vulnhuntr: A tool to identify remotely exploitable vulnerabilities
vulnhuntr
Vulnhuntr leverages the power of LLMs to automatically create and analyze entire code call chains starting from remote user input and ending at server output for detection of complex, multi-step, security-bypassing vulnerabilities that go far beyond what traditional static code analysis tools are capable of performing. See all the details including the Vulnhuntr output for all the 0-days here: Protect AI Vulnhuntr Blog
Vulnerabilities Found
| Repository | Stars | Vulnerabilities |
|---|---|---|
| gpt_academic | 64k | LFI, XSS |
| ComfyUI | 50k | XSS |
| FastChat | 35k | SSRF |
| REDACTED | 29k | RCE, IDOR |
| REDACTED | 20k | SSRF |
| Ragflow | 16k | RCE |
| REDACTED | 19k | AFO |
| REDACTED | 12k | AFO, IDOR |
Limitations
- Only Python codebases are supported.
- Can only identify the following vulnerability classes:
- Local file include (LFI)
- Arbitrary file overwrite (AFO)
- Remote code execution (RCE)
- Cross site scripting (XSS)
- SQL Injection (SQLI)
- Server side request forgery (SSRF)
- Insecure Direct Object Reference (IDOR)
Logic flow
- LLM summarizes the README and includes this in the system prompt
- LLM does initial analysis on an entire file and reports any potential vulnerabilities
- Vulnhuntr then gives the LLM a vulnerability-specific prompt for secondary analysis
- Each time the LLM analyzes the code, it requests additional context functions/classes/variables from other files in the project
- It continues doing this until the entire call chain from user input to server processing is complete then gives a final analysis
- The final analysis consists of it’s reasoning, a proof of concept exploit, and a confidence score
