webFuzz: Grey-Box Fuzzing for Web Applications

Cited by: 11
Authors
van Rooij, Orpheas [1 ]
Charalambous, Marcos Antonios [1 ]
Kaizer, Demetris [1 ]
Papaevripides, Michalis [1 ]
Athanasopoulos, Elias [1 ]
Affiliations
[1] Univ Cyprus, Nicosia, Cyprus
Source
Funding
EU Horizon 2020;
Keywords
DOI
10.1007/978-3-030-88418-5_8
CLC number
TP31 [Computer software];
Discipline code
081202 ; 0835 ;
Abstract
Fuzzing has evolved significantly for analysing native code, but web applications have, until now, received limited attention. This paper designs, implements and evaluates webFuzz, a gray-box fuzzing prototype for discovering vulnerabilities in web applications. webFuzz successfully leverages instrumentation to detect cross-site scripting (XSS) vulnerabilities, and covers more code faster than black-box fuzzers. In particular, webFuzz has discovered one zero-day vulnerability in WordPress, a leading CMS platform, and five in an online commerce application named CE-Phoenix. Moreover, in order to systematically evaluate webFuzz and similar tools, we provide the first attempt at automatically synthesizing reflective cross-site scripting (RXSS) vulnerabilities in vanilla web applications.
Pages: 152 / 172
Page count: 21