A grey-box fuzzer for web applications. Only PHP web applications are supported.
- Instrument your web application using ast-instrumentor.
- Make sure your instrumented web application still works fine. In the rest of this document, let `<webapp-path>` be the path to the root of this web application and `<webapp-url>` the URL of its index page.
- Install the Python dependencies:

```sh
pip3 install --upgrade -r web_fuzzer/requirements.txt
```

- Download the version of geckodriver that matches your Firefox version. Let `<gecko-path>` be the path to this driver in the rest of the document.
Please use the following versions to make sure webFuzz works:
- Linux OS (Tested on Arch Linux)
- Python version 3 (Tested on 3.12)
- Firefox browser (Tested on 125.0.3)
- Java version 9 or 11 (due to browsermob-proxy dependency)
Run the fuzzer using `webFuzz.py`.
Example run:

```sh
./webFuzz.py -vv \
    --driver <gecko-path> \
    -m <webapp-path>/instr.meta \
    -w 8 \
    -b 'wp-login|action|logout|' \
    -b 'settings|||POST' \
    -p -s \
    -r simple \
    <webapp-url>
```
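As an added example that is not part of webFuzz or this README, the following POSIX sh wrapper checks the requirements listed above (Python 3, Java 9 or 11 for browsermob-proxy, Firefox plus a geckodriver binary, the `instr.meta` written by ast-instrumentor, and an instrumented application that still answers HTTP requests) before launching the example run with the same flags. The environment variables `WEBAPP_PATH`, `WEBAPP_URL`, `GECKO_PATH` and `WEBFUZZ_LAUNCH` are this example's own convention, not webFuzz options; the reading of the two `-b` patterns as excluding the WordPress logout action and POSTs to the settings page is an assumption, since this page does not document the pattern syntax.

```sh
#!/bin/sh
# Added example (not webFuzz project code): preflight checks, then launch.
# Assumed inputs: WEBAPP_PATH, WEBAPP_URL, GECKO_PATH in the environment and
# webFuzz.py in the current directory. Set WEBFUZZ_LAUNCH=1 to actually run.

# Major version from a `java -version` banner. Handles the modern scheme
# ('openjdk version "11.0.22"' -> 11) and the legacy 1.x scheme
# ('java version "1.8.0_392"' -> 8).
java_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# browsermob-proxy, which webFuzz depends on, needs Java 9 or 11.
java_ok() {
    case "$(java_major "$1")" in
        9|11) return 0 ;;
        *)    return 1 ;;
    esac
}

# Major version from `firefox --version` ("Mozilla Firefox 125.0.3" -> 125).
firefox_major() {
    printf '%s\n' "$1" | sed -n 's/.*Firefox \([0-9][0-9]*\).*/\1/p'
}

# Major version from `python3 --version` ("Python 3.12.3" -> 3).
python_major() {
    printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\).*/\1/p'
}

preflight() {
    py=$(python3 --version 2>&1) || { echo "python3 not found"; return 1; }
    [ "$(python_major "$py")" = 3 ] || { echo "need Python 3, got: $py"; return 1; }

    jv=$(java -version 2>&1) || { echo "java not found"; return 1; }
    java_ok "$jv" || { echo "need Java 9 or 11 for browsermob-proxy, got: $jv"; return 1; }

    ff=$(firefox --version 2>&1) || { echo "firefox not found"; return 1; }
    [ -x "$GECKO_PATH" ] || { echo "geckodriver not executable at $GECKO_PATH"; return 1; }
    # geckodriver and Firefox must be a matching pair; print both for the operator.
    echo "Firefox major $(firefox_major "$ff"); $("$GECKO_PATH" --version | head -n 1)"

    [ -f "$WEBAPP_PATH/instr.meta" ] || { echo "no instr.meta under $WEBAPP_PATH: run ast-instrumentor first"; return 1; }
    # The instrumented app must still serve its index page before fuzzing starts.
    curl -fsS -o /dev/null "$WEBAPP_URL" || { echo "instrumented app does not answer at $WEBAPP_URL"; return 1; }
}

launch() {
    # Flags from the example run. The -b patterns presumably keep the fuzzer from
    # logging itself out or POSTing to the settings page mid-run (assumed reading).
    exec ./webFuzz.py -vv \
        --driver "$GECKO_PATH" \
        -m "$WEBAPP_PATH/instr.meta" \
        -w 8 \
        -b 'wp-login|action|logout|' \
        -b 'settings|||POST' \
        -p -s \
        -r simple \
        "$WEBAPP_URL"
}

# Only launch when explicitly asked, so the functions can also be sourced.
if [ "${WEBFUZZ_LAUNCH:-0}" = 1 ]; then
    preflight && launch
fi
```

Usage: `WEBAPP_PATH=/var/www/app WEBAPP_URL=http://localhost/ GECKO_PATH=/opt/geckodriver WEBFUZZ_LAUNCH=1 sh run.sh`. The version parsers work on captured banner text, so they can be checked without the tools installed; the reachability check matters because a fuzzer driving a logged-in browser against an application that no longer answers wastes the run rather than failing early.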
A paper discussing the internals of webFuzz was published at ESORICS 2021:

```bibtex
@inproceedings{rooij2021webfuzz,
  title={webFuzz: Grey-Box Fuzzing for Web Applications},
  author={Rooij, Orpheas van and Charalambous, Marcos Antonios and Kaizer, Demetris and Papaevripides, Michalis and Athanasopoulos, Elias},
  booktitle={European Symposium on Research in Computer Security},
  pages={152--172},
  year={2021},
  organization={Springer}
}
```
- OSCommerce CE-Phoenix - 8 zero-day XSS bugs - GitHub Issue
- WordPress 5.7 - 1 zero-day reflected XSS bug - HackerOne Report (the report will be made public once a fix is released)
- Orpheas van Rooij - orpheas.vanrooij@outlook.com
- Marcos Antonios Charalambous - mchara01@cs.ucy.ac.cy
- Demetris Kaizer - dkaize01@cs.ucy.ac.cy
- Michalis Papaevripides - mpapae04@cs.ucy.ac.cy
- Elias Athanasopoulos - eliasathan@cs.ucy.ac.cy
All authors are with the University of Cyprus and members of the SREC group.