Gray Box Fuzzing for Web Security


Supervisor: Cornelius Aschermann

Start: as soon as possible

Duration: 6 months

Further details:


Recently, guided gray box fuzzing has gained significant traction in binary security, mostly due to the large number of critical bugs found by American fuzzy lop (AFL). Gray box fuzzing performs significantly better than previous fuzzing approaches and will often generate valid files even for unknown file formats. Yet there are currently no gray box fuzzing tools for projects written in common scripting languages such as Ruby or Python.

The goal of the thesis is to develop a gray box fuzzing tool for projects written in a common scripting language, focusing on web applications (e.g. Ruby on Rails).

  • Build a gray box fuzzing tool for a common scripting language
  • Develop a definition of interesting behavior
  • Develop a way of dealing with native functions that cannot be traced
  • Develop a way of dealing with CSRF tokens and the like
  • Evaluate the performance of the approach
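To make the two central points above concrete (what "interesting behavior" means in a coverage-guided loop, and why native functions are a blind spot for a tracer written in the scripting language itself), here is an added example of a miniature gray box fuzzer for Python. It is not code from AFL or from the thesis; the toy request handler, its bug, the token dictionary and the seed input are all constructed for this illustration. Coverage is collected with sys.settrace as line-to-line edges, and an input is kept as a new parent only if it hits an edge never seen before, which is the AFL notion of interesting behavior reduced to its core.

```python
import random
import sys


# --- target under test (constructed for this example, deliberately buggy) --
def handle_request(body):
    """Parse a 'key=value;key=value' body. The crash sits behind several
    conditions, so a mutator has to get both 'action' and 'id' right."""
    params = {}
    for pair in body.split(";"):      # str.split is native: nothing to trace inside
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        params[key] = value
    if "action" not in params:
        return params
    if params["action"] != "delete":
        return params
    if "id" not in params:
        return params
    if not params["id"].isdigit():    # str.isdigit is native as well
        return params
    if int(params["id"]) >= 10:
        raise RuntimeError("deleted a record that is not the user's")  # the bug
    return params


# --- feedback: which line-to-line edges did an input exercise? ------------
class EdgeTracer:
    """Collects (previous line, current line) edges of Python frames from one
    source file via sys.settrace. Frames from other files are ignored, and C
    functions never produce frames at all, so the gray box is dark there."""

    def __init__(self, filename):
        self.filename = filename
        self.edges = set()
        self._prev = 0

    def _trace(self, frame, event, arg):
        if frame.f_code.co_filename != self.filename:
            return None               # do not trace foreign frames
        if event == "line":
            self.edges.add((self._prev, frame.f_lineno))
            self._prev = frame.f_lineno
        return self._trace

    def run(self, func, arg):
        """Run func(arg) under tracing and return the set of edges hit.
        An exception propagates: that is the crash signal for the fuzzer."""
        self.edges, self._prev = set(), 0
        sys.settrace(self._trace)
        try:
            func(arg)
        finally:
            sys.settrace(None)
        return self.edges


# --- mutation: AFL-style stacked edits plus an (assumed) token dictionary --
TOKENS = ["action=", "delete", "id=", ";", "1", "7"]
PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]


def mutate(s, rng):
    """Apply one to three stacked random edits to s."""
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0:                           # insert a dictionary token
            pos = rng.randint(0, len(s))
            s = s[:pos] + rng.choice(TOKENS) + s[pos:]
        elif op == 1 and s:                   # overwrite a slice with a token
            start = rng.randrange(len(s))
            end = rng.randint(start + 1, len(s))
            s = s[:start] + rng.choice(TOKENS) + s[end:]
        elif op == 2:                         # insert one random printable byte
            pos = rng.randint(0, len(s))
            s = s[:pos] + rng.choice(PRINTABLE) + s[pos:]
        elif op == 3 and len(s) > 1:          # delete a slice
            start = rng.randrange(len(s))
            end = rng.randint(start + 1, len(s))
            s = s[:start] + s[end:]
    return s


# --- the loop: an input is interesting iff it hits an edge never seen ------
def fuzz(target, seeds, iterations=60000, seed=1, guided=True):
    """Return the first crashing input (or None) plus statistics. With
    guided=False the corpus never grows, which gives a black box baseline."""
    rng = random.Random(seed)
    tracer = EdgeTracer(target.__code__.co_filename)
    seen, corpus = set(), []
    for s in seeds:
        seen |= tracer.run(target, s)
        corpus.append(s)
    for i in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        try:
            edges = tracer.run(target, child)
        except Exception as exc:
            return {"crash": child, "exception": repr(exc),
                    "corpus": corpus, "iterations": i}
        if guided and not edges <= seen:      # new edge -> keep as a parent
            seen |= edges
            corpus.append(child)
    return {"crash": None, "exception": None,
            "corpus": corpus, "iterations": iterations}


def reproduce(target, body):
    """Re-run one input without tracing; return the exception repr or None."""
    try:
        target(body)
    except Exception as exc:
        return repr(exc)
    return None


if __name__ == "__main__":
    for guided in (True, False):
        r = fuzz(handle_request, ["action=view;id=x"], guided=guided)
        print("guided" if guided else "blind ", "crash:", repr(r["crash"]),
              "after", r["iterations"], "runs; corpus", len(r["corpus"]))
```

Run stand-alone, the guided loop reaches the RuntimeError by climbing one condition at a time (each passed check yields a new edge and a new parent), while the unguided baseline with the same budget and mutator has to hit all three edits in one go and normally finds nothing. The tracer only ever sees Python frames from its own file: str.split and str.isdigit run in C and leave no trace, which is exactly the native-function problem the thesis has to solve, and nothing here yet deals with CSRF tokens or session state, which is the other open goal.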


  • Experience with a scripting language such as Ruby or Python
  • Experience with some of the bigger web frameworks
  • Interest in web exploitation