From 618d9b28f4621a44e5ec66a5c20ac533abb8cacf Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 28 Jun 2026 13:54:17 +0000 Subject: [PATCH] Add content from: Local AI for Cyber Security: Finding phpIPAM LFI and myVesta... --- ...ted-Fuzzing-and-Vulnerability-Discovery.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/src/AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md b/src/AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md index a94a6a101ad..c9ca7187f55 100644 --- a/src/AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md +++ b/src/AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md @@ -133,6 +133,37 @@ Implement a queue where confirmed PoV-validated patches and *speculative* patche --- +## 6. Deterministic File-by-File AI Code Review + +A frequent failure mode in AI-assisted review is asking one agent to inspect a whole repository and hoping it chooses the right files and grep terms. A more reliable pattern is to **force repository coverage**: + +1. Enumerate source files. +2. Send **one file at a time** plus minimal context (entrypoint, imports, nearby routes/callers). +3. Require a **structured report** for each file: sources, sink, missing validation, exploit preconditions, and confidence. +4. Deduplicate reports by **source→sink pattern** and manually validate the high-risk ones. + +This is token-heavy and noisy, but it is very effective at surfacing **simple high-impact source/sink bugs** that broad agentic reviews often miss. + +### Triage patterns worth prioritising + +- **Dynamic PHP include/dispatch**: attacker-controlled route/controller/module names flowing into `require_once()`, `include()`, or `include_once()` without strict allowlisting and path canonicalisation. +- **Shell execution in admin/account workflows**: usernames, domains, FTP accounts, or other identifiers reaching `exec()`, `system()`, `shell_exec()`, `passthru()`, `proc_open()`, or `popen()`. +- **Structured input fan-in**: the same parameter accepted from `$_GET`, `$_POST`, JSON, XML, or framework body parsers and later reused in filesystem or OS-command sinks. + +### Two practical bug classes this method finds well + +- **PHP controller-dispatch LFI/RCE**: if a request-controlled controller name is concatenated into `require_once()` with no allowlist/path normalisation, traversal sequences such as `../` can make PHP include an unintended local `.php` file. If the attacker can point the include at a planted or otherwise useful PHP file, the LFI becomes code execution. See [File Inclusion / Path Traversal](../pentesting-web/file-inclusion/README.md). +- **Authenticated command injection in hosting/admin panels**: if account-management fields such as usernames are embedded into shell commands, a low-privileged authenticated user may turn a normal create/delete action into RCE. The impact increases when the panel executes the command as a more privileged service account. See [Command Injection](../pentesting-web/command-injection.md). + +### Practical review notes + +- Use the LLM as a **source/sink reviewer first**, not as an exploit generator. +- Ask it to explicitly list the **attacker-controlled field**, the **normalization/validation gap**, and the **dangerous sink**. +- For large repos, deterministic per-file review is often more reliable than a single autonomous agent run, even when the latter uses a stronger model. +- Expect weaker results on **Broken Access Control** and other business-logic bugs where exploitability depends on cross-file assumptions, role semantics, or product-specific threat models. + +--- + ## Putting It All Together An end-to-end CRS (Cyber Reasoning System) may wire the components like this: @@ -152,6 +183,9 @@ graph TD --- ## References +* [Project Black - Local AI for Cyber Security: Finding phpIPAM LFI and myVesta Authenticated RCE](https://projectblack.io/blog/local-ai-for-cyber-security) +* [Strix](https://github.com/usestrix/strix) +* [GitHub Copilot community security-review skill](https://github.com/github/awesome-copilot/blob/main/skills/security-review/SKILL.md) * [Trail of Bits – AIxCC finals: Tale of the tape](https://blog.trailofbits.com/2025/08/07/aixcc-finals-tale-of-the-tape/) * [CTF Radiooo AIxCC finalist interviews](https://www.youtube.com/@ctfradiooo) {{#include ../banners/hacktricks-training.md}}