
The World Wide Web has become a fundamental part of modern society, providing crucial services such as social networks, online shopping, and other web applications. To this day, web vulnerabilities continue to be discovered, and data breaches are reported, even on high-profile websites. While several viable methods exist to detect web vulnerabilities, such as penetration tests, source code reviews, and bug bounty programs, these approaches are typically costly and time-intensive. Therefore, discovering web vulnerabilities in an automated and cost-effective fashion is desirable.
One way to approach this problem is coverage-guided fuzzing, which has been used successfully to find memory corruption bugs in binary applications but has so far seen limited use against web applications. Our academic research has produced an open-source prototype called PHUZZ, whose fuzzing approach outperforms classic black-box vulnerability scanners in detecting web vulnerabilities.
This talk will first introduce the concept of coverage-guided fuzzing and the differences from black-box web fuzzing performed by vulnerability scanners. After diving into the challenges of applying coverage-guided fuzzing to web applications, we will introduce PHUZZ and explain how its approach allows the detection of a wide variety of web vulnerabilities, including SQLi, RCE, XSS, XXE, open redirection, insecure deserialization, and path traversal in PHP web applications.
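To make the black-box versus coverage-guided distinction concrete, the following is an added example written for this page; it is not PHUZZ's code and does not reproduce its detection mechanism. A small Python function stands in for a PHP request handler (a PHP fuzzer would instrument the interpreter instead; here line coverage is collected with sys.settrace), the sink oracle is a constructed exception raised when an entity declaration reaches the simulated XML parser, the token dictionary and seed request are constructed, and the black-box loop is deliberately simplified to "one mutation away from the seed, no feedback". The point it shows is that only the feedback-driven loop can retain intermediate inputs and chain the three independent changes (action, format, payload) needed to reach the deep sink:

```python
"""Black-box vs coverage-guided fuzzing of a toy request handler (added example)."""
import random
import sys

# Constructed AFL-style dictionary of tokens a web fuzzer would carry.
DICTIONARY = ["export", "xml", "csv", "<!ENTITY", "' OR 1=1--", "../", "<script>"]

# Constructed benign seed request that reaches none of the deep paths.
SEED_INPUT = "action=list&format=csv&name=report"


class Vulnerable(Exception):
    """Raised by the simulated sink when attacker-controlled data reaches it."""


def target(query):
    """Stand-in for a PHP request handler: parse a query string, then branch."""
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    if params.get("action") != "export":
        return "400 Bad Request"
    fmt = params.get("format", "csv")
    if fmt == "csv":
        return "200 csv"
    if fmt != "xml":
        return "400 Bad Request"
    name = params.get("name", "")
    if "<!ENTITY" in name:
        # Simulated sink: an XML parser fed an attacker-controlled DTD (XXE).
        raise Vulnerable("entity declaration reached the XML parser")
    return "200 xml"


def run_with_coverage(query):
    """Execute target() once; return (set of executed line numbers, crashed?)."""
    executed = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                 # only trace the target's own frame
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(query)
        crashed = False
    except Vulnerable:
        crashed = True
    finally:
        sys.settrace(previous)
    return executed, crashed


def mutate(query, rng):
    """Apply exactly one random mutation and return the new query string."""
    pairs = [pair.split("=", 1) for pair in query.split("&") if "=" in pair]
    op = rng.randrange(4)
    if op == 0 and pairs:               # replace one value with a dictionary token
        pairs[rng.randrange(len(pairs))][1] = rng.choice(DICTIONARY)
    elif op == 1 and pairs:             # splice a token into one value
        i = rng.randrange(len(pairs))
        value = pairs[i][1]
        pos = rng.randrange(len(value) + 1)
        pairs[i][1] = value[:pos] + rng.choice(DICTIONARY) + value[pos:]
    elif op == 2:                       # insert one random printable byte
        pos = rng.randrange(len(query) + 1)
        return query[:pos] + chr(rng.randrange(32, 127)) + query[pos:]
    elif query:                         # delete one byte
        pos = rng.randrange(len(query))
        return query[:pos] + query[pos + 1:]
    return "&".join(f"{key}={value}" for key, value in pairs)


def fuzz(seed, iterations, rng, coverage_guided):
    """Return the first crashing input, or None when the budget runs out.

    coverage_guided=False models a scanner without feedback: each test case is
    one mutation away from the seed.  coverage_guided=True keeps every input
    that executed a not-yet-seen line and mutates from the whole corpus.
    """
    corpus = [seed]
    seen, _ = run_with_coverage(seed)
    for _ in range(iterations):
        parent = rng.choice(corpus) if coverage_guided else seed
        child = mutate(parent, rng)
        executed, crashed = run_with_coverage(child)
        if crashed:
            return child
        if coverage_guided and not executed <= seen:
            seen |= executed            # new line reached: keep the input
            corpus.append(child)
    return None


def compare(iterations=20000, rng_seed=7):
    """Run both strategies with the same budget; map strategy -> crashing input or None."""
    return {
        "black-box": fuzz(SEED_INPUT, iterations, random.Random(rng_seed), False),
        "coverage-guided": fuzz(SEED_INPUT, iterations, random.Random(rng_seed), True),
    }


if __name__ == "__main__":
    for strategy, hit in compare().items():
        print(f"{strategy}: {hit}")
```

Real fuzzers stack several mutations per test case, schedule corpus entries by energy, and track edges rather than lines, so a real black-box scanner is not as helpless as this one-mutation model; the deterministic gap here isolates the single ingredient the talk is about, namely that coverage feedback turns a search over independent guesses into an incremental one.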
Our comparison of PHUZZ with state-of-the-art black-box vulnerability scanners, using a diverse set of artificial and real-world web applications containing known and unknown vulnerabilities, showed surprising results. Not only does PHUZZ outperform the other vulnerability scanners in the number of discovered vulnerabilities, but it also discovers over a dozen new potential vulnerabilities and two 0-days, which we will discuss in our talk. Finally, we will motivate the use of PHUZZ [1] and coverage-guided fuzzing methods to discover web vulnerabilities.
This presentation is based on our academic publication "What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications" [0].
[0] https://dl.acm.org/doi/10.1145/3634737.3661137
[1] https://github.com/gehaxelt/phuzz