Security

What the PHUZZ?! Finding 0-days in Web Applications with Coverage-guided Fuzzing

Saal ZIGZAG
Sebastian Neef (gehaxelt)
PHUZZ is a framework for coverage-guided fuzzing of PHP web applications.

Fuzz testing is an automated approach to vulnerability discovery. Coverage-guided fuzz testing has been extensively researched for binary applications and the domain of memory corruption vulnerabilities. However, many web vulnerability scanners still rely on black-box fuzzing (e.g., predefined sets of payloads or basic heuristics), which severely limits their vulnerability detection capabilities. In this talk, we present our academic fuzzing framework, "PHUZZ," and the challenges we faced in bringing coverage-guided fuzzing to PHP web applications. Our experiments show that PHUZZ outperforms related work and state-of-the-art vulnerability scanners in discovering seven different vulnerability classes. Additionally, we demonstrate how PHUZZ uncovered over 20 potential security issues and two 0-day vulnerabilities in a large-scale fuzzing campaign against the most popular WordPress plugins.
The World Wide Web has become a fundamental part of modern society, providing crucial services such as social networks, online shopping, and other web applications. To this day, web vulnerabilities continue to be discovered and data breaches reported, even on high-profile websites. While several viable methods exist to detect web vulnerabilities, such as penetration tests, source code reviews, and bug bounty programs, these approaches are typically costly and time-intensive. Discovering web vulnerabilities in an automated and cost-effective fashion is therefore desirable. One way to approach this problem is coverage-guided "fuzzing", which has been used successfully to identify memory corruption bugs in binary applications but has seen limited application to web applications. Our academic research has resulted in an open-source prototype called "PHUZZ," whose fuzzing approach outperforms classic black-box vulnerability scanners in detecting web vulnerabilities.

This talk will first introduce the concept of coverage-guided fuzzing and how it differs from the black-box web fuzzing performed by vulnerability scanners. After diving into the challenges of applying coverage-guided fuzzing to web applications, we will introduce PHUZZ and explain how its approach allows the detection of a wide variety of web vulnerabilities in PHP web applications, including SQL injection (SQLi), remote code execution (RCE), cross-site scripting (XSS), XML external entity injection (XXE), open redirection, insecure deserialization, and path traversal. Our comparison of PHUZZ with state-of-the-art black-box vulnerability scanners, using a diverse set of artificial and real-world web applications containing known and unknown vulnerabilities, showed surprising results: not only does PHUZZ outperform the other vulnerability scanners in the number of discovered vulnerabilities, it also discovered over a dozen new potential vulnerabilities and two 0-days, which we will discuss in the talk.
Finally, we will motivate the use of PHUZZ [1] and coverage-guided fuzzing methods to discover web vulnerabilities. This presentation is based on our academic publication "What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications" [0].

[0] https://dl.acm.org/doi/10.1145/3634737.3661137
[1] https://github.com/gehaxelt/phuzz
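To make the difference between black-box scanning and coverage-guided fuzzing concrete, here is a small Python toy added to this page; it is not code from the talk or from the PHUZZ repository. A simulated PHP handler only reaches its SQL sink when action=export and format=csv are both set, and it then concatenates the id parameter into a query. Coverage is simulated as a set of branch labels (PHUZZ obtains real coverage from the PHP application under test), the bug oracle is simply a database error leaking into the response, and the parameter names, token dictionary, and black-box payload list are all assumptions made for the demo. The black-box scanner fires each payload into each parameter independently and never reaches the sink; the coverage-guided loop keeps every input that reaches a new branch and builds the three-step path on top of it.

```python
import random

# Added example, not PHUZZ code: a toy coverage-guided fuzzer against a simulated PHP endpoint.
# Coverage is a set of branch labels standing in for the real line/branch coverage that a
# fuzzer such as PHUZZ collects from the PHP application under test.

PARAM_NAMES = ["action", "format", "id"]       # assumed request parameters of the endpoint
TOKENS = ["export", "csv", "json", "1", "'"]   # assumed dictionary of string constants
BLACKBOX_PAYLOADS = ["'", "\"", "<script>alert(1)</script>", "../../etc/passwd"]


def _sql_parses(query: str) -> bool:
    """Stand-in for the database: an unbalanced single quote is a syntax error."""
    return query.count("'") % 2 == 0


def target(params: dict) -> tuple:
    """Simulated PHP handler. The SQL sink is only reachable via action=export&format=csv.

    Returns (response body, frozenset of covered branch labels)."""
    cov = {"entry"}
    if params.get("action", "") != "export":
        cov.add("index")
        return "index page", frozenset(cov)
    cov.add("export")
    if params.get("format", "") != "csv":
        cov.add("bad_format")
        return "unsupported format", frozenset(cov)
    cov.add("csv")
    uid = params.get("id", "")
    query = "SELECT * FROM users WHERE id = '" + uid + "'"   # vulnerable: unescaped concatenation
    cov.add("query")
    if not _sql_parses(query):
        cov.add("sql_error")
        return "SQL syntax error near " + uid, frozenset(cov)
    return "id,name\n" + uid + ",alice", frozenset(cov)


def has_bug(response: str) -> bool:
    """Toy bug oracle: a database error leaked into the response."""
    return response.startswith("SQL syntax error")


def blackbox_scan(names, payloads):
    """Black-box scanner: every payload into every parameter, no feedback between requests."""
    for name in names:
        for payload in payloads:
            response, _ = target({name: payload})
            if has_bug(response):
                return {name: payload}
    return None


def mutate(parent: dict, rng: random.Random) -> dict:
    """One random mutation of a request: set, extend, or drop a parameter."""
    child = dict(parent)
    op = rng.choice(["set", "append", "drop"])
    name = rng.choice(PARAM_NAMES)
    if op == "set":
        child[name] = rng.choice(TOKENS)
    elif op == "append":
        child[name] = child.get(name, "") + rng.choice(TOKENS)
    else:
        child.pop(name, None)
    return child


def coverage_guided_fuzz(rng: random.Random, max_iters: int = 20000):
    """Keep every input that reaches new coverage; stop when the oracle fires.

    Returns (bug-triggering request or None, requests sent, total coverage reached)."""
    corpus = [{}]
    _, seen = target(corpus[0])
    seen = set(seen)
    for i in range(1, max_iters + 1):
        child = mutate(rng.choice(corpus), rng)
        response, cov = target(child)
        if has_bug(response):
            return child, i, seen | cov
        if not cov <= seen:      # new branch reached: keep the input as a parent for later rounds
            seen |= cov
            corpus.append(child)
    return None, max_iters, seen


def run_demo(seed: int = 1234) -> dict:
    """Run both approaches against the same target and return their results."""
    return {
        "blackbox": blackbox_scan(PARAM_NAMES, BLACKBOX_PAYLOADS),
        "coverage_guided": coverage_guided_fuzz(random.Random(seed)),
    }


if __name__ == "__main__":
    result = run_demo()
    print("black-box scanner found:", result["blackbox"])
    found, sent, cov = result["coverage_guided"]
    print("coverage-guided fuzzer found:", found, "after", sent, "requests; coverage:", sorted(cov))
```

The corpus never grows beyond a handful of entries because an input is only kept when it reaches a branch no earlier input reached, which is what lets the mutator stack action=export, then format=csv, then a quote in id within a few hundred requests. A real fuzzer faces the problems the talk covers on top of this loop: obtaining coverage from the PHP runtime, discovering parameter names and sinks, and building oracles for vulnerability classes that, unlike this SQL error, leave no trace in the response.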

Additional information

Live Stream: https://streaming.media.ccc.de/38c3/zigzag
Type: Talk
Language: English

More sessions

12/27/24
Security
stacksmashing
Saal GLITCH
With the iPhone 15 & iPhone 15 Pro, Apple switched their iPhone to USB-C and introduced a new USB-C controller: The ACE3, a powerful, very custom, TI manufactured chip. But the ACE3 does more than just handle USB power delivery: It's a full microcontroller running a full USB stack connected to some of the internal busses of the device, and is responsible for providing access to JTAG of the application processor, the internal SPMI bus, etc. We start by investigating the previous variant of the ...
12/27/24
Security
Saal 1
In a few weeks, the health data of around 73 million people insured in Germany will be merged centrally into a single record, across practice and hospital boundaries and without any action on their part - in the [„elektronische Patientenakte für alle“](https://www.bundesgesundheitsministerium.de/themen/digitalisierung/elektronische-patientenakte/epa-fuer-alle.html) (the "electronic patient record for everyone"). Continuation of 36C3 - [„Hacker hin oder her“: Die elektronische Patientenakte ...
12/27/24
Security
Lukas Stennes
Saal ZIGZAG
We present fatal security flaws in the HALFLOOP-24 encryption algorithm, which is used by the US military and NATO. HALFLOOP-24 was meant to safeguard the automatic link establishment protocol in high frequency radio, but our research demonstrates that merely two hours of intercepted radio traffic are sufficient to recover the secret key. In the talk, we start with the fundamentals of symmetric key cryptography before going into the details of high frequency radio, HALFLOOP-24, and the ...
12/27/24
Security
Nicolas Oberli
Saal ZIGZAG
The Chipolo ONE is a Bluetooth tracker built around the Dialog (now Renesas) DA14580 chip. This talk will present the research made on this device, from extracting the firmware from the locked down chip using fault injection up to getting remote code execution over Bluetooth. The talk will also present the disclosure process and how the vendor reacted to an unpatchable vulnerability on their product.
12/27/24
Security
Saal GLITCH
Digital identity solutions, such as proposed through the EU's eIDAS regulation, are reshaping the way users authenticate online. In this talk, we will review the currently proposed technical designs, the impact such systems will have, and provide an outlook on how techniques from modern cryptography can help to improve security and privacy.
12/27/24
Security
Saal 1
Movement data from 800,000 electric cars, together with contact details of their owners, sat unprotected on the internet. It was possible to see who parked when at home, at the BND, or in front of the brothel.
12/27/24
Security
Aedan Cullen
Saal ZIGZAG
Raspberry Pi's RP2350 microcontroller introduced a multitude of new hardware security features over the RP2040, and included a Hacking Challenge which began at DEF CON to encourage researchers to find bugs. The challenge has been defeated and the chip is indeed vulnerable (in at least one way). This talk will cover the process of discovering this vulnerability, the method of exploiting it, and avenues for deducing more about the relevant low-level hardware behavior.