Enhancing Penetration Testing with AI: Arcanum Cyber Security Bot in Action

In the ever-evolving landscape of cybersecurity, artificial intelligence (AI) is becoming an indispensable tool for penetration testing. Craig, a former software developer and red teamer at Black Hills Infosec, has been exploring how AI can assist in this critical process. One of the tools he has experimented with is the Arcanum Cyber Security Bot, created by Jason Haddix.

Jason engineered this bot to leverage up-to-date technical information related to application security and penetration testing. The bot is available on platforms like chatgpt.com/gpts and can be used to analyze JavaScript source code for security vulnerabilities.

For this experiment, Craig used OWASP’s intentionally vulnerable Juice Shop web application. It's crucial to maintain client confidentiality when performing penetration tests, so real customer information should not be sent to remote language models. Instead, local on-premises models are recommended for actual penetration tests.

When Craig first tried to paste the entire main.js file from the Juice Shop application into the Arcanum chatbot, the prompt was too large. He used parallel-prettier to make the file more readable and broke it into smaller chunks for submission.

The chatbot quickly identified a list of API endpoints in the source code, which is a valuable step in discovering additional attack surfaces. It even attempted to provide documentation for the API calls, significantly reducing the time and effort required for manual analysis.

The bot continued with a comprehensive security analysis of the file. It recognized the presence of hacking tutorial content and deduced that the code was part of an intentionally vulnerable web application, specifically the Juice Shop.

The chatbot then suggested possible attack paths and provided defensive recommendations. It offered to generate proof-of-concept exploits for the identified vulnerabilities, which Craig found particularly useful. The bot also guided him through the process of using Intruder to perform attacks against the reported vulnerabilities, providing various payloads and even Python code to automate the attacks.

Additionally, the bot suggested other advanced vulnerabilities to check for and provided payloads and automation scripts for those vulnerabilities. While the bot occasionally veered off into unrelated topics like post-exploitation and cloud attacks, it remained a valuable tool for security testing.

Overall, the Arcanum Cyber Security Bot proved to be helpful and easy to use. It demonstrated the potential of AI to improve efficiency and performance in penetration testing workflows. However, it also highlighted the importance of maintaining client confidentiality and the need for careful consideration when integrating AI into security processes.

The article demonstrates practical applications of AI in security testing, showing both benefits (time savings, automated analysis) and limitations (context awareness, ethical restrictions) of current AI tools in penetration testing workflows. As Craig notes, there are opportunities to leverage AI to enhance penetration testing, but it's essential to avoid getting bogged down in AI experimentation and to ensure the confidentiality of client data.

Ready to learn more? Level up your skills with affordable classes from Antisyphon! Available live/virtual and on-demand.