{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T15:16:08Z","timestamp":1780326968394,"version":"3.54.1"},"reference-count":48,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2023,9,28]],"date-time":"2023-09-28T00:00:00Z","timestamp":1695859200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Ministry of Innovation and Technology NRDI Office","award":["RRF-2.3.1-21-2022-00004"],"award-info":[{"award-number":["RRF-2.3.1-21-2022-00004"]}]},{"name":"Ministry of Innovation and Technology NRDI Office","award":["TKP2021-NVA"],"award-info":[{"award-number":["TKP2021-NVA"]}]},{"name":"Ministry of Innovation and Technology of Hungary","award":["RRF-2.3.1-21-2022-00004"],"award-info":[{"award-number":["RRF-2.3.1-21-2022-00004"]}]},{"name":"Ministry of Innovation and Technology of Hungary","award":["TKP2021-NVA"],"award-info":[{"award-number":["TKP2021-NVA"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Due to the proliferation of large language models (LLMs) and their widespread use in applications such as ChatGPT, there has been a significant increase in interest in AI over the past year. Multiple researchers have raised the question: how will AI be applied and in what areas? Programming, including the generation, interpretation, analysis, and documentation of static program code based on promptsis one of the most promising fields. With the GPT API, we have explored a new aspect of this: static analysis of the source code of front-end applications at the endpoints of the data path. Our focus was the detection of the CWE-653 vulnerability\u2014inadequately isolated sensitive code segments that could lead to unauthorized access or data leakage. This type of vulnerability detection consists of the detection of code segments dealing with sensitive data and the categorization of the isolation and protection levels of those segments that were previously not feasible without human intervention. However, we believed that the interpretive capabilities of GPT models could be explored to create a set of prompts to detect these cases on a file-by-file basis for the applications under study, and the efficiency of the method could pave the way for additional analysis tasks that were previously unavailable for automation. In the introduction to our paper, we characterize in detail the problem space of vulnerability and weakness detection, the challenges of the domain, and the advances that have been achieved in similarly complex areas using GPT or other LLMs. Then, we present our methodology, which includes our classification of sensitive data and protection levels. This is followed by the process of preprocessing, analyzing, and evaluating static code. This was achieved through a series of GPT prompts containing parts of static source code, utilizing few-shot examples and chain-of-thought techniques that detected sensitive code segments and mapped the complex code base into manageable JSON structures.Finally, we present our findings and evaluation of the open source project analysis, comparing the results of the GPT-based pipelines with manual evaluations, highlighting that the field yields a high research value. The results show a vulnerability detection rate for this particular type of model of 88.76%, among others.<\/jats:p>","DOI":"10.3390\/fi15100326","type":"journal-article","created":{"date-parts":[[2023,9,29]],"date-time":"2023-09-29T02:47:30Z","timestamp":1695955650000},"page":"326","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":33,"title":["A New Approach to Web Application Security: Utilizing GPT Language Models for Source Code Inspection"],"prefix":"10.3390","volume":"15","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3863-7595","authenticated-orcid":false,"given":"Zolt\u00e1n","family":"Szab\u00f3","sequence":"first","affiliation":[{"name":"Department of Software Engineering, University of Szeged, Dugonics Square 13., 6720 Szeged, Hungary"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7793-2661","authenticated-orcid":false,"given":"Vilmos","family":"Bilicki","sequence":"additional","affiliation":[{"name":"Department of Software Engineering, University of Szeged, Dugonics Square 13., 6720 Szeged, Hungary"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2023,9,28]]},"reference":[{"key":"ref_1","unstructured":"(2023, July 20). Introduction to the Angular Docs. Available online: https:\/\/angular.io\/docs."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"773","DOI":"10.1038\/d41586-023-00816-5","article-title":"GPT-4 is here: What scientists think","volume":"615","author":"Sanderson","year":"2023","journal-title":"Nature"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"81","DOI":"10.54097\/fcis.v2i2.4465","article-title":"The Benefits and Challenges of ChatGPT: An Overview","volume":"2","author":"Deng","year":"2023","journal-title":"Front. Comput. Intell. Syst."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"J\u00e1nki, Z.R., and Bilicki, V. (2023). Rule-Based Architectural Design Pattern Recognition with GPT Models. Electronics, 12.","DOI":"10.3390\/electronics12153364"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Hourani, H., Hammad, A., and Lafi, M. (2019, January 9\u201311). The Impact of Artificial Intelligence on Software Testing. Proceedings of the 2019 IEEE Jordan International Joint Conference on Electrical Engineering and Information Technology (JEEIT), Amman, Jordan.","DOI":"10.1109\/JEEIT.2019.8717439"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1185","DOI":"10.1109\/32.60298","article-title":"Miro: Visual specification of security","volume":"16","author":"Heydon","year":"1990","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"62","DOI":"10.1109\/MS.2012.112","article-title":"Visual Computer-Managed Security: A Framework for Developing Access Control in Enterprise Applications","volume":"30","author":"Giordano","year":"2013","journal-title":"IEEE Softw."},{"key":"ref_8","unstructured":"Hossain Misu, M.R., and Sakib, K. (2017, January 8\u201312). FANTASIA: A Tool for Automatically Identifying Inconsistency in AngularJS MVC Applications. Proceedings of the Twelfth International Conference on Software Engineering Advances, Athens, Greece."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"485","DOI":"10.14232\/actacyb.290283","article-title":"Access Control of EHR Records in a Heterogeneous Cloud Infrastructure","volume":"25","author":"Bilicki","year":"2021","journal-title":"Acta Cybern."},{"key":"ref_10","unstructured":"Martin, B., Brown, M., Paller, A., Kirby, D., and Christey, S. (2011). CWE. SANS Top, 25."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Rainey, S., McGillivray, K., Akintoye, S., Fothergill, T., Bublitz, C., and Stahl, B. (2020). Is the European Data Protection Regulation sufficient to deal with emerging data concerns relating to neurotechnology?. J. Law Biosci., 7.","DOI":"10.1093\/jlb\/lsaa051"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Cheng, S., Zhang, J., and Dong, Y. (2022, January 26\u201328). How to Understand Data Sensitivity? A Systematic Review by Comparing Four Domains. Proceedings of the 2022 4th International Conference on Big Data Engineering, Beijing, China.","DOI":"10.1145\/3538950.3538953"},{"key":"ref_13","first-page":"103163","article-title":"Personal information: Perceptions, types and evolution","volume":"66","author":"Nurse","year":"2022","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Lang, C., Woo, C., and Sinclair, J. (2020, January 23\u201327). Quantifying data sensitivity. Proceedings of the Tenth International Conference on Learning Analytics & Knowledge, Frankfurt, Germany.","DOI":"10.1145\/3375462.3375506"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"102453","DOI":"10.1016\/j.cose.2021.102453","article-title":"The effects of different personal data categories on information privacy concern and disclosure","volume":"110","author":"Chua","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1016\/j.bdr.2017.11.001","article-title":"What Are Data? A Categorization of the Data Sensitivity Spectrum","volume":"12","author":"Rumbold","year":"2018","journal-title":"Big Data Res."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Botti-Cebri\u00e1, V., del Val, E., and Garc\u00eda-Fornes, A. (2020, January 14). Automatic Detection of Sensitive Information in Educative Social Networks. Proceedings of the 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2020), Burgos, Spain.","DOI":"10.1007\/978-3-030-57805-3_18"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Jiang, L., Liu, H., and Jiang, H. (2019, January 11\u201315). Machine Learning Based Recommendation of Method Names: How Far are We. Proceedings of the 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE), San Diego, CA, USA.","DOI":"10.1109\/ASE.2019.00062"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Momeni, P., Wang, Y., and Samavi, R. (2019, January 26\u201328). Machine Learning Model for Smart Contracts Security Analysis. Proceedings of the 2019 17th International Conference on Privacy, Security and Trust (PST), Fredericton, NB, Canada.","DOI":"10.1109\/PST47121.2019.8949045"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1428","DOI":"10.1007\/s11390-020-0323-7","article-title":"Predicting Code Smells and Analysis of Predictions: Using Machine Learning Techniques and Software Metrics","volume":"35","author":"Mhawish","year":"2020","journal-title":"J. Comput. Sci. Technol."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"125","DOI":"10.1016\/j.comcom.2020.02.078","article-title":"Towards predictive analysis of android vulnerability using statistical codes and machine learning for IoT applications","volume":"155","author":"Cui","year":"2020","journal-title":"Comput. Commun."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"3035741","DOI":"10.1155\/2020\/3035741","article-title":"Malware Detection in Self-Driving Vehicles Using Machine Learning Algorithms","volume":"2020","author":"Park","year":"2020","journal-title":"J. Adv. Transp."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Jiang, N., Lutellier, T., and Tan, L. (2021, January 22\u201330). CURE: Code-Aware Neural Machine Translation for Automatic Program Repair. Proceedings of the 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE), Madrid, Spain.","DOI":"10.1109\/ICSE43902.2021.00107"},{"key":"ref_24","unstructured":"Sharma, T., Kechagia, M., Georgiou, S., Tiwari, R., Vats, I., Moazen, H., and Sarro, F. (2022). A Survey on Machine Learning Techniques for Source Code Analysis. arXiv."},{"key":"ref_25","unstructured":"Sarkar, A., Gordon, A.D., Negreanu, C., Poelitz, C., Ragavan, S.S., and Zorn, B. (2022). What is it like to program with artificial intelligence?. arXiv."},{"key":"ref_26","unstructured":"Wei, J., Tay, Y., Bommasani, R., Raffel, C., Zoph, B., Borgeaud, S., Yogatama, D., Bosma, M., Zhou, D., and Metzler, D. (2022). Emergent Abilities of Large Language Models. arXiv."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Liu, Y., Han, T., Ma, S., Zhang, J., Yang, Y., Tian, J., He, H., Li, A., He, M., and Liu, Z. (2023). Summary of ChatGPT\/GPT-4 Research and Perspective Towards the Future of Large Language Models. arXiv.","DOI":"10.1016\/j.metrad.2023.100017"},{"key":"ref_28","first-page":"17","article-title":"Use Chat GPT to Solve Programming Bugs","volume":"3","author":"Surameery","year":"2023","journal-title":"Int. J. Inf. Technol. Comput. Eng."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Borji, A., and Mohammadian, M. (2023). Battle of the Wordsmiths: Comparing ChatGPT, GPT-4, Claude, and Bard. SSRN Electron. J.","DOI":"10.2139\/ssrn.4476855"},{"key":"ref_30","unstructured":"Wu, J. (2021). Literature review on vulnerability detection using NLP technology. arXiv."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Thapa, C., Jang, S.I., Ahmed, M.E., Camtepe, S., Pieprzyk, J., and Nepal, S. (2022, January 5\u20139). Transformer-based language models for software vulnerability detection. Proceedings of the 38th Annual Computer Security Applications Conference, Austin, TX, USA.","DOI":"10.1145\/3564625.3567985"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Omar, M. (2023). Detecting software vulnerabilities using Language Models. arXiv.","DOI":"10.1109\/CSR57506.2023.10224924"},{"key":"ref_33","unstructured":"Sun, Y., Wu, D., Xue, Y., Liu, H., Wang, H., Xu, Z., Xie, X., and Liu, Y. (2023). When GPT Meets Program Analysis: Towards Intelligent Detection of Smart Contract Logic Vulnerabilities in GPTScan. arXiv."},{"key":"ref_34","unstructured":"Cheshkov, A., Zadorozhny, P., and Levichev, R. (2023). Evaluation of ChatGPT Model for Vulnerability Detection. arXiv."},{"key":"ref_35","unstructured":"Feng, S., and Chen, C. (2023). Prompting Is All You Need: Automated Android Bug Replay with Large Language Models. arXiv."},{"key":"ref_36","unstructured":"Ferraiolo, D., Cugini, J., and Kuhn, D.R. (1995, January 11\u201315). Role-based access control (RBAC): Features and motivations. Proceedings of the 11th Annual Computer Security Application Conference, New Orleans, LA, USA."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Yuan, E., and Tong, J. (2005, January 11\u201315). Attributed based access control (ABAC) for Web services. Proceedings of the IEEE International Conference on Web Services (ICWS\u201905), Orlando, FL, USA.","DOI":"10.1109\/ICWS.2005.25"},{"key":"ref_38","unstructured":"(2023, July 20). Pricing of GPT. Available online: https:\/\/openai.com\/pricing."},{"key":"ref_39","unstructured":"(2023, September 25). OpenAI\u2014Privacy Policy. Available online: https:\/\/openai.com\/policies\/privacy-policy."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1108\/DTS-05-2023-066","article-title":"Editorial: GPT revolutionizing AI applications: Empowering future digital transformation","volume":"2","author":"Qiu","year":"2023","journal-title":"Digit. Transform. Soc."},{"key":"ref_41","unstructured":"Shoeybi, M., Patwary, M., Puri, R., LeGresley, P., Casper, J., and Catanzaro, B. (2019). Megatron-lm: Training multi-billion parameter language models using model parallelism. arXiv."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"248","DOI":"10.1145\/3571730","article-title":"Survey of Hallucination in Natural Language Generation","volume":"55","author":"Ji","year":"2023","journal-title":"ACM Comput. Surv."},{"key":"ref_43","unstructured":"Moghaddam, S.R., and Honey, C.J. (2023). Boosting Theory-of-Mind Performance in Large Language Models via Prompting. arXiv."},{"key":"ref_44","first-page":"1877","article-title":"Language models are few-shot learners","volume":"33","author":"Brown","year":"2020","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_45","unstructured":"Wang, X., Wei, J., Schuurmans, D., Le, Q., Chi, E., Narang, S., Chowdhery, A., and Zhou, D. (2023). Self-Consistency Improves Chain of Thought Reasoning in Language Models. arXiv."},{"key":"ref_46","unstructured":"(2023, July 20). What Is the Difference between the GPT-4 Models?. Available online: https:\/\/help.openai.com\/en\/articles\/7127966-what-is-the-difference-between-the-gpt-4-models."},{"key":"ref_47","unstructured":"Martin, R.C. (2023, September 26). Getting a SOLID Start. Robert C Martin-objectmentor.com. Available online: https:\/\/sites.google.com\/site\/unclebobconsultingllc\/getting-a-solid-start."},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1556\/606.2021.00372","article-title":"The impact of the software architecture on the developer productivity","volume":"17","author":"Kokrehel","year":"2022","journal-title":"Pollack Period."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/15\/10\/326\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T21:01:25Z","timestamp":1760130085000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/15\/10\/326"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,28]]},"references-count":48,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2023,10]]}},"alternative-id":["fi15100326"],"URL":"https:\/\/doi.org\/10.3390\/fi15100326","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,9,28]]}}}