
PROJECT REPORT

On
FUZ/Z
BACHELOR OF TECHNOLOGY
(Information Technology)

Submitted by
Hemanthraju B (20134007)

Name of the Team Member(s)
Karunakaran K (20134013)
Venkatraman M (20134020)
Praveen K (20134006)

Submitted to

Dr. Saranya S
Assistant Professor
IT Department, HITS

IV SEMESTER
DESIGN PROJECT(ITB4243)
DEPARTMENT OF INFORMATION TECHNOLOGY
HINDUSTAN INSTITUTE OF TECHNOLOGY AND SCIENCE
CHENNAI – 603 103
MAY 2022
BONAFIDE CERTIFICATE:

Certified that this Design project report “FUZ/Z” is the bonafide work of ___________Team
members____________ who carried out the Design project work under my supervision during the
academic year 2021-2022.

SIGNATURE

Supervisor

Dr. Saranya S

Assistant Professor

IT Department, HITS

INTERNAL EXAMINER
Name:
Designation:

EXTERNAL EXAMINER
Name:
Designation:

Project Viva-Voce conducted on __________________________


ACKNOWLEDGEMENT:

At first, we would like to thank Almighty God for the idea and the opportunity to work on this project. We
thank Dr. S. Saranya, Assistant Professor, Department of Information Technology, for their strong
support and encouragement for the project “FUZ/Z”.

We thank all the faculty members and technical staff of the Department for their support and
suggestions during the development of the design project.

Our Team Members:


TABLE OF CONTENTS

SI.NO.  TITLE                               PAGE NO.
1       Abstract                            5
2       Introduction                        2
3       Problem Statement                   4
4       Literature Survey                   5
5       Proposed System                     7
6       Objectives & Scope                  8
7       Requirement Specification           9
8       System Design and Methodology       13
9       System Implementation               15
10      Results and Performance Analysis    16
11      Conclusion and Future Work          17
12      References                          23

1. ABSTRACT

Web applications need extensive testing before deployment and use so that security vulnerabilities are
detected early and the safety of the software improves. The purpose of this paper is to research the
application of fuzzing to security vulnerabilities. It first introduces the common web software security
vulnerabilities, then gives a comprehensive overview of fuzzing technology, and finally uses the web
fuzzing tool to carry out a software vulnerability test and check whether a security hole exists. The test
results show that fuzzing is suitable for testing software security vulnerabilities, but the methodology
applies only to the security research field and is still insufficient for the detection of software security
vulnerabilities in general.

Fuzzing is done under the premise that every programme has bugs that are just waiting to be found, so a
methodical technique ought to locate them eventually. Because of its non-human approach, fuzzing can
provide a different perspective from traditional software testing procedures (manual code inspection,
debugging), and because the technique takes minimal effort to set up, it serves as a reasonable
complement to them rather than a replacement. Fuzz testing, often known as fuzzing, is an automated
software testing approach used in programming and software development that feeds random, erroneous,
or invalid data into a computer programme. The application is then checked for errors such as crashes,
failed built-in code assertions, or dangerous memory leaks.

Fuzzers are typically used to evaluate programmes that accept structured inputs. This structure, stated for
example in a file format or protocol, separates valid input from invalid input. Effective fuzzers provide
semi-valid inputs that are "valid enough" not to be rejected immediately by the parser and to cause
unexpected behaviour deeper in the programme, but "invalid enough" to reveal corner cases that have not
been adequately handled. There are many different kinds of fuzzing, each optimised for testing a specific
type of application. Web application fuzzing is the field of fuzzing web applications to expose common
web vulnerabilities, like injection issues, XSS, and more.

2. INTRODUCTION

Fuzzing is an automated technique for finding bugs. It entails feeding a variety of erroneous and
unexpected input into a programme, then checking the programme for errors. The malformed input used
to "fuzz" an application may be purposefully crafted or generated at random. The objective is to cause
unexpected behaviour in a programme (such as crashes and memory leaks) and determine whether it results
in a bug that may be exploited. By contrast with manual methods, automated testing is far more effective
at quickly finding a huge number of bugs. In actuality, fuzzing-discovered problems currently make up the
majority of new CVE submissions.

2.1 Fuzzing web applications:

Fuzzing can take many forms, each of which is tailored to testing a particular type of application.
The practice of fuzzing web applications to reveal common web vulnerabilities, such as injection
problems, XSS, and others, is known as web application fuzzing. A fuzzer would try combinations of
attacks on:

● numbers (signed/unsigned integers, floats, ...)
● chars (URLs, command-line inputs)
● metadata: user-input text (e.g. an ID3 tag)
● pure binary sequences

2.2 Application fuzzing

Whatever the fuzzed system is, the attack vectors lie within its I/O. For a desktop app these are:

● the UI (testing all button sequences / text inputs)
● the command-line options
● the import/export capabilities (see file format fuzzing below)

pg. 6
2.3 Protocol fuzzing

A protocol fuzzer sends forged packets to the tested application, or eventually acts as a proxy, modifying
requests on the fly and replaying them.

3. PROBLEM STATEMENT
Fuzzing can take many forms, each of which is tailored to testing a particular type of application.
The practice of fuzzing web applications to reveal common web vulnerabilities, such as injection
problems, XSS, and others, is known as web application fuzzing. Fuzzing is done under the premise that
every programme has bugs that are just waiting to be found, so a methodical technique ought to locate
them eventually. Because of its non-human approach, fuzzing can provide a different perspective from
traditional software testing procedures (manual code inspection, debugging), and because the technique
takes minimal effort to set up, it serves as a reasonable complement to them rather than a replacement.
Fuzz testing, often known as fuzzing, is an automated software testing approach used in programming
and software development that feeds random, erroneous, or invalid data into a computer programme.
The application is then checked for errors such as crashes, failed built-in code assertions, or dangerous
memory leaks. The objective is to cause unexpected behaviour in a programme (such as crashes and
memory leaks) and determine whether it results in a bug that may be exploited. By contrast with manual
methods, automated testing is far more effective at quickly finding a huge number of bugs. Effective
fuzzers provide semi-valid inputs that are "valid enough" to cause unexpected behaviour deeper in the
programme but "invalid enough" to reveal corner cases that have not been adequately handled.

4. LITERATURE SURVEY

AUTHOR NAME | JOURNAL TYPE | TITLE | YEAR | OBJECTIVE | LIMITATIONS
Andrianto, Liem M.M., Asnar Y.D.W. | IEEE | Web Application Fuzz Testing | 09 February 2021 | Automated web app scanner | Couldn't find entry point
Lil.L.Dong, Liu.D, Zhu.L | IEEE | The Application of Fuzzing in Web Software Security Vulnerability Test | 04 January 2021 | Multi-language code | Used third-party service
Hao Zhang, Weiyu Dong, Jiang | IEEE | Detection of Web Vulnerabilities via Fuzzing | November 2019 | Design model | No multi-thread processing
Zhou.X, Wu.B | IEEE | Web Application Vulnerability Fuzzing Based on Improved Genetic Algorithm | 03 December 2015 | Scanner | Very slow scanner
Stefan Kals, Engin Kirda, Christopher Kruegel, and Nenad Jovanovic | IEEE | A Web Vulnerability Scanner | 23 May 2016 | Web scanner | Could not find the parameters of a given website for advanced attack methods
Marco Vieira, Nuno Antunes, and Henrique Madeira | IEEE | Using Web Security Scanners to Detect Vulnerabilities in Web Services | 2 July 2019 | Security & networking | Reports more false-positive results to the user
Smita Patil, Prof. Nilesh Marathe, Prof. Puja Padiya | IEEE | Design of Efficient Web Vulnerability Scanner | August 2016 | Scanner | Cannot scan web applications other than PHP
Balume Mburano, Weisheng Si | IEEE | Evaluation of Web Vulnerability Scanners Based on OWASP Benchmark | 26 December 2018 | Web scanner benchmark | Basic benchmark testing; it does not scan the web pages
4.1 NEED FOR THE PROJECT

To prevent potential hackers from gaining unauthorised access to corporate information and data,
organisations need a web vulnerability scanner to detect security issues in web-based applications. Although
corporations invest heavily in network security and well-known anti-virus solutions, web applications
turn out to be a weak link in the security of companies as a whole. Cyber criminals began to utilise web
apps as a platform for accessing corporate data, which is why regular use of a web vulnerability scanner is
critical. Web applications are at risk from cross-site scripting and SQL injection. This online scanner will
help you complete your pentest faster. For the best results and performance, the settings have already
been configured. Simply begin scanning and wait for the results. Vulnerabilities reported in your
application's security should then be investigated. If you own a web development company, you can use
this report to show your clients that you have taken proper security precautions when creating their
website. This tool was created specifically to detect cross-site scripting and SQL injection vulnerabilities,
and Python Flask is used to build it. It assists the organisation in defending its websites against attackers
by detecting these vulnerabilities before they are used to compromise the web application.

5. PROPOSED SYSTEM

The web-based security risk scanning tool is similar to other vulnerability scanners and can detect
vulnerabilities within web-based applications. Vulnerability scanners are tools that help capture various
online issues, such as exposed sensitive files, and so help ensure the security of the web application by
testing for and capturing what is one of the most exploited weaknesses in web use and one of the most
widely studied. Since full protection against every system error or interruption may be difficult to
achieve, good development processes, libraries, and browsers are designed to protect the web server.
Error-based SQL injection is an in-band injection method in which an error raised by the website is used
to extract the data within the site. The error-based SQL injection strategy forces the site to generate an
error that gives the attacker or tester information with which they refine their injection.

6. OBJECTIVES

● Our aim in this activity is to identify potential risks.
● The fuzzer identifies systems and software that contain known security threats.
● The fuzzer finds systems and software that have known security vulnerabilities, but this
information is only useful to IT security teams when it is used as the first part of a four-part
vulnerability management process.
● Identify vulnerabilities before cyber criminals do.
● Save time and money.
● Make the most of vulnerability scanning.
● Define the level of risk of your web application.
● Keep the rate of false positive results acceptably low.
● Be able to analyse different web technologies, such as PHP, ASP.NET, ASP, etc.

6.1 EXISTING WORK

Current research aims to improve detection quality by using AI, for example by drawing on knowledge of
current browser and application bugs. Machine learning can also be applied to the application to determine
how outputs are influenced by inputs. A handful of these methods are described in more detail below.

Model inference and evolutionary fuzzing were combined to create a new method for detecting parameter
and sensitive-file issues. To create a crawler, this method merely used a heuristic-driven substring-matching
algorithm. The authors presented a method for forming an attack grammar by inferring models of online
applications. The attack grammar produces slices, which narrow the search space, and the harmful inputs
delivered to the programme are then scheduled using genetic algorithms. As appealing as the concept was,
it presupposed the ability to return the application to its original state, which is not always possible.
Furthermore, the framework assumed that an XSS is caused by a single fuzzed value.

Isatou and colleagues devised a three-component solution that uses a genetic algorithm-based approach for
detecting and removing sensitive-file exposures in online applications. Converting the application's source
code to control flow graphs is the first component. The vulnerable parameter is detected in the second
component, and its eradication is the focus of the third. The method failed to detect content whose pathways
are not defined in the OWASP Enterprise Security API (ESAPI) standards. As a result, XSS and SQLi flaws
that are not defined in ESAPI are completely overlooked.

In order to detect the presence of vulnerabilities, Huang et al. used a variety of software testing
approaches such as black-box testing, fault injection, and web application activity monitoring. This
technique combines user experience modelling as black-box testing with user behaviour simulation.
The method did not provide immediate web application security, and it also failed to ensure the
identification of all problems.

7. SYSTEM REQUIREMENTS

7.1 SOFTWARE REQUIREMENTS

Selecting software is one of the most difficult tasks: once the system requirements are known, we have
to determine whether a particular software package fits those requirements. This section summarises the
application requirements.

SOFTWARE SPECIFICATIONS

Operating System : Linux, Windows, OS X
Languages Used : Python, Flask
Development Environment : Visual Studio Code
Web Browser : Chrome, Firefox, Safari

Fig:3 VS Code 1.66

Fig:4 Linux

Fig:5 Flask

7.2 HARDWARE REQUIREMENTS

The selection of hardware is very important for the existence and proper working of any
software. When selecting hardware, the size and capacity requirements are also important.

HARDWARE SPECIFICATIONS

Hard Disk : 40 GB SSD
RAM : 8 GB
Processor : Intel i5 (3rd gen)
Mouse : Optical scroll mouse

7.3 TECHNOLOGY USED

7.3.1 Flask micro web framework

Flask is a micro web framework written in Python. It is classified as a microframework
because it does not require particular tools or libraries. It has no database abstraction layer,
form validation, or any other components where pre-existing third-party libraries provide
common functions. However, Flask supports extensions that can add application features as if
they were implemented in Flask itself. Extensions exist for object-relational mappers, form
validation, upload handling, various open authentication technologies and several common
framework-related tools.

7.3.2 functools

Higher-order functions, that is, functions that act on or return other functions, are handled by the
functools module. For the purposes of this module, any callable object can be treated as a
function.

7.3.3 Models

A model is a Python class that is descended from Model. The model class describes a new
datastore entity Kind and the properties that it should have. The instantiated class name that
inherits from db determines the Kind name.

7.3.4 Flask_mail

The Flask-Mail extension provides a simple interface to set up SMTP with your Flask
application and to send messages from your views and scripts.

7.3.5 Threading
A thread is a separate execution flow. This indicates that two things will be happening at the
same time in your software. However, the different threads do not actually execute at the
same time in most Python 3 implementations; they just appear to.

7.3.6 Beautiful soup

Beautiful Soup is a Python library that is used for web scraping purposes to pull the data out
of HTML and XML files. It creates a parse tree from page source code that can be used to
extract data in a hierarchical and more readable manner.

7.3.7 Bcrypt

Bcrypt helps in preventing the brute-force search attacks by increasing the iteration count
(rounds). The computation cost of the algorithm depends on parameterized rounds, so it can
be increased as computers get faster. It uses a salt to protect against rainbow table attacks, as
well.

7.3.8 Mongo

MongoDB stores data in JSON-like documents, which makes the database very flexible and
scalable.

7.3.9 Blocking scheduler

Blocking Scheduler is the simplest possible scheduler. It runs in the foreground, so when you
call start(), the call never returns.

Fig:6 Python

8. SYSTEM DESIGN & METHODOLOGY

Fig:7 Flow chart

In this project the application scans for XSS and SQLi. The user accesses the programme by
registering, or by logging in if they already have an account, and submits the website of their
organisation through the provided input form. Using the BeautifulSoup Python module, the
engine fetches the URL and searches for the available parameters in the web page. If it has
difficulty finding an available parameter, the process repeats from the beginning until it either
finds one or reports that none could be found. After a parameter is found, each payload from the
payload.txt file is brute-forced into the parameter value. If any of the payloads is triggered, the
vuln scanner displays the vulnerable URL as well as the vulnerability that was discovered
against that website.
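The three-step engine described above (find the parameters, brute-force each payload into them, report what was triggered), as an added Python example that is not the project's own source code. It uses the standard-library html.parser in place of BeautifulSoup, constructed canary strings in place of payload.txt, and a hypothetical in-process target (demo_target) in place of a live website, so it runs offline.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _ParamFinder(HTMLParser):
    """Collect every named form field (the job Section 8 gives to BeautifulSoup)."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("input", "textarea", "select") and attrs.get("name"):
            self.names.append(attrs["name"])

def find_parameters(url, page_html):
    """Step 1: candidate parameters = query-string keys plus named form fields."""
    names = list(parse_qs(urlsplit(url).query, keep_blank_values=True))
    finder = _ParamFinder()
    finder.feed(page_html)
    return names + [n for n in finder.names if n not in names]

# Constructed stand-ins for payload.txt: harmless canaries that carry the
# characters an output encoder or SQL quoting layer has to neutralise.
PAYLOADS = ["fzz<canary>", "fzz'\"<canary>"]

# Database error strings that betray error-based SQL injection (Section 5).
SQL_ERROR_RE = re.compile(
    r"you have an error in your sql syntax|unclosed quotation mark"
    r"|sqlite3\.operationalerror|pg_query\(\)|ora-\d{5}", re.IGNORECASE)

def classify(payload, body):
    """Step 3: which vulnerability classes did this payload trigger?"""
    found = []
    if payload in body:            # echoed back verbatim: no output encoding
        found.append("XSS")
    if SQL_ERROR_RE.search(body):  # database error leaked into the response
        found.append("SQLI")
    return found

def scan(url, page_html, send):
    """Step 2: try every payload in every parameter; send() performs the request."""
    findings = {}
    for name in find_parameters(url, page_html):
        for payload in PAYLOADS:
            for vuln in classify(payload, send(url, {name: payload})):
                findings.setdefault((name, vuln), payload)
    return findings

# Constructed offline target (hypothetical): 'name' is escaped correctly, 'q' is
# reflected raw and 'id' is concatenated into SQL. Swap in a real HTTP client here.
def demo_target(url, params):
    if "name" in params:
        return "<p>Hello " + escape(params["name"]) + "</p>"
    if "q" in params:
        return "<p>Results for " + params["q"] + "</p>"
    if "id" in params and "'" in params["id"]:
        return "Error: You have an error in your SQL syntax near ''"
    return "<p>ok</p>"

DEMO_URL = "http://app.example/search?q=&id=1"
DEMO_HTML = '<form action="/search"><input name="name"><input name="q"></form>'

def demo():
    return scan(DEMO_URL, DEMO_HTML, demo_target)  # {(parameter, vuln): payload}
```

The canary has to carry characters an encoder changes; a plain word echoed back would be flagged as XSS, which is exactly the false-positive rate the objectives in Section 6 ask to keep low.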

8.1 Use Case Diagram

FIG:8 Use Case Diagram

The project is built as a web application, as shown in the use case diagram above. The web
application collects user input and checks for vulnerabilities in the target that the user
supplies. The attacks are launched using the payloads listed in payload.txt, and the outcome
for the given user input is shown.

9. SYSTEM IMPLEMENTATION

Fig:7 source code 1

Fig:8 source code 2

10. RESULT

Fig:9 Front end

Fig:10 Scanned Result

10.1 PERFORMANCE ANALYSIS

FIG:11 Performance Analysis of the project

11. CONCLUSION

Naturally, fuzzing is not a foolproof method for finding every bug. The ability to hack web apps via
fuzzing has some restrictions. The server's rate limiting is one of them: you might not be able to send
the application a lot of payloads during a remote, black-box interaction without being discovered by the
server or exceeding some sort of rate limit. This can result in testing taking longer, or it might even get
you kicked off the service. Being unable to access the code and only receiving a small sample of the
application's behaviour makes it challenging to assess the effect of a bug properly when fuzzing during
black-box testing. This means that additional manual testing is frequently required to confirm the validity
and importance of the bug. Fuzzing can be compared to a metal detector because it only alerts you to
potential findings; you still have to look more closely to determine whether you have discovered anything
worthwhile. The types of flaws that can be found by fuzzing a web application are another restriction.
Fuzzing can occasionally help in the discovery of novel issue types and is effective at identifying some
simple vulnerabilities like XSS and SQLi, but it is less effective at identifying business logic errors and
bugs that require numerous steps to exploit. These intricate problems still need to be painstakingly dug
out and represent a significant source of future threats.

11.1 FUTURE WORK

We aim to integrate more attack plug-ins in the future (e.g., to assess the risk of directory traversal).
In addition, the functionality of the tool can be improved further. We are also working on setting up a
website from which the proof-of-concept vuln scanner can be downloaded. While we know that vuln
scanners may be used for malicious purposes, we feel they can assist web application developers in
assessing the safety of their systems.
12. REFERENCES

[1] Abdulkader A. Alfantookh. An automated universal server level solution for SQL injection security flaw. International Conference on Electrical, Electronic and Computer Engineering, pages 131–135, September 2021.

[2] CERT. Advisory CA-2000-02: malicious HTML tags embedded in client web requests. http://www.cert.org/advisories/CA-2000-02.html, 2022.

[3] W3C World Wide Web Consortium. HTTP - Hypertext Transfer Protocol. http://www.w3.org/Protocols/, 2019.

[4] Microsoft Corporation. Architecture and Design Review for Security. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnets%ec/html/THCMCh05.asp, 2015.

[5] Microsoft Corporation. ISAPI Server Extensions and Filters. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore%98/HTML/_core_isapi_server_extensions_and_filters.asp, 2015.

[6] Microsoft Corporation. Microsoft .NET Framework Development Center. http://msdn.microsoft.com/netframework/, 2017.

[7] Microsoft Corporation. System.Reflection Namespace. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/%html/frlrfsystemreflection.asp, 2015.

[8] David Cruwys. C Sharp/VB - Automated WebSpider/WebRobot. http://www.codeproject.com/csharp/DavWebSpider.asp, March 2014.

[9] David Endler. The Evolution of Cross Site Scripting Attacks. Technical report, iDEFENSE Labs, 2012.

[10] Carlo Ghezzi, Mehdi Jazayeri, and Dino Mandrioli. Fundamentals of Software Engineering. Prentice-Hall International, 2019.

[11] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. In 13th ACM International World Wide Web Conference, 2014.

[12] Yao-Wen Huang, Shih-Kun Huang, and Tsung-Po Lin. Web Application Security Assessment by Fault Injection and Behavior Monitoring. 12th ACM International World Wide Web Conference, May 2013.

[13] Insecure.org. NMap Network Scanner. http://www.insecure.org/nmap/, 2015.

[14] Rachael Lininger and Russell D. Vines. Phishing. Wiley Publishing Inc., May 2015.

[15] Acunetix Ltd. Acunetix Web Vulnerability Scanner. http://www.acunetix.com/, 2015.

[16] Ken Moody and Marco Palomino. SharpSpider: Spidering the Web through Web Services. First Latin American Web Congress (LA-WEB), 2020.

[17] Information Technology Industry Council NCITS. SQL-92 standard.

[18] Nikto. Web Server Scanner. http://www.cirt.net/code/nikto.shtml, 2019.

[19] RSnake. XSS cheatsheet. http://sec.drorshalev.com/dev/xss/xssTricks.htm

[20] David Scott and Richard Sharp. Abstracting application-level Web security. 11th ACM International World Wide Web Conference, Hawaii, USA, 2012.

[21] SelfHtml. JavaScript Tutorial.

[22] Tenable Network Security. Nessus Open Source Vulnerability Scanner Project. http://www.nessus.org/, 2018.

[23] Paolo Tonella and Filippo Ricca. A 2-Layer Model for the White-Box Testing of Web Applications. In IEEE International Workshop on Web Site Evolution (WSE), 2014.

[24] Xprobe. Xprobe: active os fingerprinting tool. http://xprobe.sourceforge.net/
