Enemy of the state: A state-aware black-box web vulnerability scanner

Adam Doupé, Ludovico Cavedon, Christopher Kruegel, Giovanni Vigna

Research output: Contribution to conference › Paper › peer-review

112 Scopus citations

Abstract

Black-box web vulnerability scanners are a popular choice for finding security vulnerabilities in web applications in an automated fashion. These tools operate in a point-and-shoot manner, testing any web application—regardless of the server-side language—for common security vulnerabilities. Unfortunately, black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions that can change the application’s state. If a vulnerability analysis tool does not take into account changes in the web application’s state, it might overlook vulnerabilities or completely miss entire portions of the web application. We propose a novel way of inferring the web application’s internal state machine from the outside—that is, by navigating through the web application, observing differences in output, and incrementally producing a model representing the web application’s state. We utilize the inferred state machine to drive a black-box web application vulnerability scanner. Our scanner traverses a web application’s state machine to find and fuzz user-input vectors and discover security flaws. We implemented our technique in a prototype crawler and linked it to the fuzzing component from an open-source web vulnerability scanner. We show that our state-aware black-box web vulnerability scanner is able to not only exercise more code of the web application, but also discover vulnerabilities that other vulnerability scanners miss.

Original language: English (US)
Pages: 523-538
Number of pages: 16
State: Published - 2012
Externally published: Yes
Event: 21st USENIX Security Symposium - Bellevue, United States
Duration: Aug 8 2012 - Aug 10 2012

Conference

Conference: 21st USENIX Security Symposium
Country/Territory: United States
City: Bellevue
Period: 8/8/12 - 8/10/12

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality
