Abstract
Fuzzing has evolved significantly for analysing native code, but web applications have received comparatively little attention until now. This paper designs, implements and evaluates webFuzz, a grey-box fuzzing prototype for discovering vulnerabilities in web applications.
webFuzz leverages instrumentation of the target application to detect cross-site scripting (XSS) vulnerabilities, and it covers more code, faster, than black-box fuzzers. In particular, webFuzz has discovered one zero-day vulnerability in WordPress, a leading CMS platform, and five in an online commerce application named CE-Phoenix.
Moreover, in order to systematically evaluate webFuzz and similar tools, we present the first attempt at automatically synthesizing reflected cross-site scripting (RXSS) vulnerabilities in vanilla web applications.
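To make the grey-box idea in the abstract concrete, the following added example (not code from the paper or from the webFuzz project) sketches the two feedback channels such a fuzzer depends on: basic-block coverage reported by the instrumented application, which decides which mutated inputs are kept for further mutation, and an oracle that reports a reflected XSS only when a unique probe tag comes back as a live HTML element rather than as escaped text. The instrumented PHP endpoint is replaced by a constructed Python handler, and the block ids, probe tag and mutators are hypothetical.

```python
import html
from html.parser import HTMLParser

MARK = "wfz-mark"  # constructed probe tag; reflected as a live element => RXSS

def instrumented_search(q, trace):
    """Constructed stand-in for an instrumented PHP endpoint: branches log block ids."""
    trace.add("bb0")
    if q.startswith("id="):
        trace.add("bb1")
        return "<p>Result for " + html.escape(q[3:]) + "</p>"  # sanitized sink
    if "<" in q:
        trace.add("bb2")
        return "<div>Raw: " + q + "</div>"  # unsanitized sink
    trace.add("bb3")
    return "<p>No results</p>"

class MarkerFinder(HTMLParser):
    """Oracle: the probe must parse as a live element, so escaped reflection is not flagged."""
    found = False

    def handle_starttag(self, tag, attrs):
        self.found |= tag == MARK

def reflected_unescaped(body):
    p = MarkerFinder()
    p.feed(body)
    return p.found

def greybox_fuzz(handler, seeds, max_execs=200):
    """Keep a mutant only if it reaches new blocks; report unescaped probe reflections."""
    coverage, findings, execs = set(), {}, 0
    mutators = [lambda s: s + "<" + MARK + ">", lambda s: "id=" + s, lambda s: s + "z"]

    def run(inp):
        nonlocal execs
        trace = set()
        body = handler(inp, trace)
        execs += 1
        if reflected_unescaped(body):
            findings.setdefault(frozenset(trace), inp)  # one report per covered path
        is_new = not trace <= coverage
        coverage.update(trace)
        return is_new
    queue = [s for s in seeds if run(s)]
    while queue and execs < max_execs:
        parent = queue.pop(0)
        queue.extend(c for c in (m(parent) for m in mutators) if run(c))
    return coverage, list(findings.values()), execs
```

Starting from the single seed "hello", the coverage feedback keeps only the two mutants that reach new blocks, and the oracle reports the unsanitized path once while correctly ignoring the escaped reflection on the sanitized path.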
Acknowledgements
We thank the anonymous reviewers for helping us to improve the final version of this paper. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct), No. 830929 (CyberSec4Europe) and No. 101007673 (RESPECT).
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
van Rooij, O., Charalambous, M.A., Kaizer, D., Papaevripides, M., Athanasopoulos, E. (2021). webFuzz: Grey-Box Fuzzing for Web Applications. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_8
DOI: https://doi.org/10.1007/978-3-030-88418-5_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5
eBook Packages: Computer Science, Computer Science (R0)