A Framework for Fuzzing Website using Finite State Machine Based Pattern Generator
Date Issued
2016
Date
2016
Author(s)
Wang, Han-Chi
Abstract
Web security has become a significant issue for web service providers and users due to the rapid development of web technologies. Recently, HTML5 and HTTP/2 have been widely used in establishing modern websites; however, there are still few applications or tools for detecting potential vulnerabilities of these websites. In this paper, we design a fuzzing framework to investigate possible vulnerabilities in the newly defined input types in HTML5. Our framework traverses all accessible web pages of a website and analyzes each page to find entries for injecting our attack test cases. We design finite state machine based algorithms to generate test cases for fuzzing. We treat the finite state machines as graphs and extract paths from them to generate test patterns. This method can be used not only on HTML5 but on any input data that can be represented as regular expressions. Additionally, we propose a fuzzing tool for the HTTP/2 protocol which tests the target server by modifying the HEADERS packet in HTTP/2 communication. For both fuzzers, we present a result aggregation algorithm to reduce the effort of examining results. With our implementation, we are able to test the architecture of a website and scan it for vulnerabilities before it officially goes into operation.
Subjects
fuzz testing
web testing
finite state machine
test case generation
Type
thesis
File(s)
Name
ntu-105-R03921042-1.pdf
Size
23.32 KB
Format
Adobe PDF
Checksum
(MD5):9a4a76360c5fa94a61f36f90987e03cf
