A Quick Look into ChatGPT's Network Traffic

ChatGPT is making waves as the Internet's favorite chatbot. Apart from being hailed as the replacement for conventional Search Engines, its text generation capabilities are surprising everyone. To demonstrate how good it is, I have asked it to write the Introduction for this blog. Take a look:

In this blog, we will try to look at the network communications that happens in the background while people gleefully wait for the ChatGPT to respond to their questions. We also investigated the hostnames that it uses, custom HTTP headers, and its API traffic.

Network Traffic Analysis

We have analysed the ChatGPT web application traffic and found some interesting insights, which can be helpful for other researchers.

Here are the findings for different actions –

1. Login:

We have observed that when a user clicks “Login” on the ChatGPT webpage, it sends a POST request to the server including the username (email address) and the password in URL-encoded format (x-www-form-urlencoded) inside the payload.

Since the hostname related to this traffic is “auth0.openai.com” and “x-auth0-requestid” is used as one of the custom headers inside the Response, it seems that ChatGPT is using “Auth0” service (provided by Okta) to authenticate and authorize the user.

2. Open ChatGPT Chat Session:

After the successful login, a new ChatGPT session starts using the “chat.openai.com” host and the traffic looks like this –

After that it sends a GET request to the conversation API of the server to get a list of the existing conversations setting the max limit to 20.

Then the server replies with the list in JSON format including creation date, title, and a unique id (Version 4 UUID) for each.

Next, the client also sends a GET request to the server to get the list of available AI models.

And the server replies with the list of AI models like “text-davinci-002-render” in JSON format

3. Chat with Chatbot:

We have seen that ChatGPT is using QUIC Version 1 (RFC 9000) for the actual chatting with the Chatbot.

For each of the chat message we ask to the ChatGPT chatbot, it first sends a POST request to the conversation API of the chat.openai.com server

Also, in the payload part it sends the message in text format, the AI models that the client chooses from the previous request, a unique message id and the parent message id in JSON format.

Then, the message is sent to the moderation api through a POST request to check whether the message content complies with the set of predefined rules.

The response is also sent through the moderation API again for checking the same.

4. Logout:

When the user clicks logout, it first sends GET request to the chat.openai.com server followed by another GET to the auth0.openai.com server.

ChatGPT in Keysight Technologies ATI:

At Keysight Technologies Application and Threat Intelligence (ATI), since we always try to deliver the hot trending application, we have published the ChatGPT application traffic in ATI-2023-02 StrikePack released in February 1, 2023 which includes both the generic QUIC traffic and the native ChatGPT traffic.

We have also published another version of ChatGPT in ATI-2023-03 StrikePack which simulates the HAR collected from the ChatGPT web application as of February 2023 including different user actions like login, chatting with the ChatGPT bot and logout. Here all the HTTP transactions are replayed in HTTP1.1 over TLS1.2.

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPointnow have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security control's ability to detect or block such attacks.