
to East Side San Antonio. Before we begin, I want to give a quick shout out to our sponsors USAA and St. Mary's for making this possible. We are also grateful for the support of... if you haven't seen our sponsors, they're all at the other center, most of them; check them out. I'm going to turn the mic over to J.R. Hernandez and Rob as they discuss automating all things. Please join me in welcoming them.

>> Hi, welcome to the presentation today. Hopefully everybody's enjoying this nice warm balmy day in San Antonio, Texas. So let's face it, right? There are a lot of cool capabilities being put out on the forefront for businesses to use globally. Automation and AI have had a huge impact on the industry over the last two or three years specifically. But there are also other capabilities out there to help put the power in what we're referring to as citizen coders' hands, to be able to automate processes and workflows without having to have a deep dive, a four-year degree or 10 years of coding experience or what have you, right? And those are through what we're referring to as low code, no code platforms.

Let me ask you a quick question. I'm going to ask some questions because I like to be interactive, so I'm not going to pick on anybody unless somebody doesn't volunteer. That's why we brought Mark here today; Mark's going to answer all our questions. So who here has used Raspberry Pi before? Okay, cool. Anybody have a lot of experience with Raspberry Pi or use it with their kids? Any projects with their kids? A couple people? Okay, good. Is anybody familiar with Scratch? Whole lot of people. Okay, that makes the world a little bit easier for us to discuss during this presentation today. What's the cool thing about Scratch? Anybody want to give an answer? Why was Scratch developed, or why is Scratch such a cool tool to use?

>> You don't need to type anything.

>> What's that?

>> You don't need to type anything.

>> You don't need to type anything. Right. So when I first started seeing low code, no code tools come out to the market, I started thinking, crap. I used to hack Minecraft APIs with my kid when he was 5 years old, and I was teaching him how to code using a tool called Scratch. Scratch basically comes on Raspberry Pi. It's a drag and drop interface where it's like, I want to do this; if this happens, then do that. It makes it very simple for kids. Well, that's kind of matriculated into the business world with low code, no code platforms, and it's given the power to what we refer to as citizen coders: everyday people, Bob in accounting, Sally in marketing, so on and so forth, to automate things by themselves. So what could possibly go wrong when you're asking citizen coders to access enterprise data, customer data, and automate things? Let's wrap our heads around that a little bit.

I'm going to ask a couple questions real quick here. Okay, of course, that got cut off. How many people in the room have used workflow automation tools before? Okay. What platforms?

>> Okay. Any Jen?

>> Okay.

>> Okay. I saw some other hands.

>> Yeah.

>> Okay.

>> What about Power Automate?

>> Right. Power Automate can be thought of as a low code or no code platform as well, Microsoft and what have you. So without getting too deep and personal, what kind of tasks are you guys using that for? Is it processing data? Is it security operations?

>> So I have mine actually create my script every week for my podcast, so I don't have to actually do the show notes and all that sort of stuff. I'll tweak it before I go live. But yeah, the research is already done for me.

>> Yeah. I can't tell you, on the n8n... I felt like starting my own podcast after I got done, because I was like, "Holy crap, they automate the [ __ ] out of everything here." Sorry for the four-letter words. I spent 10 years in the United States Army, so I've learned my vocabulary not just in post-graduate education. So another question, just to get a little bit more personal here. Is everybody here from Texas? How many out-of-towners do we have?

>> A couple.

>> Where are you guys from?

>> Where?

>> He's from Texas.

>> Yeah.

>> No, he's true. Okay, I should have been more specific. How many people from out of Texas do we have? Houston. Okay, there you go. That was a trick question. Mental note for next time. Mark, so Mark was my old boss at Digital Defense, and he's like, "Yeah, we made the right decision getting rid of Rob years ago."

So today's presentation, we're going to talk a little bit about an overview of low code, no code. We're going to talk about the landscape. We're going to talk about some examples of low code, no code stuff, and then also security for low code infrastructure. We do have some demos that we're going to try to present today. We've also taken screen captures if Murphy's law doesn't work out well for us here. So with that being said, Jay, if you want to...

>> Hernandez, been in the security space for a long time. Mark actually hired me too, but yeah, so I'm very happy to be here. And I'm excited because there's a lot of stuff that is relevant to security that relates to the low code, no code stuff. It's very useful, but it's kind of like the security seesaw: the easier it is, the more insecure it is, right? So it's something that we have to keep in mind and be aware of as security professionals.

>> Cool. And my name's Rob Krauss. Obviously, I've been talking here for a couple minutes. I started out in information security working at AT&T. I was on their initial U-verse roll out for the United States. I was on the security architecture team. Got hired over at Digital Defense, worked with Mark Bell and the folks over there for about three and a half, four years. Went to a company called Solutionary, which was an MSSP based in the United States, got acquired by Nippon Telegraph and Telephone out of Japan. I was the director of their Global Threat Intelligence Center. If you've ever read the Global Threat Intelligence Report, I think it's in its 11th year of publication, I actually wrote the first 10, or I'm sorry, the first nine of those reports in the threat intelligence space, and then I was also a former VP of offensive cyber operations at a company based out of Chicago. So we're super excited to be here today.

Let's talk first about what low code, no code is, and we're also going to talk about what challenges it solves. So what is low code, no code? A large part of its appeal is that
it allows you to automate things that you don't have to have programming knowledge for. If you've been in the security space for a while, you probably loved Perl for a while, and then you loved Ruby, and then you found out about Ruby on Rails, and then Metasploit moved their whole project from Perl to Ruby on Rails, and then you had Python start kicking in doors and taking over in the security space, right? So you have all these cool coding and programming languages, and it's great to know all those, and you'll run across those in the security space whether you're blue team or red team. But sometimes you just want to empower yourself and get stuff done in a couple minutes, and you don't want to sit down there and debug code and rewrite, and even with AI, with vibe coding, with things like Python and what have you, it gets a little bit frustrating sometimes.

>> One of the things about this, and one of the big drivers, is everybody knows that every enterprise is under... they don't have enough people, right? So the IT team's always busy; they don't have enough time. A lot of business functions require custom applications, and they just don't have the time to build that for them. And that's the big driver in stuff like this: they're allowing business needs to kind of do their own thing, which is good, but again, the security implications of that are something that we have to contend with.

>> Yep. So what does that all mean? We talked about Scratch earlier, and we talked about how easy it was. So easy a kid can do it: drag and drop little programs and mess around with Minecraft APIs and all that. But with n8n and different types of automation platforms that are out there, you really have the power. You can literally sit down over a weekend, watch a couple demo videos, and program entire applications in a matter of hours, with zero programming experience, and if you get stuck, ChatGPT, Claude, Gemini, they will all build workflows for you. You can tell ChatGPT, give it the correct prompt: build me a workflow, I want to do X and I want to end up here, and it'll create the whole workflow for you. Now I will say this: it does put a lot of default code in the workflow, so it's not going to work out of the box in many cases. But super powerful. You can see where we're kind of going here.

It allows citizen developers to really get out there and build tools, workflows, integrations that they may not want to wait on dev for. How many times... I'm sure we've got people in the room that have said, "Hey, you know what? My job would be a lot easier if I could get just a couple hours of dev time to automate this process for me." And then that gets put into a backlog in Jira, and that Jira ticket keeps on moving further down the backlog. Like, yes, you'll have that feature in two years, finally, when you get it, but it's something that you could do in a couple minutes. Like the example with the podcast stuff: you really want to spend time on your audience and building your audience and your craft and your message and your persona. It doesn't mean you have to sit there and write every single thing you're going to say. Get some prompts, get some ideas from AI or automation that you might not have thought of organically.

So with that being said, some of the popular low code, no code providers. Listen, I could have made a slide deck with 40 slides with just logos on it. When we were going through the research, there were several hundred different workflow low code, no code providers and platforms out there. Some of them are free, some of them are open source. So this isn't necessarily a recommendation for anyone in particular. I can tell you that a lot of our presentation today is focused on n8n and some Zapier stuff, but you can apply some of the things that we're going to talk about to almost any of these platforms. And we also put Salesforce and HubSpot up here because they also have workflow capabilities and the ability for you to build those workflows within their tools as well. So you could theoretically apply that information there as well.

So the gap that it fills: we talked about backlog. You have faster ways to prototype. Let's say Mark is a super smart VP and he's like, "Hey, I really want this capability for our platform because I think it's going to enrich our data and be really cool for our customers, but I don't think dev actually gets it." So Mark can actually go out and prototype what he wants to do and then turn that over to dev, and dev is going to say okay, but they're still going to be able to see all the steps and the workflow and the logic behind that. So really shortcutting that time and being able to prototype, show developers what you're trying to accomplish if in the future it needs to be a more robust enterprise application.

You could use it obviously for security teams. Is anybody in here that I asked already on blue teams using any kind of workflow? Okay. How do you use it?

>> Case management.

>> Case management.

>> Alertation.

>> Alert enrichment.

>> Alert enrichment. So like you get an alert based off an IP address, and then you're going out and saying, "Oh, what does IP abuse say? What does Shodan say? What does all this say?" Perfect. That's an awesome blue team example. So on some of the sites that we talked about like n8n, JR is going to show you here in a little bit, they actually have specific categories for sec ops workflows, for blue team and red team stuff. So make sure you go check out some of those workflows that are already published by people that have created them and shared them. I'm going to have some cautions about that in a little bit, but I want you guys to use that as a source of inspiration, because you could take some of those pre-done workflows, and even if you don't use their workflow, you can say that sparked an idea: I can automate the crap out of this thing that takes me 5 hours a week and get it done. Why didn't I think of that?

One of the challenges with putting together this presentation is we have five or six demos. It was hard to cull that list down from the hundreds of different ideas that we had from a red team and a blue team perspective.

So next, a couple statistics. There are a couple reports that we looked at. Some of these numbers I agree with; some of them, I don't know if I'm going to believe all the ones I see. But these statistics came from a Forrester report called the Total Economic Impact report, specifically for Microsoft Power Apps, and this was published in July of 2024. From Forrester's analysis and surveys that they conducted with customers, 89% of developers have used low code in the past 12 months. 79% use low code, no code solutions. So there's a slight difference between low code and no code. It's kind of by name: no code is literally you can build apps with no code whatsoever, but a lot of them also cross into low code, where it gives you the option to craft and tweak things as you like. So based off of their analysis and report, they saw a 206% return on investment over three years based off of real data. And in some of the high impact use cases, they were finding that they were saving workers approximately 250 hours per year. So if you're looking at an average worker who works around, what, 2,250 (if I had to do some math in the back of my head real quick) ballpark hours per year, that's not insignificant. That's a good 10% savings in time. So think about that for your personal workload, but also think about that if you're a manager of a team or you're a director of a team.

We're going to show some cool security stuff and some scary security stuff today. But the message that we're trying to also give is we're not saying don't use any of these platforms. We're just saying use them, but be cautious when you are using them. So there's a prediction in an NTT Data report that came out in 2023 that there was going to be approximately 20% continuous annual growth in revenue year-over-year between 2021 and 2030. So 20% growth year-over-year is pretty significant; multiply that by 10 years, that's a pretty significant increase, looking at it being a 187 billion market by 2030, and then 50 to 80% cost reduction in projects using low code tools. So think about the business case: do we pay a developer to develop all this stuff? US developers are, in many cases, pretty expensive. When you're looking from a profit and loss perspective, we see a lot of outsourcing to overseas; we see a lot of different things where you can get development resources for less expensive. But in general in the US, since this is a US-based report, they're looking at a 50 to 80% cost reduction in low code, no code tool usage. So, that being said, JR is going to talk to you a little bit about why a security team
should care.

>> Awesome. Okay. So one of the things: we talked a little bit already about the security implications of this stuff. But the thing is that adoption rates are going to increase in enterprises for this stuff. It's just going to happen, because it's easy, and with vibe coding it's even less; you just kind of have a conversation with your chat, and then you create these tools and it does it for you. So this is going to be a reality in the future. There's no denying it. It's something that's going to happen. So this is the reason that you should care.

Again, we're going to have an influx of new developers. Everybody knows the difference between an experienced developer and a person who's just starting out in the field. So we're going to have a lot of new folks that are getting into this space. And again, this is going to be people from all departments doing this stuff. So you have something that we have to contend with. When I was looking at this, it made me think... you guys are familiar with the shift left movement, where you want to move security closer to the developer side. I think no code, low code is basically a shift right movement, because we're moving towards the direction of there's already an application built and you kind of have to secure it after the fact. So the security is moving away from the initial development part. You basically don't have a lot of the material that's been going on in the industry: no SDLC, no CI/CD, and a lot less logging in place. And I'm going to talk a little bit more about the OWASP Top 10 for low code, no code.

Okay, so another thing that's really interesting here is, again, you don't even have to build this stuff yourself. You could just go download it. Go download a workflow, test it out, see if it works, modify it to your own content. Which is great, except I kind of feel like it's kind of like the Android app store. You know what I mean? There's a lot of good stuff on there, but there are also bad ones too, bad applications. So you have to be really careful, because it's really easy, but you have to be cognizant of the fact that you don't want to download vulnerable or untrusted components and then put them into your environment.

>> So one attack path real quick I want to talk about, which we didn't do for this reason, but we talked about it. If you think about actors a couple years ago targeting different platforms and targeting MSSPs and all that kind of stuff: you go to the vendor directly and use their own tools to distribute their attacks, launch payloads through patches, updates, all that kind of stuff. Well, one of the thoughts we had was, hey, we're writing some cool demos. What if we upload (we didn't do this) a malicious file to n8n for somebody else to download, and then that workflow has a call out in it that takes your sensitive data, which you think it's just processing, and shifts it to an offsite location, makes copies of your data and sends it someplace else. So that's why I'm saying it's important to look at the workflows that are there, but you still need to look at what's going on underneath the hood, because you're able to put JavaScript into some of these workflow nodes and have it do all sorts of crazy stuff. So use these sites to go check out and see what other people have done. But you can actually take the JSON workflows and upload those into ChatGPT or Claude and say, "Hey, do you see anything funny going on in here?" I'm not saying just use AI to check your code. Don't use that as a takeaway from this course or believe it. But you should not just haphazardly... Back at Digital Defense when JR and I worked there, we had a whole crap ton of tools that we used, but when we had new tools that came out, they had to go through our VRT to validate that there wasn't any malicious backdoor content in the tools, and so on and so forth. So I would take the same type of approach with these workflows, because some of them are interacting with your operating system directly, some of them are reaching out using third-party APIs, and you just got to be careful with some of that stuff.

But back to the original point I was trying to make: there's a whole bunch of cool stuff to download. I was telling JR we should write a malicious one, upload it, see if you can download it, and delete it, but then I was like, that might be pushing it a little bit. I did go through their security documentation, and the published workflows go through an approval process. I was thinking about submitting one to see what happens and what they say. Like, "Nice try." I tried to put some shellcode in there, but that didn't work, or we caught it. But I would just be careful, because they say they security vet everything that they publish with their 2500 templates or 2600 templates. But we don't know if there are security monitoring folks that review this. They might review it just to make sure they work.

>> All right, so here are some stats, and again I'm going to go over a lot more of the security risks on the next page. But basically, there has to be planning for this stuff. Currently there's not a lot of integration with low code, no code in the enterprise, so we have to start thinking about that, and again bringing back the biggest thing, which is a lot more developers coming into our environments that are not exactly security focused. And again, there's very little oversight as well. So you can have an HR department create an app that creates some sort of form that has a lot of internal data. If that is not properly set up, that data could be going outside of your organization, and who's in charge of maintaining that and guarding that? Because again, a lot of the traditional solutions that we have do not account for this yet.

All right, so this is the low code, no code... OWASP is very good at making top 10 lists, so they have their own for this. I suggest you guys go look it up. I'm going to hit on some of the main things that I thought were really important here, some of the things that caught my interest. One of the use cases that we see that's very common is, let's say a developer makes a low code, no code application. They set it up and they share it with a bunch of people in the organization. What happens is that now all those people that have access to that application have essentially the permissions of the developer that created it, because he set it up with his own credentials or permissions, and he shared it with whoever; now they have developer permissions as well for that application. So it's just privilege escalation by another name, and that's just one of the risks that we're going to see more and more happen.

One of the things that I thought was really interesting was when you have a low code, no code solution that connects to a third party. There's a connection there; there are API credentials associated with that. Even if you delete the low code, no code application, that connection is still alive. People might not be around with it, but the credentials are still connecting to the third party, so all that security issue is still relevant; it's just nobody's keeping track of those applications. Again, data leakage is going to be a big issue: these applications sending data outside without being monitored or having any sort of regulation to oversee that. Another big thing that we saw is that, again, you download these workflows, and if they're not properly secured there could be a lot of security misconfigurations that you're bringing in, because nobody's vetting these things. You do also run into a lot of traditional attacks like injection attacks. You can have forms that are created, and if they're not properly sanitized, you're also having a lot of traditional developer problems as well. Just because it's a new platform doesn't mean that the risks are not there. And then again, the lack of logging and lack of traditional security measures that we have in place.

So Rob and I did a little bit of comparing the low code, no code platforms with some of the traditional OWASP Top 10. This is more related to the traditional mobile top 10, where it measures more like web application vulnerabilities, and in the last two or three years we've had a lot of vulnerabilities that are affecting these newer platforms that are tied to the traditional OWASP 10, and this kind of shows that. So we had a lot of cryptographic failures, not having proper encryption, insecure design, and server-side request forgery as well. So again, a lot of the traditional attack vectors that we had, but just being mirrored and rejuvenated in these newer platforms. And we also mapped a lot of the techniques that you could potentially use as a bad guy using these platforms, because keep in mind that APT groups are already using this, because they realize that nobody's really looking at this stuff as well as we should be. So they're using it to do ransomware attacks and a lot of traditional attacks, but they're just doing them through the low code, no code platform. And you see here that a valid account that you find on these workflows will allow you to gain access to a lot of data that you shouldn't probably have access to. You can also inject. One of the demos I'm going to be doing later is injecting code into a current existing workflow and having it do whatever you want, because it's basically just executing code on the server that's running it. And yeah. All right. Do you want to do the first one?

>> Sure.

>> All right. Cool. So thank you, JR. A couple different things just to talk about before we jump into the lab demos, just some assumptions to keep in mind. All of these demos that we're doing here are just on our controlled environment, systems we own. Nothing malicious. Again, it's anybody else, right? I'm not going to sit here for 20 minutes and tell you that this is for research and do it at your own, you know,
whatever. Or maybe I just did. But, um, so the demos, uh, there's a couple live demos. So, I ask for your forgiveness as we go through these. I do have screenshots for backups, but it might take us a minute just to bring up some of the screens and do some of the stuff. So, while I'm preparing that, I'll have JR try to, you know, field any questions as you have while we're swapping around here. So, um, so first, uh, anybody here who's, uh, how many red teamers we have here? How many blue teamers do we have? Red teamers, offensive cyber security, blue teamers. Wow. Okay. Pretty heavy blue audience here. So, nuclei. familiar with Nuclei?
Who's familiar with U Nest? >> There you go. So, Nuclei is one of the newer kings on the block. It's put out by Project Discovery. This isn't an advertisement for the tool, but it is free. It doesn't have quite the map covering that NASA does, but if you look at a vend diagram of the overlaps, it actually picks up a lot of stuff. It's very web app uh pent testing and bug bounting uh hunting uh friendly. Um so I just wanted to show here Nessus I I did a a search for it and it doesn't show up within the NAN discovery uh plugin specifically. It will find the web interface but first thing we need to do
when we're attacking N is we need to determine is there one out there that I can attack. Now, a lot of the providers, Xavier, Nate Ed, and what have you, have cloud hosted versions. They're fairly cheap. The starter models like 20 bucks a month um or I think even cheaper for some of the N8 models. So, they have cloud versions, but for the sake of presentations and demos, we're using um a Docker version and then also a natively installed Linux cattle Linux version um that we're running. But I wanted to talk about detection first, right? Because if you're pentesting or if you're searching your environment for like I just running workflow stuff um the editor actually runs in a web
application uh interface right um on a web interface which we'll show you here in a couple minutes. So Nuclei actually detects it as an N8 panel uh with a signin page. By default it runs on 45678. So, some scanners won't pick it up because it's not like in the top 100 list. You know, message usually by default will scan for top 100, top 1,000. Uh, they may or may not show up, but so here's one. Um, these are just me being cool. I wrote detection plugins and then realized it already had one, so I wasted a bunch of time. So, addition of posterity. Um, and it has some other issues to talk about here, but it's all likely because
it's locally hosted. So, so for detection nuclei theoretically you can detect it with any you you could write a net cat script do a banner grab and you know you don't have to go all crazy if you don't want to there's another cool uh feature called um N8N security audit. So one of the things I like about N8N um is they actually took the time to build in an auditing tool into their platform and they expose that via an API. They even have a node when we show you the workflows. You can stack together little nodes to build your application. They even have a node on the cloud hosted version that you can put in there.
That's an audit node. So the um N8 audit basically um just goes through a series of kind of standard security checks. Are there credentials that you have that you're using or not using? Are you using them safely? um what types of database interaction concerns do we have? What type of file system concerns do we have? Nodes like are the nodes I'm using of concern um and the overall instance is it secured properly so on so forth. So it's actually not a bad tool. I don't want to say it's overly comprehensive uh but pretty neat. So um one thing to keep in mind is it's a tool and tools change and break right? So don't just run any again
security audit and say voila I'm secure because who knows how often they update that tool right so you should still include these things in your pentest and just because you run the tool doesn't mean you should circumvent SDLC and all that kind of fun stuff right so um with that being taken with that being said I'm going to go ahead and switch over and we're going to do the demo I'm going to do another demo and then we're going to switch over to JR so JR or you want to see if they have questions or >> before I answer any questions, one of the things that when we're doing this stuff, right? And again, um, one of the
reasons I do presentations is to kind of learn; you know, the best way to learn something is to teach it. And one of the things that I saw that was very common is that when you create webhooks, which is something that you kind of expose your server to, there's a function there to, like, curl the command from your third party and just put that in there. And it makes things a lot easier. However, there's a more secure way of doing that with platforms like n8n, which is basically encrypting your credentials or your API keys through the platform and then using that to make these webhook
calls, right? Instead of just doing a curl command that will allow the API key to be sent in clear text or not be stored securely. So keep that in mind, because even when I was doing the demos and stuff, I was like, this is so much easier to just import the curl command and everything's then there. But that's one of the big ones. We saw a guy that did a report on a bunch of workflows and he saw that the webhook security was one of the biggest issues when setting up these workflows for platforms like n8n. Okay. Sorry about that. That was just a side tangent.
>> Yeah, you're going to see a lot
of stuff when it comes to security about webhook security, API credentialing, how you're accessing data going in and out when it comes to data. And so you've got to think about it. JR pointed this out earlier with the SDLC. You have all these steps where you have the project manager getting your requirements. You're going to talk about where the data is going to live. You're going to talk about where it's going to be secured. The challenge with these is when you click Active, it's published, like you just bypassed anything SDLC, unless your organization has some sort of process to go through that. So the first thing I want to show you is just a
simple tool called n8n security audit. So basically all I did is, because they don't expose the API for this version that I'm using and they don't allow me to access the node, I just hacked around the system and basically said, "Well, screw it. I'm going to break one of its own security rules that it has about running code locally, for the sake of just doing a quick security audit, because it's not a constantly running process." But there's a manual trigger set up here. It's going to run. It's going to call n8n audit, which outputs a JSON file. And then we have a little bit of magic, which I'll show you
on a screenshot because I made some updates. But we also map that to the OWASP LCNC categories to show categories. That's just an enrichment step, and then generate the HTML report and output the report to a file. So to execute this workflow, just click Execute Workflow. Hopefully we get all green boxes. There we go. Okay. So basically what happens here, for those that haven't really had a lot of experience with n8n or what have you, is you have a trigger node which is based off an event that basically says you can click it. There's a webhook that gets triggered. Somebody submits a form, a new user is added to an Excel spreadsheet. And then
that's the trigger. So then it collects data. All I said here was an audit. Literally, that's the command. So you could replace this with netcat or whatever the hell you want to, right? It's an interactive command line shell. It does what we tell it to do, and it comes back with mappings, and then it comes out to a report. It does some enrichment, cool stuff. We click on Download Report and click up here, Open File. Voila. There you go. Of
course, it's not full here. All right. Anyway, you guys can see that, right? For the most part. So basically we're extending the audit report into finding summaries by different categories, a credential risk report, and I actually have a screenshot of this, it'll show up a lot better, but credentials that you have configured that aren't used in any workflow or active workflows. I set up some dummy FTP credentials just to have some in there. And then it's going to show you things like risky nodes. Yep. Okay. All right. So risky nodes. Here's something quick I want to talk about. So risky nodes, basically the cool thing I like about this is that I've
downloaded some other workflows, and basically in the workflows some of the other guys have used risky nodes. So these are nodes that even n8n is saying you might want to think twice about using, right? So it's just a cool way for you to go in and inventory kind of what's in the back end. So, with that being said, I'm going to run into my second demo real quick, because we got the 10-minute warning, and we're going to go back to Canvas. We're going to go to Personal here. JR's going to do some tap dancing. So here's the simplest workflow I can show, to show maybe how
a simple data exfil might look with a bad guy living off the land inside your environment, or somebody messing with one of your webhooks, like JR's going to show you a little bit here with the injection. But: contact webhook, sanitize contact, simulate save to file. So this is just us saying, "Hey, a user submitted something via a form." The marketing department is like, "Cool, we got a new person who wants to buy our product." It saves it to a file or saves it to a CRM, what have you. Right? So if we execute the workflow, it's going to wait for me to do the actual call. And I'm going to just submit via curl
some fake data.
And then when you look at the file, it processed the file, and basically here's the output, saving it to a fake file. Right? So it just went through the steps. I'm not going to walk through it, just because we have a couple minutes left. So here's the malicious version, right? So, same exact flow, except we forked off a separate adapter and we called it CRM adapter, right? Hey, that sounds legit, right? We're just going to attach that to where the CRM is. We're going to execute our workflow. We're going to make another call. Workflow started. We go back to the workflow. Everything executed. Basically, what I configured this one to do was to reach out to a webhook
externally, just to prove that it's actually working, and it's now exfiltrated data offsite instead of putting it into your CRM. Right? So here you go. And this is just a website, a webhook test site where you can test API calls and all that kind of stuff. So, pretty simple. There's an exfil demo for you there. Any questions on that? What I'm going to do is I'm going to give JR a minute to set this up and see if I can answer any questions.
>> Okay. So one of the things that Rob showed is that he added a malicious node to his workflow, right? One of the things that I wanted to
see, this is kind of like a node that you would download from online. It has like notes and it has a lot of stuff. It's kind of hard to audit this stuff. So what I wanted to do was to kind of show how an attacker can actually inject stuff into a workflow without actually adding a whole new node. Right? So I created a tool that does that, and so these are all the nodes that are in there, and it kind of gives me the nodes that I can kind of tamper with, the injectable ones, and the little alarm I requested, because he said that'd be easier for me to show
you guys. But now what this tool does also is it can modify individual nodes that you want. It can also hide your code in any of them, or in all of them, or randomly as well. So basically, yeah, it's a cool way to hide yourself within a workflow without having to add an additional node. And I'm going to do it in a more simplified version so you guys can kind of see the difference. So this is a smaller one. I'm going to inject myself into Execute Command. It's just the typical command that you see there, right? And I already did this kind of work a real long
time ago. So I'm just going to show you guys how it works. But that script that I wrote, basically you pick the name of that node, you run it again, and you can see, and you can obfuscate this a lot more, but it basically gives you a reverse shell back into whatever thing you want. And again, that's going to be really hard for whoever is running these things to audit, right? Because it's just... and you can obfuscate it even more. I just kind of made it easy for you guys to read. Okay, so that's kind of like my first demo. I actually have it written out, but I think this is much more
interesting. I'll just do the second one, because we're running around all the time. So one of the things that I thought about with this, one of my old co-workers kind of brought this idea and I decided to do it just for this presentation, is basically one of the things that you deal with in efficient campaigns when you're targeting an individual is the amount of time that you take when you're researching, when you're trying to target an executive, for example, right? With these no code, low code solutions, I was able to basically... I'll just run it for you guys. You basically are able to do mass research on people and then carry custom pretext based on just running this very
simple workflow, and using, like, I mean, I don't know, who do you guys want to research? We'll target Elon Musk, I guess, CEO of, what did he do, I'm going to do SpaceX anyway. So I'm going to submit that. All right. So what this is going to do is, with the newer models from Google, right, you can actually have it do deep research. So it's going to go online and... wait, actually, I don't know why I have this connected to the internet. Sorry. So what these larger models do is they go out and do research for you and identify the
interests, the activities, the groups that this person is involved in. And we're using that data and then asking the same LLM to be like, hey, with all this new information about this person, create customized pretext for this phishing campaign, right? So theoretically you could target a whole company of users with their own individualized phishing email for them, right, based on their interests. So let's see, it worked. Download it. All right, so now we have social engineering option one. So this is, let's see what it came up with. And this is not even using the higher-end models, because they're expensive, but it does a pretty good job, I guess. So let's
see what it came up with. "Immediate action required: security protocol update." And then it has one for him right there. That's pretty good. And then you have three options to choose from. "Confidential follow-up on AI collaboration opportunity." All right, that might pique his interest. And then another option would be, you know, "Automation tools improving efficiency and time management." Right? So I don't know if these would be good for him. I did a bunch of other ones. So for example I did one for Gina Ortiz, the mayor, the new mayor, right, and it has subject lines like "Infrastructure project submissions," "Security awareness training," which is a very common one, and "An invitation to a
leadership forum." Right? So again, these are all pretexts that were custom for the individual, and you guys saw it took a couple seconds to generate, even with no internet for a little bit. So yeah, so now these tools allow us to do a lot more custom attacks. It's like homing-missile spear phishing, right? So I don't know, that was when my demo started.
>> Cool.
>> Yep.
>> All right. So unfortunately I had the gift of gab this morning and I apologize for that. So we're going to rush the last two or three minutes, but I just want to show you some of the defensive considerations and we'll wrap up. And
then if you have questions after, I hate shortcutting people's time to ask questions. So if you see me and JR walking around today, or we can wait outside this forum for a little bit and chat with you as well. So,
and so real quick, there is the output of the OWASP LCNC mapping that I talked about with the security audit report, and then another copy of that report. Here's the data exfil that I did. So all these slides should be available after the presentation. So this is just all the stuff it already did. Zap creds is another cool tool. I don't have a lot of time to go into it, but a really good researcher wrote a tool that reaches out to Zapier. If you have an API account with Zapier and have a Zapier account, he wrote a tool where you could query other Zapier users and it'll show
all the connections they have with their workflows to outside services, which is really cool if you find out your target for a social engineering attack is somebody who's using Zapier or one of these platforms, because you're like, oh, this guy has a connection to this and that and this and that. So pretty cool stuff. So Zap creds, I'd definitely check that out. So, securing the no code future: practical application to security. Listen, there's a lot of obligatory stuff that's on here, like ensure you use proper practices, but some of the things more specific to n8n are really, you know, use the audit report, make sure you're not using any dangerous
node types. Like I said, there's also workflows available on the internet to download, and people can also write individual nodes. So those nodes that have these different connectors to, like, HubSpot and ServiceNow and all that stuff, make sure that when you're downloading or using some nodes that are not the official nodes that you do some good security review there. And then on the slide, everything we talked about today will be on the resources slide as well, with a lot of the videos. There's some really good videos by Michael Bargury, a DEF CON 30 talk where he talks about no code low code as well. That's some really cool
stuff. So anyway, that's it. Sorry, we're right on time, but we didn't leave the five minutes for Q&A. So we'll take some Q&A outside.
>> Any quick questions we can answer while we're in here?
>> No. Okay. All right. Thanks, everybody.