Coverage-guided fuzz testing has received significant attention from the research community, with a strong focus on binary applications and little attention to other targets such as web applications. The importance of the World Wide Web in everyone's life cannot be overstated, and to this day, many web applications are developed in PHP. In this work, we address the challenges of applying coverage-guided fuzzing to PHP web applications and introduce PHUZZ, a modular fuzzing framework for PHP web applications. PHUZZ uses novel approaches to detect more client-side and server-side vulnerability classes than state-of-the-art related work, including SQL injection, remote command injection, insecure deserialization, path traversal, external entity injection, cross-site scripting, and open redirection. We evaluate PHUZZ on a diverse set of artificial and real-world web applications with known and unknown vulnerabilities, and compare it against a variety of state-of-the-art fuzzers. To show PHUZZ's effectiveness, we fuzz over 1,000 API endpoints of the 115 most popular WordPress plugins, resulting in over 20 security issues and 2 new CVE-IDs. Finally, we make the framework publicly available to motivate and encourage further research on web application fuzz testing.