ChatGPT

Adapted from NahamSec's video on YouTube: https://www.youtube.com/watch?v=0lq-CokNjSI

General format

Legitimacy statement
Task
Technical context
Output constraints
Knowledge boundaries
Success criteria

1. Legitimacy statement

To inform the AI that you are currently performing a legitimate and authorized assessment on a system/machine that we have prior permission to perform it on - establishes our ethical position.

Examples

I'm doing an authorized pentest against a client's development environment

I am working on a CTF

2. Task

The task that we want the AI to perform.

Examples

Generate 5 working XSS paylods based on the following criteria

3. Technical context

Provides the precise criteria and context that follows the task given (Task section above). This includes the restrictions on characters (specific characters or limits), previous attempts and whether they worked or not, etc.

Examples

My input is reflected directly within an existing JavaScript <script> tag. I'm restricted from using these characters: .... Inputs can't exceed 100 characters. My previous attempts are: <script>...</script>, and the results were ....

4. Output constraints

Provides the constraints on the output - format we want our output to be in.

Examples

Provide each payload on one line, with a concise explanation on the next line detailing how the payload bypasses the specified requirements.

Provide outputs in JSON format

Provide the output in url-encoded format

5. Knowledge boundaries

Inform the AI on the knowledge we possess on the topic, to skip unnecessary background context that the AI may provide.

Examples

I already understand the basics on reflected XSS concepts. Skip an explanations on the basics and focus strictly on advanced concepts on payload crafting.

6. Success criteria

What defines how we judge a good response from the AI.

Examples

Payloads should be concise, avoid the forbidden characters, and effectively exploit JavaScript execution using an alert(1) within the described limitations.

Useful tools

PreviousOWASP WebGoat

Last updated 3 months ago

ChatGPT

Adapted from NahamSec's video on YouTube: https://www.youtube.com/watch?v=0lq-CokNjSI

General format

Legitimacy statement
Task
Technical context
Output constraints
Knowledge boundaries
Success criteria

1. Legitimacy statement

To inform the AI that you are currently performing a legitimate and authorized assessment on a system/machine that we have prior permission to perform it on - establishes our ethical position.

Examples

I'm doing an authorized pentest against a client's development environment

I am working on a CTF

2. Task

The task that we want the AI to perform.

Examples

Generate 5 working XSS paylods based on the following criteria

3. Technical context

Examples

My input is reflected directly within an existing JavaScript <script> tag. I'm restricted from using these characters: .... Inputs can't exceed 100 characters. My previous attempts are: <script>...</script>, and the results were ....

4. Output constraints

Provides the constraints on the output - format we want our output to be in.

Examples

Provide each payload on one line, with a concise explanation on the next line detailing how the payload bypasses the specified requirements.

Provide outputs in JSON format

Provide the output in url-encoded format

5. Knowledge boundaries

Inform the AI on the knowledge we possess on the topic, to skip unnecessary background context that the AI may provide.

Examples

I already understand the basics on reflected XSS concepts. Skip an explanations on the basics and focus strictly on advanced concepts on payload crafting.

6. Success criteria

What defines how we judge a good response from the AI.

Examples

Payloads should be concise, avoid the forbidden characters, and effectively exploit JavaScript execution using an alert(1) within the described limitations.

Useful tools

GitHub - simonw/llm: Access large language models from the command-lineGitHub

PreviousOWASP WebGoat

Last updated 3 months ago