Netinfo Security ›› 2024, Vol. 24 ›› Issue (10): 1544-1552. doi: 10.3969/j.issn.1671-1122.2024.10.008

The Research on Efficient Web Fuzzing Technology Based on Graph Isomorphic Network

ZHANG Zhanpeng1,2, WANG Juan1,2, ZHANG Chong1,2, WANG Jie1,2, HU Yuyi1,2

  1. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  2. Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, Wuhan University, Wuhan 430072, China
  • Received: 2024-05-08 Online: 2024-10-10 Published: 2024-09-27

Abstract:

Existing Web fuzzing methods mainly consist of dictionary-based black-box testing methods and gray-box testing methods borrowed from binary fuzzing. These methods suffer from high randomness and low efficiency. To address these issues, the article proposed an efficient Web fuzzing method based on a graph isomorphism network. First, leveraging the strong capabilities of the graph isomorphism network in graph representation and structure learning, the semantic and structural features of vulnerabilities were learned on the control flow graph of the code, and the vulnerability probabilities of basic blocks were predicted. Then, based on the vulnerability prediction results, a Web application fuzzing guidance strategy was designed that is dually guided by vulnerability probability and coverage. It prioritized the exploration of program locations with a higher probability of vulnerability without compromising coverage, effectively addressing the high randomness and low efficiency of existing Web application fuzzing tools. Finally, based on the above methods, a prototype system was implemented and experimentally evaluated. The experimental results show that the efficiency of the system has increased by 40%, and the coverage has expanded by 5%.

Key words: fuzzing, Web vulnerability, graph isomorphism network, vulnerability discovery