MSc Thesis Defense: Duygu Tümer, AUTOMATED GENERATION OF EDUCATIONAL WEB APPLICATION CYBERSECURITY CHALLENGES USING LARGE LANGUAGE MODELS, Date & Time: 21 July, 2026 – 10:00 AM, Place: FENS L061
AUTOMATED GENERATION OF EDUCATIONAL WEB APPLICATION CYBERSECURITY CHALLENGES USING LARGE LANGUAGE MODELS
Duygu Tümer
Cyber Security, MSc Thesis, 2026
Thesis Jury
Asst. Prof. Orçun Çetin (Thesis Advisor)
Assoc. Prof. Budi Arief
Asst. Prof. Süha Orhun Mutluergil
Date & Time: July 21, 2026 – 10:00 AM
Place: FENS L061
Keywords : Large Language Models, Cybersecurity Education, Web Application Security, Vulnerability Injection, Automated Code Generation
Abstract
Hands-on practice with realistic, deployable systems is widely recognized as central to cybersecurity education. Large Language Models (LLMs) have been used in this field to generate question–answer pairs, tutoring dialogues, teaching cases, and textual exercise scenarios. However, to our knowledge, no prior system uses LLMs to produce a complete, deployable web application that students can attack with professional penetration testing tools. This thesis presents a system that leverages commodity LLMs to automatically generate realistic, educational web application cybersecurity challenges. It uses a modular architecture with multiple LLMs, Google Gemini 2.5 Flash for frontend generation and OpenAI GPT-4.1-mini for backend logic and content, to create challenges embedding CWE-mapped vulnerabilities (such as SQL injection, cross-site scripting, and command injection) and design-level weaknesses such as weak password policies and privilege escalation, aligned with the OWASP Top 10. Isolated instances were deployed on a hardened Docker infrastructure behind an authenticated Nginx reverse proxy with centralized Grafana–Loki monitoring. The system was evaluated through three studies. In two graduate courses at Sabancı University, 24 master’s-level students penetration-tested dedicated instances. A third study, an open Capture-the-Flag exercise, was offered to 45 technical high-school students, of whom 18 actively attempted exploitation and 9 submitted written reports. Critically, no participant identified the challenges as LLM-generated, supporting the realism of the approach. Post-experiment surveys confirmed strong educational value, with participants reporting improved understanding of real-world web application security.