Simple AI Web Fuzzing

Published: Draft

Written By: Ng Jun Hao

Idea

Test AI capabilities to help fuzz web applications and get payload faster. This way, vulnerabilies can be reported faster and fixed before they are exploited by threat actors.

Design

• Selected vulnerable web applications from GitHub
  • aabashkin/nosql-injection-vulnapp
  • DiogoMRSilva/websitesVulnerableToSSTI
• Agent design
  • List of inital payload
    • Agent to generate search engine query to find link to list of relevant payloads
    • Agent to select relevant page until payload file is found (zip, gz, gzip, tar, txt)
    • Agent to download relevat payloads
  • Iterations
    • Agent will run through the payloads until errors are found
    • Agent will take the error and context of web application to form new payloads
    • Agent will try and determine if each iteration there is progress made, up till a limit of 30 tries
    • Agent will try the next payload in the payloads if failed
• Technology and UI
  • Python web application featuring agent processing, embeded frame of the target website and search engine used
  • LLM used is Gemini

SSTI Injection

Navigation

Back to home