BreachAI : an artificial intelligence approach to enhance automated security testing of web applications

Bibliographic Details
Main Author: Soong, Jie Ming
Other Authors: Shar Lwin Khin
Format: Final Year Project
Language: English
Published: 2018
Online Access: http://hdl.handle.net/10356/76168
Institution: Nanyang Technological University
Description
Summary: Web application vulnerabilities are uncovered by using a method known as fuzzing, which consists of automatically generating and sending malicious inputs to a chosen web application. Modern-day security scanners have helped to make this process simpler by improving the execution time to fuzz a web application. However, there remains a possibility that a well-hidden vulnerability might be overlooked by these security scanners. Hence, we introduce a method to enhance current security scanners to minimize the number of overlooked vulnerabilities. BreachAI is a direct result of this project. BreachAI is a black-box cross-site scripting fuzzer for web applications. It will work seamlessly with Zed Attack Proxy, an open-source web application scanner produced by the Open Web Application Security Project, to enhance some of its cross-site scripting features. Using a genetic algorithm and a modified version of the JavaScript grammar, BreachAI can automatically generate malicious inputs and, upon analysing the responses of the web application, constantly evolve these malicious inputs to better pick up cross-site scripting vulnerabilities in a web application. The evaluation demonstrates no false positives and higher, if not the same, vulnerability detection rates in the web applications tested as compared to Zed Attack Proxy.