DOI: 10.1145/3634737.3661137
Research article (Open access), ASIA CCS Conference Proceedings

What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications

Published: 01 July 2024

Abstract

Coverage-guided fuzz testing has received significant attention from the research community, with a strong focus on binary applications, largely disregarding other targets such as web applications. The importance of the World Wide Web in everyone's life cannot be overstated, and to this day, many web applications are developed in PHP. In this work, we address the challenges of applying coverage-guided fuzzing to PHP web applications and introduce Phuzz, a modular fuzzing framework for PHP web applications. Phuzz uses novel approaches to detect more client-side and server-side vulnerability classes than state-of-the-art related work, including SQL injection, remote command injection, insecure deserialization, path traversal, external entity injection, cross-site scripting, and open redirection. We evaluate Phuzz on a diverse set of artificial and real-world web applications with known and unknown vulnerabilities, and compare it against a variety of state-of-the-art fuzzers. To show Phuzz's effectiveness, we fuzz over 1,000 API endpoints of the 115 most popular WordPress plugins, resulting in over 20 security issues and 2 new CVE-IDs. Finally, we make the framework publicly available to motivate and encourage further research on web application fuzz testing.


Published In

ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
July 2024, 1987 pages
ISBN: 9798400704826
DOI: 10.1145/3634737
This work is licensed under a Creative Commons Attribution-NonCommercial International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 01 July 2024

Author Tags

1. PHUZZ
2. coverage-guided fuzzing
3. greybox fuzzing
4. fuzz testing
5. PHP
6. vulnerability discovery
7. web security
8. SQL injection
9. remote command execution
10. cross-site scripting

Qualifiers

• Research-article

Conference

ASIA CCS '24

Acceptance Rates

Overall Acceptance Rate: 418 of 2,322 submissions, 18%

Article Metrics

• Total Citations: 0
• Total Downloads: 492 (last 12 months: 492; last 6 weeks: 176)
Reflects downloads up to 24 Dec 2024