Generative AI for web application pentesting

Raul  Diaz Parra

doi:10.48009/1_iis_2025_137

Generative AI for web application pentesting

Raul Diaz Parra

Carrera de Ingenieria de Sistemas

Producción científica: Contribución a una revista › Artículo (Contribución a Revista) › revisión exhaustiva

Resumen

The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle.

Idioma original	Español (Perú)
Páginas (desde-hasta)	502-514
Publicación	Issues in Information Systems
Volumen	26
N.º	1
DOI	https://doi.org/10.48009/1_iis_2025_137
Estado	Publicada - 4 oct. 2025

Palabras Clave

Cybersecurity
Offensive security
Penetration testing
Large language models
ShellGPT

Acceder al documento

10.48009/1_iis_2025_137

Citar esto

@article{71cc095dde4c4c188b50e3fa6e5c712e,

title = "Generative AI for web application pentesting",

abstract = "The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle. ",

keywords = "Cybersecurity, Offensive security, Penetration testing, Large language models, ShellGPT",

author = "\{Diaz Parra\}, Raul",

year = "2025",

month = oct,

day = "4",

doi = "10.48009/1\_iis\_2025\_137",

language = "Espa{\~n}ol (Per{\'u})",

volume = "26",

pages = "502--514",

journal = "Issues in Information Systems",

issn = "1529-7314",

publisher = "International Association for Computer Information Systems",

number = "1",

}

TY - JOUR

T1 - Generative AI for web application pentesting

AU - Diaz Parra, Raul

PY - 2025/10/4

Y1 - 2025/10/4

N2 - The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle.

AB - The integration of Generative AI into cybersecurity practices has opened new possibilities for automating and enhancing offensive security operations. This study explores the application of ShellGPT in the context of web application penetration testing using the OWASP Web Security Testing Guide (WSTG) as the methodological framework. The experiment targeted a vulnerable application and systematically progressed through reconnaissance, enumeration, and exploitation phases. Notably, ShellGPT successfully identified and exploited an SQL injection vulnerability, enabling full data extraction from the backend database. Results show that LLMs can generate accurate commands and support non-expert users throughout the penetration testing lifecycle.

KW - Cybersecurity

KW - Offensive security

KW - Penetration testing

KW - Large language models

KW - ShellGPT

U2 - 10.48009/1_iis_2025_137

DO - 10.48009/1_iis_2025_137

M3 - Artículo (Contribución a Revista)

SN - 1529-7314

VL - 26

SP - 502

EP - 514

JO - Issues in Information Systems

JF - Issues in Information Systems

IS - 1

ER -