My experience with BugBase copilot
2023-9-18 11:37:46 Author: infosecwriteups.com(查看原文) 阅读量:24 收藏

Shriyans Sudhi

InfoSec Write-ups

Hi there

I’ve tried Bugbase Copilot on Portswigger lab (the pre-launch version), and here’s what it did

(Important: Not a paid promotion. All are my own opinions)

A screenshot on internet of copilot home page

(I started out with 10 gold in my account)

The main prompt was:-
I have a URL endpoint https://0a1900570385adc18986d5e200d900b9.web-security-academy.net/filter?category=Accessories and in this, I want to test for all vulnerabilities possible.

Now, two threads (sub-sessions) were started. One for nmap, and other for google search

As a general pentest, it started out with providing the nmap command:-
nmap -sV -sC 0a1900570385adc18986d5e200d900b9.web-security-academy.net -oA 02895d8d-2df3–494b-877c-d79458d5d018-nmap.txt

(At this point, I had 9 gold)

The other thing it asked for was a google search. The text to search was:-
Information about https://0a1900570385adc18986d5e200d900b9.web-security-academy.net/filter?category=Accessories

I didn’t provided the search result because it is a vulnerability lab, and is of somehow no use (though I searched it on bing & google, and they simply gave me the lab URL for which this endpoint belonged to, and the bing directly gave my description of SQL injection)

So, after I executed the first nmap command, it gave me another nmap command to scan those open ports with nmap vuln script
nmap — script vuln -p 80,443 0a1900570385adc18986d5e200d900b9.web-security-academy.net

The scan was taking too long, and I had connection interrupt, so I simply provided it the following result nmap produced:-
PORT STATE SERVICE
80/tcp open http
|_http-dombased-xss: Couldn’t find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007–6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server’s resources causing Denial Of Service.
|
| Disclosure date: 2009–09–17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007–6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
|_http-csrf: Couldn’t find any CSRF vulnerabilities.
443/tcp open https
|_http-dombased-xss: Couldn’t find any DOM based XSS.
|_http-stored-xss: Couldn’t find any stored XSS vulnerabilities.
|_http-csrf: Couldn’t find any CSRF vulnerabilities.

Obviously, I don’t want any DoS or any other vulnerability. I want SQLi.

(1 gold deducted, and I’m left with 8 gold)

The next, it suggested me to confirm the DoS vulnerability, but I am not gonna do this.

I simply gave it the summary of what I want to do (test for XSS and SQLi rather than DoS.

I clicked “Complete the engagement and pass the summary on the main thread”.

It simply marked that thread as completed, closed it and redirected me to the main thread.

Now, I have the google one left, and as I’ve described what I got after searching that term on google, I decided to provide it things on my own. Here’s what I gave it:-
The website is an e-commerce site. It provides sells products of multiple categories. It has multiple products listed on its homepage, and takes me to a URL when the user click on those.

I decided not to tell it’s a SQL injection lab, and let it continue with the things it wanted.

Till this point, I knew that I should have provided it a bug bounty target rather than portswigger lab xD

(1 gold deducted and now I am left with 7 gold)

Now, it suggested me this as next steps:-

Next steps would involve identifying the target IP and performing a standard reconnaissance (recon) such as a port scan, identifying services running on these open ports. Following that, probing the discovered services for known vulnerabilities. Additionally exploring the website interaction further might reveal possible injection points, insecure direct object references or other OWASP top ten vulnerabilities.

Now, I passed it to the main thread

Now, no subprocesses are running, and I’ve got an option to continue with these results.

(I also kept reloading the Portswigger lab so it won’t get killed xD )

It summarised the output as the following:-

I have analyzed the subprocesses and here is the summary: {
“summary”: [
{
“target”: “0a1900570385adc18986d5e200d900b9.web-security-academy.net”,
“IP”: “34.246.129.62”,
“notes”: “The target is an active AWS EC2 instance with low latency. NMAP scan revealed two open TCP ports, 80 and 443. A detailed scan on these ports indicated potential vulnerability to Slowloris DOS attack on port 80 with no identified vulnerabilities on port 443.”
},
{
“target”: “e-commerce website”,
“IP”: “unspecified”,
“notes”: “The website’s main functional component is product listings. No specific vulnerabilities, open ports, or active services have been identified yet. Further enumeration and testing is required.”
}
]
}

Now, it gave me the following next steps:-

A more detailed verification of the potential Slowloris DOS vulnerability should be performed, using a Slowloris attack simulator. Also, further enumeration of the e-commerce site should be done by exploring known vulnerabilities of similar platforms. XSS, SQL Injection and CSRF attacks can be tested on various inputs fields on the website. Running a vulnerability scanner against the website might reveal more potential attack surfaces.

(At this point, I am left with 6 gold, means 1 was deducted)

Now, it suggest me the following:-

Now, I decided that I will continue with this next time, with the some other target.


文章来源: https://infosecwriteups.com/my-experience-with-bugbase-copilot-5b83e3b41a84?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh