CISPA
Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities.

conference contribution
posted on 2024-08-26, 10:51 authored by Emre Güler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp Goerz, Xinyi Xu, Cemal Kaygusuz, Thorsten Holz
Server-side web applications are still predominantly implemented in the PHP programming language. Even today, PHP-based web applications are plagued by many different types of security vulnerabilities, ranging from SQL injection to file inclusion and remote code execution. Automated security testing methods typically focus on static analysis and taint analysis. These methods depend heavily on accurate modeling of the PHP language and often suffer from (potentially many) false positive alerts. Interestingly, dynamic testing techniques such as fuzzing have not gained acceptance in web application testing, even though they avoid these common pitfalls and were rapidly adopted in other domains, e.g., for testing native applications written in C/C++. In this paper, we present ATROPOS, a snapshot-based, feedback-driven fuzzing method tailored for PHP-based web applications. Our approach considers the challenges associated with web applications, such as maintaining session state and generating highly structured inputs. Moreover, we propose a feedback mechanism to automatically infer the key-value structure used by web applications. Combined with eight new bug oracles, each covering a common class of vulnerabilities in server-side web applications, ATROPOS is the first approach to fuzz web applications effectively and efficiently. Our evaluation shows that ATROPOS significantly outperforms the current state of the art in web application testing. In particular, it finds, on average, at least 32% more bugs, while not reporting a single false positive on different test suites. When analyzing real-world web applications, we identify seven previously unknown vulnerabilities that can be exploited even by unauthenticated users.

History

Editor

Balzarotti, D.; Xu, W.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

Usenix Security Symposium (USENIX-Security)

Journal

USENIX Security Symposium

Publisher

USENIX Association

BibTeX

@conference{Güler:Schumilo:Schloegel:Bars:Görz:Xu:Kaygusuz:Holz:2024,
  title     = "Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities.",
  author    = "Güler, Emre and Schumilo, Sergej and Schloegel, Moritz and Bars, Nils and Görz, Philipp and Xu, Xinyi and Kaygusuz, Cemal and Holz, Thorsten",
  editor    = "Balzarotti, Davide and Xu, Wenyuan",
  year      = 2024,
  month     = 1,
  journal   = "USENIX Security Symposium",
  publisher = "USENIX Association"
}
