Need an account to vote? Register to attend at gsec.hitb.org/sg2017/

NeuralFuzz: Neural Networks for Fuzzing Web Apps

Ivan Novikov

This paper has been accepted.

Fuzzing is one of the hardest and simplest things in computer security at the same time. It's really easy to start fuzzing something, and it's really hard to understand what else you can fuzz after the obvious methods like bit flips, walking byte flips, etc. For complex data formats, you have to study hard and drill into a format description such as BNF to be able to apply the payload in the right place.

Some time ago (~2012), genetic algorithms were suggested as a new approach for fuzzing. They make it possible to try the most probable vectors first to increase fuzzing speed.

My goal for this work is to create and release a fuzzer for web apps based on neural networks. This fuzzer uses normal traffic to create a unique training set for each data field in the HTTP request. This data will then be used to create a set of payloads. This approach should provide better coverage than classic methods.

About Ivan Novikov

Ivan Novikov is the CEO and Lead Security Expert of the Wallarm Company. He is the author of numerous research papers in the field of web application security and has been engaged in web application security research since 2004. He has received rewards from various bug-hunting programs, such as Google, Facebook, Nokia, and Yandex. He is also actively engaged in the development of a self-learning web application firewall system.