Chinese Journal of Network and Information Security, 2016, Vol. 2, Issue (2): 75-86. doi: 10.11959/j.issn.2096-109x.2016.00022

• Papers •

Research and implementation of fuzzing testing based on HTTP proxy

Xin SUN¹, Yi-yang YAO², Xin-dai LU¹, Xue-jiao LIU³, Yong-han WU³

  ¹ Electric Power Research Institute of State Grid, Zhejiang Electric Power Company, Hangzhou 310014, China
  ² Information and Communication Branch, Zhejiang Electric Power Company, Hangzhou 310014, China
  ³ School of Information Science and Engineering, Hangzhou Normal University, Hangzhou 311121, China
  • Revised: 2016-01-25  Online: 2016-02-15  Published: 2020-03-26
  • Supported by:
    Science and Technology Program of State Grid Zhejiang Electric Power Company (5211XT14009G); The National Natural Science Foundation of China (61502134); Zhejiang Provincial Science and Technology Innovation Program (2013TD03)

Abstract:

Most security testing tools lack test optimization, configurable test strategies, and intelligent analysis of test results, so they cannot be applied well to Web application testing. A fuzzing method for Web application security based on an HTTP proxy is proposed. High-performance communication between the HTTP proxy server and the browser is realized through an asynchronous monitoring mechanism. A pseudo-code-based strategy configuration for test cases enables flexible, automated testing. Intelligent analysis of test results is achieved by parsing packets in multiple dimensions. Experiments show that the tool supports detection of mainstream Web application vulnerabilities and configurable test strategies. It can detect vulnerabilities such as directory traversal, SQL injection, and cross-site scripting.

Key words: fuzzing, HTTP, proxy, Web application, security vulnerability, strategy
