Master's Thesis
Web security pentesting laboratory
— 2025
Key information
Published: November 13, 2025
Abstract
Web security is a critical area of cybersecurity: cybercrime rates keep escalating, and there is a pressing need for accessible knowledge that helps users address emerging threats. We developed a laboratory for web security experimentation, designed for both the GNS3 network emulator and container runtime environments, that provides a safe setting in which to identify, exploit, and mitigate vulnerabilities without endangering real systems. The lab covers a broad spectrum of web security attacks, including recent LLM-related threats that fall within this domain; LLM attacks span a wide range, enough to merit a dedicated OWASP track, so we focus specifically on those relevant to web security. Accordingly, the work addresses injection, access and resource exploitation, and request forgery attacks, as well as LLM-specific threats such as prompt injection, system prompt leakage, and improper output handling. The lab builds on Hackergram, a social network application originally designed to demonstrate web security concepts, which we significantly extended to support new vulnerabilities and countermeasures. To address LLM-related threats, we integrated LLMs into Hackergram using the Ollama framework. The lab also incorporates ZAP for automated scanning and Burp for request interception. In addition, we developed an automated installation and configuration solution, along with step-by-step lab guides for exploring attacks and countermeasures, all made available through a dedicated website. This work is supported by the Instituto de Telecomunicações.
Publication details
Authors in the community:
João Pedro Arruda Pimentel
ist198951
Supervisors of this institution:
Rui Jorge Morais Tomaz Valadas
ist126537
Fields of Science and Technology (FOS)
Electrical engineering, electronic engineering, information engineering
Publication language (ISO code)
eng - English
Rights type:
Embargoed access
Date available:
September 19, 2026
Institution name
Instituto Superior Técnico