On 14th March 2023, Open AI – the company behind the popular ChatGPT released GPT-4 for public use. GPT-4 is now accessible through ChatGPT Plus and will be available via API for developers. It’s also been integrated into products by Duolingo, Stripe, Khan Academy, and Microsoft’s Bing.
The revolution of AI has already begun, as evidenced by companies like Adobe and Microsoft who are integrating AI technology into their upcoming products – Firefly and Copilot respectively.
What is GPT-4?
GPT-4, the latest and most advanced version of OpenAI’s large language model, is the power behind AI chatbot ChatGPT and other applications. Unlike its predecessor GPT-3.5, GPT-4 is a multimodal system that can process different types of input, including video, audio, images, and text, potentially generating video and audio content.
It has been trained using human feedback, making it more advanced and capable of processing multiple tasks simultaneously. This feature makes it useful for applications like search engines that rely on factual information, as it is 40% more likely to provide accurate responses.
GPT-4’s ability to process multimodal input and output is a significant improvement from its predecessors, potentially enabling AI chatbots to respond with videos or images, enhancing the user experience. Moreover, GPT-4’s increased capacity for multiple tasks can streamline and speed up processes for businesses and organizations.
GPT-4 and Cybersecurity
Soon after the release of GPT-4, Security experts warned that GPT-4 is as useful for malware as its predecessor. GPT-4’s better reasoning and language comprehension abilities, as well as its longform text generation capability, can lead to an increase in sophisticated security threats. Cybercriminals can use the generative AI chatbot, ChatGPT, to generate malicious code, such as data-stealing malware.
Although OpenAI has improved safety metrics, there is still a risk that GPT-4 could be manipulated by cybercriminals to generate harmful code. An Israel-based cybersecurity firm warned that GPT-4’s capabilities, such as writing code for malware that can collect confidential PDFs and transfer them to remote servers, using the programming language C++, can pose a significant risk.
Also, is GPT-4 able to replace security professionals? It’s difficult to answer the question without diving into the details. Here in this article, we discuss how GPT-4 can be used for offensive security and how it facilitates the work of security professionals.
Before learning about how ChatGPT can be used for offensive security one must understand what a prompt is and its importance.
What is a Prompt?
In ChatGPT, a prompt is the text or question that a user inputs into the chatbox to initiate a conversation or request a specific response from the AI language model. The prompt serves as the starting point for the AI to generate a response based on the context and information provided in the input. The prompt can be a simple question or a more complex statement, and the quality and specificity of the prompt can influence the relevance and accuracy of the AI’s generated response.
‘Prompt engineering‘ is one of the hottest jobs in generative AI right now. Prompt engineers specialize in creating prompts that can elicit desired responses from AI chatbots, which operate using large language models.
Unlike traditional computer engineers who focus on coding, prompt engineers craft written prompts to test the performance of AI systems, identifying and addressing any anomalies or irregularities in the responses generated.
Using GPT-4 for Offensive Security
A helpful reminder: Generative AI is capable of producing hallucinations or false responses, so it’s always important to verify the accuracy of the information provided.
Writing Phishing Mails
In the past, one of the ways to identify phishing emails was by their poor English, as attackers from non-English speaking regions often made grammatical errors. However, with the availability of generative AI tools, a wider range of individuals can create convincing phishing and spam messages, even if they lack the skills to do so manually.
These tools can generate social engineering drafts that impersonate an employee or a company, making it easier for even the most inexperienced individuals to carry out these types of attacks.
Here is an example of how easy it is to create a legitimate looking phishing email:
Writing Scripts
One potential application of GPT-4 is its ability to generate automation scripts that can simplify the tasks of security professionals.
For example, here we asked ChatGPT to write a Python script that utilizes httpx to identify all live web hosts from a list of URLs contained in a text file, and subsequently run nuclei on all the resulting domains.
Source Code Review
With the addition of GPT-4, ChatGPT can now be utilized for source code review, which can greatly aid security professionals in performing such reviews more efficiently. While it is possible for the AI to produce inaccurate results at times, it can provide valuable suggestions that can help inform the security professional’s review process.
Here, we asked GPT-4 to find a security vulnerability in the code:
GPT then promptly responded within seconds:
While simple codes like these can often be accurately assessed by ChatGPT, more complex code may result in incorrect responses. However, even these incorrect responses can still assist security professionals in their work by providing a starting point for further analysis.
Security professionals can then use this information to efficiently sift through the results and filter out any incorrect or irrelevant information
Create Your Own Nuclei Template
ChatGPT can also be utilized to create Nuclei templates, which can aid in automating the task of identifying potential flaws.
Here is an example:
Writing Reports
Ah report writing; the bane of every security professional’s existence.
Report writing can be a cumbersome and frustrating task for many security professionals, particularly for those in the role of penetration testers. Security professionals are typically required to generate a significant number of reports for clients and team members, which can be a time-consuming process.
Fortunately, ChatGPT can provide valuable assistance when it comes to report writing, making the task of writing reports easier and more efficient. However, we do have to emphasize that it isn’t advisable to rely entirely on AI to create your reports.
Example 1: Here we are asking ChatGPT to help write a bug bounty report for a stored XSS that we found in example.com
Example 2 : Here we are asking ChatGPT to write a report to send to our client, on OWASP top 10 flaws along with solutions to fix those flaws.
Prepare for Interviews
ChatGPT can be a valuable tool for individuals preparing for technical interviews, as it has the ability to provide insight into common questions asked for a particular role or position.
Here is an example of us asking ChatGPT to suggest 10 questions and answers for a Penetration Tester role with 3 years’ experience:
Writing Technical Blogs and Articles
ChatGPT just got a whole lot smarter thanks to GPT-4, and it can now offer valuable suggestions and inputs to help you write even the most technical of articles.
In fact, GPT-4 has been put to the test while crafting this very article that you’re reading.
Final Thoughts
Recently, Microsoft has also released its Security Copilot which further helps organizations uncover, investigate, and respond to threats.
ChatGPT, powered by its GPT-4 engine, can be a valuable tool in offensive security, providing assistance to security professionals and streamlining various tasks. While there may be some individuals who seek to misuse this technology, there are also many beneficial applications.
It’s important to note, however, that AI is not a substitute for human expertise and experience in the field of security. While AI can certainly enhance the capabilities of a security professional, it cannot fully replace their knowledge and skills, especially when it comes to more interpersonal forms of hacking such as social engineering.
Nonetheless, security professionals who leverage AI will undoubtedly outperform those who do not.
