cckuailong/awesome-gpt-security

A curated list of awesome security tools, experimental case or other interesting things with LLM or GPT.

Awesome GPT + Security

A curated list of awesome security tools, experimental case or other interesting things with LLM or GPT.

Contents

• Tools
  • Integrated
  • Audit
  • Reconnaissance
  • Offensive
  • Detecting
  • Preventing
  • Social Engineering
  • Reverse Engineering
  • Investigation
  • Fix
  • Assessment
• Cases
  • Experimental
  • Academic
  • Blogs
  • Fun
• GPT Security
  • Standard
  • Bypass Security Policy
  • Bug Bounty
  • Crack
  • Plugin Security
• Contributing

Attention

Here is A nice tool to Finetune ALL LLMs with ALL Adapeters on ALL Platforms!

Tools

🧰

Integrated

• SecGPT - SecGPT aims to make further contributions to network security by combining LLM, including penetration testing, red-blue confrontations, CTF competitions, and other aspects.
• AutoAudit - An LLM for Cyber Security
• secgpt - Cyber security LLM(Lora finetuned with baichuan-13B using some material of cyber security)
• HackerGPT-2.0 - HackerGPT is your indispensable digital companion in the world of hacking.

Audit

• SourceGPT - prompt manager and source code analyzer built on top of ChatGPT as the oracle
• ChatGPTScanner - A white box code scan powered by ChatGPT
• chatgpt-code-analyzer - ChatGPT Code Analyzer for Visual Studio Code
• hacker-ai - An online tool using AI to detect vulnerabilities in source code
• audit_gpt - Fine-tuning GPT for Smart Contract Auditing
• vulchatgpt - Use IDA PRO HexRays decompiler with OpenAI(ChatGPT) to find possible vulnerabilities in binaries
• Ret2GPT - Advanced AI-powered binary analysis tool leveraging OpenAI's LangChain technology, revolutionizing CTF Pwners' experience in binary file interpretation and vulnerability detection.

Reconnaissance

• CensysGPT Beta - The tool enables users to quickly and easily gain insights into hosts on the internet, streamlining the process and allowing for more proactive threat hunting and exposure management
• GPT_Vuln-analyzer - Uses ChatGPT API, Python-Nmap, DNS Recon modules and uses the GPT3 model to create vulnerability reports based on Nmap scan data, and DNS scan information. It can also perform subdomain enumeration to a great extent
• SubGPT - SubGPT looks at subdomains you have already discovered for a domain and uses BingGPT to find more.
• Navi - A QA based Reconnaissance Tool with GPT
• ChatCVE - The ChatCVE Lang Chain App is an AI-powered devSecOps application 🔍, for oganizations triaging and aggregating CVE (Common Vulnerabilities and Exposures) information.
• ZoomeyeGPT - ZoomEyeGPT browser extension is a GPT-based Chrome browser extension designed to bring AI-assisted search experience to ZoomEye users.
• uncover-turbo - Realize a general-purpose natural language surveying and mapping engine, and open up the last mile from natural language to surveying and mapping grammar.
• DevOpsGPT - AI-Driven Software Development Automation Solution

Offensive

• PentestGPT - A GPT-empowered penetration testing tool
• burpgpt - A Burp Suite extension that integrates OpenAI's GPT to perform an additional passive scan for discovering highly bespoke vulnerabilities, and enables running traffic-based analysis of any type.
• ReconAIzer - A Burp Suite extension to add OpenAI (GPT) on Burp and help you with your Bug Bounty recon to discover endpoints, params, URLs, subdomains and more!
• CodaMOSA - CodaMOSA is the paper code of CodaMOSA: Escaping Coverage Plateaus in Test Generation with Pre-trained Large Language Models. It implements a fuzzer combined with OpenAI API, aiming to alleviate the problem of stagnant coverage in traditional fuzz.
• PassGAN - A Deep Learning Approach for Password Guessing. HomeSecurityHeroes land a Product, and you can test how much time an AI would need to crack your password here.
• nuclei-ai-extension - Official by Nuclei Team. Browser Extension for Rapid Nuclei Template Generation.
• nuclei_gpt - Only need to submit the relevant Request and Response and the description of the vulnerability to generate a Nuclei PoC.
• Nuclei Templates AI Generator -- Create Nuclei templates by textual description (e.g., vulnerability scanners by PoC).
• hackGPT - Leverage OpenAI and ChatGPT to do hackerish things

Detecting

• k8sgpt - a tool for scanning your Kubernetes clusters, diagnosing, and triaging issues in simple English.
• cloudgpt - Vulnerability scanner for AWS customer managed policies using ChatGPT
• IATelligence - About IATelligence is a Python script that will extract the IAT of a PE file and request GPT to get more information about the API and the ATT&CK matrix related
• rebuff - Prompt Injection Detector.
• Callisto - An Intelligent Automated Binary Vulnerability Analysis Tool.
• LLMFuzzer - LLMFuzzer is the first open-source fuzzing framework specifically designed for Large Language Models (LLMs), especially for their integrations in applications via LLM APIs.
• Vigil - Prompt injection detection and LLM prompt security scanner

Preventing

Social Engineering

• ChatGPT-Web-Setting-Funny-Abuse - Play with ChatGPT-Web and found the HTML rendering in description settings.

Reverse Engineering

• LLM4Decompile - Reverse Engineering: Decompiling Binary Code with Large Language Models
• Gepetto - About IDA plugin which queries OpenAI's gpt-3.5-turbo language model to speed up reverse-engineering
• gpt-wpre - Whole-Program Reverse Engineering with GPT-3
• G-3PO - A Script that Solicits GPT-3 for Comments on Decompiled Code

Investigation

• beelzebub - Go-Based Low-Code Honeypot Framework with Enhanced Security, Leveraging GPT-3 for System Virtualization

Fix

• wolverine - Auto fix the bugs in your Python Script/Code

Assessment

• falco-gpt - AI-generated remediations for Falco audit events
• selefra - an open-source policy-as-code software that provides analytics for multi-cloud and SaaS.
• openai-cti-summarizer - openai-cti-summarizer is a tool for generating threat intelligence summary reports based on OpenAI's GPT-3.5 and GPT-4 API

---

Cases

🌰

Experimental

• Lost in ChatGPT's memories: escaping ChatGPT-3.5 memory issues to write CVE PoCs
• I built a Zero Day virus with undetectable exfiltration using only ChatGPT prompts
• Experimenting with GPT-3 for Detecting Security Vulnerabilities in Code
• We put GPT-4 in Semgrep to point out false positives & fix code
• A Practical, AI-Generated Phishing PoC With ChatGPT
• Capturing the Flag with GPT-4
• I Used GPT-3 to Find 213 Security Vulnerabilities in a Single Codebase
• Using ChatGPT to generate encoder and supporting WebShell
• Using OpenAI Chat to Generate Phishing Campaigns -- Include Phishing Platform
• Chat4GPT Experiments for Security
• GPT-3 use cases for Cybersecurity
• AI-Powered Fuzzing: Breaking the Bug Hunting Barrier

Academic

• GPT-4 Technical Report -- OpenAI's own security assessment and mitigation of the model
• Ignore Previous Prompt: Attack Techniques For Language Models -- Pioneering work of Prompt Injection
• More than you've asked for: A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models
• RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models
• Exploiting Programmatic Behavior of LLMs: Dual-Use Through Standard Security Attacks
• Red Teaming Language Models to Reduce Harms: Methods, Scaling Behaviors, and Lessons Learned
• Can We Generate Shellcodes via Natural Language? An Empirical Study

Blogs

• Dissecting redis CVE-2023-28425 with chatGPT as assistant
• Security Code Review With ChatGPT
• ChatGPT happy to write ransomware, just really bad at it
• Create ATT&CK Groups Knowledge Base
• Model Confusion - Weaponizing ML models for red teams and bounty hunters
• Using LLMs to reverse JavaScript variable name minification

Fun

• shortest prompt that will enable GPT to protect the secret key
• a CTF-like game that teaches how to bypass LLM using language hacks
• ai-goat - Learn AI security through a series of vulnerable LLM CTF challenges.

---

GPT Security

🚨

Standard

• ATT&CK for LLM Apps
• The OWASP Top 10 for Large Language Model Applications project
• Google AI Red Team
• PurpleLlama - Empowering developers, advancing safety, and building an open ecosystem

Bypass Security Policy

• Chat GPT "DAN" (and other "Jailbreaks")
• ChatGPT Prompts for Bug Bounty & Pentesting
• promptmap - automatically tests prompt injection attacks on ChatGPT instances
• Use "Typoglycemia" to Bypass the LLM's Security Policy
• Universal and Transferable Adversarial Attacks on Aligned Language Models
• promptbench - A robustness evaluation framework for large language models on adversarial prompts

Bug Bounty

• Building A Virtual Machine inside ChatGPT - deprecated but interesting
• LangChain vulnerable to code injection -- CVE-2023-29374

Crack

• gpt4free - Just API's from some language model sites.
• EdgeGPT - Reverse engineered API of Microsoft's Bing Chat AI
• GPTs - leaked prompts of GPTs

Plugin Security

• SecureGPT – Dynamically test the security of your ChatGPT Plugins APIs (Free DAST for ChatGPT Plugins).

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.

---

If you have any question about this opinionated list, do not hesitate to open an issue on GitHub.

Thanks again for your contribution and keeping this community vibrant. ❤️