A New Approach to Web Application Security: Utilizing GPT Language Models for Source Code Inspection


Bibliographic Details
Main Authors: Zoltán Szabó, Vilmos Bilicki
Format: Article
Language: English
Published: MDPI AG 2023-09-01
Series: Future Internet
Subjects: large language models; GPT; sensitive data; vulnerability detection; CWE-653; Angular
Online Access: https://www.mdpi.com/1999-5903/15/10/326
_version_ 1797626742793306112
author Zoltán Szabó
Vilmos Bilicki
author_facet Zoltán Szabó
Vilmos Bilicki
author_sort Zoltán Szabó
collection DOAJ
description Due to the proliferation of large language models (LLMs) and their widespread use in applications such as ChatGPT, there has been a significant increase in interest in AI over the past year. Multiple researchers have raised the question: how will AI be applied and in what areas? Programming, including the generation, interpretation, analysis, and documentation of static program code based on prompts, is one of the most promising fields. With the GPT API, we have explored a new aspect of this: static analysis of the source code of front-end applications at the endpoints of the data path. Our focus was the detection of the CWE-653 vulnerability—inadequately isolated sensitive code segments that could lead to unauthorized access or data leakage. This type of vulnerability detection consists of the detection of code segments dealing with sensitive data and the categorization of the isolation and protection levels of those segments, which was previously not feasible without human intervention. However, we believed that the interpretive capabilities of GPT models could be explored to create a set of prompts to detect these cases on a file-by-file basis for the applications under study, and the efficiency of the method could pave the way for additional analysis tasks that were previously unavailable for automation. In the introduction to our paper, we characterize in detail the problem space of vulnerability and weakness detection, the challenges of the domain, and the advances that have been achieved in similarly complex areas using GPT or other LLMs. Then, we present our methodology, which includes our classification of sensitive data and protection levels. This is followed by the process of preprocessing, analyzing, and evaluating static code. This was achieved through a series of GPT prompts containing parts of static source code, utilizing few-shot examples and chain-of-thought techniques that detected sensitive code segments and mapped the complex code base into manageable JSON structures. Finally, we present our findings and evaluation of the open source project analysis, comparing the results of the GPT-based pipelines with manual evaluations, highlighting that the field yields a high research value. The results show a vulnerability detection rate for this particular type of model of 88.76%, among others.
first_indexed 2024-03-11T10:14:33Z
format Article
id doaj.art-2ed7b2c7ad0c4f03930eeda1b8b066b2
institution Directory Open Access Journal
issn 1999-5903
language English
last_indexed 2024-03-11T10:14:33Z
publishDate 2023-09-01
publisher MDPI AG
record_format Article
series Future Internet
spelling doaj.art-2ed7b2c7ad0c4f03930eeda1b8b066b2 | 2023-11-16T10:28:25Z | eng | MDPI AG | Future Internet | ISSN 1999-5903 | 2023-09-01 | vol. 15, no. 10, article 326 | DOI 10.3390/fi15100326 | A New Approach to Web Application Security: Utilizing GPT Language Models for Source Code Inspection | Zoltán Szabó (Department of Software Engineering, University of Szeged, Dugonics Square 13., 6720 Szeged, Hungary); Vilmos Bilicki (Department of Software Engineering, University of Szeged, Dugonics Square 13., 6720 Szeged, Hungary) | abstract as given in the description field of this record | https://www.mdpi.com/1999-5903/15/10/326 | large language models; GPT; sensitive data; vulnerability detection; CWE-653; Angular
title A New Approach to Web Application Security: Utilizing GPT Language Models for Source Code Inspection
topic large language models
GPT
sensitive data
vulnerability detection
CWE-653
Angular
url https://www.mdpi.com/1999-5903/15/10/326