Article Image

Chatbots Are Here To Stay

Chatbots have been around for a long time and based on the global chatbot market size (and the expected growth), they will stick around for a long time and gain importance. In the past, they’ve rarely met customer expectations or provided much positive experience. However, over the last few years, advances in conversational AI have transformed how they can be used. Since chatbots offer a wide range of applications, in certain cases, they become responsible for collecting and protecting personal information as well. 
Consequently, they are a great attraction for hackers and malicious attacks too. The responsibility of ensuring chatbot security has become more evident after the introduction of GDPR in Europe. As statistics show that this technology will be a determining factor in our lives, security testing must also become part of our daily tasks, so that these chatbots can be used with confidence.

Security Risks, Threats, and Vulnerabilities                 

The words risk, threat, and vulnerability are often confused or used interchangeably when reading about computer security, so let’s first clarify the terminology:

  • Vulnerability refers to a weakness in your software (or hardware, or in your processes, or anything related). In other words, it’s a way hackers could find their way into and exploit your systems.
  • A threat exploits a vulnerability and can cause loss, damage, or destruction of an asset – threats exploit vulnerabilities.                
  • Risk refers to the potential for lost, damaged, or destroyed assets – threats + vulnerability = risk! 
The well-known OWASP Top 10 is a list of top security risks for a web application. Most chatbots out there are available over a public web frontend, and as such, all the OWASP security risks apply to those chatbots as well. Out of these risks, there are two especially important to defend against, as in contrast to the other risks, those two are nearly always a serious threat — XSS (Cross-Site Scripting) and SQL Injection.
In addition, for artificial intelligence-enabled chatbots, there is an increased risk for Denial of Service attacks, due to the higher amount of computing resources involved.

Vulnerability 1: XSS – Cross-Site Scripting

A typical implementation of a chatbot user interface:           


  • There is a chat window with an input box.
  • Everything the user enters in the input box is mirrored in the chat window.
  • Chatbot response is shown in the chat window.

The XSS vulnerability is in the second step — when entering text including malicious Javascript code, the XSS attack is fulfilled when the web browser is running the injected code:


Possible Attack Vector

For exploiting an XSS vulnerability the attacker has to trick the victim to send malicious input text. It can be done through one of the following ways:

L’assistance proposée par ANKAA PMO

ANKAA PMO présent depuis plus de 20 ans sur le marché des services IT, accompagne les DSI dans leur recherche de compétences pour des besoins de renforts en mode régie ou l’externalisation de projets.
Vous souhaitez plus d’information ? Cliquez ici