With the increasing use of web applications,challenges in the field of cybersecurity are becoming more complex.This paper explores the application of fine-tuned large language models(LLMs)for the automatic generation ...With the increasing use of web applications,challenges in the field of cybersecurity are becoming more complex.This paper explores the application of fine-tuned large language models(LLMs)for the automatic generation of synthetic attacks,including XSS(Cross-Site Scripting),SQL Injections,and Command Injections.A web application has been developed that allows penetration testers to quickly generate high-quality payloads without the need for in-depth knowledge of artificial intelligence.The fine-tuned language model demonstrates the capability to produce synthetic payloads that closely resemble real-world attacks.This approach not only improves the model’s precision and dependability but also serves as a practical resource for cybersecurity professionals to enhance the security of web applications.The methodology and structured implementation underscore the importance and potential of advanced language models in cybersecurity,illustrating their effectiveness in generating high-quality synthetic data for penetration testing purposes.The research results demonstrate that this approach enables the identification of vulnerabilities that traditional methods may not uncover,providing deeper insights into potential threats and enhancing overall security measures.The performance evaluation of the model indicated satisfactory results,while further hyperparameter optimization could improve accuracy and generalization capabilities.This research represents a significant step forward in improving web application security and opens new opportunities for the use of LLMs in security testing,thereby contributing to the development of more effective cybersecurity strategies.展开更多
Web applications have become a widely accepted method to support the internet for the past decade.Since they have been successfully installed in the business activities and there is a requirement of advanced functiona...Web applications have become a widely accepted method to support the internet for the past decade.Since they have been successfully installed in the business activities and there is a requirement of advanced functionalities,the configuration is growing and becoming more complicated.The growing demand and complexity also make these web applications a preferred target for intruders on the internet.Even with the support of security specialists,they remain highly problematic for the complexity of penetration and code reviewing methods.It requires considering different testing patterns in both codes reviewing and penetration testing.As a result,the number of hacked websites is increasing day by day.Most of these vulnerabilities also occur due to incorrect input validation and lack of result validation for lousy programming practices or coding errors.Vulnerability scanners for web applications can detect a few vulnerabilities in a dynamic approach.These are quite easy to use;however,these often miss out on some of the unique critical vulnerabilities in a different and static approach.Although these are time-consuming,they can find complex vulnerabilities and improve developer knowledge in coding and best practices.Many scanners choose both dynamic and static approaches,and the developers can select them based on their requirements and conditions.This research explores and provides details of SQL injection,operating system command injection,path traversal,and cross-site scripting vulnerabilities through dynamic and static approaches.It also examines various security measures in web applications and selected five tools based on their features for scanning PHP,and JAVA code focuses on SQL injection,cross-site scripting,Path Traversal,operating system command.Moreover,this research discusses the approach of a cyber-security tester or a security developer finding out vulnerabilities through dynamic and static approaches using manual and automated web vulnerability scanners.展开更多
基金supported by the Ministry of Science,Technological Development and Innovation of the Republic of Serbia,and these results are parts of Grant No.451-03-66/2024-03/200132 with the University of Kragujevac-Faculty of Technical Sciences Cacak.
文摘With the increasing use of web applications,challenges in the field of cybersecurity are becoming more complex.This paper explores the application of fine-tuned large language models(LLMs)for the automatic generation of synthetic attacks,including XSS(Cross-Site Scripting),SQL Injections,and Command Injections.A web application has been developed that allows penetration testers to quickly generate high-quality payloads without the need for in-depth knowledge of artificial intelligence.The fine-tuned language model demonstrates the capability to produce synthetic payloads that closely resemble real-world attacks.This approach not only improves the model’s precision and dependability but also serves as a practical resource for cybersecurity professionals to enhance the security of web applications.The methodology and structured implementation underscore the importance and potential of advanced language models in cybersecurity,illustrating their effectiveness in generating high-quality synthetic data for penetration testing purposes.The research results demonstrate that this approach enables the identification of vulnerabilities that traditional methods may not uncover,providing deeper insights into potential threats and enhancing overall security measures.The performance evaluation of the model indicated satisfactory results,while further hyperparameter optimization could improve accuracy and generalization capabilities.This research represents a significant step forward in improving web application security and opens new opportunities for the use of LLMs in security testing,thereby contributing to the development of more effective cybersecurity strategies.
基金The author swould like to thank the Deanship of Scientific Research at Majmaah University for supporting this work under Project Number No-R-14xx-4x.
文摘Web applications have become a widely accepted method to support the internet for the past decade.Since they have been successfully installed in the business activities and there is a requirement of advanced functionalities,the configuration is growing and becoming more complicated.The growing demand and complexity also make these web applications a preferred target for intruders on the internet.Even with the support of security specialists,they remain highly problematic for the complexity of penetration and code reviewing methods.It requires considering different testing patterns in both codes reviewing and penetration testing.As a result,the number of hacked websites is increasing day by day.Most of these vulnerabilities also occur due to incorrect input validation and lack of result validation for lousy programming practices or coding errors.Vulnerability scanners for web applications can detect a few vulnerabilities in a dynamic approach.These are quite easy to use;however,these often miss out on some of the unique critical vulnerabilities in a different and static approach.Although these are time-consuming,they can find complex vulnerabilities and improve developer knowledge in coding and best practices.Many scanners choose both dynamic and static approaches,and the developers can select them based on their requirements and conditions.This research explores and provides details of SQL injection,operating system command injection,path traversal,and cross-site scripting vulnerabilities through dynamic and static approaches.It also examines various security measures in web applications and selected five tools based on their features for scanning PHP,and JAVA code focuses on SQL injection,cross-site scripting,Path Traversal,operating system command.Moreover,this research discusses the approach of a cyber-security tester or a security developer finding out vulnerabilities through dynamic and static approaches using manual and automated web vulnerability scanners.
