BackREST: A Model-Based Feedback-Driven Greybox Fuzzer for Web Applications
François Gauthier (1), Behnaz Hassanshahi (1), Benjamin Selwyn-Smith (1), Trong Nhan Mai (1), Max Schlüter (1), Micah Williams (2) ((1) Oracle Labs, (2) Oracle)

TL;DR
BackREST is an automated, model-based web fuzzer that uses feedback-driven techniques to efficiently discover vulnerabilities, outperforming existing fuzzers in speed and vulnerability detection, including zero-day exploits.
Contribution
It introduces a novel, fully automated approach to model web applications via REST inference and combines coverage and taint analysis for effective fuzzing.
Findings
Achieves 7.4x to 25.9x speedups over existing fuzzers.
Detects more vulnerabilities, including six previously unreported zero-days.
Successfully discloses vulnerabilities in popular libraries such as Sequelize and MongoDB.
Abstract
Following the advent of American Fuzzy Lop (AFL), fuzzing had a surge in popularity, and modern-day fuzzers range from simple blackbox random input generators to complex whitebox concolic frameworks capable of deep program introspection. Web application fuzzers, however, did not benefit from the tremendous advancements in fuzzing for binary programs and remain largely blackbox in nature. This paper introduces BackREST, a fully automated, model-based, coverage- and taint-driven fuzzer that uses its feedback loops to find more critical vulnerabilities, faster (speedups between 7.4x and 25.9x). To model the server side of web applications, BackREST automatically infers REST specifications through directed state-aware crawling. Comparing BackREST against three other web fuzzers on five large (>500 KLOC) Node.js applications shows how it consistently achieves comparable coverage…
