1 |
Evaluating LLM based web application penetration testing: How does AI improve efficiency?
Brüsemeister, Patrick. 10 May 2024.
The thesis examines the use of Large Language Models (LLMs) in web application penetration testing. The goal is to support penetration testers and accelerate the process, to identify and fix security vulnerabilities in web applications more effectively. The thesis compares different approaches and evaluates how LLMs, such as ChatGPT and others, can improve the efficiency of penetration testing. It is evaluated whether the application of LLMs can reduce the necessary effort for penetration testing, to more effectively identify and fix security vulnerabilities in web applications. The research contributes to the topic by investigating, evaluating, and outlining the possibilities and limitations of LLMs in the context of penetration testing.

1 Intro
2 Basics
2.1 Web Application Security
2.2 Penetration Testing
2.3 Penetration Testing Standards
2.4 Penetration Testing Tools
2.5 Artificial Intelligence
2.6 Large Language Models
2.7 LLM prompting techniques
2.8 AI's Growing Role in Cybersecurity
2.9 Penetration Testing and AI
2.10 Research Objectives and Scope
2.11 Significance of the Study and Research Question
2.12 Structure of the Thesis
3 Literature Review
4 Market Analysis
4.1 Use of LLMs in Combination with Existing Penetration Testing Software
4.2 Open-Source Solutions Leveraging LLMs
4.3 Commercial Solutions Leveraging LLMs for Cybersecurity purposes
4.4 ChatGPT-GPTs
4.5 Identifying the Need for Optimization in Penetration Testing Processes
4.6 Opinions of Penetration Testers on Generative AI Use
5 Methodology
5.1 Research Methods and Approaches
5.2 Benchmarks Used for Evaluation
6 Concept and Implementation
6.1 Limitations of LLMs
6.2 Deciding Which LLM Models to Use
6.3 Identifying and Executing Tasks with LLMs
6.4 Tailoring the LLM for Penetration Testing
6.5 Resource Requirements
7 Evaluation of LLMs for Penetration Testing
7.1 Interviews: Identifying the use of LLMs for Pentesting
7.2 Preparing the Test Environment
7.3 Evaluation of Command Generation
7.4 ChatGPT Assistant GPT
7.5 Google Gemini Advanced
7.6 Discussion of results
7.7 Answering the Research Question
7.8 Resulting Penetration Testing Workflow
8 Conclusion
2 |
A Study On API Security Pentesting
Asemi, Hadi. 01 October 2023.
Application Programming Interfaces (APIs) are essential in the digital realm as the bridge enabling seamless communication and collaboration between diverse software applications. Their significance lies in simplifying the integration of different systems, allowing them to work together effortlessly and share data. APIs are used in various applications, for example, healthcare, banks, authentication, etc. Ensuring the security of APIs is critical to ensure data security, privacy, and more. Therefore, the security of APIs is not only urgent but mandatory for pentesting APIs at every stage of development and to catch vulnerabilities early. The primary purpose of this research is to provide guidelines to help apply existing tools for reconnaissance and authentication pentesting. To achieve this goal, we first introduce the basics of API and OWASP's Top 10 API security vulnerabilities. Secondly, we propose deployable scripts developed for Ubuntu Debian Systems to install pentesting tools automatically. These scripts allow future students to participate in API security courses and conduct API security pentesting. API security pentesting, regarding reconnaissance and authentication, is discussed based on the configured system. For reconnaissance, passive and active approaches are introduced with different tools for authentication, including password-based authentication brute-forcing, one-time password (OTP) brute-forcing, and JSON web token brute force.
3 |
The ADS-B protocol and its weaknesses : Exploring potential attack vectors
Sjödin, Andreas; Gruneau, Marcus. January 2020.
The ADS-B protocol is currently in use all around the world. The purpose behind the protocol is to give pilots and traffic control a better picture of the situation in the air. Previous research shows that there exists a vulnerability in the protocol since it lacks authentication. The protocol is solely built upon trust between sender and receiver. Our work is inspired by previous studies made in the area, where it has been demonstrated that one can inject fake aircraft by sending fake ADS-B data using the protocol.
The purpose behind this report was to perform a penetration test according to the OSSTMM3, a manual on how to perform scientific penetration tests. We wanted to test a real product (ADS-B receiver) made for pilots and measure if we could manipulate the environment presented to the pilot. Our testing shows that the receiver blindly trusts the protocol without any data validation. We managed to inject fake static aircraft just like previous researchers have done, but also move them around in the environment in a way that breaks the laws of physics and flood the device with fake data, effectively denying the service provided. Since we managed to deny the service, which is to give the user a correct picture of the nearby air traffic, we feel like our tests were successful.
4 |
Är gymnasieskolans digitala säkerhet tillräcklig? : Risk- och sårbarhetsanalys, ur ett informationssäkert perspektiv / Is the Swedish high school digital security adequate? : Risk and Vulnerability assessment
Rahimi, Farhad; Isufi, Mevlyde. January 2020.
This work presents a study of how information security has been implemented in the municipal high school. The study covers applications' resistance to intrusion, hardware security, the overall competence of students and the IT department, and requirements for confidentiality in relation to municipal and state guidelines. The study includes field visits that have been carried out at two municipal high schools with technical vulnerabilities in focus. Based on this study, a risk and vulnerability analysis and an action plan for identified risks are presented.
5 |
ANEX: Automated Network Exploitation Through Penetration Testing
Dazet, Eric Francis. 01 June 2016.
Cyber attacks are a growing concern in our modern world, making security evaluation a critical venture. Penetration testing, the process of attempting to compromise a computer network with controlled tests, is a proven method of evaluating a system's security measures. However, penetration tests, and preventive security analysis in general, require considerable investments in money, time, and labor, which can cause them to be overlooked. Alternatively, automated penetration testing programs are used to conduct a security evaluation with less user effort, lower cost, and in a shorter period of time than manual penetration tests. The trade-off is that automated penetration testing tools are not as effective as manual tests. They are not as flexible as manual testing, cannot discover every vulnerability, and can lead to a false sense of security. The development of better automated tools can help organizations quickly and frequently know the state of their security measures and can help improve the manual penetration testing process by accelerating repetitive tasks without sacrificing results.
This thesis presents Automated Network Exploitation through Penetration Testing (ANEX), an automated penetration testing system designed to infiltrate a computer network and map paths from a compromised network machine to a specified target machine. Our goal is to provide an effective security evaluation solution with minimal user involvement that is easily deployable in an existing system. ANEX demonstrates that important security information can be gathered through automated tools based solely on free-to-use programs. ANEX can also enhance the manual penetration testing process by quickly accumulating information about each machine to develop more focused testing procedures.
Our results show that we are able to successfully infiltrate multiple network levels and exploit machines not directly accessible to our testing machine with mixed success. Overall, our design shows the efficacy of utilizing automated and open-source tools for penetration testing.
6 |
Unauthorized Smart Lock Access : Ethical Hacking of Smart Lock Systems / Obehörig åtkomst av smarta lås : Etisk hackning av smarta låssystem
Winkelmann, Albin. January 2022.
IoT devices have become more common in our everyday lives as they provide more useful features than traditional devices. One such device is the smart door lock, which enables homeowners to grant access on a user-specified level through digital keys and remote operation. However, as smart locks are meant to protect everything we own, they become an attractive target for attackers. This thesis evaluates the Yale Linus and Gimdow smart lock systems through a comprehensive security examination, in order to provide insight into the IT security of common smart locks on the market today and whether or not the companies behind the locks researched have implemented mitigations towards common attacks on smart locks found in earlier research. In doing so, Gimdow proved to lack basic security measures as an attacker could easily get unauthorized access. The Yale Linus system was deemed to have sufficient IT security as no immediate vulnerabilities were found.
7 |
Penetration Testing and Privacy Assessment of Top-Ranked Health and Fitness Apps : An Empirical Study / Penetrationstestning och Integritetsbedömning av Toppklassade Hälso- och Fitnessappar : En Empirisk Studie
Forsberg, Albin. January 2024.
Mobile health applications (mHealth apps), particularly in the health and fitness category, have experienced an increase in popularity due to their convenience and availability. However, this widespread adoption has raised concerns regarding the security and privacy of user data within these apps. This study investigates the security and privacy risks associated with ten top-ranked Android health and fitness apps, a set which accounts for 237 million downloads. By utilizing tools such as MobSF, Qualys SSL, and CLAUDETTE, we performed a static, dynamic, server-side, and privacy policy analysis in order to gain comprehensive insights into the security and privacy posture of the investigated mobile health and fitness apps. The results from the analysis revealed vulnerabilities in coding practices, hardcoded sensitive information, insecure encryption configurations, misconfiguration, and extensive domain communication. For instance, our analysis revealed that all apps stored their database API key directly in the code, with eight apps additionally exposing the database URL. Furthermore, six apps employed insecure encryption methods, such as CBC mode with PKCS5/PKCS7 padding (five apps) and ECB mode (two apps). In total, the apps interacted with 404 distinct domains. Notably, two apps communicated with more than 230 domains each, while a third app connected with over 100 domains. Despite these findings, developers demonstrated improved awareness and proficiency in addressing privacy and security risks compared to previous studies in the field. The study underscores the importance of continuous research to comprehensively understand the security and privacy landscape of health and fitness apps.
8 |
Identifiering och Utnyttjande av Sårbarheter hos en IP-Kamera / Identification and Exploitation of Vulnerabilities in an IP-Camera
Fjellborg, Joakim. January 2021.
Today, systems such as cameras or fridges with the capability of being connected to the internet and communicating without human intervention are becoming increasingly common, so-called IoT systems. A system being connected to the internet means that the system's attack surface is increased, and the system can, if infected, be used by the attacker to communicate with the outside world to perform denial-of-service or other types of attacks. This thesis examines the security of an internet-connected security camera (IP camera). The aim is to identify vulnerabilities in the system and, if possible, to develop attacks that exploit these vulnerabilities with the goal of evaluating the security of the system. The results show that the system is vulnerable to some attacks, mainly man-in-the-middle as well as cross-site-request-forgery based attacks.
9 |
Security analysis of a modern smart camera / Säkerhetsanalys av en smart kamera
Johannesson, Simon; Pettersson, Victor. January 2022.
IoT devices have historically lacked in security standards, but since it is at the same time a continuously growing market, it is important that security analyses continue in order to evaluate the development of security in the IoT industry. This research is a security analysis of the Deltaco SH-IPC05 WIFI Camera, an inexpensive device that can be accessed through a mobile application from anywhere on the internet via the cloud. It follows the Practical and Agile Threat Research for IoT (PatrIoT) methodology and is delimited to network traffic and the software of the device. Due to legal limitations the cloud is not included in the analysis, and the hardware security is not included due to time constraints. The device was found to use default credentials for its Open Network Video Interface Forum (ONVIF) service, but it is easy for a user to change the default password from the mobile application if the user can guess what the default password is, and the service is not enabled by default. Three DoS attacks were identified to be effective, two of which caused the device to crash and reboot, and the third one prevented the camera from responding until the attack ended. One of the attacks that consistently crashed the camera could keep crashing the camera repeatedly, thus keeping it offline. When analyzing the network traffic, it was possible to consistently detect the packets that notified users of motion or sound detection by looking for specific TCP packet sizes and ports. Although some issues were found, the device appeared to be generally secure, with encrypted network traffic and minimally exposed services.