BackREST: A Model-Based Feedback-Driven Greybox Fuzzer for Web Applications

08/19/2021
by Francois Gauthier, et al.

Following the advent of American Fuzzy Lop (AFL), fuzzing had a surge in popularity, and modern-day fuzzers range from simple blackbox random input generators to complex whitebox concolic frameworks capable of deep program introspection. Web application fuzzers, however, did not benefit from these tremendous advances in fuzzing for binary programs and remain largely blackbox in nature. This paper introduces BackREST, a fully automated, model-based, coverage- and taint-driven fuzzer that uses its feedback loops to find more critical vulnerabilities, faster (speedups between 7.4x and 25.9x). To model the server side of web applications, BackREST automatically infers REST specifications through directed, state-aware crawling. Comparing BackREST against three other web fuzzers on five large (>500 KLOC) Node.js applications shows that it consistently achieves comparable coverage while reporting more vulnerabilities than the state of the art. Finally, using BackREST, we uncovered nine 0-days, six of which were not reported by any other fuzzer. All the 0-days have been disclosed and most are now public, including two in the highly popular Sequelize and Mongodb libraries.
