Here is the code for copying and pasting (because it seemed to be blocked by medium). Make sure to combine this post with medium to get the full info, but full text below (sorry I am lazy).
Output 2
(We’ll start here because it’s where it becomes relevant for everyone)
ChatGPT: “Here’s an updated Python script that incorporates the HackerOne API and GitHub API to search for companies and critical open source projects:”
import requests
import json
# Step 1: Set up the HackerOne API
url = 'https://api.hackerone.com/v1/hackers/programs'
headers = {'Authorization': 'Bearer <API Key>'} # replace <API Key> with your HackerOne API key
response = requests.get(url, headers=headers)
if response.status_code != 200:
print('Failed to retrieve programs from HackerOne API')
exit()
programs = response.json().get('data')
if not programs:
print('No programs found on HackerOne')
exit()
# Step 2: Search for companies on GitHub
company_names = [program.get('name') for program in programs]
github_base_url = 'https://api.github.com/search/users?q='
github_headers = {'Accept': 'application/vnd.github.v3+json'}
company_github = {}
for name in company_names:
url = github_base_url + name
response = requests.get(url, headers=github_headers)
if response.status_code == 200:
items = response.json().get('items')
if items:
company_github[name] = items[0].get('login')
# Step 3: Determine critical open source projects
# If the critical projects list is not available, you can download it with:
# `wget https://raw.githubusercontent.com/ossf/criticality_score/master/data/all.csv`
with open('all.csv') as f:
projects = f.read().splitlines()
critical_projects = set()
for name, github_account in company_github.items():
url = f'https://api.github.com/users/{github_account}/repos'
response = requests.get(url, headers=github_headers)
if response.status_code == 200:
repos = response.json()
for repo in repos:
if repo.get('name') in projects:
critical_projects.add(repo.get('name'))
# Output results
print(f'Found {len(company_github)} companies on GitHub:')
for name, github_account in company_github.items():
print(f'{name}: {github_account}')
print(f'Found {len(critical_projects)} critical open source projects in use:')
for project in critical_projects:
print(project)
Output 3: Add Fuzzing
In part “B” of the prompt above, I get ChatGPT to add fuzzing setup, because it’s the best way to find vulnerabilities at scale. And it’s how you can make OSS-Fuzz reward monies.
import requests
# Example fuzzer repositories
fuzzer_repos = {
"cifuzz": "https://github.com/CodeIntelligenceTesting/cifuzz",
"jazzer": "https://github.com/CodeIntelligenceTesting/jazzer",
"oss-fuzz": "https://github.com/google/oss-fuzz",
"aflplusplus": "https://github.com/AFLplusplus/AFLplusplus"
}
# Get a list of repositories for a given language and topic
def get_repos(language, topic):
url = f"https://api.github.com/search/repositories?q=language:{language}+topic:{topic}&sort=stars&order=desc"
headers = {'Accept': 'application/vnd.github.mercy-preview+json'}
response = requests.get(url, headers=headers)
repos = response.json()['items']
return repos
# Example usage to get a list of repositories using the topic "fuzzer" and the language "C"
repos = get_repos("C", "fuzzer")
# Print the name and URL of each repository
for repo in repos:
print(repo['name'], repo['html_url'])
Make sure to cross reference this with my post on Medium.
Output 4: Automate Fuzzing
This is part “C” of the prompt above. I want to automate fuzzing setup, reporting for H1 and GitHub. ChatGPT gave results for OSS-Fuzz.
import os
# Replace these variables with your own GitHub repository details
GITHUB_OWNER = "your-github-owner"
GITHUB_REPO = "your-github-repo"
PROJECT_NAME = "your-project-name"
# Clone the OSS-Fuzz Git repository
os.system("git clone https://github.com/google/oss-fuzz.git")
# Build the base OSS-Fuzz image
os.system("cd oss-fuzz && ./infra/helper.py build_image " + PROJECT_NAME)
# Create a new fuzzing project for your repository
os.system("cd oss-fuzz && python3 infra/helper.py create_fuzzing_engine " + GITHUB_OWNER + "/" + GITHUB_REPO)
# Build the fuzzers for your repository
os.system("cd oss-fuzz && python3 infra/helper.py build_fuzzers --sanitizer=address " + PROJECT_NAME)
# Push the fuzzers to your GitHub repository
os.system("cd oss-fuzz && python3 infra/helper.py upload_fuzzers " + PROJECT_NAME)
# Start fuzzing the project
os.system("cd oss-fuzz && python3 infra/helper.py start_fuzzing " + PROJECT_NAME)
Full text of article for easy reference (unformatted sorry)
2023-02-22 medium blog post text
ChatGPT Python Script to Automate Multiple Reports for Every Program Using a Critical Open Source Component
I can’t even fit this into one title. It’s that complex. In sum, I used ChatGPT to automate finding companies with bug bounty programs on HackerOne that have an account on GitHub and that use one of those critical open source projects, which then automates the setup of a fuzz test of that project and generates a vulnerability report for GitHub and HackerOne.
Once you see this, you will be modifying the script from ChatGPT, so you can complete this task. The added bonus is, if you setup the open source project in OSS-Fuzz, you are eligible for a reward from Google, as well as from the program at HackerOne.
Let me explain.
There are numerous open source projects, many of which are in use by companies of all sizes. With funding from Google, the Open Source Security Foundation wants to secure these projects. Those projects are scored for criticality in a systematic way. You can download that list as a CSV.
Furthermore, many companies rely on those critical open source projects (linux, php, node, they’re all critical projects, they’re all open source!). Many companies have bug bounty programs on HackerOne. You can access those programs as a list with H1’s API.
You’ve all seen this before, I’m sure. I used ChatGPT to automate finding companies with bug bounty programs on HackerOne that have an account on GitHub and that use one of those critical open source projects, which then automates the setup of a fuzz test of that project and generates a vulnerability report for GitHub and HackerOne. Now you can cross check the list of programs by automating the check on GitHub, if that company with a program has a public GitHub repo. If they have a public GitHub repo, you can check if they are using any projects from the list of critical open source projects.
Now, if you fuzz those projects, you will likely find a vulnerability. I used ChatGPT to try to automate the setup of the fuzzer, as well to write a GitHub issue ticket and a vulnerability report for each program using that component.
The added bonus is, if are the first to setup the open source project in OSS-Fuzz, and it works and finds valid security vulnerabilities, you are eligible for a reward from Google, up to $30,000.
So, here’s the output from ChatGPT and my prompt. Good luck!
ChatGPT prompt in one piece.
You will need to feed the prompt to ChatGPT in pieces:
Hi! I have a task for you. This task is very important for open source security. First, the background:
- There is a list of the top most critical open source projects. The list is here: https://commondatastorage.googleapis.com/ossf-criticality-score/index.html
In that list there is a CSV with all the open source projects rated in terms of their criticality. So you understand how the criticality score was derived, I am linking it here for you: https://github.com/ossf/criticality_score#criticality-score - Concurrently, I want you to use the GitHub API to find companies from the Russell 3000 index that are using a critical open source project, as listed above.
2A. Do not worry that your training data ended at a certain point in time. Whatever you have for the Russell 3000 index will be acceptable for this exercise. - I want you to write a script in python that pulls every company from the Russell 3000 list, determines if each company has a GitHub account, and then lists which critical open source projects the company is using.
- The output of this python script should be a CSV with the following column headers:
Russell 3000 Index rank (number on list)
Company name
GitHub page link
Total number of critical open source projects in use
Critical open source project 1
Critical open source project 2
Critical open source project 3
Critical open source project
(Continue creating new columns for every critical open source project in use, where is the number growing in sequence. The projects should be listed in order of most critical first. Remember that according to algorithm, the criticality score is 0 to 1, with 0 being least critical, and 1 being most critical.)
# # 2nd prompt # # #
OK. This is great. Please modify your output in the following way. Instead of the Russell 3000 index, get the S&P 500 list from here: https://www.slickcharts.com/sp500
Your script will have to scrape the names and details of the companies from the link. Feel free to create another way to validate that you have the correct company name, so that you find that company in GitHub.
Additionally, I want you modify your output, so that I can read the output in my browser (locally). Use whatever language or output is easiest to use (imagine that I am an 8 year old).
# # 3rd prompt for bug bounty # # #
OK. I am very pleased. Here is how I want you to modify this script. You may need to re-write the entire script, because the prompt is different. Now I am a bug bounty researcher, and I want to help other bug bounty researchers with their work, which inevitably helps the security community, because they can be more efficient. So here are the instructions:
- Modify your python script in following ways:
A1. Instead of finding companies in the Russell 3000 index or S&P 500, incorporate the public API from HackerOne, their API for hackers. (If you don’t have it in your training data, that is fine. The link to the API is here: https://api.hackerone.com/hacker-resources/#programs-get-programs
A2. Use the output of programs from the HackerOne API to search for those companies on GitHub. Use the GitHub API.
A3. Then the script should determine which critical open source projects are in use by the company which has a program on HackerOne and that you could find an account for on GitHub.
A4. If necessary, add instructions for the security researcher on how to set up a place for the script to access the list of critical open source projects found in “all.csv” at this link: https://commondatastorage.googleapis.com/ossf-criticality-score/index.html
A5. Include instructions in the python script that automates the setup of the hackerOne API for the security researcher as much as possible.
B. Excellent Can you include in this script or a bit of script to add, that lists open source fuzzers which the researcher could use to automate finding vulnerabilities on that critical open source project? Examples of fuzzers are
B1. cifuzz (located here: https://github.com/CodeIntelligenceTesting/cifuzz )
B2. Jazzer (located here: https://github.com/CodeIntelligenceTesting/jazzer )
B3. OSS-Fuzz (located here: https://github.com/google/oss-fuzz)
B4. AFL++ (located here: https://github.com/AFLplusplus/AFLplusplus )
B4. (Any other fuzzers that you think would be relevant for popular languages)
C. Please modify your script above. It should automate the setup of fuzzing for that critical open source project on GitHub.
C1. The output should then go to a script that generates a vulnerability report for
C1a. For all programs listed in the HackerOne API using that critical open source project
C1b. For the open source project on GitHub, so other maintainers of that project can fix it.
D. Extra bonus points for you, if your script can do this for B3. OSS-Fuzz and meet their reward criteria.
Output 2
(We’ll start here because it’s where it becomes relevant for everyone)
ChatGPT: “Here’s an updated Python script that incorporates the HackerOne API and GitHub API to search for companies and critical open source projects:”
import requests
import json
Step 1: Set up the HackerOne API
url = ‘https://api.hackerone.com/v1/hackers/programs’
headers = {‘Authorization’: ‘Bearer ‘} # replace with your HackerOne API key
response = requests.get(url, headers=headers)
if response.status_code != 200:
print(‘Failed to retrieve programs from HackerOne API’)
exit()
programs = response.json().get(‘data’)
if not programs:
print(‘No programs found on HackerOne’)
exit()
Step 2: Search for companies on GitHub
company_names = [program.get(‘name’) for program in programs]
github_base_url = ‘https://api.github.com/search/users?q=’
github_headers = {‘Accept’: ‘application/vnd.github.v3+json’}
company_github = {}
for name in company_names:
url = github_base_url + name
response = requests.get(url, headers=github_headers)
if response.status_code == 200:
items = response.json().get('items')
if items:
company_github[name] = items[0].get('login')
Step 3: Determine critical open source projects
If the critical projects list is not available, you can download it with:
wget https://raw.githubusercontent.com/ossf/criticality_score/master/data/all.csv
with open(‘all.csv’) as f:
projects = f.read().splitlines()
critical_projects = set()
for name, github_account in company_github.items():
url = f’https://api.github.com/users/{github_account}/repos’
response = requests.get(url, headers=github_headers)
if response.status_code == 200:
repos = response.json()
for repo in repos:
if repo.get(‘name’) in projects:
critical_projects.add(repo.get(‘name’))
Output results
print(f’Found {len(company_github)} companies on GitHub:’)
for name, github_account in company_github.items():
print(f'{name}: {github_account}’)
print(f’Found {len(critical_projects)} critical open source projects in use:’)
for project in critical_projects:
print(project)
Here’s how to use this script:
Replace with your actual HackerOne API key.
Run the script.
The script will output the list of companies found on GitHub and the critical open source projects in use by those companies. If the critical projects list is not available locally, the script will print a reminder to download it.
Note that this script is just a starting point and you may need to modify it to suit your specific use case. For example, you may want to add error handling or modify the search parameters for the GitHub API.
Output 3: Add Fuzzing
In part “B” of the prompt above, I get ChatGPT to add fuzzing setup, because it’s the best way to find vulnerabilities at scale. And it’s how you can make OSS-Fuzz reward monies.
import requests
Example fuzzer repositories
fuzzer_repos = {
“cifuzz”: “https://github.com/CodeIntelligenceTesting/cifuzz”,
“jazzer”: “https://github.com/CodeIntelligenceTesting/jazzer”,
“oss-fuzz”: “https://github.com/google/oss-fuzz”,
“aflplusplus”: “https://github.com/AFLplusplus/AFLplusplus”
}
Get a list of repositories for a given language and topic
def get_repos(language, topic):
url = f”https://api.github.com/search/repositories?q=language:{language}+topic:{topic}&sort=stars&order=desc”
headers = {‘Accept’: ‘application/vnd.github.mercy-preview+json’}
response = requests.get(url, headers=headers)
repos = response.json()[‘items’]
return repos
Example usage to get a list of repositories using the topic “fuzzer” and the language “C”
repos = get_repos(“C”, “fuzzer”)
Print the name and URL of each repository
for repo in repos:
print(repo[‘name’], repo[‘html_url’])
ChatGPT adds:
You can modify the fuzzer_repos dictionary to add or remove fuzzer repositories as needed. The get_repos() function uses the GitHub API to search for repositories by language and topic, and returns a list of repositories sorted by the number of stars they have. The example usage shows how to get a list of repositories using the topic “fuzzer” and the language “C”, but you can modify these values to search for repositories in other languages and topics.
Output 4: Automate Fuzzing
This is part “C” of the prompt above. I want to automate fuzzing setup, reporting for H1 and GitHub. ChatGPT gave results for OSS-Fuzz.
import os
Replace these variables with your own GitHub repository details
GITHUB_OWNER = “your-github-owner”
GITHUB_REPO = “your-github-repo”
PROJECT_NAME = “your-project-name”
Clone the OSS-Fuzz Git repository
os.system(“git clone https://github.com/google/oss-fuzz.git”)
Build the base OSS-Fuzz image
os.system(“cd oss-fuzz && ./infra/helper.py build_image ” + PROJECT_NAME)
Create a new fuzzing project for your repository
os.system(“cd oss-fuzz && python3 infra/helper.py create_fuzzing_engine ” + GITHUB_OWNER + “/” + GITHUB_REPO)
Build the fuzzers for your repository
os.system(“cd oss-fuzz && python3 infra/helper.py build_fuzzers –sanitizer=address ” + PROJECT_NAME)
Push the fuzzers to your GitHub repository
os.system(“cd oss-fuzz && python3 infra/helper.py upload_fuzzers ” + PROJECT_NAME)
Start fuzzing the project
os.system(“cd oss-fuzz && python3 infra/helper.py start_fuzzing ” + PROJECT_NAME)
ChatGPT concludes:
After running this script, the OSS-Fuzz tool will automatically start fuzzing your GitHub repository and generate a report on any vulnerabilities it finds. You can also check the OSS-Fuzz dashboard to get more information about the fuzzing process.
For C1a and C1b, you can use the HackerOne API to generate a vulnerability report for all programs listed that use the critical open source project, and for the open source project on GitHub, respectively. You can use a combination of API calls and data processing to generate this report.
If you are successful with the last part, find vulns, you could be eligible for up to $30K from Google OSS-Fuzz. I sincerely hope someone tries this and succeeds!
Tofu Security Solutions 