TY - CONF
T1 - Enemy of the state
T2 - 21st USENIX Security Symposium
AU - Doupé, Adam
AU - Cavedon, Ludovico
AU - Kruegel, Christopher
AU - Vigna, Giovanni
N1 - Funding Information:
This work was supported by the Office of Naval Research (ONR) under Grant N000141210165, the National Science Foundation (NSF) under grant CNS-1116967, and by Secure Business Austria.
Publisher Copyright:
Copyright © 2019 21st USENIX Security Symposium. All rights reserved.
PY - 2012
Y1 - 2012
N2 - Black-box web vulnerability scanners are a popular choice for finding security vulnerabilities in web applications in an automated fashion. These tools operate in a point-and-shoot manner, testing any web application—regardless of the server-side language—for common security vulnerabilities. Unfortunately, black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions that can change the application’s state. If a vulnerability analysis tool does not take into account changes in the web application’s state, it might overlook vulnerabilities or completely miss entire portions of the web application. We propose a novel way of inferring the web application’s internal state machine from the outside—that is, by navigating through the web application, observing differences in output, and incrementally producing a model representing the web application’s state. We utilize the inferred state machine to drive a black-box web application vulnerability scanner. Our scanner traverses a web application’s state machine to find and fuzz user-input vectors and discover security flaws. We implemented our technique in a prototype crawler and linked it to the fuzzing component from an open-source web vulnerability scanner. We show that our state-aware black-box web vulnerability scanner is able to not only exercise more code of the web application, but also discover vulnerabilities that other vulnerability scanners miss.
AB - Black-box web vulnerability scanners are a popular choice for finding security vulnerabilities in web applications in an automated fashion. These tools operate in a point-and-shoot manner, testing any web application—regardless of the server-side language—for common security vulnerabilities. Unfortunately, black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions that can change the application’s state. If a vulnerability analysis tool does not take into account changes in the web application’s state, it might overlook vulnerabilities or completely miss entire portions of the web application. We propose a novel way of inferring the web application’s internal state machine from the outside—that is, by navigating through the web application, observing differences in output, and incrementally producing a model representing the web application’s state. We utilize the inferred state machine to drive a black-box web application vulnerability scanner. Our scanner traverses a web application’s state machine to find and fuzz user-input vectors and discover security flaws. We implemented our technique in a prototype crawler and linked it to the fuzzing component from an open-source web vulnerability scanner. We show that our state-aware black-box web vulnerability scanner is able to not only exercise more code of the web application, but also discover vulnerabilities that other vulnerability scanners miss.
UR - http://www.scopus.com/inward/record.url?scp=84881265992&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84881265992&partnerID=8YFLogxK
M3 - Paper
AN - SCOPUS:84881265992
SP - 523
EP - 538
Y2 - 8 August 2012 through 10 August 2012
ER -