Fuzzing is one of the hardest and simplest things in computer security at the same time. It’s really easy to start fuzz something and it’s really hard to understand what else you can fuzz after obvious methods like bitflip, walking byte flips, etc, etc, etc. For the complex data formats, it’s required to learn hard and drill into this format description like BNF to be able to apply the payload in a right place.
Some times ago genetic (~2012) algorithms were suggested as a new approach for fuzzing. It provides an ability to try most probable vectors first to increase fuzzing speed.
My goal for this work is to create and release a fuzzer for the web apps based on neural networks. This fuzzer uses normal traffic to create a unique trainset for each data field in the HTTP request. Then these data will be used to create a set of payloads. This approach should provide better coverage then classics.
