize several categories of web pages, including Custom 404 Pages, Login Pages, Homepages, and Old Looking Websites. The Bishop Fox research team is committed to expanding the capabilities, actively working on adding to the existing dataset to include many more important categories. Future enhancements include improved accuracy, more granular identification buckets, and better integration with existing web scanners.


• Eyeballer works at scale. Powerful but lightweight, Eyeballer can classify thousands of screenshots in just a couple of minutes. As web applications become more dynamic (e.g. with JavaScript and CSS), these pages become less machine-readable. Eyeballer looks at these web apps, fully rendered, like a human would to identify key features. While there isn't a lot of research centered around image recognition and screenshots, Eyeballer demonstrates how these could be used to fingerprint webpages. Eyeballer can even be expanded to identify particular types of frameworks and versions in future releases, which could then be added to tools to try and automatically exploit those.


• Eyeballer is for both managed service providers and pentesters. It was originally designed with our own continuous penetration testing service in mind, to quickly narrow down assets to a curated list of targets likely to be attractive to hackers. Eyeballer is available as open source software on the Bishop Fox GitHub (https://github.com/bishopfox/eyeballer) and is an essential addition to the pen testing toolkit, especially when used to augment existing scanning practices.