2013 International Conference on Information Technology and Applications

The Application of Fuzzing in Web Software Security Vulnerability Testing

Li Li, Qiu Dong, Leilei Zhu, Dan Liu

Changchun University of Science and Technology, Changchun, China (869402720@qq.com)
Changchun Vocational Institute of Technology, Changchun, China (xiaozhu4439@163.com)

Abstract—Web applications need extensive testing before deployment and use, so that security vulnerabilities are detected early and the security quality of the software is improved. The purpose of this paper is to research the application of fuzzing to security vulnerabilities. This article first introduces the common Web software security vulnerabilities, then provides a comprehensive overview of fuzzing technology, and then uses the fuzzing tool Webfuzz to carry out software vulnerability testing, that is, to test whether a security hole exists in the software. The test results show that fuzzing is suitable for software security vulnerability testing, but this methodology applies only to the security research field and is still insufficient for software security vulnerability detection.

Keywords—Web software security vulnerabilities; Fuzzing; Webfuzz

I. INTRODUCTION

With the rapid development of Internet technology and the wide application of electronic commerce, Web-based software applications have gradually become one of the mainstream kinds of software. Because Web software is so widely deployed, Web security issues have gradually been exposed: security vulnerabilities in the software leave it open to various attacks, resulting in information disclosure or system damage and causing huge losses [1]. The causes of Web software security vulnerabilities are, on the one hand, inexperienced developers who do not focus enough on software security and, on the other hand, the lack of comprehensive and complete security testing.

Fuzzing is defined as a method that finds vulnerabilities by synthesis; it is effective at discovering key vulnerabilities in a product that cannot be found by audit methods. The fuzzing process intentionally feeds invalid data to the product in order to trigger error conditions or cause the software or product to fail. In this paper we combine fuzzing with the fuzzing tool Webfuzz to fuzz Web software and test whether security vulnerabilities are present.

II. WEB SOFTWARE SECURITY VULNERABILITIES

A vulnerability is a functional or security-logic defect existing in a computer system, including any factor that can threaten or damage the security of the computer system; it is a defect or deficiency in the specific implementation of the system's hardware, software, protocols, or security policy. The existence of software security vulnerabilities leaves software open to illegal intrusion and attack and poses an enormous threat to information security. Here are some common types of vulnerability [2].

A. Directory traversal vulnerability

A directory traversal vulnerability, also called an unauthorized file inclusion vulnerability, arises when the program does not filter directory-jump operators such as ../ and ./ from user input, so that a malicious user can gain unauthorized access to sensitive data such as the web site's configuration files and core files, leading to a risk of leakage. Directory traversal vulnerabilities are typically found where a file name is submitted through a parameter, such as file reading or picture display. Interactive data therefore needs to be filtered more carefully.

If the site administrator does not shut down the web server's automatic directory listing or redirect such requests to a default resource (such as a page named index.html), it is easy to obtain a complete list of the files in a web server directory: adding a slash (/) after the address in the browser's URL bar displays all the contents of that directory. When IIS opens a file whose name contains Unicode-encoded characters, it decodes them; if the user supplies specially crafted encodings, IIS may incorrectly open or execute files outside the web root directory.

B. SQL Injection Vulnerability

SQL injection is the insertion of SQL commands with a particular purpose into a Web form, the input field of a domain name, or the query string of a page request, through key variables, ultimately deceiving the server into executing malicious SQL commands. The vulnerability, in which SQL statements inserted into the input data by the user change the structure of the SQL statement that the software generates dynamically and cause the software to execute in error, is called a SQL injection vulnerability. The causes of SQL injection vulnerabilities are, on one hand, the rapid growth of dynamic web pages backed by relational databases and, on the other hand, the unsafe SQL coding practices that most textbooks teach. SQL injection vulnerabilities can lead to leakage of database information, web sites being implanted with Trojans, spreading of malware, remote control of the server, destruction of hard disk data, and so on.

The key to solving the problem of SQL injection is to carry out a strict examination of all data that may come from user input, and to apply the principle of least privilege to the database configuration. All queries should use the parameterized query interface provided by the database; special characters that reach the database (' " \ angle brackets & * etc.) should be transformed or encoded; the data length should be strictly limited; the database operation privileges of the web user should be strictly limited; and before the site is released, it is recommended to use a professional SQL injection testing tool to test for, and promptly repair, SQL injection vulnerabilities.

978-1-4799-2876-7/13 $31.00 © 2013 IEEE 130
DOI 10.1109/ITA.2013.36
C. Cross-site scripting (XSS) vulnerability

XSS, also called CSS (Cross Site Script), the cross-site scripting attack, refers to a malicious attacker inserting malicious HTML code into a Web page; when users browse the page, the HTML code embedded in the page is executed, which allows the attacker to control the displayed contents of the Web page or to perform certain actions on the attacker's behalf. It can be used for stealing private data, phishing and other malicious attacks. The technologies used in XSS attacks are mainly HTML and JavaScript.

XSS attacks are mainly divided into two categories. The first is internal attacks, which mainly use a vulnerability in the Web application itself: a special string is submitted so that the cross-site page exists directly on the attacked site; this string is called a cross-site statement. The other category is external attacks, which mainly construct the attacker's own XSS cross-site page or find a web page with a cross-site vulnerability outside the target.

III. FUZZING

Fuzzing is a method of discovering software vulnerabilities by offering unexpected input to the target system and monitoring for abnormal results. Fuzzing is generally an automatic or semi-automatic process that repeatedly manipulates the target software and feeds it data to process. The main applications of fuzzing are finding security vulnerabilities in file formats, network protocols and Web software.

A. Fuzzing process

The fuzzing process can be divided into six stages: identify target, recognize input, generate fuzzing data, perform fuzzing data, monitor abnormalities, and determine availability [3], as shown in Table 1.

In recognizing the target application, testers need to investigate the security vulnerabilities that have historically been found in connection with the developers, which helps to find further security vulnerabilities. After choosing the target application, a specific object file or library must also be selected from the application. Any input sent to the target application from the client should be considered an input vector, and any of them may be a fuzz test variable. In the process of generating fuzz test data, whether to use predetermined values, how to mutate existing data, or how to generate the data dynamically are decisions that depend on the target application and its data format. Monitoring can take various forms and should not depend on the target application and the chosen type of fuzz test.

Regardless of the type of fuzzing, all the stages shown in Table 1 should be considered. Only the determine-availability stage may be an exception; the order and emphasis of the various stages can be changed in accordance with the researcher's objectives.

TABLE 1 FUZZING PROCESS

No.  Stage name              Stage task
1    Identify target         Select the target application and see what kinds of vulnerabilities exist
2    Recognize input         Recognize the program's input vectors, including headers, environment variables, etc.
3    Generate fuzzing data   According to the target application, choose the appropriate method to insert fuzz variables and generate data
4    Perform fuzzing data    Send data packets to the target application, open a file or launch a target process; this process should be automated
5    Monitor abnormality     Record abnormal or faulty tests
6    Determine availability  Manual process: determine whether the detected exceptions or failures can be further used

B. Fuzzing methods

An important part of the fuzzing method of discovering software vulnerabilities is generating the fuzz test cases, which involves using a fuzzer. There are two types of fuzzer: mutation-based fuzzers and generation-based fuzzers, and these two types can be further divided into the following five categories.

• Pre-generated test cases. This approach begins by studying the data structures supported by the target and the acceptable range of values for each data structure, then creates the test cases by testing boundary values or forcing violations of the rules. Test cases generated this way are highly reusable, but no automatic generation mechanism is introduced.

• Random method. The random method uses a simple mechanism to generate large amounts of pseudo-random data, feeds it to the software under test and observes the test results. It can be used for a rapid security estimate of the target software; its disadvantage is that it is difficult to trace back the cause of a software exception when the server crashes [4].

• Manual protocol mutation test. This method does not require an automated fuzzer. After the target program is loaded, the tester directly inputs data that does not conform to expectations and observes whether there is a crash or unexpected behaviour. The tester can create effective test cases from their own experience.

• Mandatory mutation test. After obtaining a valid protocol or data format sample, the fuzzer continually disrupts the file byte by byte, word by word, double word by double word or string by string. The test can complete the whole process of test data generation and transmission automatically; its disadvantage is that it is not efficient enough.

• Automatic protocol generation test. This method is a more advanced kind of mandatory testing: testers create a grammar that describes how the protocol works. Packets are divided into static and dynamic parts, the dynamic parts being the fuzz variables, and the fuzzer generates test cases by analysing the grammar. This method can improve the effectiveness of fuzzing, but some time has to be spent on preparatory study of the grammar or data format.
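The six stages of Table 1 and the pre-generated and mutation-based categories of section III.B, applied to the directory traversal defect of section II.A, as an added example (not code from the paper or from Webfuzz). The toy file-serving handler, its hardened counterpart, the sample site layout (wwwroot/login.aspx next to a conf/web.config that must never be served) and the traversal payloads are all constructed here; the monitor flags the same symptom the paper reads from Webfuzz's output, a 200 for a path that is not inside the web root.

```python
"""Added example (not from the paper): a small mutation-based fuzz harness
that walks the stages of Table 1 against a toy file-serving handler and
flags the directory traversal symptom of section II.A (a file outside the
web root answered with 200), beside a hardened handler. The site layout,
the handlers and the payloads are all constructed for this example."""
import os
import random
import tempfile
from urllib.parse import unquote


def build_site() -> str:
    """Constructed sample site: wwwroot/login.aspx plus conf/web.config,
    which sits OUTSIDE the web root and must never be served."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "wwwroot")
    os.makedirs(root)
    os.makedirs(os.path.join(base, "conf"))
    with open(os.path.join(root, "login.aspx"), "w", encoding="utf-8") as fh:
        fh.write("<html>login</html>")
    with open(os.path.join(base, "conf", "web.config"), "w", encoding="utf-8") as fh:
        fh.write("<connectionStrings>secret</connectionStrings>")
    return root


def serve_vulnerable(root: str, name: str) -> tuple[int, str]:
    """Joins the decoded file parameter onto the web root without
    filtering ../ and ./, the defect section II.A describes."""
    path = os.path.join(root, unquote(name))
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            return 200, fh.read()
    return 404, ""


def serve_hardened(root: str, name: str) -> tuple[int, str]:
    """Resolves the requested path and refuses anything that escapes the
    web root (403): the filtering of interactive data section II.A asks for."""
    decoded = unquote(name)
    if "\x00" in decoded:
        return 400, ""
    real_root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(real_root, decoded))
    if os.path.commonpath([real_root, path]) != real_root:
        return 403, ""
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            return 200, fh.read()
    return 404, ""


# Stage 3, pre-generated test cases: boundary forms of the traversal operators.
PREGENERATED = [
    "login.aspx",                 # valid sample, expected 200
    "xxx.aspx",                   # nonexistent file, expected 404
    "../conf/web.config",
    "..%2fconf%2fweb.config",     # URL-encoded slash
    "%2e%2e/conf/web.config",     # URL-encoded dots
    "./../conf/web.config",
    "../wwwroot/login.aspx",      # leaves and re-enters the root: not a finding
]
TOKENS = ["../", "./", "..%2f", "%2e%2e/", "..\\"]


def mutate(rng: random.Random) -> str:
    """Stage 3, mutation-based: splice traversal tokens in front of a name."""
    prefix = "".join(rng.choice(TOKENS) for _ in range(rng.randint(1, 4)))
    return prefix + rng.choice(["login.aspx", "conf/web.config", "xxx.aspx"])


def fuzz(handler, root: str, rounds: int = 40, seed: int = 7) -> list[dict]:
    """Stages 4 and 5: send every case and record crashes, or a 200 whose
    resolved path lies outside the web root. Stage 6 (deciding what a
    finding is worth) stays manual, as in Table 1."""
    rng = random.Random(seed)
    real_root = os.path.realpath(root)
    cases = PREGENERATED + [mutate(rng) for _ in range(rounds)]
    findings = []
    for case in cases:
        try:
            status, _ = handler(root, case)
        except Exception as exc:  # any crash of the target is itself a finding
            findings.append({"case": case, "status": None, "reason": repr(exc)})
            continue
        landed = os.path.realpath(os.path.join(real_root, unquote(case)))
        if status == 200 and os.path.commonpath([real_root, landed]) != real_root:
            findings.append({"case": case, "status": status,
                             "reason": "200 for a path outside the web root"})
    return findings


if __name__ == "__main__":
    site = build_site()
    for label, handler in (("vulnerable", serve_vulnerable), ("hardened", serve_hardened)):
        found = fuzz(handler, site)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  ", finding)
```

The monitor does not trust the handler's status code alone: it recomputes where the requested path resolves and only reports a 200 that lands outside the root, so a case like ../wwwroot/login.aspx that leaves and re-enters the root is correctly ignored. The hardened handler canonicalises with realpath before the containment check, which is what defeats the encoded variants (..%2f, %2e%2e) once the server has decoded them.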
C. Fuzzing tools

Currently, several fuzzing tools are prevalent in commercial Web application testing, for example the SPI fuzzer and Webfuzz developed by SPI Dynamics. The SPI fuzzer enables users to completely control the raw HTTP requests used by the fuzzing. In comparison, Webfuzz provides a framework for creating effective analyses for testing Web software. Besides, WebScarab, developed by OWASP, can assign fuzz values directly to Web application parameters. See Table 2.

TABLE 2 WEB APPLICATION FUZZING TOOLS CONTRAST

Name        Development language  Visualization  Vulnerability type  Expandability   Degree of automation
SPI fuzzer  C#                    Yes            General             Comprehensive   Bad
Webfuzz     C#                    Yes            General             Comprehensive   Bad
WebScarab   Java                  Yes            Single              General         Bad

In this paper we chose Webfuzz as the fuzz testing tool. Webfuzz's development was inspired by the commercial SPI fuzzer; it is not an easy-to-use tool intended entirely for security work, it is just a tool that automates processing that was previously done manually. The end user can use the tool to develop effective tests and analyse the test results. The tool should be regarded as a research starting point, not the final solution.

IV. EXPERIMENTS

When we fuzz Web software with Webfuzz, an HTTP request needs to be sent. The tester, as the end user, should be allowed to fuzz any detail of the original request. A basic Webfuzz request includes fields such as target host, TCP port, timeout and request headers. A fuzz variable is the detail of a request that is fuzzed; it can be added directly into the original request and is identified by a variable name in square brackets ([SQL], for example). The responses captured by Webfuzz are always saved in their original format so that users can display them flexibly in several different ways and view the HTML in a Web browser.

A. Directory traversal vulnerability test

For this vulnerability test we selected a self-made simulation of a simple ASP.NET login procedure, published to the local area network using IIS, with the host IP address set to 192.168.99.155, the port number 8081 and the login page named login.aspx. Using Webfuzz's default GET method, we replaced Login.aspx with a fuzz variable xxx.aspx that does not actually exist among the web site's files, and added the fuzz variable [Traversal] to the request line of the request headers, so the Request Headers are as shown in Fig. 1.

Fig. 1. Request Headers information

Clicking the Request button sends these requests to the web page; Webfuzz tests the web page automatically, and we obtain the responses shown in Fig. 2.

Fig. 2. Result in Responses

In the test results, line 0 with status code 200 represents a successful connection to the server; line 1 with status code 404 represents that the xxx.aspx file was not found; line 3 with status code 403 represents forbidden access; line 2 with status code 200 represents that the xxx.aspx file, which does not exist in the system, was found, so we can see that a directory traversal vulnerability is present in this web site.

B. SQL injection vulnerability test

With the host IP address set to 192.168.99.155 and the port number 8081, the Login.aspx file contains a piece of code with a SQL injection vulnerability:

    string userID = this.UserIdTxt.Text.ToString();
    string Pwd = this.PwdTxt.Text.ToString();
    string sqlStr = String.Format("select count(*) from UserInfo where UserId='{0}' and Pwd='{1}'", userID, Pwd);

In the code above, the text boxes used to obtain the user name and password do not perform any input processing; the input strings are passed to the parameters directly, and these unprocessed parameters are then used to query the database.

First, using the LiveHTTPHeaders plugin in Firefox, we captured the POST request sent at login and inserted the fuzz variables, changing UserIdTxt=wja&PwdTxt=wja to UserIdTxt=[SQL]&PwdTxt= as the data for fuzzing. Second, we changed the URL of the Web form submitted by the GET method in the Request Headers, as shown in Fig. 3.

Fig. 3. Request Headers information

Clicking the Request button sends these requests to the web page; Webfuzz tests the web page automatically, and we obtain the responses shown in Fig. 4.

Fig. 4. SQL injection test results

In the figure, line 18 with status code 200 means that the condition '1'='1' could successfully submit the fuzz data; line 19 with status code 400 means that the condition '1'='2' produced an access error; combined with the principle of SQL injection, we can conclude that the site has a SQL injection vulnerability, and line 20 with status code 200 fully proves this point.
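The Login.aspx query above rebuilt in Python over an in-memory SQLite database, as an added example (not the paper's code): the String.Format style of query sits beside the parameterized form that section II.B recommends, and a small probe applies the paper's reading of Fig. 4 (a '1'='1' condition answered differently from a '1'='2' condition) to each form. The UserInfo table, the wja account and all inputs are constructed for this example.

```python
"""Added example (not the paper's code): the Login.aspx query from
section IV.B rebuilt over an in-memory SQLite database, with the
string-formatted form beside the parameterized form that section II.B
recommends, plus the true/false condition comparison the paper uses to
read Webfuzz's results. The UserInfo table and all inputs are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed UserInfo table holding the single account the paper logs in with."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (UserId TEXT, Pwd TEXT)")
    conn.execute("INSERT INTO UserInfo VALUES ('wja', 'wja')")
    return conn


def login_formatted(conn: sqlite3.Connection, user_id: str, pwd: str) -> int:
    """Mirrors String.Format(...) in Login.aspx: the inputs become SQL text."""
    sql = ("select count(*) from UserInfo "
           "where UserId='{0}' and Pwd='{1}'").format(user_id, pwd)
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn: sqlite3.Connection, user_id: str, pwd: str) -> int:
    """Same query through the parameterized interface: inputs are bound as
    values, so quotes and keywords inside them never reach the SQL parser."""
    sql = "select count(*) from UserInfo where UserId=? and Pwd=?"
    return conn.execute(sql, (user_id, pwd)).fetchone()[0]


def outcome(login, conn: sqlite3.Connection, user_id: str, pwd: str) -> str:
    """Reduce one login attempt to the kind of signal Webfuzz shows per line:
    'ok' (the paper's 200), 'denied', or 'error' (the paper's 400)."""
    try:
        return "ok" if login(conn, user_id, pwd) > 0 else "denied"
    except sqlite3.Error:
        return "error"


def probe(login, conn: sqlite3.Connection) -> dict:
    """The paper's reading of Fig. 4: submit a condition that is true
    ('1'='1') and one that is false ('1'='2') in otherwise identical
    requests. If the answers differ, the input reached the query as syntax."""
    user = "nobody"  # constructed: no such account exists
    true_case = outcome(login, conn, user, "' or '1'='1")
    false_case = outcome(login, conn, user, "' or '1'='2")
    verdict = "injectable" if true_case != false_case else "not injectable"
    return {"true": true_case, "false": false_case, "verdict": verdict}


if __name__ == "__main__":
    db = make_db()
    print("formatted     :", probe(login_formatted, db))
    print("parameterized :", probe(login_parameterized, db))
```

With the formatted query the true condition logs in a nonexistent user and the false one does not, which is exactly the 200/400 pair the paper reads from lines 18 and 19; the parameterized query answers both with a plain denial, because the bound value is compared as a string rather than parsed. A stray quote on its own ("x'") makes the formatted query fail with a syntax error, the third outcome the probe reports.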
C. The XSS vulnerability test

A common method of testing for the presence of an XSS vulnerability is to input a simple JavaScript code fragment containing an alert function; the alert function produces a pop-up window. However, this is not a practical vulnerability detection mechanism, because it requires the tester's observation. The advantage of WebFuzz is automatic operation, so the tester can leave the machine and wait for the test results. Testers need to add an appropriate fuzz variable to WebFuzz; adding a new variable is very simple and does not require recompiling the application.

The XSS vulnerability test environment is as follows:

The host name: http://xss.killsec.com/?m=user&a=login
The port number: 80

Modify the Request Headers in the request message, inserting fuzz variables to generate the fuzzing data; the request line is GET /?m=[XSS] HTTP/1.1. Then click the Request button; the results are shown in Fig. 5.

Fig. 5. Result of the XSS vulnerability test

Line 4 with status code Error represents an access error; lines 1-3 with status code 200 represent that the fuzz data was submitted successfully; an alert box also pops up, proving the existence of an XSS vulnerability in the site.

V. SUMMARY AND OUTLOOK

The goal of fuzzing is to detect the presence of certain types of software vulnerabilities, but fuzzing itself still has limitations for some vulnerabilities. For applications that support multiple users and need hierarchical authority, the fuzzer cannot comprehend the logic and may cause some access control mechanisms to be ignored; at the same time, we can also see that a fuzzer is not the best tool for identifying poor logic design. For a fuzzer that is restricted, or does not know the target application's configuration information, a back door looks no different from any other target application logic unless the fuzzer is given the information that lets it recognize a successful login; there is no way to identify a successful login attempt by a hard-coded password. If the target application is good enough to block some memory corruption problems, a simple fuzzer cannot find them. Fuzzing is suitable for identifying single vulnerability defects; vulnerabilities composed of several small defects cannot be recognized as well.

Although fuzzing has existed and developed for some time, this method has not received attention from users outside the security field; at the same time, the large number of fuzzing cases also reduces test efficiency, and researchers need to do further research.
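An automated replacement for the tester watching for an alert box in section IV.C, as an added example (not code from the paper or from WebFuzz). A WebFuzz-style [XSS] variable is filled into the request line GET /?m=[XSS] HTTP/1.1, the request is run against a toy page that reflects the m parameter, and the response body is inspected for the probe string, either raw or HTML-escaped; the page, its hardened counterpart and the probe string are constructed here.

```python
"""Added example (not the paper's code): an automated check for reflected
XSS that replaces the tester's eye in section IV.C. A [XSS] fuzz variable
is filled into the request line, the request runs against a toy page that
echoes the m parameter, and the body is classified by whether the probe
comes back raw or escaped. The page and the probe are constructed."""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe: a unique tag plus the four characters that must be
# escaped before they are written into HTML.
MARKER = "fz7<\"'>fz7"


def fill_variables(template: str, values: dict) -> str:
    """WebFuzz-style substitution: [NAME] in the request text is replaced by
    the fuzz value (URL-encoded here because it lands in a query string)."""
    return re.sub(r"\[(\w+)\]", lambda m: quote(values[m.group(1)], safe=""), template)


def page_vulnerable(target: str) -> tuple[int, str]:
    """Toy login page that writes the m parameter into its HTML unescaped."""
    m = parse_qs(urlsplit(target).query).get("m", [""])[0]
    if not m:
        return 400, "<html>missing module</html>"
    return 200, f"<html><body>Module: {m}</body></html>"


def page_hardened(target: str) -> tuple[int, str]:
    """Same page with output encoding applied at the point of insertion."""
    m = parse_qs(urlsplit(target).query).get("m", [""])[0]
    if not m:
        return 400, "<html>missing module</html>"
    return 200, f"<html><body>Module: {html.escape(m, quote=True)}</body></html>"


def reflection_check(handler, request_line: str) -> dict:
    """Send the filled request line and classify the body instead of waiting
    for a pop-up: the raw marker in the body means script injection is
    possible; the escaped marker means output encoding is in place."""
    target = request_line.split(" ")[1]  # "GET <target> HTTP/1.1"
    status, body = handler(target)
    raw = MARKER in body
    escaped = html.escape(MARKER, quote=True) in body
    if status == 200 and raw:
        verdict = "reflected unescaped: XSS"
    elif status == 200 and escaped:
        verdict = "reflected escaped: safe"
    else:
        verdict = "not reflected"
    return {"status": status, "raw": raw, "escaped": escaped, "verdict": verdict}


if __name__ == "__main__":
    line = fill_variables("GET /?m=[XSS] HTTP/1.1", {"XSS": MARKER})
    print(line)
    print("vulnerable:", reflection_check(page_vulnerable, line))
    print("hardened  :", reflection_check(page_hardened, line))
```

Checking for the probe string rather than for an actual script keeps the harness inert while still answering the question the alert() test asks: whether the four HTML metacharacters survive the round trip unencoded. A page that returns 200 with the escaped form is the fixed state; a 400 or an unrelated body means the parameter is not reflected at all and the line deserves no further attention.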
REFERENCES

[1] CNNIC. China Internet development statistics report (January 2012) [R/OL]. (2012-01-16) http://www.cnnic.net.cn/hlfzyj/hlwxzbg/201201/P020120709345264469680.PDF.
[2] Jingnong Du. Web-based application security vulnerability testing method. Huazhong University of Science & Technology, 2010.
[3] Michael Sutton, Adam Greene, Pedram Amini. Fuzzing: Brute Force Vulnerability Discovery [M]. Long Huang, Lili Yu, Hu Li, translators. China Machine Press, 2008.
[4] Xu Cao, Yining Zhang. 2009. Adobe Reader vulnerability exploitation technology research based on reverse engineering and Fuzzing [J]. Journal of Information Engineering University, 2010.
[5] Lili Yu, Mengshan Du, Ping Zhang, Lingli Ji. Web security testing technology overview. Application Research of Computers, 2012.
[6] Ling Xu. WebFuzz for Web software vulnerability testing. Software Guide • Educational Technology, 2012.