Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities

Authors: 

Emre Güler and Sergej Schumilo, Ruhr University Bochum; Moritz Schloegel, Nils Bars, Philipp Görz, and Xinyi Xu, CISPA Helmholtz Center for Information Security; Cemal Kaygusuz, Ruhr University Bochum; Thorsten Holz, CISPA Helmholtz Center for Information Security

Abstract: 

Server-side web applications are still predominantly implemented in the PHP programming language. Even nowadays, PHP-based web applications are plagued by many different types of security vulnerabilities, ranging from SQL injection to file inclusion and remote code execution. Automated security testing methods typically focus on static analysis and taint analysis. These methods are highly dependent on accurate modeling of the PHP language and often suffer from (potentially many) false positive alerts. Interestingly, dynamic testing techniques such as fuzzing have not gained acceptance in web applications testing, even though they avoid these common pitfalls and were rapidly adopted in other domains, e. g., for testing native applications written in C/C++.

In this paper, we present ATROPOS, a snapshot-based, feedback-driven fuzzing method tailored for PHP-based web applications. Our approach considers the challenges associated with web applications, such as maintaining session state and generating highly structured inputs. Moreover, we propose a feedback mechanism to automatically infer the key-value structure used by web applications. Combined with eight new bug oracles, each covering a common class of vulnerabilities in server-side web applications, ATROPOS is the first approach to fuzz web applications effectively and efficiently. Our evaluation shows that ATROPOS significantly outperforms the current state of the art in web application testing. In particular, it finds, on average, at least 32% more bugs, while not reporting a single false positive on different test suites. When analyzing real-world web applications, we identify seven previously unknown vulnerabilities that can be exploited even by unauthenticated users.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {294506,
author = {Emre G{\"u}ler and Sergej Schumilo and Moritz Schloegel and Nils Bars and Philipp G{\"o}rz and Xinyi Xu and Cemal Kaygusuz and Thorsten Holz},
title = {Atropos: Effective Fuzzing of Web Applications for {Server-Side} Vulnerabilities},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {4765--4782},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/g{\"u}ler},
publisher = {USENIX Association},
month = aug
}

Presentation Video