Preface
With the continuous development of AI and natural language processing technologies, AI & GPT (generative pre-trained models) are gaining attention in the field of security testing. These tools use AI to automatically generate test cases, identify security vulnerabilities and evaluate the security of a system. In this paper, we will introduce the concepts and applications of AI & GPT based security testing tools and their importance in software development and cyber security.
AI & GPT based security testing tools have a wide range of applications in software development and cyber security. They can help development teams identify potential security vulnerabilities, assess the security of the system, and provide suggestions for improvement. Here are some common application scenarios: automated testing, security vulnerability identification, security patch automation, anomaly detection, and AI model deployment security.
BurpGPT
The Burp Suite extension integrates OpenAI's GPT to perform additional passive scans to discover highly customized vulnerabilities and supports running any type of traffic-based analysis.
Project address: https://github.com/aress31/burpgpt
burpgpt utilizes the power of AI to detect security vulnerabilities that traditional scanners may miss. It sends network traffic to a user-specified OpenAI model, enabling sophisticated analysis in a passive scanner. The extension provides customizable prompts that allow for tailored network traffic analysis to meet the specific needs of each user. Check out the sample use cases section for inspiration.
The extension generates an automated security report that summarizes potential security issues based on user prompts and real-time data from requests made by Burp. By leveraging AI and natural language processing, the extension streamlines the security assessment process and provides security professionals with a higher-level overview of the applications or endpoints being scanned. This enables them to more easily identify and prioritize potential security issues for analysis while covering a larger potential attack surface.
Installation
Clone the project locally:
git clone https://github.com/aress31/burpgpt
Compile the jar files, which are written to the directory lib/build/libs/:
gradle shadowJar
Then open Burp Suite and use Extensions > Add to add the plugin by selecting that directory path.
Use
A new BurpGPT entry appears in the Burp Suite toolbar. Click it to set the API, the model, the field length and the custom prompts.
Right-click inside the proxy history, or select a request, and click Do passive scan. BurpGPT is then used automatically to detect security vulnerabilities in the scanned request and to generate a report.
The GPT analysis model is invoked automatically to analyze the requests and responses for vulnerabilities.
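An added example, not BurpGPT's own code: because the extension sends captured traffic to an external OpenAI model, this Python example shows one way to strip credentials from a request/response pair and cap the prompt length before anything leaves the tester's machine. The template placeholders, the header and parameter lists, and the DVWA-style sample traffic are constructed assumptions.

```python
import re

# Header names whose values are credentials (assumed list; extend per application).
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key")
# Substrings that mark a parameter name as secret-bearing (assumed list).
SENSITIVE_PARAM_HINTS = ("password", "passwd", "token", "secret", "api_key")

_HEADER_RE = re.compile(
    r"^(%s):[^\r\n]*" % "|".join(map(re.escape, SENSITIVE_HEADERS)),
    re.IGNORECASE | re.MULTILINE)
_PARAM_RE = re.compile(
    r"([\w-]*(?:%s)[\w-]*)=[^&\s;]*" % "|".join(map(re.escape, SENSITIVE_PARAM_HINTS)),
    re.IGNORECASE)

def redact(message: str) -> str:
    """Blank credential headers and secret-looking parameters, keeping the names."""
    message = _HEADER_RE.sub(lambda m: m.group(1) + ": [REDACTED]", message)
    return _PARAM_RE.sub(lambda m: m.group(1) + "=[REDACTED]", message)

def build_prompt(template: str, request: str, response: str, max_len: int) -> str:
    """Fill the template with redacted traffic, then cap the total length.
    Redaction runs before truncation so a cut can never expose part of a secret."""
    prompt = template.format(request=redact(request), response=redact(response))
    return prompt[:max_len]

# Constructed DVWA-style login exchange (not captured from a real session).
SAMPLE_REQUEST = (
    "POST /dvwa/login.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Cookie: PHPSESSID=k3q9constructed; security=low\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=admin&password=constructed-pw&Login=Login&user_token=abc123")
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=newconstructed; path=/\r\n"
    "Location: index.php\r\n\r\n")
# Hypothetical prompt template; {request} and {response} are this example's placeholders.
TEMPLATE = ("Review this HTTP exchange for security issues.\n"
            "Request:\n{request}\nResponse:\n{response}\n")

if __name__ == "__main__":
    print(build_prompt(TEMPLATE, SAMPLE_REQUEST, SAMPLE_RESPONSE, max_len=2000))
```

The model still sees the parameter and header names, so it can reason about the login flow without receiving the session ID, password or CSRF token.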
Testing
A local DVWA range was set up for testing.
BurpGPT was used to call GPT for automated passive scanning and vulnerability analysis of individual requests in the range. The report is generated automatically.
Summary
There is a community version of the program and a professional version. As with Burp Suite, the professional version requires a fee, so you can test it and discuss it on your own.
References
https://github.com/aress31/burpgpt
https://burpgpt.app/
Original article by batsom, if reproduced, please credit: https://cncso.com/en/brupsute-linked-chatgpt-automated-vulnerability-analysis.html