Experience: Model-Based, Feedback-Driven, Greybox Web Fuzzing with BackREST

Experience: Model-Based, Feedback-Driven, Greybox Web Fuzzing with BackREST

Francois Gauthier, Behnaz Hassanshahi, , Trong Nhan Mai, Max Schlueter, Micah Williams

05 June 2022

Following the advent of the American Fuzzy Lop (AFL), fuzzing had a surge in popularity, and modern day fuzzers range from simple blackbox random input generators to complex whitebox concolic frameworks that are capable of deep program introspection. Web application fuzzers, however, did not benefit from the tremendous advancements in fuzzing for binary programs and remain largely blackbox in nature. In this experience paper, we show how techniques like state-aware crawling, type inference, coverage and taint analysis can be integrated with a black-box fuzzer to find more critical vulnerabilities, faster (speedups between 7.4x and 25.9x). Comparing BackREST against three other web fuzzers on five large ($>$500 KLOC) Node.js applications shows how it consistently achieves comparable coverage while reporting more vulnerabilities than state-of-the-art. Finally, using BackREST, we uncovered eight 0-days, out of which six were not reported by any other fuzzer. All the 0-days have been disclosed and most are now public, including two in the highly popular Sequelize and Mongodb libraries.


Venue : European Conference on Object-Oriented Programming (ECOOP)