ISBN: 978-981-18-7950-0 DOI: 10.18178/wcse.2023.06.006
Enhancing Website Runtime Application Self-Protection by Using Tainting and Fuzzing Test
Abstract—More and more people are depending on web applications in their daily life as a result of the development of big data and cloud computing technologies. A lot of data is processed through web applications, however, security vulnerabilities in web applications provide a continuing threat to people's private data. Traditional black-box scanners and white-box analysis tools struggle to identify vulnerabilities for runtime web applications precisely and effectively in the production environment, and web application firewalls are unable to get the runtime context environment in which they are executed, leading to a large number of false positive reports. In this paper, we propose a novel fuzzing and tainting-based system for web application runtime self-protection, which simultaneously implements web application vulnerability detection and attack protection from adversaries at runtime and generates comprehensive vulnerability reports for website administrators along with potential fix recommendations and patch code. We implemented and evaluated a basic prototype system for XSS vulnerabilities in PHP-based web applications. Our results show that although RASP based on fuzzing and tainting causes about a 30% reduction in website efficiency, it is fully defendable against almost all XSS attacks, while the fuzzer finds new data flow paths that could trigger the same XSS vulnerability and provides corresponding remediation recommendations.
Index Terms—rasp, fuzzing, tainting, website security
Rui Shi
College of Information Science and Engineering, Ocean University of China, CHINA
Gaozhou Wang, Hang Yu
Information and Telecommunications Company, State Grid Shandong Electric Power Company, CHINA
Long Zhang
QI-ANXIN Technology Group Inc., CHINA
Haipeng Qu
College of Information Science and Engineering, Ocean University of China, CHINA
Cite: Rui Shi, Gaozhou Wang, Hang Yu, Long Zhang, Haipeng Qu, "Enhancing Website Runtime Application Self-Protection by Using Tainting and Fuzzing Test" Proceedings of 2023 the 13th International Workshop on Computer Science and Engineering (WCSE 2023), pp. 31-36, June 16-18, 2023.