LLMs in Web Development: Evaluating LLM-Generated PHP Code Unveiling Vulnerabilities and Limitations
Rebeka Tóth, Tamas Bisztray, László Erdodi

TL;DR
This paper assesses the security vulnerabilities in PHP code generated by GPT-4 for web applications, revealing significant risks like SQL injection and XSS, and emphasizing the need for rigorous testing of AI-generated code.
Contribution
It provides a comprehensive evaluation of security flaws in GPT-4 generated PHP code, highlighting prevalent vulnerabilities and offering a dataset for further research.
Findings
26% of sites had exploitable vulnerabilities
78% of file upload scenarios were insecure
11.56% of sites could be compromised directly
Abstract
This study evaluates the security of web application code generated by Large Language Models, analyzing 2,500 GPT-4 generated PHP websites. These were deployed in Docker containers and tested for vulnerabilities using a hybrid approach of Burp Suite active scanning, static analysis, and manual review. Our investigation focuses on identifying Insecure File Upload, SQL Injection, Stored XSS, and Reflected XSS in GPT-4 generated PHP code. This analysis highlights potential security risks and the implications of deploying such code in real-world scenarios. Overall, our analysis found 2,440 vulnerable parameters. According to Burp's Scan, 11.56% of the sites can be straight out compromised. Adding static scan results, 26% had at least one vulnerability that can be exploited through web interaction. Certain coding scenarios, like file upload functionality, are insecure 78% of the time,…
