NahamSec Explores AI in Cybersecurity with DeepSeek and ChatGPT

In this new video, NahamSec explores the use of artificial intelligence in the field of cybersecurity and hacking, testing two AI models, DeepSeek and ChatGPT, to see how they handle a Capture The Flag (CTF) challenge. The goal is to determine which of the two models is more effective in identifying and exploiting a vulnerability in a web application. NahamSec begins by presenting the context of the CTF challenge, which involves an application that allows users to enter their name and address, which are then reflected in a generated PDF. The objective is to identify the backend of the application and exploit a known vulnerability. He sends the same information to both AI models and compares their responses. ChatGPT, using model 01, proposes several avenues to identify the backend, including testing HTML and JavaScript injection, looking for clues in the PDF's metadata, and attempting template injections. However, it does not immediately suggest pointing to a controlled URL to identify the backend, which NahamSec had hoped for. DeepSeek, on the other hand, proposes similar approaches but goes further by suggesting specific exploits such as command injection, reading local files, and exploiting XXE (XML External Entity) vulnerabilities. It also mentions the possibility of escalating a template injection into a remote command execution (RCE), which is an interesting lead. After confirming the possibility of injecting HTML into the PDF, NahamSec asks both models how to identify the backend. ChatGPT suggests using a network request with a specific user-agent, which effectively identifies that the backend uses Prince 10, an HTML to PDF converter known for its vulnerabilities. However, when asked if there are exploits to read local files from the server, ChatGPT does not provide a usable solution. DeepSeek, however, immediately identifies the XXE vulnerability in Prince XML and provides a precise exploit to read local files. NahamSec then uses webhook.site to host a malicious XML file and exploit the vulnerability, allowing him to read the /etc/passwd file from the server. He concludes that DeepSeek was more effective in this particular case, although he remains a big fan of ChatGPT. In conclusion, NahamSec demonstrates that using AI for hacking and bug hunting is not only possible but also very effective. AI models can help identify vulnerabilities and create exploits, although their effectiveness depends on the quality of the information provided and the user's ability to interpret their suggestions. To watch the full video and learn more about the use of AI in cybersecurity, visit: https://www.youtube.com/watch?v=jWPXwEfGsAA