Fuzzing Frameworks for Server-side Web Applications: A Survey
- URL: http://arxiv.org/abs/2406.03208v1
- Date: Wed, 5 Jun 2024 12:45:02 GMT
- Title: Fuzzing Frameworks for Server-side Web Applications: A Survey
- Authors: I Putu Arya Dharmaadi, Elias Athanasopoulos, Fatih Turkmen
- Abstract summary: This study reviews the state-of-the-art fuzzing frameworks for testing web applications through web API.
We collect papers from seven online repositories of peer-reviewed articles over the last ten years.
- Score: 3.522950356329991
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: There are around 5.3 billion Internet users, amounting to 65.7% of the global population, and web technology is the backbone of the services delivered via the Internet. To ensure web applications are free from security-related bugs, web developers test the server-side web applications before deploying them to production. The tests are commonly conducted through the interfaces (i.e., Web API) that the applications expose since they are the entry points to the application. Fuzzing is one of the most promising automated software testing techniques suitable for this task; however, the research on (server-side) web application fuzzing has been rather limited compared to binary fuzzing which is researched extensively. This study reviews the state-of-the-art fuzzing frameworks for testing web applications through web API, identifies open challenges, and gives potential future research. We collect papers from seven online repositories of peer-reviewed articles over the last ten years. Compared to other similar studies, our review focuses more deeply on revealing prior work strategies in generating valid HTTP requests, utilising feedback from the Web Under Tests (WUTs), and expanding input spaces. The findings of this survey indicate that several crucial challenges need to be solved, such as the ineffectiveness of web instrumentation and the complexity of handling microservice applications. Furthermore, some potential research directions are also provided, such as fuzzing for web client programming. Ultimately, this paper aims to give a good starting point for developing a better web fuzzing framework.
Related papers
- Beyond Browsing: API-Based Web Agents [58.39129004543844]
API-based agents outperform web browsing agents in experiments on WebArena.
Hybrid Agents out-perform both others nearly uniformly across tasks.
Results strongly suggest that when APIs are available, they present an attractive alternative to relying on web browsing alone.
arXiv Detail & Related papers (2024-10-21T19:46:06Z)
- No Peer, no Cry: Network Application Fuzzing via Fault Injection [19.345967816562364]
We propose a fundamentally different approach that relies on fault injection rather than modifying messages.
We show that Fuzztruction-Net outperforms other fuzzers in terms of coverage and bugs found.
Overall, Fuzztruction-Net uncovered 23 new bugs in well-tested software, such as the web servers Nginx and Apache HTTPd and the OpenSSH client.
arXiv Detail & Related papers (2024-09-02T08:35:55Z)
- FuzzTheREST: An Intelligent Automated Black-box RESTful API Fuzzer [0.0]
This work introduces a black-box API fuzzy testing tool that employs Reinforcement Learning (RL) for vulnerability detection.
The tool found a total of six unique vulnerabilities and achieved 55% code coverage.
arXiv Detail & Related papers (2024-07-19T14:43:35Z)
- What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications [5.169724825219126]
We introduce PHUZZ, a modular fuzzing framework for PHP web applications.
PHUZZ uses novel approaches to detect more client-side and server-side vulnerability classes than state-of-the-art related work.
We fuzz over 1,000 API endpoints of the 115 most popular WordPress plugins, resulting in over 20 security issues and 2 new CVE-IDs.
arXiv Detail & Related papers (2024-06-10T13:43:07Z)
- Artificial Intelligence for Web 3.0: A Comprehensive Survey [76.06151253928171]
We explore the current development state of Web 3.0 and the application of AI Technology in Web 3.0.
Our investigation delves into the major challenges and issues present in each of these layers.
We illustrate the crucial role of AI in the foundation and growth of Web 3.0.
arXiv Detail & Related papers (2023-08-17T12:36:01Z)
- A Real-World WebAgent with Planning, Long Context Understanding, and Program Synthesis [69.15016747150868]
We introduce WebAgent, an agent that learns from self-experience to complete tasks on real websites.
WebAgent plans ahead by decomposing instructions into canonical sub-instructions, summarizes long HTML documents into task-relevant snippets, and acts on websites.
We empirically demonstrate that our modular recipe improves the success on real websites by over 50%, and that HTML-T5 is the best model to solve various HTML understanding tasks.
arXiv Detail & Related papers (2023-07-24T14:56:30Z)
- Neural Embeddings for Web Testing [49.66745368789056]
Existing crawlers rely on app-specific, threshold-based, algorithms to assess state equivalence.
We propose WEBEMBED, a novel abstraction function based on neural network embeddings and threshold-free classifiers.
Our evaluation on nine web apps shows that WEBEMBED outperforms state-of-the-art techniques by detecting near-duplicates more accurately.
arXiv Detail & Related papers (2023-06-12T19:59:36Z)
- EDEFuzz: A Web API Fuzzer for Excessive Data Exposures [3.5061201620029885]
Excessive Data Exposure (EDE) was the third most significant API vulnerability of 2019.
There are few automated tools -- either in research or industry -- to effectively find and remediate such issues.
We build the first fuzzing tool -- that we call EDEFuzz -- to systematically detect EDEs.
arXiv Detail & Related papers (2023-01-23T04:05:08Z)
- From Symbols to Embeddings: A Tale of Two Representations in Computational Social Science [77.5409807529667]
The study of Computational Social Science (CSS) is data-driven and significantly benefits from the availability of online user-generated contents and social networks.
To explore the answer, we give a thorough review of data representations in CSS for both text and network.
We present the applications of the above representations based on the investigation of more than 400 research articles from 6 top venues involved with CSS.
arXiv Detail & Related papers (2021-06-27T11:04:44Z)
- Towards an ontology of HTTP interactions [0.0]
HTTP remains at the heart of all Web developments.
A proposal for an RDF vocabulary exists.
We propose to adapt and extend it for making it more reusable.
arXiv Detail & Related papers (2020-07-20T08:38:36Z)
- Mining Implicit Relevance Feedback from User Behavior for Web Question Answering [92.45607094299181]
We make the first study to explore the correlation between user behavior and passage relevance.
Our approach significantly improves the accuracy of passage ranking without extra human labeled data.
In practice, this work has proved effective to substantially reduce the human labeling cost for the QA service in a global commercial search engine.
arXiv Detail & Related papers (2020-06-13T07:02:08Z)
This list is automatically generated from the titles and abstracts of the papers in this site.