Codelivly  

Home » Ethical hacking » ChatGPT Python Script to Automate Multiple Reports for Every Program Using a Critical Open Sour…

ETHICAL HACKING

ChatGPT Python Script to Automate

Multiple Reports for Every Program Using
a Critical Open Source Component
By Rocky ◆ March 5, 2023  No Comments  9 Mins Read

 Share     

I can’t even fit this into one title. It’s that complex. In sum, I used ChatGPT to automate finding
companies with bug bounty programs on HackerOne that have an account on GitHub and
that use one of those critical open source projects, which then automates the setup of a fuzz
test of that project and generates a vulnerability report for GitHub and HackerOne.
Once you see this, you will be modifying the script from ChatGPT, so you can complete this
task. The added bonus is, if you setup the open source project in OSS-Fuzz, you are eligible
for a reward from Google, as well as from the program at HackerOne.
I haven’t tested these scripts, but I am sure if a security engineer builds this out properly, they
will have a nearly automated full time income for themselves.
Let me explain.
There are numerous open source projects, many of which are in use by companies of all sizes.
With funding from Google, the Open Source Security Foundation wants to secure these
projects. Those projects are scored for criticality in a systematic way. You can download that
list as a CSV.
Furthermore, many companies rely on those critical open source projects (linux, php, node,
they’re all critical projects, they’re all open source!). Many companies have bug bounty
programs on HackerOne. You can access those programs as a list with H1’s API.

You’ve all seen this before, I’m sure. I

used ChatGPT to automate finding
companies with bug bounty programs on
HackerOne that have an account on
GitHub and that use one of those critical
open source projects, which then
 automates the setup of a fuzz test of
that project and generates a
vulnerability report for GitHub and
HackerOne.
Now you can cross check the list of programs by automating the check on GitHub, if that
company with a program has a public GitHub repo. If they have a public GitHub repo, you can
check if they are using any projects from the list of critical open source projects.
Now, if you fuzz those projects, you will likely find a vulnerability. I used ChatGPT to try to
automate the setup of the fuzzer, as well to write a GitHub issue ticket and a vulnerability
report for each program using that component.
The added bonus is, if are the first to setup the open source project in OSS-Fuzz, and it
works and finds valid security vulnerabilities, you are eligible for a reward from Google, up to
$30,000.
So, here’s the output from ChatGPT and my prompt. Good luck!

ChatGPT prompt in one piece.

You will need to feed the prompt to ChatGPT in pieces:

Hi! I have a task for you. This task is very important for open source securit
y. First, the background:
1. There is a list of the top most critical open source projects. The list is
here: https://commondatastorage.googleapis.com/ossf-criticality-score/index.ht
ml
In that list there is a CSV with all the open source projects rated in terms o
f their criticality. So you understand how the criticality score was derived,
I am linking it here for you: https://github.com/ossf/criticality_score#critic
ality-score

2. Concurrently, I want you to use the GitHub API to find companies from the R
ussell 3000 index that are using a critical open source project, as listed abo
ve.
2A. Do not worry that your training data ended at a certain point in time. Wha
tever you have for the Russell 3000 index will be acceptable for this exercis
e.
3. I want you to write a script in python that pulls every company from the Ru
ssell 3000 list, determines if each company has a GitHub account, and then lis
ts which critical open source projects the company is using.

4. The output of this python script should be a CSV with the following column
headers:

Russell 3000 Index rank (number on list)

Company name
GitHub page link
Total number of critical open source projects in use
Critical open source project 1
Critical open source project 2
Critical open source project 3
Critical open source project <N>

(Continue creating new columns for every critical open source project in use,
where <N> is the number growing in sequence. The projects should be listed in
order of most critical first. Remember that according to algorithm, the critic
ality score is 0 to 1, with 0 being least critical, and 1 being most critica
l.)

# # # 2nd prompt # # #

OK. This is great. Please modify your output in the following way. Instead of
the Russell 3000 index, get the S&P 500 list from here: https://www.slickchart
s.com/sp500
Your script will have to scrape the names and details of the companies from th
e link. Feel free to create another way to validate that you have the correct
company name, so that you find that company in GitHub.

Additionally, I want you modify your output, so that I can read the output in
my browser (locally). Use whatever language or output is easiest to use (imagi
ne that I am an 8 year old).

# # # 3rd prompt for bug bounty # # #

OK. I am very pleased. Here is how I want you to modify this script. You may n
eed to re-write the entire script, because the prompt is different. Now I am a
bug bounty researcher, and I want to help other bug bounty researchers with th
eir work, which inevitably helps the security community, because they can be m
ore efficient. So here are the instructions:

1. Modify your python script in following ways:

A1. Instead of finding companies in the Russell 3000 index or S&P 500, incorpo
rate the public API from HackerOne, their API for hackers. (If you don't have
it in your training data, that is fine. The link to the API is here: https://a
pi.hackerone.com/hacker-resources/#programs-get-programs
A2. Use the output of programs from the HackerOne API to search for those comp
anies on GitHub. Use the GitHub API.
A3. Then the script should determine which critical open source projects are i
n use by the company which has a program on HackerOne and that you could find
an account for on GitHub.
A4. If necessary, add instructions for the security researcher on how to set u
p a place for the script to access the list of critical open source projects f
ound in "all.csv" at this link: https://commondatastorage.googleapis.com/ossf
-criticality-score/index.html
A5. Include instructions in the python script that automates the setup of the
hackerOne API for the security researcher as much as possible.

B. Excellent Can you include in this script or a bit of script to add, that li
sts open source fuzzers which the researcher could use to automate finding vul
nerabilities on that critical open source project? Examples of fuzzers are
B1. cifuzz (located here: https://github.com/CodeIntelligenceTesting/cifuzz )
B2. Jazzer (located here: https://github.com/CodeIntelligenceTesting/jazzer )
B3. OSS-Fuzz (located here: https://github.com/google/oss-fuzz)
B4. AFL++ (located here: https://github.com/AFLplusplus/AFLplusplus )
B4. (Any other fuzzers that you think would be relevant for popular languages)

C. Please modify your script above. It should automate the setup of fuzzing fo
r that critical open source project on GitHub.
C1. The output should then go to a script that generates a vulnerability repor
t for

C1a. For all programs listed in the HackerOne API using that critical open sou
rce project
C1b. For the open source project on GitHub, so other maintainers of that proje
ct can fix it.
 D. Extra bonus points for you, if your script can do this for B3. OSS-Fuzz and
meet their reward criteria.

Output 2
(We’ll start here because it’s where it becomes relevant for everyone)
ChatGPT: “Here’s an updated Python script that incorporates the HackerOne API and GitHub
API to search for companies and critical open source projects:”
(go here to get the script. Unfortunately putting the script into medium seems to have some
kind of block in it. I apologize for this).
 Sorry, but only part of the script. Copying and pasting all this code wasn’t working.

Here’s how to use this script:

Replace <API Key> with your actual HackerOne API key.
 Run the script.
The script will output the list of companies found on GitHub and the critical
open source projects in use by those companies. If the critical projects list is
not available locally, the script will print a reminder to download it.
Note that this script is just a starting point and you may need to modify it to
suit your specific use case. For example, you may want to add error handling
or modify the search parameters for the GitHub API.

Output 3: Add Fuzzing

In part “B” of the prompt above, I get ChatGPT to add fuzzing setup, because it’s the best
way to find vulnerabilities at scale. And it’s how you can make OSS-Fuzz reward monies.
ChatGPT adds:

You can modify the fuzzer_repos dictionary to add or remove fuzzer

repositories as needed. The get_repos() function uses the GitHub API to
search for repositories by language and topic, and returns a list of
 repositories sorted by the number of stars they have. The example usage
shows how to get a list of repositories using the topic “fuzzer” and the
language “C”, but you can modify these values to search for repositories in
other languages and topics.

Output 4: Automate Fuzzing

This is part “C” of the prompt above. I want to automate fuzzing setup, reporting for H1 and
GitHub. ChatGPT gave results for OSS-Fuzz.
ChatGPT concludes:

After running this script, the OSS-Fuzz tool will automatically start fuzzing
your GitHub repository and generate a report on any vulnerabilities it finds.
You can also check the OSS-Fuzz dashboard to get more information
about the fuzzing process.
 For C1a and C1b, you can use the HackerOne API to generate a
vulnerability report for all programs listed that use the critical open source
project, and for the open source project on GitHub, respectively. You can
use a combination of API calls and data processing to generate this report.

If you are successful with the last part, find vulns, you could be eligible for up to $30K from
Google OSS-Fuzz. I sincerely hope someone tries this and succeeds!

chatgpt

     

 PREVIOUS ARTICLE NEXT ARTICLE 

The Ultimate Guide to Detecting Brute Powershell-Backdoor-Generator : To

Force Attacks: Blue Team Bootcamp Create A Flipper Zero/ Hak5 USB Rubber
Series (Part 1) Ducky Payload

Rocky     

Rocky is a versatile author sharing in-depth tutorials on web development, AI, and ethical
hacking. Unlock new possibilities and expand your knowledge with Rocky's empowering
content.

Related Posts
CYBER SECURITY ETHICAL HACKING

So You Want to Be a Hacker: 2024 Edition Multiple Ways To Exploiting HTTP

May 8, 2024 Authentication
March 30, 2024

ETHICAL HACKING

Bypassing Two-Factor Authentication

March 30, 2024

ADD A COMMENT

Search … SEARCH

Support Us
ABOUT US

This is the Codelivly blog. Here, you will find articles discussing various topics related to coding
and programming. Our goal is to provide helpful resources and advice for beginners and
experienced coders alike.

RECENT POSTS

So You Want to Be a Hacker: 2024 Edition

What is Active Directory? A Beginner’s Guide
Mastering Networking Fundamentals: A Comprehensive Guide for Hackers
Multiple Ways To Exploiting HTTP Authentication
Bypassing Two-Factor Authentication

IMPORTANT PAGE

About Us
Advertise With Us
Contact US
Privacy Policy
Refund Policy
Write For Us

     

© 2024 Codelivly. All Right Reserved