Penetration Testing for Websites using LLM
Article Sidebar
Main Article Content
Despite growing interest in applying Large Lan-guage Models (LLMs) to security assessment, existing prototype systems rarely provide controlled benchmarks, reproducible ar-tifacts, significance testing, or structured human evaluation. We introduce a reproducible, safety-bounded LLM-augmented web assessment framework that layers an LLM reasoning module atop conventional scanners to perform context-aware triage, con-strained payload proposal, evidence-grounded response analysis, false-alarm suppression, and actionable fix guidance. Empirical evaluation across WebGoat v2023.4, DVWA v1.9, bWAPP v2.2, and five authorized staging replicas of disclosed targets — spanning 1,247 endpoints and 462 labeled ground-truth flaws shows that the proposed approach raises micro-averaged F1 from 0.58 to 0.82 over scanner-only baselines, lowers the false-alarm rate from 23.4% to 7.2% (McNemar p<0.001), and shortens analyst review time by 43%, from 47 to 27 minutes per engagement (Wilcoxon p=0.008). Over 2,500 test executions, the safety layer blocked every destructive candidate payload with zero unsafe executions. A structured 10-person evaluation with five security practitioners and five application developers con-firmed statistically significant improvements in comprehension speed, report clarity, and remediation actionability (p<0.01).
Downloads
References
G. Bacudio, X. Yuan, B. T. B. Chu, and M. Jones, “An overview of penetration testing,” Int. J. Netw. Secur. Its Appl., vol. 3, no. 6, pp. 19–38, 2011.
S. Chaudhary, A. O’Brien, and S. Xu, “Automated post-breach penetra-tion testing through reinforcement learning,” 2020.
D. N. Raikar and S. Joshi, “A comprehensive literature review of artificial intelligent practices in the field of penetration testing,” in Intelligent Systems and Applications. Springer, 2023, pp. 75–85.
Z. Zhang, H. Al Hamadi, E. Damiani, C. Y. Yeun, and F. Taher, “Explainable artificial intelligence applications in cyber security: State-of-the-art in research,” IEEE Access, vol. 10, pp. 94123–94159, 2022.
OWASP Foundation, “OWASP Top 10: The ten most critical web application security risks,” 2021.
MITRE, “Common Weakness Enumeration (CWE),” 2024.
sqlmap Development Team, “sqlmap: Automatic SQL injection and database takeover tool.”
N. Moustafa, B. Turnbull, and K. R. Choo, “Towards automation of vulnerability and exploitation identification in IIoT networks,” 2018.
F. Kamoun, F. Iqbal, M. A. Essgehir, and T. Baker, “AI and machine learning: A mixed blessing for cybersecurity,” 2020.
WebGoat, DVWA, and bWAPP project documentation.
G. Deng et al., “PentestGPT: Evaluating and harnessing large language models for automated penetration testing,” in Proc. 33rd USENIX Security Symp., pp. 847–864, 2024.
L. Gioacchini, M. Mellia, I. Drago, A. Delsanto, G. Siracusano, and R. Bifulco, “AutoPenBench: Benchmarking generative agents for penetra-tion testing,” arXiv:2410.03225, 2024.
Happe and J. Cito, “Getting pwn’d by AI: Penetration testing with large language models,” in Proc. ESEC/FSE 2023, pp. 2082–2086, 2023.
L. Derczynski, E. Galinkin, J. Martin, S. Majumdar, and N. Inie, “garak: A framework for security probing large language models,” 2024.

This work is licensed under a Creative Commons Attribution 4.0 International License.
All articles published in our journal are licensed under CC-BY 4.0, which permits authors to retain copyright of their work. This license allows for unrestricted use, sharing, and reproduction of the articles, provided that proper credit is given to the original authors and the source.