Abstract
Public websites have become targets for hackers, resulting in reputational and financial losses. A considerable portion of cybersecurity issues arises from web attacks. Web vulnerabilities can often be traced back to web servers that have been misconfigured by unskilled administrators. Broken web access control leads to unauthorized access to sensitive resources and data. Wordlist-based testing is used to identify such vulnerabilities. This paper discusses the threats posed by such misconfigured web services and explores how the LLM scanning approach generates wordlists, thereby enhancing the efficiency of identifying vulnerabilities within the web server. The study concluded that using different LLM models, in conjunction with summarization, role-playing, and Chain-of-Thought (CoT) techniques, enhances the discovery of web paths.
Ng, K. K. S., Yan, F., & Hung, K. (2024). Preliminary Study of LLM-Based Wordlist Generation for Validating Broken Web Access Control. In IEEE Region 10 Annual International Conference, Proceedings/TENCON (pp. 1088–1091). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/TENCON61640.2024.10902771