What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications

Sebastian Neef, Lorenz Kleissner, Jean-Pierre Seifert

TL;DR

This work tackles the challenge of applying coverage-guided fuzz testing to PHP web applications by introducing PHUZZ, a modular framework that instruments PHP at runtime via function hooking and uses HAR-derived endpoint seeds to perform parallel, greybox fuzzing. PHUZZ supports a broad set of server-side (SQLi, RCE, PaTr, IDes, XXE) and client-side (XSS, OpRe) vulnerabilities, leveraging a novel instrumentation approach that avoids modifying application code or databases. The evaluation shows PHUZZ discovers more vulnerabilities than state-of-the-art black-box fuzzers and identifies zero-day issues in authenticated WordPress plugins, including two CVEs, while remaining non-invasive to fuzzed targets. The authors release PHUZZ as open-source, enabling reproducibility and further research into scalable, coverage-guided fuzzing for modern PHP web applications. Overall, PHUZZ advances web application fuzzing by combining interpreter-level instrumentation, robust vulnerability detection, and scalable parallel fuzzing, with practical impact demonstrated on real-world WordPress plugins.
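To make the two mechanisms named above concrete, here is an added illustration (not code from the paper or from the PHUZZ project): it derives endpoint seeds from a constructed HAR fragment and runs a minimal coverage-guided loop that only keeps mutants reaching new coverage. The HAR fields used (`log.entries[].request.url`, `postData.text`) follow the HAR 1.2 format; the `stand_in_target` coverage oracle is a hypothetical stand-in for an instrumented PHP application, since PHUZZ obtains coverage from its runtime function hooks rather than from anything like this function.

```python
import json
import random
from urllib.parse import urlsplit, parse_qsl

# Constructed HAR fragment (sample data, not from the paper or from PHUZZ):
# two recorded requests, one GET with a query string, one form POST.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "http://app.test/wp-json/demo/v1/items?id=7&sort=asc"}},
        {"request": {"method": "POST",
                     "url": "http://app.test/wp-admin/admin-ajax.php",
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "text": "action=demo_save&title=hello"}}},
    ]}
})


def har_to_seeds(har_text):
    """Derive one seed (method, path, parameter dict) per recorded HAR request.

    Query-string and urlencoded-body parameters are merged into a single dict
    so the mutator can treat them uniformly.
    """
    seeds = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        post = req.get("postData", {})
        if post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
            params.update(parse_qsl(post.get("text", ""), keep_blank_values=True))
        seeds.append({"method": req["method"], "path": parts.path, "params": params})
    return seeds


def mutate(params, rng):
    """Apply one random byte-level mutation to a single parameter value."""
    if not params:
        return dict(params)
    mutated = dict(params)
    key = rng.choice(sorted(mutated))
    value = mutated[key]
    op = rng.randrange(3)
    if op == 0:                                   # append one printable byte
        value = value + chr(rng.randrange(32, 127))
    elif op == 1:                                 # drop the last byte
        value = value[:-1]
    else:                                         # replace with a random run of one byte
        value = chr(rng.randrange(32, 127)) * rng.randrange(1, 40)
    mutated[key] = value
    return mutated


def stand_in_target(request):
    """Hypothetical coverage oracle standing in for an instrumented PHP app.

    It returns the set of branch identifiers the request would exercise; PHUZZ
    obtains this information from its runtime hooks instead of a function like this.
    """
    covered = {"endpoint:" + request["path"]}
    p = request["params"]
    if "id" in p:
        covered.add("id:numeric" if p["id"].isdigit() else "id:non_numeric")
    if "sort" in p:
        covered.add("sort:asc" if p["sort"] == "asc" else "sort:other")
    if "title" in p:
        covered.add("title:long" if len(p["title"]) > 20 else "title:short")
    return covered


def fuzz(seeds, run_target, iterations, rng_seed=0):
    """Minimal greybox loop: keep only mutants that reach new coverage."""
    rng = random.Random(rng_seed)
    corpus = [dict(s) for s in seeds]
    covered = set()
    for s in corpus:
        covered |= run_target(s)
    for _ in range(iterations):
        parent = rng.choice(corpus)
        child = dict(parent, params=mutate(parent["params"], rng))
        new_cov = run_target(child) - covered
        if new_cov:                               # coverage feedback: mutant is interesting
            covered |= new_cov
            corpus.append(child)
    return corpus, covered


if __name__ == "__main__":
    seeds = har_to_seeds(SAMPLE_HAR)
    corpus, covered = fuzz(seeds, stand_in_target, 500)
    print(len(seeds), "seeds ->", len(corpus), "corpus entries;", sorted(covered))
```

The loop is deliberately single-process; the paper's point is that with interpreter-level coverage feedback this scheduling can be parallelised across endpoints without touching the application code or its database, which is exactly what the stand-in oracle glosses over.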

Abstract

Coverage-guided fuzz testing has received significant attention from the research community, with a strong focus on binary applications, greatly disregarding other targets, such as web applications. The importance of the World Wide Web in everyone's life cannot be overstated, and to this day, many web applications are developed in PHP. In this work, we address the challenges of applying coverage-guided fuzzing to PHP web applications and introduce PHUZZ, a modular fuzzing framework for PHP web applications. PHUZZ uses novel approaches to detect more client-side and server-side vulnerability classes than state-of-the-art related work, including SQL injections, remote command injections, insecure deserialization, path traversal, external entity injection, cross-site scripting, and open redirection. We evaluate PHUZZ on a diverse set of artificial and real-world web applications with known and unknown vulnerabilities, and compare it against a variety of state-of-the-art fuzzers. In order to show PHUZZ' effectiveness, we fuzz over 1,000 API endpoints of the 115 most popular WordPress plugins, resulting in over 20 security issues and 2 new CVE-IDs. Finally, we make the framework publicly available to motivate and encourage further research on web application fuzz testing.

Paper Structure (67 sections, 3 figures, 10 tables)

Figures (3)

  • Figure 1: A brief overview of the web application fuzzing setup with the web server between the fuzzer and the PHP application.
  • Figure 2: Overview of components involved in the Phuzz framework.
  • Figure 3: Phuzz continuously finds new coverage and eventually the vulnerability in our custom DVWA fuzz SQLi level. WFuzz only reaches the same coverage accidentally by having the right keyword in its wordlist, but does not identify the vulnerability.