Multidimensional Depth Oriented Fuzzing Method of Java Web Applications

doi:10.3969/j.issn.1671-1122.2024.02.011

Abstract

Abstract:

With the popularity of Java language, the security issue of these applications is becoming more and more serious. As an effective vulnerability mining method, fuzzing has been used to detect Java application vulnerabilities. However, due to the huge code scale and complex business logic of Java Web application, existing vulnerability mining tools suffer from high randomness in testing and low depth of code detection, resulting in low accuracy of vulnerability mining. To solve these problems, this paper designed and implemented a multidimensional depth oriented fuzzing method of Java Web applications. This method generated the three address codes of the application bytecode to be tested, and then obtained the corresponding inter function call graph and intra function control flow graph. According to this information, an algorithm was designed to obtain the multidimensional depth of each basic block. Then, according to the multidimensional depth and fuzzing execution time, the fuzzing guidance strategy of the system was designed, and the corresponding input structure analysis strategy, energy allocation strategy and mutation algorithm scheduling strategy were designed to improve the efficiency of fuzzing. Compared with the existing widely used fuzzing tool Peach and Kelinci, it shows that this method can achieve better vulnerability mining effect under the condition of low performance consumption.

Key words: fuzzing, Java Web, vulnerability mining

CLC Number:

TP309

WANG Juan, GONG Jiaxin, LIN Ziqing, ZHANG Xiaojuan. Multidimensional Depth Oriented Fuzzing Method of Java Web Applications[J]. Netinfo Security, 2024, 24(2): 282-292.

Figures/Tables 8

References 21

[1]	COWARD D, YOSHIDA Y. Java Servlet Specification Version 2.3[EB/OL]. (2001-09-17)[2023-01-15]. https://jcp.org/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf.
[2]	HUANG Junyong. Research and Design Based on Spring Framework[J]. Computer Knowledge and Technology, 2018, 14(3): 116-117, 120.
	黄俊勇. 基于Spring框架的研究与设计[J]. 电脑知识与技术, 2018, 14(3): 116-117, 120.
[3]	QIU Ruonan, HU Anqi, PENG Guojun, et al. Java Web Framework Vulnerability Universal Detection and Location Scheme Based on RASP Technology[J]. Journal of Wuhan University (Science Edition), 2020, 66(3): 285-296.
	邱若男, 胡岸琪, 彭国军, 等. 基于RASP技术的Java Web框架漏洞通用检测与定位方案[J]. 武汉大学学报(理学版), 2020, 66(3): 285-296.
[4]	National Internet Emergency Center. Analysis Report on China’s Internet Network Security Monitoring Data in the First Half of 2021[EB/OL]. (2021-07-31)[2023-01-15]. https://www.cert.org.cn/publish/main/upload/File/first-half%20%20year%20cyberseurity%20report%202021.pdf.
	国家互联网应急中心. 2021年上半年我国互联网网络安全监测数据分析报告[EB/OL]. (2021-07-31)[2023-01-15]. https://www.cert.org.cn/publish/main/upload/File/first-half%20%20year%20cyberseurity%20report%202021.pdf.
[5]	TU Ling, MA Yue, CHENG Cheng, et al. Web Security Fuzzy Testing and Utility Evaluation Method Based on Protocol Hybrid Deformation[J]. Computer Science, 2017, 44(5): 141-145. doi: 10.11896/j.issn.1002-137X.2017.05.025
	涂玲, 马跃, 程诚, 等. 基于协议混合变形的Web安全模糊测试与效用评估方法[J]. 计算机科学, 2017, 44(5): 141-145. doi: 10.11896/j.issn.1002-137X.2017.05.025
[6]	MILLER B P, FREDRIKSEN L, SO B. An Empirical Study of the Reliability of UNIX Utilities[J]. Communications of the ACM, 1990, 33(12): 32-44. doi: 10.1145/96267.96279 URL
[7]	Google. American Fuzzy Lop[EB/OL]. (2020-07-05)[2023-01-15]. http://lcamtuf.coredump.cx/afl/.
[8]	BÖHME M, PHAM V H, NGUYEN M D, et al. Directed Greybox Fuzzing[C]// ACM. 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2329-2344.
[9]	CHEN Hongxu, XUE Yinxing, LI Yuekang, et al. Hawkeye: Towards a Desired Directed Grey-Box Fuzzer[C]// ACM. 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018: 2095-2108.
[10]	GWANGMU L, WOOCHUL S, BYOUNGYOUNG L. Constraint-Guided Directed Greybox Fuzzing[C]// USENIX. The 30th USENIX Security Symposium. Berkley: USENIX, 2021: 3559-3576.
[11]	JAYARAMAN K, HARVISON D, GANESH V, et al. JFuzz: A Concolic Whitebox Fuzzer for Java[EB/OL]. (2009-04-01)[2023-01-15]. https://people.csail.mit.edu/akiezun/jfuzz/jFuzz.pdf.
[12]	ZHU Hong. JFuzz: A Tool for Automated Java Unit Testing Based on Data Mutation and Metamorphic Testing Methods[C]// IEEE. 2015 Second International Conference on Trustworthy Systems and Their Applications. New York: IEEE, 2015: 8-15.
[13]	KERSTEN R, FIELD M, LUCKOW K, et al. POSTER: AFL-Based Fuzzing for Java with Kelinci[C]// ACM. 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2511-2513.
[14]	PADHYE R. JQF: A Feedback-Directed Fuzz Testing Platform for Java[EB/OL]. (2019-07-10)[2023-01-15]. https://github.com/rohanpadhye/jqf.
[15]	SHAWN R, JENS D. A Hybrid Analysis to Detect Java Serialisation Vulnerabilities[C]// IEEE. 2020 35th IEEE International Conference on Automated Software Engineering. New York: IEEE, 2020: 21-25.
[16]	YU Xintian, MA Enze, NIE Pengbo, et al. Approxi Fuzzer: Fuzzing towards Deep Code Snippets in Java Programs[C]// IEEE. 2021 IEEE 45th Annual Computers, Software, and Applications Conference. New York: IEEE, 2021: 1149-1156.
[17]	Peach Tech. Peach Software Official Website[EB/OL]. (2020-06-01)[2023-01-15]. http://www.peachfuzzer.com.
[18]	LU Ziguang. Research on Web Vulnerability Mining Algorithm Based on Improved Fuzzy Testing[D]. Nanning: Guangxi University, 2018.
	陆紫光. 基于改进模糊测试的Web漏洞挖掘算法研究[D]. 南宁: 广西大学, 2018.
[19]	ZHOU Xinshi. Research and Implementation of Web Vulnerability Mining Technology Based on Fuzzy Testing[D]. Beijing: Beijing University of Posts and Telecommunications, 2020.
	周心实. 基于模糊测试的Web漏洞挖掘技术研究与实现[D]. 北京: 北京邮电大学, 2020.
[20]	Sable. Soot: A Java Optimization Framework[EB/OL]. (2012-01-22)[2023-01-15]. https://www.sable.mcgill.ca/soot/.
[21]	LI Yuanling, CHEN Hua, LIU Li. Java Program Control Flow Analysis and Graphic Output of Soot[J]. Computer System Application, 2009, 18(10): 88-92.
	李远玲, 陈华, 刘丽. Soot的Java程序控制流分析及图形化输出[J]. 计算机系统应用, 2009, 18(10): 88-92.

分支条件	权值
= =	1
>=、 <=、 >、 <	2
!=	3

测试对象	测试工具	异常数量/个
VBlog	Kelinci	2
	Peach	5
	本文方法	11
Nacos	Kelinci	0
	Peach	1
	本文方法	2
Vhr	Kelinci	3
	Peach	7
	本文方法	17
Guns	Kelinci	0
	Peach	0
	本文方法	3

漏洞类型	测试对象	Kelinci触发的异常数量 /个	Peach触发的异常数量/个	本文方法触发的异常数量/个
数据库异常	VBlog	1	1	1
	Nacos	0	0	0
	Vhr	0	2	2
	Guns	0	0	0
未授权访问	VBlog	0	0	1
	Nacos	0	1	1
	Vhr	0	0	0
	Guns	0	0	0
实例未初始化	VBlog	1	4	9
	Nacos	0	0	1
	Vhr	3	5	14
	Guns	0	0	1
XSS注入	VBlog	0	0	0
	Nacos	0	0	0
	Vhr	0	0	1
	Guns	0	0	1
类型混淆	VBlog	0	0	0
	Nacos	0	0	0
	Vhr	0	0	0
	Guns	0	0	1