Syilloam, Jacinta (2026) From Prompts to Pwns: A Deliberately Insecure Playground for Web Exploitation in Applications with Language Model Integration. Other thesis, Institut Teknologi Sepuluh Nopember.
![[thumbnail of 5027221036-Undergraduate_Thesis.pdf]](http://repository.its.ac.id/style/images/fileicons/text.png) |
Text
5027221036-Undergraduate_Thesis.pdf - Accepted Version Restricted to Repository staff only Download (4MB) |
Abstract
Meluasnya integrasi language models dalam aplikasi web memunculkan threat landscapes baru yang memerlukan materi pelatihan keamanan yang lebih relevan dan spesifik. Proyek ini menghadirkan cyber range berupa sebuah aplikasi web e-commerce yang sengaja dirancang tidak aman guna memfasilitasi eksplorasi kerentanan web pada aplikasi yang terintegrasi dengan language model. Platform ini mengimplementasikan enam tantangan keamanan yang mencakup command injection, cross-site scripting, SQL injection, dan server-side request forgery pada small language models, vision language models, serta layanan machine learning. Pengujian dari tantangan yang dibuat menunjukkan tingkat reprodusibilitas 100% di semua skenario, sedangkan user testing dengan delapan partisipan menunjukkan peningkatan kompetensi yang signifikan, dengan rata-rata Confidence Score Gain sebesar 1,15/5,0, terutama pada eksploitasi vision language model dengan peningkatan skor sebesar +1,62/5,0. Aplikasi ini mencapai engagement scores yang tinggi, yakni >4,2/5,0, serta progresi kesulitan yang proporsional. Dengan demikian, tantangan aplikasi web yang dibuat efektif baik sebagai lingkungan eksplorasi maupun sarana edukasi bagi praktisi keamanan, mahasiswa, dan penggiat yang sedang beradaptasi dengan threat landscapes pada language model.
=====================================================================================================================================
The widespread integration of language models in web applications introduces new attack surfaces requiring specialized security training. This project presents a deliberately insecure e-commerce web application designed to facilitate exploration of web vulnerabilities in applications with language model integration. The platform implements six security challenges spanning command injection, cross-site scripting, SQL injection, and server-side request forgery across small language models, vision language models, and machine learning services. Challenge testing validated 100% reproducibility across all scenarios, while user testing with eight participants demonstrated significant competency improvements, with average Confidence Score Gain of 1.15/5.0, and particularly in vision language model exploitation. with a score of +1.62/5.0. The application achieved high engagement scores of >4.2/5.0 and appropriate difficulty progression, confirming its effectiveness as both an exploratory environment and educational tool for security practitioners, students, and enthusiasts adapting to language model threat landscapes.
| Item Type: | Thesis (Other) |
|---|---|
| Uncontrolled Keywords: | Web Exploitation, Language Model Vulnerability, Cybersecurity Education, Cyber Range, AI Security |
| Subjects: | Q Science > QA Mathematics > QA76.9.A25 Computer security. Digital forensic. Data encryption (Computer science) |
| Divisions: | Faculty of Intelligent Electrical and Informatics Technology (ELECTICS) > Information Technology > 59201-(S1) Undergraduate Thesis |
| Depositing User: | Jacinta Syilloam |
| Date Deposited: | 03 Feb 2026 01:22 |
| Last Modified: | 03 Feb 2026 01:22 |
| URI: | http://repository.its.ac.id/id/eprint/131806 |
Actions (login required)
 |
View Item |