Research note - Parse-tree-based grey-box fuzzing of Java Web applications (1)

Java Web applications have complex business logic and impose strict structural requirements on their input data, so existing testing methods and tools produce a high proportion of invalid test cases when applied to them. To address this, the paper proposes a grey-box fuzzing method for Java Web applications based on parse trees. First, a parse tree is built to model the syntax of the application's input packets, distinguishing delimiters from data blocks. Each leaf node of the tree is attached to its own seed pool, so that a single data block of a test case can be isolated and mutated while the delimiters are preserved, and inputs that conform to the application's business format are regenerated by splicing the blocks back into a packet; this raises the proportion of valid test cases. To retain high-quality data blocks, each data-block seed is weighted separately according to execution feedback from the program under test. To break through to deep paths, the features of data-block seeds that reach deep branches are learned and extracted from the corresponding seed pool using conditional probability. The method is implemented as PTreeFuzz, a parse-tree-based grey-box fuzzing system for Java Web applications; the reported results show better test accuracy than existing tools.

Table of contents

1 Related work

2 System Design


1 Related work

Fuzzing is an effective dynamic vulnerability-discovery method. By seed generation strategy it is divided into mutation-based and generation-based fuzzing. This article groups existing fuzzing work by application scenario and introduces fuzzing for Java Web applications and fuzzing in non-Java-Web scenarios separately.

Current work on fuzzing Java Web applications mainly analyses the characteristics of Web application systems or of their vulnerabilities, and uses grey-box feedback to optimise test case generation. Dos Santos et al. used the browser-automation plug-in Selenium to drive browsers for Java Web fuzzing; because user operations have to be recorded and replayed to generate test cases, the randomness is insufficient and system anomalies and vulnerabilities are hard to find effectively. Zhang Yichen applied white-box fuzzing, analysing the call relationships of Web applications with a code property graph, but the seed mutation strategy was not designed for the Web scenario and produced a large number of invalid test cases. He Jie et al. combined Web front-end requests with back-end program analysis to optimise seed generation and used it to find command injection vulnerabilities. Ni Ping et al. crawled and analysed web page links to find potential injection points, then used fuzzing to generate payloads for detecting reflected XSS vulnerabilities. Van-Thuan Pham designed the grey-box fuzzer AFLNET, which takes the communication traffic between client and server as initial seeds and optimises them by code coverage. WebFuzz and Wfuzz are fuzzers for Web protocols; both require the user to have thorough network knowledge and familiarity with HTTP in order to analyse packets, so they cannot meet the need for automated fuzzing of Java Web applications. The generation-based fuzzer Peach produces inputs that satisfy a given data structure through modelling, but it does not take feedback such as code coverage into account, so its execution paths and coverage are limited and it has difficulty finding valuable vulnerabilities.

To sum up, existing Java Web fuzzers mostly analyse system or vulnerability characteristics to improve the overall effect of fuzzing. There is little research on improving the semantic and syntactic validity of seeds in the Java Web scenario, and the protocol fuzzers are hard to apply to automated testing of Java Web applications. Ordinary mutation-based fuzzing struggles with the highly structured transport formats common in Java Web, such as XML and JSON: it is difficult to generate inputs that satisfy the format, so the proportion of valid test cases is hard to guarantee. Generation-based fuzzers such as Peach lack feedback information such as code coverage to guide the fuzzing, and their testing efficiency is likewise very low.

2 System Design

The core of the system has two parts: the Fuzzer and the bitmap monitoring module. The client side deploys the Fuzzer, which drives the mutation of test data using feedback from the monitoring module; its functions are building the parse tree, sending test packets, computing weights, mutating seeds and assembling seeds into a message. The server side deploys the target under test together with the bitmap monitoring module, which consists of bitmap monitoring and a linked list that records conditional statements. Its feedback guides the screening of the seed pool of each leaf node of the parse tree in the Fuzzer, and the Fuzzer corrects the seed structure according to that feedback. Only a small number of seeds reach deep branch paths. When fuzzing runs into the path "blocking" problem, the linked list of conditional statements on the deep branch path is analysed, the features of the seeds that execute the deep branch are extracted according to conditional probability, and the overall efficiency of fuzzing is improved.
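As an added example (not PTreeFuzz's own code, which the article does not reproduce), the following Python sketch shows the core idea of the abstract and of the design above on a URL-encoded request body: the body is tokenised into frozen delimiters and data-block leaves, each leaf hangs its own weighted seed pool, one block at a time is mutated and the packet is re-spliced so it still has the key=value&... shape the application expects, and coverage feedback raises the weight of blocks that uncovered new branches. The sample body, the dictionary tokens, the mutation operators and the toy target (a stand-in function returning branch ids in place of the bitmap monitor) are all constructed for illustration; the conditional-probability feature extraction for deep paths is not modelled.

```python
import random
import re

# Constructed sample: a URL-encoded POST body of the kind a Java Web form
# handler expects. All identifiers in this example are illustrative.
SAMPLE_BODY = "user=alice&role=guest&page=1"

DELIMS = ("&", "=")
TOKEN_RE = re.compile(r"[&=]|[^&=]+")

# Constructed dictionary of data-block tokens standing in for domain seeds.
DICTIONARY = ("admin", "0", "-1", "'", "<script>")


def build_tree(body):
    """Model the body as a flat parse tree: a list of (kind, text) nodes.
    Delimiters are frozen structure; each data block is a leaf with a seed pool."""
    return [("delim" if t in DELIMS else "data", t) for t in TOKEN_RE.findall(body)]


def escape_block(value):
    """Percent-encode delimiter characters so a mutated block can never
    alter the packet structure (assumes the server URL-decodes values)."""
    return value.replace("%", "%25").replace("&", "%26").replace("=", "%3D")


def splice(tree, leaf_values):
    """Reassemble a body from the frozen delimiters and the chosen leaf values."""
    values = iter(leaf_values)
    return "".join(text if kind == "delim" else escape_block(next(values))
                   for kind, text in tree)


def toy_target(body):
    """Constructed stand-in for the application under test. Returns the set of
    branch ids it executed, playing the role of the bitmap monitor's feedback."""
    edges = {"entry"}
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    if "page" in params:
        edges.add("has_page")
        if params["page"].isdigit():
            edges.add("page_numeric")
            if int(params["page"]) > 100:
                edges.add("page_large")
        else:
            edges.add("page_non_numeric")
    if params.get("role") == "admin":
        edges.add("role_admin")
    if len(params.get("user", "")) > 32:
        edges.add("user_long")
    return edges


def mutations(seed, rng):
    """Candidate mutations of one data block. Structure is untouched because
    only the block's text changes and splice() escapes any delimiters."""
    yield seed * 8                                   # overlong block
    yield str(rng.randrange(101, 10 ** 6))           # large number
    pos = rng.randrange(len(seed)) if seed else 0
    yield seed[:pos] + chr(rng.randrange(33, 127)) + seed[pos + 1:]  # char flip
    for token in DICTIONARY:                         # dictionary replacement
        yield token


def fuzz(body, rounds=1, rng_seed=0):
    """Grey-box loop: one weighted seed pool per leaf, weights raised by new
    coverage. Returns the covered branch ids and the per-leaf pools."""
    rng = random.Random(rng_seed)
    tree = build_tree(body)
    leaves = [text for kind, text in tree if kind == "data"]
    pools = [{value: 1.0} for value in leaves]
    covered = set(toy_target(body))
    for _ in range(rounds):
        for i, pool in enumerate(pools):
            seeds = list(pool)
            seed = rng.choices(seeds, weights=[pool[s] for s in seeds])[0]
            for candidate in mutations(seed, rng):
                # Splice the best-weighted seed of every other leaf around the
                # mutated block, then query the coverage oracle.
                values = [max(p, key=p.get) for p in pools]
                values[i] = candidate
                new_edges = toy_target(splice(tree, values)) - covered
                if new_edges:
                    covered |= new_edges
                    pool[candidate] = 1.0 + len(new_edges)  # keep high-value block
                    pool[seed] += len(new_edges)
    return covered, pools


if __name__ == "__main__":
    covered, pools = fuzz(SAMPLE_BODY)
    print(sorted(covered))
    print(pools)
```

Mutating one leaf at a time and re-splicing is what keeps every generated packet parseable by the server-side form handler; a byte-level mutator over the whole body would instead spend most of its budget on inputs rejected before any business logic runs.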

Source: blog.csdn.net/Dream_Weave/article/details/132012002