[HackerNotes Ep. 137] How We Do AI-Assisted Whitebox Review, New CSPT

Author

gr3pme
September 01, 2025

Hacker TLDR;

  • Coding Agents as Hacking Assistants & AI Safety: Use AI tools like Claude or the Gemini CLI for rapid codebase analysis. A key takeaway is to prompt the AI to analyze test files to identify security controls and then search for similar functions that are missing those same controls. We’ve got the rough process the guys used below. Also, keep an eye on lucrative AI safety programs from Anthropic and OpenAI, with bounties up to $35,000 for jailbreaks.

  • CSPT + Cache Deception: You can chain a Client-Side Path Traversal (CSPT) to exploit a cache deception that requires a specific header or token. Use the CSPT to hijack a fetch request, which automatically includes the victim's session and CSRF token. Craft the authenticated request to end in a cacheable extension (e.g., .css) to trigger the rule and have the sensitive response cached at the CDN level for retrieval. Original writeup here: https://zere.es/posts/cache-deception-cspt-account-takeover/

  • postMessage targetOrigin Bypass: A $20k Google VRP write-up demonstrates a classic bypass. The code checked the postMessage origin with origin.endswith(".google.com"). This was bypassed by providing an origin like attacker.com/codeassist.google.com, which allowed the attacker to leak the OAuth authorization code. Always check for loose endswith checks in authentication flows. Original writeup here: bughunters.google.com/reports/vrp/wG2bN8vZr

  • LLM C2 via Dig & New Tools: You can now query an LLM over DNS using dig ch.at TXT "your query here", perfect for restricted environments like in-flight WiFi. Also, check out new tool releases: Searchlight Cyber's hosted tools at tools.slcyber.io, Slice for LLM-powered SAST (github.com/noperator/slice), and Ebka, an AI plugin for Caido (github.com/Slonser/Ebka-Caido-AI).

Stop chasing breaches and start fixing the gaps that cause them. ThreatLocker DAC automatically finds and helps you fix system misconfigurations before they're exploited. Effortlessly align with compliance standards like NIST, CIS, and HIPAA while hardening your defenses.

Coding Agents as Hacking Assistants & AI Safety Bug Bounty

If you've had frustrating results with large codebases during code review or development, the guys dropped a few tips to make this process as painless as possible.

Initial Setup & Tooling

Joseph initially recommended using Claude Code for its ability to ingest code and create a detailed application profile.

However, Justin opted for the Gemini CLI client because of its massive context window and since he didn't have an active Claude subscription.

Justin even created custom commands and extensions within the Gemini CLI to perform the initial codebase analysis, tailoring the tool to his specific workflow.

Analysis & Prompting Process

The core of the process involves prompting the AI to analyze each file based on several key areas:

  • The business function of the file.

  • The primary functions within the file or class.

  • The defined security boundaries and their associated functions

  • Any security-related functionality - validation, permission checks expected input/output

  • The threat model, including potential attacker profiles and the prerequisites for an attack.

After the initial pass, the AI performs a two-step summarization: first, summarizing the analysis of all individual files, and then creating a final "summary of all the summaries."

This culminates in a comprehensive code architecture file that describes the application's functionality, data flow, and overall security architecture, highlighting the core security components.

Takeaways + Tips

Two key prompting strategies emerged that proved highly effective during this process:

  • Analyze Test Files: Have the AI specifically look at test files to identify any tests validating a security control. This can quickly point to critical security components and potential single points of failure.

  • Identify Missing Controls: Prompt the AI to find where security controls are implemented and then search for similar or adjacent functions that are missing that same control. This technique got Justin very close to the vulnerability he found.

Benefits

This AI-assisted approach offers significant advantages:

  • Efficiency: The process dramatically speeds up the time it takes to understand a codebase's security posture. Justin condensed what would normally take 4-5 hours of familiarization into about 30-60 minutes.

  • Vulnerability Identification: While it may not point directly to a vulnerability, it effectively highlights the areas of the application most likely to contain one and reduce time to identify high signal areas.

  • POC Generation: The AI assistant is highly effective at quickly spinning up Proof-of-Concept (POC) scripts to validate findings.

AI Safety Research + Bug Bounty

On a similar note, Rez0 mentioned using coding assistants in his AI safety research. AI safety has become a pretty big deal and potentially lucrative area within bug bounty. Researchers are getting paid to find vulnerabilities like jailbreaks, prompt injections, and biases in AI models.

Key programs and initiatives discussed include:

  • Anthropic's Safety Program: Anthropic offers high rewards, paying up to $35,000 for a "universal transferable jailbreak." These jailbreaks must elicit answers to specific, dangerous questions related to topics like bio-warfare, with strict rules on how the original question can be modified.

  • OpenAI Bio Bounty: While OpenAI didn't previously offer bounties for safety issues, they recently launched a "bio bounty," matching Anthropic's top reward of $35,000 for a full jailbreak. This payout might only apply to the first such vulnerability found.

  • GPT-OSS 20B Challenge: OpenAI also sponsored a $500,000 Kaggle challenge focused on their 20 billion parameter open-source model. The goal was for researchers to discover and showcase "novel harms," such as getting the model to produce biased content or give dangerous health advice.

It’s also worth mentioning that the GPT-OSS model is meant to be a pretty good local model that can run on local hardware pretty well. It might be worth checking out.

CSPT + Cache Deception

A nice writeup from Zere covered a cache deception that wasn't exploitable because it required a specific token in the request. However, by chaining it with a Client-Side Path Traversal (CSPT), it became possible to exploit.

He managed to invoke the cache deception using the CSPT due to the CSPT adding the necessary header - the below screenshot is taken from the blog of the standard flow:

The CSPT was used to hijack a fetch request, which then automatically included the victim's session and CSRF token. This authenticated request was crafted to end in .css, triggering the cache deception rule, looking like the below:

Because the request now contained the valid token, the sensitive response from the server was cached at the CDN level. The attacker could then retrieve the cached page containing the victim's sensitive data.

If you have a cache deception that requires a header or token, CSPT might be the gadget you need to exploit it.

Raw Dogging JS

Shout out to @efaav on X - https://x.com/efaav - for his dedication. When his power goes out during a hurricane, he doesn't stop hacking.

Instead, he opens his laptop and starts analyzing locally downloaded JavaScript files. Straight up raw dogging JS. That's the passion that finds bugs.

Communicating with an LLM - C2 Style - Via Dig

Yes, you read that right. It's 2025 and we can finally chat with an LLM via the dig command.

A company called Deep AI set up a service at ch.at that allows you to send queries to an LLM over DNS. This means on a flight with DNS pass-through, you can still get your AI fix.

dig ch.at TXT "your query here"

Amazing.

Tools: Searchlight Cyber Tools, Slice, and Ebka

Searchlight Cyber Tools

The team at Searchlight Cyber (formerly AssetNote) has released hosted versions of their popular tools, including New Towner and No Waf Please, available at tools.slcyber.io.

I had a look, you get 100 credits for free and they renew monthly. Nice if you need to quickly check something.

Searchlight Cyber Tools

tools.slcyber.io

Slice

Our friend Caleb Gross released Slice, a tool that combines static analysis (SAST) with an LLM to find vulnerabilities in code. It uses CodeQL queries to filter results and then ranks them by criticality.

It’s particularly effective for C codebases and has been used to consistently find complex vulnerabilities like the recent Linux kernel SMB bug.

Caido plugin - Ebka

Slonser released Ebka, an AI plugin for Kaido. It allows you to control the Caido interface from inside Claude Code, using natural language to perform actions like creating filters, searching history, and sending requests to the replayer.

Bug Writeup: postMessage targetOrigin bypass opens room for OAuth authorization code stealing scenarios

Researcher Jacob Domaraki dropped a fantastic $20k write-up on the Google VRP for a bug in the new Gemini CodeAssist tool. It's a great reminder that even on hardened targets like Google, high-impact bugs are still out there, especially in new and rapidly changing products.

He noticed that the OAuth flow's state parameter contained a JSON blob with an origin key. The redirect URI page used this origin value to verify the postMessage targetOrigin.

The check used origin.endswith(".google.com"), which he bypassed by providing an origin like attacker.com/codeassist.google.com. This allowed him to leak the OAuth authorization code.

This is the kind of bug you can find by paying attention to the details of authentication flows. Excellent work by Jacob.

As always, keep hacking!