Skip to main content

webFuzz: Grey-Box Fuzzing for Web Applications

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12972)

Abstract

Fuzzing is significantly evolved in analysing native code, but web applications, invariably, have received limited attention until now. This paper designs, implements and evaluates webFuzz, a gray-box fuzzing prototype for discovering vulnerabilities in web applications.

webFuzz is successful in leveraging instrumentation for detecting cross-site scripting (XSS) vulnerabilities, as well as covering more code faster than black-box fuzzers. In particular, webFuzz has discovered one zero-day vulnerability in WordPress, a leading CMS platform, and five in an online commerce application named CE-Phoenix.

Moreover, in order to systematically evaluate webFuzz, and similar tools, we provide the first attempt for automatically synthesizing reflective cross-site scripting (RXSS) vulnerabilities in vanilla web applications.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88418-5_8
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88418-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.

References

  1. Agrawal, H.: Dominators, super blocks, and program coverage. In: Proceedings of the 21st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 25–34 (1994)

    Google Scholar 

  2. Aho, A., Lam, M., Ullman, J., Sethi, R.: Compilers: Principles, Techniques, and Tools. Pearson Education (2011). https://books.google.com.cy/books?id=NTIrAAAAQBAJ

  3. Alhuzali, A., Eshete, B., Gjomemo, R., Venkatakrishnan, V.: Chainsaw: chained automated workflow-based exploit generation. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 641–652 (2016)

    Google Scholar 

  4. Alhuzali, A., Gjomemo, R., Eshete, B., Venkatakrishnan, V.: NAVEX: precise and scalable exploit generation for dynamic web applications. In: 27th USENIX Security Symposium (2018)

    Google Scholar 

  5. Ammann, P., Offutt, J.: Introduction to Software Testing. Cambridge University Press, Cambridge (2016)

    Google Scholar 

  6. Artzi, S., et al.: Finding bugs in web applications using dynamic test generation and explicit-state model checking. IEEE Trans. Softw. Eng. 36, 474–494 (2010)

    Google Scholar 

  7. Backes, M., Rieck, K., Skoruppa, M., Stock, B., Yamaguchi, F.: Efficient and flexible discovery of PHP application vulnerabilities. In: 2017 IEEE European Symposium on Security And Privacy (EuroS&P), pp. 334–349. IEEE (2017)

    Google Scholar 

  8. Balzarotti, D., et al.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: 2008 IEEE Symposium on Security and Privacy (SP 2008) (2008)

    Google Scholar 

  9. Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the art: automated black-box web application vulnerability testing. In: 2010 IEEE Symposium on Security and Privacy (2010)

    Google Scholar 

  10. Ben Khadra, M.A., Stoffel, D., Kunz, W.: Efficient binary-level coverage analysis. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 1153–1164 (2020)

    Google Scholar 

  11. Black, P.E., Black, P.E.: Juliet 1.3 test suite: changes from 1.2. US Department of Commerce, National Institute of Standards and Technology (2018)

    Google Scholar 

  12. Böhme, M., Pham, V.T., Nguyen, M.D., Roychoudhury, A.: Directed greybox fuzzing. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2329–2344 (2017)

    Google Scholar 

  13. Cornelius Aschermann et al.: REDQUEEN: fuzzing with input-to-state correspondence. In: NDSS, vol. 19, pp. 1–15 (2019)

    Google Scholar 

  14. Corporation, T.M.: Common vulnerabilities and exposures (CVE) (2020). https://cve.mitre.org/

  15. Dolan-Gavitt, B., et al.: LAVA: large-scale automated vulnerability addition. In: 2016 IEEE Symposium on Security and Privacy (SP). IEEE (2016)

    Google Scholar 

  16. Doupé, A., Cavedon, L., Kruegel, C., Vigna, G.: Enemy of the state: a state-aware black-box web vulnerability scanner. In: 21st USENIX Security Symposium (USENIX Security 12), Bellevue, WA, pp. 523–538. USENIX Association, August 2012. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/doupe

  17. Doupé, A., Cova, M., Vigna, G.: Why Johnny can’t pentest: an analysis of black-box web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14215-4_7

    CrossRef  Google Scholar 

  18. Duchene, F., Rawat, S., Richier, J.L., Groz, R.: KameleonFuzz: evolutionary fuzzing for black-box XSS detection. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, CODASPY 2014, New York, NY, USA, p. 3748. Association for Computing Machinery (2014). https://doi.org/10.1145/2557547.2557550

  19. Germán Méndez Bravoi, A.H.: esprima-python (2017). https://github.com/Kronuz/esprima-python

  20. Ghaleb, A., Pattabiraman, K.: How effective are smart contract analysis tools? Evaluating smart contract static analysis tools using bug injection. arXiv preprint arXiv:2005.11613 (2020)

  21. Godefroid, P., Klarlund, N., Sen, K.: Dart: directed automated random testing. In: Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2005, New York, NY, USA, pp. 213–223. Association for Computing Machinery (2005). https://doi.org/10.1145/1065010.1065036

  22. Godefroid, P., Levin, M.Y., Molnar, D.: SAGE: whitebox fuzzing for security testing. Queue (2012)

    Google Scholar 

  23. Householder, A.D., Foote, J.M.: Probability-based parameter selection for black-box fuzz testing, Technical report. Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst. (2012)

    Google Scholar 

  24. James Graham, S.S.: html5lib-python (2007). https://github.com/html5lib/html5lib-python

  25. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on Security and Privacy (S&P 2006), pp. 6-pp. IEEE (2006)

    Google Scholar 

  26. Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: Proceedings of the 2006 Workshop on Programming Languages and Analysis for Security, PLAS 2006, New York, NY, USA, pp. 27–36. Association for Computing Machinery (2006). https://doi.org/10.1145/1134744.1134751

  27. Kieyzun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. In: 2009 IEEE 31st International Conference on Software Engineering, pp. 199–209 (2009)

    Google Scholar 

  28. Klees, G., Ruef, A., Cooper, B., Wei, S., Hicks, M.: Evaluating fuzz testing. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, New York, NY, USA, pp. 2123–2138. Association for Computing Machinery (2018). https://doi.org/10.1145/3243734.3243804

  29. Medeiros, I., Neves, N., Correia, M.: DEKANT: a static analysis tool that learns to detect web application vulnerabilities. In: Proceedings of the 25th International Symposium on Software Testing and Analysis, pp. 1–11 (2016)

    Google Scholar 

  30. Medeiros, I., Neves, N.F., Correia, M.: Automatic detection and correction of web application vulnerabilities using data mining to predict false positives. In: Proceedings of the 23rd International Conference on World Wide Web, WWW 2014, pp. 63–74, New York, NY, USA. Association for Computing Machinery (2014). https://doi.org/10.1145/2566486.2568024

  31. Mendez, X.: Wfuzz - the web fuzzer (2011). https://github.com/xmendez/wfuzz

  32. Mu, D., Cuevas, A., Yang, L., Hu, H., Xing, X., Mao, B., Wang, G.: Understanding the reproducibility of crowd-reported security vulnerabilities. In: 27th USENIX Security Symposium (USENIX Security 18), Baltimore, MD. pp. 919–936. USENIX Association, August 2018. https://www.usenix.org/conference/usenixsecurity18/presentation/mu

  33. Nilson, G., Wills, K., Stuckman, J., Purtilo, J.: BugBox: a vulnerability corpus for PHP web applications. In: 6th Workshop on Cyber Security Experimentation and Test (CSET 13). USENIX Association, Washington, D.C., August 2013. https://www.usenix.org/conference/cset13/workshop-program/presentation/nilson

  34. Pewny, J., Holz, T.: EvilCoder: automated bug insertion. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, New York, NY, USA, p. 214225. Association for Computing Machinery (2016). https://doi.org/10.1145/2991079.2991103

  35. Pham, V.T., Böhme, M., Santosa, A.E., Caciulescu, A.R., Roychoudhury, A.: Smart greybox fuzzing. IEEE Trans. Softw. Eng. (2019)

    Google Scholar 

  36. Popov, N.: PHP parser. https://github.com/nikic/PHP-Parser

  37. Rawat, S., Jain, V., Kumar, A., Cojocar, L., Giuffrida, C., Bos, H.: VUzzer: application-aware evolutionary fuzzing. In: NDSS, vol. 17, pp. 1–14 (2017)

    Google Scholar 

  38. Rizzo, L., Landi, M.: Netmap: Memory mapped access to network devices. SIGCOMM Comput. Commun. Rev. 41(4), 422–423 (2011). https://doi.org/10.1145/2043164.2018500

  39. Seal, S.M.: Optimizing web application fuzzing with genetic algorithms and language Theory. Master’s thesis, Wake Forest University (2016)

    Google Scholar 

  40. Serebryany, K.: Libfuzzer-a library for coverage-guided fuzz testing (2015). https://llvm.org/docs/LibFuzzer.html

  41. Sparks, S., Embleton, S., Cunningham, R., Zou, C.: Automated vulnerability analysis: leveraging control flow for evolutionary input crafting. In: Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 477–486 (2007)

    Google Scholar 

  42. Stephens, N., et al.: Driller: augmenting fuzzing through selective symbolic execution. In: NDSS, vol. 16, pp. 1–16 (2016)

    Google Scholar 

  43. Tikir, M.M., Hollingsworth, J.K.: Efficient instrumentation for code coverage testing. ACM SIGSOFT Softw. Eng. Notes 27(4), 86–96 (2002)

    CrossRef  Google Scholar 

  44. Wang, Y., et al.: Not all coverage measurements are equal: fuzzing by coverage accounting for input prioritization. In: NDSS (2020)

    Google Scholar 

  45. Woo, M., Cha, S.K., Gottlieb, S., Brumley, D.: Scheduling black-box mutational fuzzing. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 511–522 (2013)

    Google Scholar 

  46. Zalewski, M.: Binary fuzzing strategies: what works, what doesn’t, August 2014. https://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html

  47. Zalewski, M.: More about AFL - AFL 2.53b documentation (2019). https://afl-1.readthedocs.io/en/latest/about_afl.html

Download references

Acknowledgements

We thank the anonymous reviewers for helping us to improve the final version of this paper. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct), No. 830929 (CyberSec4Europe) and No. 101007673 (RESPECT).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Orpheas van Rooij .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

van Rooij, O., Charalambous, M.A., Kaizer, D., Papaevripides, M., Athanasopoulos, E. (2021). webFuzz: Grey-Box Fuzzing for Web Applications. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer ScienceComputer Science (R0)