Effective and scalable black-box fuzzing approach for modern web applications

Cited by: 5
Authors
Alsaedi, Aseel [1, 2]
Alhuzali, Abeer [1 ]
Bamasag, Omaimah [1 ]
Affiliations
[1] King Abdulaziz Univ, Fac Comp & Informat Technol, Comp Sci Dept, Jeddah, Saudi Arabia
[2] King Abdulaziz Univ, Fac Comput Informat Technol, Comp Sci Dept, Jeddah, Saudi Arabia
Keywords
Black-box fuzzing; Web application security; Dynamic features; Vulnerability analysis; Dynamic analysis; Constraint solving; XQUERY INJECTION; VULNERABILITIES
DOI
10.1016/j.jksuci.2022.10.006
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Web applications' security is critical because we share sensitive data through them frequently, which attracts attackers who exploit their vulnerabilities. Detecting and exploiting such vulnerabilities automatically is challenging because of the applications' increasing complexity and strong dependence upon dynamic features such as JavaScript. In this paper, we propose an approach that addresses the difficulties presented in web applications by using dynamic analysis techniques in a black-box fashion to explore applications' space. It also performs a client-side validation analysis to increase the coverage and therefore, identify more vulnerabilities. We implemented our approach with a tool and evaluated its effectiveness using real-world web applications. Our system discovered 207 unique URLs, submitted 102 web forms successfully, and exploited 32 vulnerabilities automatically. A detailed comparison of state-of-the-art black-box fuzzing approaches showed that our system exceeds them in coverage, the number of vulnerabilities detected, and performance. (c) 2022 The Authors. Published by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Pages: 10068 / 10078
Number of pages: 11