Research On Fuzzing Technology For Web Interface Of Embedded Devices

With the concept of "Internet of Everything" gradually gaining popularity,Internet of Things related technologies are gradually being used in people’s daily lives.The realization and application of Internet of Things technology mostly use embedded devices as the main carrier,and the security research of devices has also been in recent years.Important research direction coming.Fuzzing technology has become the most widely used method of vulnerability mining due to its high efficiency.The use of fuzzing technology for security testing of embedded devices is one of the important research directions in the field of network security at present,and it is of great significance for protecting user privacy.This paper takes the embedded device as the research object,takes the fuzzing test technology as the main research method,and uses the web interface of the embedded device as the entrance of the fuzzing test to study the fuzzing test method for the embedded device.The main work is as follows:A method for fuzzing XSS vulnerabilities of embedded devices based on adaptive mutation is proposed,and a prototype system is designed and implemented according to this method.Aiming at the current lack of effective embedded device XSS vulnerability detection methods,low quality of embedded device test case generation,and the lack of adaptability of fuzzing seed mutations that reduce test efficiency,this method first automatically generates tests through the embedded device Web interface Use cases,and use "attack probes" to detect in advance,determine the direction of seed mutation,enhance seed adaptability,expand the test space,and improve the quality and efficiency of fuzz testing.Experiments show that comparing the prototype system with the mainstream protocol fuzzing tool Boofuzz ??and the web vulnerability scanning tool Wfuzz,it can find 7 known XSS vulnerabilities in 9 locations among the experimental subjects,and the detection efficiency is about 10% higher than that of Boofuzz.Wfuzz increased by about 5%.A fuzzing test method for embedded devices based on dynamic instrumentation feedback is proposed,and a prototype system is implemented according to this method.If the fuzzing test of embedded devices does not have certain prior knowledge,the test cases may not reach the deeper code logic of the firmware program,and most of the existing fuzzing test methods for embedded devices are mainly black box testing,which cannot be accurately positioned The location of possible vulnerabilities.In order to solve the above problems,this paper proposes a fuzzing test method that takes the embedded device Web interface as the entrance and guides the test process through dynamic instrumentation feedback.This method first constructs a priori knowledge base,sends the test cases combined with the prior knowledge of the firmware program to the embedded device,and adjusts the fuzzing test strategy according to the feedback information of the dynamic instrumentation,thereby improving the quality and efficiency of the fuzzing test.Through an experimental comparison with the protocol fuzzing tool Boofuzz ??and the web vulnerability scanning tool Xray,the prototype system of this article has increased the fuzzing efficiency by about 40% compared to Boofuzz,and the basic block coverage has increased by about 30%,and it is mined in QNAP NAS To an undisclosed command execution vulnerability.