Reportinator

Tools/Skills: Burp Suite - proxy, intercept, logger, intruder, cluster bomb, payloads, HTTP traffic

SYNOPSIS

A vulnerability report listing 9 vulnerabilities was generated with the help of AI. Some of the vulnerabilities are hallucinations; my job was to figure out which ones.

Initially, I approached the task by trying to understand each vulnerability and identify which ones were false positives/hallucinations. After two days of working on this off and on, I realized that even with the help of AI, spotting the signs of a hallucination would take a lot more time.

With the help of some clues I read on Discord, I switched tactics. I used Burp Suite to intercept the HTTP traffic generated when I submitted a possible answer to the question. I then analyzed the logs, figured out which parts of the request carried my answers, and built a cluster bomb attack to try every possible combination of answers. In less than half an hour, a 200 status code popped up, showing that I had found the hallucinations.

SOLUTION

  1. Download Burp Suite.

  2. Proxy → Intercept On (use Chromium).

  3. Analyze Logger → identify the inputs, i.e. the values/answers that I wanted to experiment with.

  4. Intruder → Cluster Bomb → add payloads → set payloads to integers between 0 and 1 → Start Attack.

  5. Waited until a 200 status code showed up → Success.

  6. Based on the input values of 1, I identified Questions 3, 6 and 9 as the hallucinations.
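To show what the cluster bomb in steps 4 and 5 actually does, here is an added example (not part of the original writeup and not the challenge's own code) that simulates Intruder's cluster bomb in Python against a constructed in-memory stand-in for the answer-checking endpoint. The stand-in, its field names (q1..q9) and its 200/400 behaviour are assumptions; the hallucinated question numbers 3, 6 and 9 are the ones this writeup reports.

```python
"""Simulating Burp Intruder's cluster bomb against a yes/no answer form.

Added example, not from the original writeup. check_answers() is a constructed
stand-in for the challenge's HTTP endpoint: it returns 200 only when every
question is marked correctly, which is the oracle the real attack relied on.
"""
from itertools import product

NUM_QUESTIONS = 9
# Constructed ground truth: 1 = "this finding is a hallucination", 0 = real.
HALLUCINATED = {3, 6, 9}


def check_answers(answers):
    """Stand-in for the challenge endpoint (assumed field names q1..q9).

    Returns an HTTP-style status code: 200 if every field matches the
    truth, 400 otherwise. The status-code difference is what leaks the answer.
    """
    for n in range(1, NUM_QUESTIONS + 1):
        expected = 1 if n in HALLUCINATED else 0
        if answers.get(f"q{n}") != expected:
            return 400
    return 200


def cluster_bomb(payload_set, positions, oracle):
    """Try every combination of payloads across all positions.

    Mirrors Intruder's cluster bomb: the payload set is applied independently
    to each position, so the search space is len(payload_set) ** len(positions).
    Returns (requests_sent, first_assignment_that_returned_200_or_None).
    """
    sent = 0
    for combo in product(payload_set, repeat=len(positions)):
        sent += 1
        request = dict(zip(positions, combo))
        if oracle(request) == 200:
            return sent, request
    return sent, None


def find_hallucinations():
    """Run the 0/1 cluster bomb over q1..q9 and report which questions hit."""
    positions = [f"q{n}" for n in range(1, NUM_QUESTIONS + 1)]
    sent, hit = cluster_bomb([0, 1], positions, check_answers)
    flagged = sorted(int(k[1:]) for k, v in hit.items() if v == 1) if hit else []
    return sent, flagged


if __name__ == "__main__":
    sent, flagged = find_hallucinations()
    print(f"requests sent: {sent} of {2 ** NUM_QUESTIONS}")
    print(f"questions flagged as hallucinations: {flagged}")
```

With two payload values and nine positions the whole space is 2^9 = 512 requests, which is why the real attack finished in under half an hour. From the defending side, the lesson is that a checker which answers "all correct" with one status code and "anything wrong" with another, and imposes no attempt limit, is a perfect oracle for exactly this kind of enumeration.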

PROCESS

  1. Can I figure it out on my own? → No

    • I attempted going through the first five or six potential vulnerabilities with a fine-tooth comb. → I was no closer to finding the answers.

  2. Can ChatGPT or Bard decide on the correct answers? → Nope.

  3. Can Discord help?

    • Burp Suite? I’d heard of it, but hadn’t yet used it.

    • Downloaded Burp Suite.

    • Cluster Bomb?

    • Bard Prompts/Answers

      Prompt:

      how to use cluster bomb in burp suite

  4. Watched a video on how to use the “cluster bomb” method for a username/password list.

  5. Analyzed how my answers were showing up in the code (as 0s and 1s) and adjusted the cluster bomb method for numbers instead of a list.

  6. Is there a way I can test out every possible solution without doing the work myself? → Yes

  7. Burp Suite Learning & Success
