LLM-based web application scanner recognizes tasks and workflows
Web Application Security
2025-02-21
(Press-News.org)
A new automated web application scanner autonomously understands and executes tasks and workflows on web applications. The tool, named YuraScanner, harnesses the world knowledge stored in Large Language Models (LLMs) to navigate through web applications the way a human user would. It is capable of working through tasks in a coherent fashion, performing the correct sequence of steps as required by, for example, an online shop. YuraScanner was tested against 20 web applications, unearthing 12 zero-day cross-site scripting (XSS) vulnerabilities. The technique behind YuraScanner, as well as the tool itself, have been developed by researchers at the CISPA Helmholtz Center for Information Security.
Automated web application scanners are commonly used to test the security of online applications such as online shops, learning platforms or project management tools. Typically, these scanners consist of two parts: the crawler component, which scans the web application for user interfaces, and the attack module, which then proceeds to test the interfaces identified by the crawler. CISPA researcher Aleksei Stafeev, who works in the research group of Dr. Giancarlo Pellegrino, highlights the importance of the crawler component for such automated testing to be successful: “One of the main challenges in security testing is determining the scope of the web application and identifying its functionalities and workflows. We know quite well how to detect the security issues, but how do we identify all the entry points?” Stafeev and his CISPA colleagues have developed YuraScanner with the aim of identifying as much of the attack surface as possible.
YuraScanner: Using LLMs to navigate web applications
The main innovation YuraScanner proposes is enhancing the reach and performance of the scanner’s crawler component by harnessing it to an LLM. “LLMs have been trained on the data from the web, which is rich in documentation on how to interact with websites. We tap into this knowledge by combining a crawler and an LLM to guide the exploration of a web application”, Stafeev explains. For the purpose of their study, Stafeev and his colleagues used the OpenAI API to connect their crawler component to OpenAI’s GPT-4 model. The attack module of YuraScanner is identical to Black Widow, an established state-of-the-art cross-site scripting scanner. This parallel setup allowed the CISPA researchers to directly compare the performance of the two crawler components. Testing YuraScanner against 20 web applications, they were in fact able to detect 12 previously unknown XSS vulnerabilities, compared to only three detected by Black Widow.
Taking automated web application scanning to a deeper level
Guided by an LLM, YuraScanner operates in a task-driven fashion, which allows it to reach the deeper layers of the web application being tested. Not only can it identify the tasks offered by the web application, it can also carry them out deliberately, performing the sequence of steps required to finish the task at hand. It proceeds vertically, whereas other, already established scanners tend to proceed horizontally. Stafeev explains: “Usually, testing tools don’t distinguish between different kinds of buttons, they just click on whatever is available. The main drawback of that is that if there is some very specific multi-step workflow as in, for example, an online shop, where you have to put an item into a cart, proceed to check-out and fill in a form – the chances of a simple web crawler to succeed at that are very slim.” With YuraScanner, Stafeev and his colleagues have shown that LLMs can be used in web security scanning, paving the way for further research in the field. Their research on YuraScanner will be presented at the Network and Distributed System Security Symposium (NDSS) 2025, which is taking place in San Diego, California, from February 24 to 28, 2025.
To encourage further research, the source code of YuraScanner has been made available on GitHub: https://github.com/pixelindigo/yurascanner/tree/ndss25