License: Creative Commons Attribution 4.0 International license (CC BY 4.0)
When quoting this document, please refer to the following
DOI: 10.4230/LIPIcs.ECOOP.2022.29
URN: urn:nbn:de:0030-drops-162573
Go to the corresponding LIPIcs Volume Portal

Gauthier, François ; Hassanshahi, Behnaz ; Selwyn-Smith, Benjamin ; Mai, Trong Nhan ; Schlüter, Max ; Williams, Micah

Experience: Model-Based, Feedback-Driven, Greybox Web Fuzzing with BackREST

LIPIcs-ECOOP-2022-29.pdf (1 MB)


Following the advent of the American Fuzzy Lop (AFL), fuzzing had a surge in popularity, and modern day fuzzers range from simple blackbox random input generators to complex whitebox concolic frameworks that are capable of deep program introspection. Web application fuzzers, however, did not benefit from the tremendous advancements in fuzzing for binary programs and remain largely blackbox in nature. In this experience paper, we show how techniques like state-aware crawling, type inference, coverage and taint analysis can be integrated with a black-box fuzzer to find more critical vulnerabilities, faster (speedups between 7.4× and 25.9×). Comparing BackREST against three other web fuzzers on five large (>500 KLOC) Node.js applications shows how it consistently achieves comparable coverage while reporting more vulnerabilities than state-of-the-art. Finally, using BackREST, we uncovered eight 0-days, out of which six were not reported by any other fuzzer. All the 0-days have been disclosed and most are now public, including two in the highly popular Sequelize and Mongodb libraries.

BibTeX - Entry

  author =	{Gauthier, Fran\c{c}ois and Hassanshahi, Behnaz and Selwyn-Smith, Benjamin and Mai, Trong Nhan and Schl\"{u}ter, Max and Williams, Micah},
  title =	{{Experience: Model-Based, Feedback-Driven, Greybox Web Fuzzing with BackREST}},
  booktitle =	{36th European Conference on Object-Oriented Programming (ECOOP 2022)},
  pages =	{29:1--29:30},
  series =	{Leibniz International Proceedings in Informatics (LIPIcs)},
  ISBN =	{978-3-95977-225-9},
  ISSN =	{1868-8969},
  year =	{2022},
  volume =	{222},
  editor =	{Ali, Karim and Vitek, Jan},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{},
  URN =		{urn:nbn:de:0030-drops-162573},
  doi =		{10.4230/LIPIcs.ECOOP.2022.29},
  annote =	{Keywords: Taint analysis, fuzzing, crawler, Node.js}

Keywords: Taint analysis, fuzzing, crawler, Node.js
Collection: 36th European Conference on Object-Oriented Programming (ECOOP 2022)
Issue Date: 2022
Date of publication: 23.06.2022
Supplementary Material: Software: archived at:

DROPS-Home | Fulltext Search | Imprint | Privacy Published by LZI