This Cheat Sheet focuses on the UiPath provider and the Windows Server OS.
Robotic Process Automation, or Robot Process Automation (RPA), is a type of technology that aims to replace human operators. It uses multiple programming languages and frameworks, RPA resources defined by each provider (Orchestrator, etc.), and interactions or integrations with other technologies.
RPA Bots are usually complex development products, so you need knowledge and experience of:
- API Interfaces
- Web Apps
- Debugging or inspection of binary files
- Different system OS
- Cloud Platforms
- Manual Source Code Review (XML, Go, SQL, Python, Java and many other languages)
- Please take the UiPath security course: https://academy.uipath.com/learningpath/uipath-security
- I recommend experience in security research... Pay attention to 0-day bugs and registered CVEs!
- Experience in other pentesting categories; an RPA Bot can replace a lot of human activities.
- Experience developing and deploying RPA Bots is, of course, a plus!
Nowadays there are no public references on RPA pentesting in general. This Cheat Sheet is based on my professional experience as a pentester.
However, you can read more about some specific attacks involving UiPath:
- Research process: https://www.youtube.com/watch?v=OiryDE4aH9A
- Package modification: https://www.youtube.com/watch?v=US93fOciNDA
Some tools to capture the traffic and interactions of a basic RPA Bot:
- Burp Suite proxy: https://portswigger.net/burp
- Fiddler proxy: https://www.telerik.com/fiddler
- ProcMon: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
- Wireshark: https://www.wireshark.org/ and TShark: https://www.wireshark.org/docs/man-pages/tshark.html
- Other tools, depending on your experience and the type of the target RPA Bot
Vulnerability categories to look for in an RPA Bot:
- 0-day vulnerabilities
- Identification of registered CVEs
- API security issues
- Web based bugs
- DLL Injection attacks
- Tampering or package modification
- Critical security misconfigurations
- Of course, all categories of the OWASP Top 10
The context of your pentesting is very important; please don't test resources outside your technical and authorized scope!
Only if you have a pre-defined wide scope or a white-box engagement should you test:
- UiPath Orchestrator and its configuration
- The databases of the RPA Bot architecture and flowchart
- The .nupkg file corresponding to the latest version of the RPA Bot under development
- I recommend access to the RPA Bot development repository
- I recommend user or admin access to the Windows Server based architecture
- All integrations and interactions of the RPA Bot with other technologies (API interfaces, web apps, binary files, etc.)
Please be patient and read all these steps before starting an RPA Bot pentesting process:
- Take a general review of the RPA Bot architecture and its deployment, using the guidelines of the UiPath security course
- If you want a more visual security review, build an assessment or some type of threat model
- Pentest UiPath Orchestrator independently, using Burp Suite and saving a project file
- For tampering or package modification testing, consider the following UiPath deployment flow: UiPath Studio => UiPath Orchestrator, and UiPath Orchestrator => triggering the RPA Bot
- Record the integrity hash of your .nupkg file, then unzip it and perform a deep manual source code review
- Configure and set up all the basic tools to capture the traffic and interactions of your RPA Bot on the Windows Server based OS
- Trigger the RPA Bot from UiPath Orchestrator or UiPath Studio and let it run its pre-defined flow to the end; capture all traffic and interactions, and save a backup or project file from each tool
- Inspect all your backups or project files; identify and exploit all possible vulnerabilities independently
- Trigger your RPA Bot again and now, dynamically, try to exploit all the bugs you registered (UiPath Orchestrator, package attacks, manual source code review findings, etc.)
- Test all components of the RPA Bot architecture in the same way
- Repeat and try to pwn your RPA Bot!
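The hash-integrity and manual-review steps above, as an added example that is not part of this Cheat Sheet or of UiPath's tooling: a Python script (runs on Windows Server or anywhere else) that records a SHA-256 baseline of a .nupkg, unzips it in memory, inventories its files, flags review candidates in the workflows, and re-checks a package against the baseline so that a later tampered copy is detected. The package contents, file names and review patterns are constructed assumptions for the demo.

```python
import hashlib
import hmac
import io
import json
import re
import zipfile

# Review heuristics for extracted workflows (.xaml) and project metadata;
# these patterns are assumptions for the demo, not UiPath-defined rules.
REVIEW_PATTERNS = {
    "hardcoded-secret": re.compile(r'(?i)(?:password|apikey|secret|token)="[^"]+"'),
    "plaintext-http": re.compile(r'\bhttp://[^\s"<>]+'),
    "code-execution-activity": re.compile(r'<(?:\w+:)?Invoke(?:Code|PowerShell)\b'),
}

def sha256_hex(data: bytes) -> str:
    """Integrity baseline of the package bytes, recorded before unzipping."""
    return hashlib.sha256(data).hexdigest()

def verify_integrity(data: bytes, expected_sha256: str) -> bool:
    """Re-check a package pulled later (e.g. from Orchestrator) against the baseline."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())

def inventory_package(data: bytes) -> dict:
    """Unzip a .nupkg (a zip archive) in memory and collect review findings."""
    report = {"sha256": sha256_hex(data), "files": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            report["files"].append(name)
            if not name.endswith((".xaml", ".json", ".config")):
                continue  # DLLs and other assets get a separate binary review
            text = pkg.read(name).decode("utf-8", errors="replace")
            for category, pattern in REVIEW_PATTERNS.items():
                for match in pattern.finditer(text):
                    report["findings"].append((name, category, match.group(0)))
    return report

def build_sample_nupkg() -> bytes:
    """Constructed stand-in for a real UiPath package, used only for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("project.json", json.dumps({"name": "DemoBot", "main": "Main.xaml"}))
        pkg.writestr("Main.xaml", '<Activity>\n  <ui:InvokePowerShell CommandText="..." />\n'
                     '  <Assign Password="Plain-Text-Pass" />\n'
                     '  <ui:HttpClient EndPoint="http://intranet.example/api" />\n</Activity>')
        pkg.writestr("lib/Helper.dll", b"MZ\x90\x00")  # placeholder binary
    return buf.getvalue()

if __name__ == "__main__":  # demo run: baseline hash, file list and findings
    print(json.dumps(inventory_package(build_sample_nupkg()), indent=2))
```

Keep the baseline hash with your engagement notes; hashing the package again after it has passed through Orchestrator is the quickest way to confirm whether the tampering step in the flow above changed what the robot actually executes.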