Generative Adversarial Network (GAN)-Based Autonomous Penetration Testing for Web Applications

Ankur Chowdhary, Kritshekhar Jha, Ming Zhao

Research output: Contribution to journalArticlepeer-review

3 Scopus citations


The web application market has shown rapid growth in recent years. The expansion of Wireless Sensor Networks (WSNs) and the Internet of Things (IoT) has created new web-based communication and sensing frameworks. Current security research utilizes source code analysis and manual exploitation of web applications, to identify security vulnerabilities, such as Cross-Site Scripting (XSS) and SQL Injection, in these emerging fields. The attack samples generated as part of web application penetration testing on sensor networks can be easily blocked, using Web Application Firewalls (WAFs). In this research work, we propose an autonomous penetration testing framework that utilizes Generative Adversarial Networks (GANs). We overcome the limitations of vanilla GANs by using conditional sequence generation. This technique helps in identifying key features for XSS attacks. We trained a generative model based on attack labels and attack features. The attack features were identified using semantic tokenization, and the attack payloads were generated using conditional sequence GAN. The generated attack samples can be used to target web applications protected by WAFs in an automated manner. This model scales well on a large-scale web application platform, and it saves the significant effort invested in manual penetration testing.

Original languageEnglish (US)
Article number8014
Issue number18
StatePublished - Sep 2023


  • Generative Adversarial Network (GAN)
  • Internet of Things (IoT)
  • Web Application Firewall (WAF)
  • Wireless Sensor Network (WSN)
  • autonomous pentesting
  • reinforcement learning

ASJC Scopus subject areas

  • Analytical Chemistry
  • Information Systems
  • Atomic and Molecular Physics, and Optics
  • Biochemistry
  • Instrumentation
  • Electrical and Electronic Engineering


Dive into the research topics of 'Generative Adversarial Network (GAN)-Based Autonomous Penetration Testing for Web Applications'. Together they form a unique fingerprint.

Cite this