Open Access

Web applications play a crucial role in modern business operations but remain prime targets for cyberattacks due to the sensitive data they handle. Despite continuous advancements in cybersecurity, many applications are still susceptible to common vulnerabilities such as SQL Injection (SQLi), Cross-Site Scripting (XSS), Local File Inclusion (LFI), and Remote Code Execution (RCE), many of which are listed in the OWASP Top 10. Existing security tools often provide limited coverage, focusing on specific aspects like SSL validation or static code analysis, while failing to comprehensively detect and confirm exploitation attempts in real-world scenarios. This thesis addresses these gaps by leveraging AI-driven attack automation for vulnerability detection and analysis. The system integrates automated reconnaissance, penetration testing, and AI-assisted exploitation validation to identify security flaws dynamically. Unlike conventional tools that rely on static analysis, this approach executes real attack scenarios, analyzes system responses, and determines whether an exploit truly succeeded. The research specifically evaluates the effectiveness of AI models in generating attack execution commands, constructing multi-stage attack chains, and assessing post-exploitation outcomes. The system is tested against a controlled vulnerable web environment, measuring its accuracy, efficiency, and reliability in detecting and validating real vulnerabilities. A structured methodology is followed, beginning with a comprehensive literature review of web vulnerabilities and attack automation techniques, followed by the design, development, and experimental evaluation of the AI-driven penetration testing framework. The results indicate significant challenges in AI-assisted exploitation validation, with both models exhibiting high false positive rates and misclassification of vulnerabilities. However, the study highlights key areas for improvement, including enhancing AI’s exploit validation mechanisms and reducing false positives through contextual analysis. By bridging the gap between automated attack execution and intelligent exploit validation, this research contributes to the advancement of AI-driven penetration testing methodologies. The findings underscore the potential and limitations of current AI models in cybersecurity, paving the way for future enhancements in AI-assisted vulnerability assessment and exploitation validation techniques.

Biometric authentication is the process of using an individual’s unique physical or behavioral traits to confirm their identity, such as fingerprints, iris patterns, facial features, and voice recognition. Unlike traditional methods like ID cards or passwords, it relies on inherent attributes for identification. It is widely used in information security for its accurate identification and has revolutionized data protection. However, challenges in implementation include technical issues, user acceptance, and privacy concerns.

Strong security measures are required to protect sensitive data and provide ongoing service as a result of the rising reliance on online applications for a range of purposes, including e-commerce, social networking, and commercial activities. This has brought to light the necessity of strengthening security measures. There have been multiple incidents of attackers acquiring access to information, holding providers hostage with distributed denial of service attacks, or accessing the company’s network by compromising the application. The Bundesamt für Sicherheit in der Informationstechnik (BSI) has published a comprehensive set of information security principles and standards that can be utilized as a solid basis for the development of a web application that is secure. The purpose of this thesis is to build and construct a secure web application that adheres to the requirements established in the BSI guideline. This will be done in order to answer the growing concerns regarding the security of web applications. We will also evaluate the efficacy of the recommendations by conducting security tests on the prototype application and determining whether or not the vulnerabilities that are connected with a web application that is not secure have been mitigated.

Die vorliegende Arbeit beschäftigt sich mit der Nutzung von Reinforcement Learning in der Informationsbeschaffungs-Phase eines Penetration Tests. Es werden Kernprobleme in den bisherigen Ansätzen anderer das Thema betreffender wissenschaftlicher Arbeiten analysiert und praktische Lösungsansätze für diese bisherigen Hindernisse vorgestellt und implementiert. Die Arbeit zeigt damit eine beispielhafte Implementierung eines Reinforcement Learning Agenten zur Automatisierung der Informationsbeschaffungs-Phase eines Penetration Tests und stellt Lösungen für existierende Probleme in diesem Bereich dar. Eingebettet wird diese wissenschaftliche Arbeit in die Anforderungen der Herrenknecht AG hinsichtlich der Absicherung des Tunnelbohrmaschinen-Netzwerks. Dabei werden praktische Ergebnisse des eigen entwickelten Reinforcement Learning Modells im Tunnelbohrmaschinen-Test-Netzwerk der Herrenknecht AG vorgestellt.

Privacy is the capacity to keep some things private despite their social repercussions. It relates to a person’s capacity to control the amount, time, and circumstances under which they disclose sensitive personal information, such as a person’s physiology, psychology, or intelligence. In the age of data exploitation, privacy has become even more crucial. Our privacy is now more threatened than it was 20 years ago, outside of science and technology, due to the way data and technology highly used. Both the kinds and amounts of information about us and the methods for tracking and identifying us have grown a lot in recent years. It is a known security concern that human and machine systems face privacy threats. There are various disagreements over privacy and security; every person and group has a unique perspective on how the two are related. Even though 79% of the study’s results showed that legal or compliance issues were more important, 53% of the survey team thought that privacy and security were two separate things. Data security and privacy are interconnected, despite their distinctions. Data security and data privacy are linked with each other; both are necessary for the other to exist. Data may be physically kept anywhere, on our computers or in the cloud, but only humans have authority over it. Machine learning has been used to solve the problem for our easy solution. We are linked to our data. Protect against attackers by protecting data, which also protects privacy. Attackers commonly utilize both mechanical systems and social engineering techniques to enter a target network. The vulnerability of this form of attack rests not only in the technology but also in the human users, making it extremely difficult to fight against. The best option to secure privacy is to combine humans and machines in the form of a Human Firewall and a Machine Firewall. A cryptographic route like Tor is a superior choice for discouraging attackers from trying to access our system and protecting the privacy of our data There is a case study of privacy and security issues in this thesis. The problems and different kinds of attacks on people and machines will then be briefly talked about. We will explain how Human Firewalls and machine learning on the Tor network protect our privacy from attacks such as social engineering and attacks on mechanical systems. As a real-world test, we will use genomic data to try out a privacy attack called the Membership Inference Attack (MIA). We’ll show Machine Firewall as a way to protect ourselves, and then we’ll use Differential Privacy (DP), which has already been done. We applied the method of Lasso and convolutional neural networks (CNN), which are both popular machine learning models, as the target models. Our findings demonstrate a logarithmic link between the desired model accuracy and the privacy budget.