
Multidimensional Depth Oriented Fuzzing Method of Java Web Applications

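With the widespread use of Java Web, its security problems have become increasingly prominent. Fuzzing, as an effective vulnerability mining method, has already been applied to detecting Java vulnerabilities. However, because Java Web application code is large in scale and its business logic is complex, existing vulnerability mining tools suffer from high randomness and shallow code detection depth during fuzzing, which leads to low vulnerability mining accuracy. This paper therefore proposes a Java Web fuzzing method based on multidimensional depth guidance. The method uses Jimple as the three-address-code intermediate representation of the bytecode of the Java Web application under test, and generates the corresponding inter-function call graph and intra-function control flow graphs, on the basis of which it analyzes the multidimensional depth of each basic block. In addition, it optimizes the fuzzing guidance strategy according to multidimensional depth and fuzzing execution time, designing corresponding input structure parsing, energy allocation, and mutation algorithm scheduling strategies to improve the accuracy of fuzzing. Experimental results show that, compared with the existing fuzzing tools Peach and Kelinci, the method achieves better vulnerability detection results at low performance cost.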
Multidimensional Depth Oriented Fuzzing Method of Java Web Applications
With the popularity of the Java language, the security of Java applications is becoming an increasingly serious issue. As an effective vulnerability mining method, fuzzing has been used to detect Java application vulnerabilities. However, due to the huge code scale and complex business logic of Java Web applications, existing vulnerability mining tools suffer from high randomness in testing and low depth of code detection, resulting in low accuracy of vulnerability mining. To solve these problems, this paper designed and implemented a multidimensional depth oriented fuzzing method for Java Web applications. This method generated the three-address code of the application bytecode to be tested, and then obtained the corresponding inter-function call graph and intra-function control flow graph. According to this information, an algorithm was designed to obtain the multidimensional depth of each basic block. Then, according to the multidimensional depth and fuzzing execution time, the fuzzing guidance strategy of the system was designed, and the corresponding input structure analysis strategy, energy allocation strategy and mutation algorithm scheduling strategy were designed to improve the efficiency of fuzzing. A comparison with the existing widely used fuzzing tools Peach and Kelinci shows that this method can achieve a better vulnerability mining effect under the condition of low performance consumption.

fuzzing; Java Web; vulnerability mining

王鹃、龚家新、蔺子卿、张晓娟


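School of Cyber Science and Engineering, Wuhan University, Wuhan 430072

Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan 430072

Institute of Information and Communication, China Electric Power Research Institute Co., Ltd., Beijing 100192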

Fuzzing; Java Web; vulnerability mining

Science and Technology Project of State Grid Corporation of China

520940210009

2024

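Netinfo Security (信息网络安全)
The Third Research Institute of the Ministry of Public Security; Computer Security Professional Committee of the China Computer Federation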


CSTPCD; CHSSCD; Peking University Core Journal
Impact factor: 0.814
ISSN: 1671-1122
Year, volume (issue): 2024, 24(2)