PHP is still the dominant programming language on the web: three-quarters of all websites are based on the scripting language, since they use PHP-based content management systems such as WordPress, Drupal or Joomla. Vulnerabilities in plugins and themes can give attackers access to sensitive data. At the 38th Chaos Communication Congress (38C3), Sebastian Neef, a PhD student at the chair of Security in Telecommunications at TU Berlin, presented “Fuzz”, a coverage-guided fuzzing framework aimed specifically at PHP web applications. Its purpose is to help both developers and security researchers find and fix vulnerabilities quickly.
Security researchers use fuzzing to uncover vulnerabilities at an early stage: programs are tested automatically with large numbers of random inputs in order to discover unexpected behaviour and thus potential security risks. Well-known examples are OSS-Fuzz, developed by Google for testing open source software, as well as American Fuzzy Lop (AFL) and its fork AFL++. Unlike these tools, which focus primarily on binary applications, Fuzz is designed specifically for the needs of modern web applications.
Overview of the “fuzz” framework architecture
(Image: Sebastian Neef et al., TU Berlin)
“Coverage-guided” approach optimizes the fuzzing process
According to Neef, what sets Fuzz apart is its coverage-guided approach: the framework analyzes which code regions the test inputs reach and steers the generation of further tests accordingly. Unlike other tools such as Webfuzz, Cephuzz, Witcher or Atropos, the source code of the application under test does not have to be modified, the developer says.
Fuzz is designed to detect seven types of vulnerabilities: SQL injection, command injection, external entity (XXE) injection, path traversal, insecure deserialization, cross-site scripting, and open redirection. For instrumentation, the framework uses the open source PHP extensions uopz, pcov and xdebug. Thanks to its support for parallel fuzzing with multiple instances, Fuzz finds more server-side vulnerabilities than traditional black-box fuzzers, Neef said.
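To make the coverage-guided loop from the two paragraphs above concrete, here is a small, self-contained example written for this article; it is not code from Fuzz or from Neef's paper. A constructed Python function `handler()` stands in for a PHP request handler with a path-traversal bug that is only reachable once two other parameters hold the right values. `sys.settrace` plays the role that pcov/xdebug play for PHP code (which lines did an input reach?), and the check inside `read_file_sink()` stands in for a runtime hook on a dangerous function (the role uopz plays in PHP). The token dictionary, parameter names and sink are all assumptions chosen for the demonstration.

```python
import random
import sys

# Constructed stand-in for a request handler in a PHP plugin. The bug (path
# traversal through the "name" parameter) is only reachable once two other
# parameters have the right values, which is what makes coverage feedback useful.
SINK_HITS = []  # arguments that reached the file-system sink during the current run


def read_file_sink(path):
    """Stand-in for a file sink such as file_get_contents(). A coverage-guided
    web fuzzer hooks such functions at runtime (the uopz extension plays that
    role in PHP); here the "hook" is simply a check for a traversal sequence."""
    if ".." in path:
        SINK_HITS.append(path)
    return "<contents of %s>" % path


def handler(params):
    action = params.get("action", "")
    if action != "export":
        return "unknown action"
    fmt = params.get("format", "")
    if fmt not in ("csv", "json"):
        return "bad format"
    name = params.get("name", "")
    if not name:
        return "missing name"
    return read_file_sink("exports/" + name + "." + fmt)


def run_with_coverage(params):
    """Run handler() once and return the set of its line numbers that executed.
    sys.settrace is the stand-in for line-coverage instrumentation (pcov/xdebug)."""
    covered = set()

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is handler.__code__:
            covered.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        handler(params)
    finally:
        sys.settrace(previous)
    return covered


# Hypothetical token dictionary; a real fuzzer harvests such strings from the
# target's own constants and from payload lists for each vulnerability class.
KEYS = ["action", "format", "name", "id"]
TOKENS = ["export", "csv", "json", "../", "a", "1", ""]


def mutate(params, rng):
    """Apply one random change to a copy of a query-parameter dict."""
    child = dict(params)
    key = rng.choice(KEYS)
    op = rng.choice(["set", "drop", "append"])
    if op == "set":
        child[key] = rng.choice(TOKENS)
    elif op == "drop":
        child.pop(key, None)
    else:
        child[key] = child.get(key, "") + rng.choice(TOKENS)
    return child


def fuzz(iterations=20000, seed=1):
    """Coverage-guided loop: an input joins the corpus only if it reaches lines
    that no earlier input reached. Stops at the first sink hit."""
    rng = random.Random(seed)
    corpus = [{}]
    total_coverage = set()
    for i in range(1, iterations + 1):
        SINK_HITS.clear()
        child = mutate(rng.choice(corpus), rng)
        coverage = run_with_coverage(child)
        if not coverage <= total_coverage:  # new lines reached: keep as a parent
            total_coverage |= coverage
            corpus.append(child)
        if SINK_HITS:
            return {"finding": child, "sink_arg": SINK_HITS[0], "iterations": i,
                    "corpus_size": len(corpus), "covered_lines": len(total_coverage)}
    return {"finding": None, "iterations": iterations,
            "corpus_size": len(corpus), "covered_lines": len(total_coverage)}


if __name__ == "__main__":
    print(fuzz())
```

The point the example makes is the one the article attributes to Fuzz: a single random mutation from an empty request never reaches the sink, because the handler bails out on the `action` and `format` checks first. Keeping every input that reaches new lines lets the fuzzer climb those checks one at a time, so the traversal in `name` is found after a few hundred iterations instead of relying on a lucky three-parameter guess; a black-box fuzzer without coverage feedback has no way to recognise that `action=export` was progress.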
More successful than “black box fuzzer” in PHP
In tests on 183 popular WordPress plugins with over 300,000 active installations combined, Fuzz identified 1,019 API endpoints and discovered several previously unknown vulnerabilities, including two confirmed zero-days: a CSRF vulnerability in the Popup Builder plugin and a local file inclusion vulnerability in another plugin.
Currently, Fuzz can handle multi-step and stateful actions only to a limited extent, and with uopz it cannot hook into PHP language constructs (such as eval, include). Performance also still lags behind binary fuzzing and could be optimized. Neef has released the Fuzz framework as Dockerized, modular open source software on GitHub and invites others to contribute.
More details on how it works can be found in the research paper, published under open access, and in the 38C3 lecture recording.
(VJA)