What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications

Sebastian Neef, Lorenz Kleissner, Jean-Pierre Seifert
2024-06-10
Abstract: Coverage-guided fuzz testing has received significant attention from the research community, with a strong focus on binary applications, greatly disregarding other targets, such as web applications. The importance of the World Wide Web in everyone's life cannot be overstated, and to this day, many web applications are developed in PHP. In this work, we address the challenges of applying coverage-guided fuzzing to PHP web applications and introduce PHUZZ, a modular fuzzing framework for PHP web applications. PHUZZ uses novel approaches to detect more client-side and server-side vulnerability classes than state-of-the-art related work, including SQL injections, remote command injections, insecure deserialization, path traversal, external entity injection, cross-site scripting, and open redirection. We evaluate PHUZZ on a diverse set of artificial and real-world web applications with known and unknown vulnerabilities, and compare it against a variety of state-of-the-art fuzzers. In order to show PHUZZ' effectiveness, we fuzz over 1,000 API endpoints of the 115 most popular WordPress plugins, resulting in over 20 security issues and 2 new CVE-IDs. Finally, we make the framework publicly available to motivate and encourage further research on web application fuzz testing.
Cryptography and Security
### What problems does this paper attempt to solve?

This paper addresses vulnerability detection in PHP web applications by introducing a new coverage-guided fuzzing tool, PHUZZ. Specifically, the work focuses on the following aspects:

1. **Limitations of existing fuzzing tools**
   - Most existing fuzzers (such as AFL, AFL++, and Honggfuzz) are optimized for binary applications and memory-corruption bugs and are not suited to modern web applications, especially those written in high-level interpreted languages such as PHP.
   - Commercial and open-source web application fuzzers usually take a black-box approach. Their effectiveness is limited because they receive little feedback from the application under test and rely on predefined attack vectors.

2. **Security challenges of PHP web applications**
   - PHP is the server-side language of more than 75% of websites worldwide, and PHP code is prone to vulnerability classes such as SQL injection, remote command execution, insecure deserialization, path traversal, external entity injection, cross-site scripting (XSS), and open redirection.
   - These vulnerabilities affect the confidentiality, integrity, and availability of web applications, so effective automated security testing tools are needed to find and fix them.

3. **The proposed solution: PHUZZ**
   - PHUZZ is a modular framework built specifically for coverage-guided fuzzing of PHP web applications.
   - It introduces the following techniques:
     - **Crawler-free seed generation**: entry points for fuzzing are provided without a crawler, giving finer control over the scope of a test.
     - **Instrumentation without source modification**: PHP exceptions and errors are intercepted without changing the source code of the target application or related components (such as the database), and authentication and authorization checks are bypassed to reach more code.
     - **Multi-class vulnerability detection**: more client-side and server-side vulnerability classes are detected than in prior work.
     - **Built-in parallel fuzzing**: large-scale fuzzing campaigns run in parallel to improve throughput.

4. **Evaluation**
   - PHUZZ was evaluated extensively on a set of artificial and real-world web applications and compared against other state-of-the-art fuzzers.
   - Fuzzing more than 1,000 API endpoints of 115 of the most popular WordPress plugins uncovered more than 20 security issues, including two new CVE-IDs.

### Summary

The main contribution of this paper is to close the gap left by existing fuzzers for PHP web applications: it proposes PHUZZ, an efficient and comprehensive coverage-guided fuzzing framework that detects multiple vulnerability classes, and demonstrates its effectiveness in practice.