DEV Community

vkili
vkili

Posted on

Bug bounty hunting with LLMs

I haven't been bug bounty hunting for a while now, but recently, I've been trying to get back into the game. I thought it'll be easy to dive right back in --- but bug bounty hunting is definitely getting harder. Compared to a few years ago, secure development practices have become more common, and WAFs are now ubiquitous. These are really exciting wins for security professionals, but they’ve definitely made life harder as a bug bounty hunter! Looking for bugs was never straightforward, but this time around, I really feel the need to up-skill.

To keep things fun (and to compensate for my rusty web hacking skills), I’ve decided to implement new workflows and hopefully learn some new things in the process. One of the approaches I’ve started using is integrating LLMs to help investigate potential security issues in web apps.

LLM-based applications have already become an integral part of my software development workflow. I use ChatGPT to write scripts, understand other people's code, and leverage Copilot for more complex development tasks.

But similar processes can also be applied to security research. For open-source bug bounty programs, LLMs make it really easy to understand large codebases. For example, you can ask: Which components process user input? Where does user input enter this application? And so on.

If the source code isn’t available for an application, you can ask questions like: How is this functionality usually implemented? How does this usually work in this framework? As more organizations use AI tools like Copilot in their development processes, you can even ask Copilot to recreate an application’s functionality and go from there. Then, you can ask GPT for investigation ideas and write scripts to automate parts of your recon.

I don’t think LLMs can help automate too much of bug bounty hunting yet. Many bugs will still need to be found and confirmed manually —--logic issues, information leaks, privacy concerns. But they are pretty useful for learning and researching new areas of security.

Helpful prompts

Learning

What are some common security issues that affect applications of this type?
How is this functionality usually implemented?
What are the consequences of X bug?
Are there any privacy or info leak concerns for an application that does this?
What are some other security issues that tend to affect this functionality?

Hunting

How does X usually work in this framework?
How does this framework process user input?
What are indicators that an app is affected by X bug?
What is the impact of X bug? How does an attacker exploit this bug?
How does X bug cause info leak / session hijacking / other unintended consequences?
Write me a script to do X.
What are some common defenses against X? What are indicators that they are in place?


Thanks for reading! Want to connect? Feel free to reach out on https://x.com/vickieli7.

Top comments (1)

Collapse
 
sawyerwolfe profile image
Sawyer Wolfe

What a unique approach! Have you found that LLMs consistently provide accurate insights when analyzing security-focused code, or are there certain areas where they still fall short?