YuraScanner: Leveraging LLMs for Task-driven Web App Scanning (god2025)

Chaos Computer Club - recent events feed (low quality)

Innhold levert av CCC media team. Alt podcastinnhold, inkludert episoder, grafikk og podcastbeskrivelser, lastes opp og leveres direkte av CCC media team eller deres podcastplattformpartner. Hvis du tror at noen bruker det opphavsrettsbeskyttede verket ditt uten din tillatelse, kan du følge prosessen skissert her https://no.player.fm/legal.

11d ago 22:08

MP4•Episoder hjem

Web application scanners are popular and effective black-box testing tools, automating the detection of vulnerabilities by exploring and interacting with user interfaces. Despite their effectiveness, these scanners struggle with discovering deeper states in modern web applications due to their limited understanding of workflows. This study addresses this limitation by introducing YuraScanner, a task-driven web application scanner that leverages large-language models (LLMs) to autonomously execute tasks and workflows. YuraScanner operates as a goal-based agent, suggesting actions to achieve predefined objectives by processing webpages to extract semantic information. Unlike traditional methods that rely on user-provided traces, YuraScanner uses LLMs to bridge the semantic gap, making it web application-agnostic. Using the XSS engine of Black Widow, YuraScanner tests discovered input points for vulnerabilities, enhancing the scanning process's comprehensiveness and accuracy. We evaluated YuraScanner on 20 diverse web applications, focusing on task extraction, execution accuracy, and vulnerability detection. The results demonstrate YuraScanner's superiority in discovering new attack surfaces and deeper states, significantly improving vulnerability detection. Notably, YuraScanner identified 12 unique zero-day XSS vulnerabilities, compared to three by Black Widow. This study highlights YuraScanner's potential to revolutionize web application scanning with its automated, task-driven approach. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

1695 episoder

#Technologie #CCC media team #Ccc Congress Hacking Security Netzpolitik #Video