Experience: Model-Based, Feedback-Driven, Greybox Web Fuzzing with BackREST

Authors: François Gauthier, Behnaz Hassanshahi, Benjamin Selwyn-Smith, Trong Nhan Mai, Max Schlüter, Micah Williams

File

LIPIcs.ECOOP.2022.29.pdf
  • Filesize: 1.28 MB
  • 30 pages

Author Details

François Gauthier
  • Oracle Labs, Brisbane, Australia
Behnaz Hassanshahi
  • Oracle Labs, Brisbane, Australia
Benjamin Selwyn-Smith
  • Oracle Labs, Brisbane, Australia
Trong Nhan Mai
  • Oracle Labs, Brisbane, Australia
Max Schlüter
  • Oracle Labs, Brisbane, Australia
Micah Williams
  • Oracle, Durham, NC, USA

Cite As

François Gauthier, Behnaz Hassanshahi, Benjamin Selwyn-Smith, Trong Nhan Mai, Max Schlüter, and Micah Williams. Experience: Model-Based, Feedback-Driven, Greybox Web Fuzzing with BackREST. In 36th European Conference on Object-Oriented Programming (ECOOP 2022). Leibniz International Proceedings in Informatics (LIPIcs), Volume 222, pp. 29:1-29:30, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)
https://doi.org/10.4230/LIPIcs.ECOOP.2022.29

Abstract

Following the advent of American Fuzzy Lop (AFL), fuzzing has surged in popularity, and modern-day fuzzers range from simple blackbox random input generators to complex whitebox concolic frameworks capable of deep program introspection. Web application fuzzers, however, did not benefit from the tremendous advancements in fuzzing for binary programs and remain largely blackbox in nature. In this experience paper, we show how techniques like state-aware crawling, type inference, coverage and taint analysis can be integrated with a blackbox fuzzer to find more critical vulnerabilities, faster (speedups between 7.4× and 25.9×). Comparing BackREST against three other web fuzzers on five large (>500 KLOC) Node.js applications shows how it consistently achieves comparable coverage while reporting more vulnerabilities than the state of the art. Finally, using BackREST, we uncovered eight 0-days, six of which were not reported by any other fuzzer. All the 0-days have been disclosed and most are now public, including two in the highly popular Sequelize and MongoDB libraries.

ACM Subject Classification
  • Security and privacy → Web application security
Keywords
  • Taint analysis
  • fuzzing
  • crawler
  • Node.js
