LLM Agents can Autonomously Hack Websites
Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, Daniel Kang
TL;DR
The paper demonstrates that autonomous LLM agents can hack websites without prior knowledge of the vulnerability, with GPT-4 achieving up to 73.3% success on a 15-vulnerability sandbox benchmark and even discovering vulnerabilities on real sites. The agent combines tool use, planning, and document reading, built on LangChain and the OpenAI Assistants API with a Playwright headless browser, and the results show a clear scaling advantage for frontier models over open-source ones. Ablation studies reveal the critical role of documents and detailed prompts for high performance, and real-world testing indicates non-trivial risk, surfacing findings that warrant responsible disclosure. The work highlights significant security and deployment implications for frontier models and argues for careful release policies and defense-oriented research.
Abstract
In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents. In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs.
