Master's Thesis

Web security pentesting laboratory

João Pedro Arruda Pimentel2025

Key information

Authors:

João Pedro Arruda Pimentel (João Pedro Arruda Pimentel)

Supervisors:

Rui Jorge Morais Tomaz Valadas (Rui Jorge Morais Tomaz Valadas); Tiago Filipe Sequeira Domingues

Published in

November 13, 2025

Abstract

Web security is a critical area of cybersecurity, with escalating cybercrime rates and a pressing need for accessible knowledge to help users address emerging threats. We developed a laboratory for web security experimentation, designed for both the GNS3 network emulator and container runtime environments, providing a safe setting to identify, exploit, and mitigate vulnerabilities without endangering real systems. We cover a broad spectrum of web security attacks, including recent LLM-related threats that fall within this domain. While LLM attacks span a wide range, enough to merit a dedicated OWASP track, we focus specifically on those relevant to web security. Accordingly, the work addresses injection, access and resource exploitation, and request forgery attacks, as well as LLM-specific threats such as prompt injection, system prompt leakage, and improper output handling. The lab leverages Hackergram, a social network application originally designed to demonstrate web security concepts. We significantly extended it to support new vulnerabilities and countermeasures. To address LLM-related threats, we integrated LLMs into Hackergram using the Ollama framework. The lab also incorporates ZAP and Burp for automated scanning and request interception, respectively. In addition, we developed an automated installation and configuration solution, along with step‑by‑step lab guides for exploring attacks and countermeasures, all made available through a dedicated website. This work is supported by the Instituto de Telecomunicações.

Publication details

Authors in the community:

Supervisors of this institution:

Fields of Science and Technology (FOS)

electrical-engineering-electronic-engineering-information-engineering - Electrical engineering, electronic engineering, information engineering

Publication language (ISO code)

eng - English

Rights type:

Embargoed access

Date available:

September 19, 2026

Institution name

Instituto Superior Técnico