TR EN

MSc Thesis Defense: Duygu Tümer, AUTOMATED GENERATION OF EDUCATIONAL WEB APPLICATION CYBERSECURITY CHALLENGES USING LARGE LANGUAGE MODELS, Date & Time: 21 July, 2026 – 10:00 AM, Place: FENS L061

AUTOMATED GENERATION OF EDUCATIONAL WEB APPLICATION CYBERSECURITY CHALLENGES USING LARGE LANGUAGE MODELS

 

 

Duygu Tümer
Cyber Security, MSc Thesis, 2026

 

Thesis Jury

     Asst. Prof. Orçun Çetin (Thesis Advisor)

  Assoc. Prof. Budi Arief

  Asst. Prof. Süha Orhun Mutluergil

 

 

Date & Time: July 21, 2026 – 10:00 AM

Place: FENS L061

Keywords : Large Language Models, Cybersecurity Education, Web Application Security, Vulnerability Injection, Automated Code Generation

 

 

Abstract

 

Hands-on practice with realistic, deployable systems is widely recognized as central to cybersecurity education. Large Language Models (LLMs) have been used in this field to generate question–answer pairs, tutoring dialogues, teaching cases, and textual exercise scenarios. However, to our knowledge, no prior system uses LLMs to produce a complete, deployable web application that students can attack with professional penetration testing tools. This thesis presents a system that leverages commodity LLMs to automatically generate realistic, educational web application cybersecurity challenges. It uses a modular architecture with multiple LLMs, Google Gemini 2.5 Flash for frontend generation and OpenAI GPT-4.1-mini for backend logic and content, to create challenges embedding CWE-mapped vulnerabilities (such as SQL injection, cross-site scripting, and command injection) and design-level weaknesses such as weak password policies and privilege escalation, aligned with the OWASP Top 10. Isolated instances were deployed on a hardened Docker infrastructure behind an authenticated Nginx reverse proxy with centralized Grafana–Loki monitoring. The system was evaluated through three studies. In two graduate courses at Sabancı University, 24 master’s-level students penetration-tested dedicated instances. A third study, an open Capture-the-Flag exercise, was offered to 45 technical high-school students, of whom 18 actively attempted exploitation and 9 submitted written reports. Critically, no participant identified the challenges as LLM-generated, supporting the realism of the approach. Post-experiment surveys confirmed strong educational value, with participants reporting improved understanding of real-world web application security.

Home

Orta Mahalle, 34956 Tuzla, İstanbul, Türkiye

Telefon: +90 216 483 90 00

Fax: +90 216 483 90 05

© Sabancı Üniversitesi 2023