Web Application Vulnerabilities Mining Method Based on Improved Fuzzing

doi:10.3969/j.issn.1006-2475.2016.08.021

Abstract

Abstract: To solve the problems that slower speed and fewer number of vulnerabilities found of Web fuzzing for mining vulnerabilities, a method to improve the generation of vectors of Web fuzzing is proposed. On the basis of the structure of commonly-used fuzzing for Web application (Web fuzzing) and the analyses of the current methods of testing vectors generation, the genetic algorithm to improve testing vector generation of Web fuzzing is applied. Based on this method, a XSS fuzzing tool is implemented. The testing results of multiple Web applications with XSS fuzzing tool and that with current fuzzing tool are compared, which indicates that the efficiency of mining vulnerability is increased with the method.

Key words: Web security, Web vulnerability, fuzzing, genetic algorithm, test vector

CLC Number:

TP393.08

DA Xiao-wen, WANG Xiao-cheng, CHEN Zhi-hao. Web Application Vulnerabilities Mining Method Based on Improved Fuzzing[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2016.08.021.

References

[1] 陈衍铃,王正. 模糊测试研究进展[J]. 计算机应用与软件, 2011,28(7):291-293.

[2] 中国信息安全测评中心. 信息安全漏洞周报[DB/OL]. http://www.cnnvd.org.cn/news/vulreport#, 2015-12-04.

[3] Miller B P, Fredriksen L, So B. An empirical study of the reliability of Unix utilities[J]. Communications of the ACM, 1990,33(12):32-44.

[4] 彭越. Web脆弱性检测关键技术的研究与系统实现[D]. 北京:北京邮电大学, 2014.

[5] Hammersland R, Snekkenes E. Fuzz Testing of Web Applications[DB/OL]. http://www.aqualab.cs.northwestern.edu/conferences/HotWeb08/papers/Hammersland-FTW.pdf, 2012-12-20.

[6] Bozic J, Garn B, Kapsalis I, et al. Attack pattern-based combinatorial testing with constraints for Web security testing[C]// Proceedings of the 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS). 2015:207-212.

[7] Garn B, Kapsalis I, Simos D E, et al. On the applicability of combinatorial testing to Web application security testing: A case study[C]// Proceedings of the 2014 Workshop on Joining AcadeMiA and Industry Contributions to Test Automation and Model-based Testing. 2014:16-21.

[8] Duchene F, Groz R, Rawat S, et al. XSS vulnerability detection using model inference assisted evolutionary fuzzing[C]// Proceedings of the IEEE 5th International Conference on Software Testing, Verification and Validation. 2012:815-817.

[9] 李彤,黄轩,刘海燕,等. 基于Fuzzing的软件漏洞发掘技术[J]. 价值工程, 2014,33(3):197-199.

[[1]0] Hydara I, Sultan A B M, Zulzalil H, et al. An approach for cross-site scripting detection and removal based on genetic algorithms[C]// Proceedings of the 9th International Conference on Software Engineering Advances. 2014:227-232.

[[1]1] 边霞,米良. 遗传算法理论及其应用研究进展[J]. 计算机应用研究, 2010,27(7):2425-2429.

[[1]2] Srivastava P R, Kim T. Application of genetic algorithm in software testing[J]. International Journal of Software Engineering and Its Applications, 2009,3(4):87-96.

[[1]3] Banković Z, Stepanović D, Bojanić S, et al. Improving network security using genetic algorithm approach[J]. Computers & Electrical Engineering, 2007,33(5-6):438-451.

[[1]4] Islam A B M, Azad A, Alarm K, et al. Security attack detection using genetic algorithm (GA) in policy based network[C]// Proceedings of the 2007 International Conference on Information and Communication Technology. 2007:341-347.

[[1]5] DeMott J D, Enbody R J, Punch W F. Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing[DB/OL]. https://www.blackhat.com/presentations/bh-usa-07/DeMott_Enbody_and_Punch/Whitepaper/bh-usa-07-demott_enbody_and_punch-WP.pdf, 2007-12-20.

[[1]6] Del Grosso C, Antoniol G, Merlo E, et al. Detecting buffer overflow via automatic test input data generation[J]. Computers & Operations Research, 2008,35(10):3125-3143.

[1]	LIU Xian-zhuo, DENG Wei-si, XIE En-yan. Adaptive Protection System for Distribution Network Considering Grid Connection of Distributed Generation [J]. Computer and Modernization, 2023, 0(09): 120-126.
[2]	ZHANG Zhi-xia, XIE Bao-qiang. Natural Gas Load Forecasting Based on FCGA-LSTM and Transfer Learning [J]. Computer and Modernization, 2023, 0(07): 7-12.
[3]	WANG Min, XU Ying-hao, ZHU Xi-jun. Prediction Model of Diabetic Complications Based on BP Neural Network Optimized by Improved Genetic Algorithm#br# [J]. Computer and Modernization, 2022, 0(11): 69-74.
[4]	WANG Yang, CHEN Mei, LI Hui. FOCoR: A Course Recommendation Approach Based on Feature Selection Optimization [J]. Computer and Modernization, 2022, 0(10): 1-7.
[5]	RAN Hao-jie, WANG Hong-zhi. Distribution Center Site Selection of Fresh Agricultural Products Based on Improved Simulated Annealing Algorithm [J]. Computer and Modernization, 2022, 0(10): 36-40.
[6]	ZHAN Jun-wei, ZHUANG Yi. Mobile Edge Computing Task Offloading Model and Algorithm Based on Energy Consumption and Delay Optimization [J]. Computer and Modernization, 2022, 0(08): 86-93.
[7]	WU Dai-yang, ZHAO Jie, LIANG Jia-ming, DONG Zhen-ning, LIANG Zhou-yang. Host Matching for C2C Online Short-term Rentals [J]. Computer and Modernization, 2022, 0(06): 43-48.
[8]	XU Sheng-chao, XIONG Mao-hua. Optimization of Container Cloud Resource Allocation Based on Genetic Algorithm [J]. Computer and Modernization, 2022, 0(01): 108-112.
[9]	XU Ming, ZHANG Jian-ming, CHEN Song-hang, CHEN Hao. Multi-objective Optimization Algorithm for Flexible Job Shop Scheduling Problem [J]. Computer and Modernization, 2021, 0(12): 1-6.
[10]	ZHANG Lin-peng, WANG Xi-yuan, LI Qiang. Image Classification Based on Double-pooling Feature Weighted Convolutional Neural Network [J]. Computer and Modernization, 2021, 0(11): 67-71.
[11]	YANG Xiao-dong. Risk Assessment Model of Accounting Resource Sharing Management Based on Genetic Algorithm [J]. Computer and Modernization, 2021, 0(06): 24-28.
[12]	LIU Jun, PENG Hui-xian, HUANG Bin, Tony SHAY. Breast Cancer Diagnosis Model Based on BP-GamysBoost [J]. Computer and Modernization, 2021, 0(04): 8-14.
[13]	XU Sheng-chao. Using Genetic Algorithm for Virtual Machine Placement Optimization [J]. Computer and Modernization, 2020, 0(12): 25-31.
[14]	WU Hai-wei, WANG Xiao-zhong, ZHU Fa-shun, . A Scheduling Method of Smart Grid Based on Genetic Algorithm [J]. Computer and Modernization, 2020, 0(09): 122-126.
[15]	ZHANG Zhi-wei, GAN Gang. Service Vulnerability Mining of Android System Based on Genetic Algorithm [J]. Computer and Modernization, 2020, 0(08): 114-121.