Generative AI for web application pentesting

Raul  Diaz Parra

doi:10.48009/1_iis_2025_137

Generative AI for web application pentesting

Raul Diaz Parra

Systems Engineering School

Research output: Contribution to journal › Article (Contribution to Journal) › peer-review

Abstract

The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle.

Original language	Spanish (Peru)
Pages (from-to)	502-514
Journal	Issues in Information Systems
Volume	26
Issue number	1
DOIs	https://doi.org/10.48009/1_iis_2025_137
State	Published - 4 Oct 2025

Access to Document

10.48009/1_iis_2025_137

Cite this

@article{71cc095dde4c4c188b50e3fa6e5c712e,

title = "Generative AI for web application pentesting",

abstract = "The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle. ",

keywords = "Cybersecurity, Offensive security, Penetration testing, Large language models, ShellGPT",

author = "\{Diaz Parra\}, Raul",

year = "2025",

month = oct,

day = "4",

doi = "10.48009/1\_iis\_2025\_137",

language = "Espa{\~n}ol (Per{\'u})",

volume = "26",

pages = "502--514",

journal = "Issues in Information Systems",

issn = "1529-7314",

publisher = "International Association for Computer Information Systems",

number = "1",

}

TY - JOUR

T1 - Generative AI for web application pentesting

AU - Diaz Parra, Raul

PY - 2025/10/4

Y1 - 2025/10/4

N2 - The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle.

AB - The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle.

KW - Cybersecurity

KW - Offensive security

KW - Penetration testing

KW - Large language models

KW - ShellGPT

U2 - 10.48009/1_iis_2025_137

DO - 10.48009/1_iis_2025_137

M3 - Artículo (Contribución a Revista)

SN - 1529-7314

VL - 26

SP - 502

EP - 514

JO - Issues in Information Systems

JF - Issues in Information Systems

IS - 1

ER -