Improving Web Application Vulnerability Detection Leveraging Ensemble Fuzzing

João Caseirito, Ibéria Medeiros

Abstract

The vast majority of online services we use nowadays provide their web application to the users. The correctness of the source code of these applications is crucial to prevent attackers from exploiting its vulnerabilities, leading to severe consequences like the disclosure of sensitive information or the degradation of the availability of the application. Currently, multiple existent solutions analyse and detect vulnerabilities in the source code. Attackers, however, do not usually have access to the source code and must work with the information that is made public. Their goals are clear – exploit vulnerabilities without accessing the code –, and they resort of black-box fuzzing tools to achieve such. In this paper, we propose an ensemble fuzzing approach to check the correctness of the web applications from the point of view of an attacker and, in a posterior phase, analyse the source code to correlate with the collected information. The approach focuses first on the quality of fuzzers’ crawlers and afterwards on fuzzers capabilities of exploiting the results of all crawlers between them, in order to provide better coverage and precision in the detection of web vulnerabilities. Our preliminary results show that the ensemble performs better than fuzzers individually.

Download


Paper Citation


in Harvard Style

Caseirito J. and Medeiros I. (2021). Improving Web Application Vulnerability Detection Leveraging Ensemble Fuzzing. In Proceedings of the 16th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE, ISBN 978-989-758-508-1, pages 405-412. DOI: 10.5220/0010484904050412


in Bibtex Style

@conference{enase21,
author={João Caseirito and Ibéria Medeiros},
title={Improving Web Application Vulnerability Detection Leveraging Ensemble Fuzzing},
booktitle={Proceedings of the 16th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE,},
year={2021},
pages={405-412},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010484904050412},
isbn={978-989-758-508-1},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 16th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE,
TI - Improving Web Application Vulnerability Detection Leveraging Ensemble Fuzzing
SN - 978-989-758-508-1
AU - Caseirito J.
AU - Medeiros I.
PY - 2021
SP - 405
EP - 412
DO - 10.5220/0010484904050412