About the Speaker
Coverage-guided fuzz testing has received significant attention from the research community, but that work strongly favors binary applications over other targets, such as web applications. However, web applications drive large parts of the internet and have become a fundamental part of modern society. Web vulnerabilities continue to be discovered, and data breaches impacting millions of users are frequently reported.
In this talk, we will present PHUZZ—our open-source prototype that brings coverage-guided fuzz testing to PHP web applications. PHUZZ outperforms widely-used web vulnerability scanners, such as BurpSuite Pro, ZAP, and WFuzz, in detecting 7 classes of server-side and client-side vulnerabilities (e.g. SQLi, RCE, XXE, XSS) in artificial and real-world PHP web applications.
We will cover some of the challenges of applying coverage-guided fuzzing to web applications and how PHUZZ's function hooking and vulnerability detection approach allowed us to discover over 20 potential security issues and 2 CVEs in some of the most popular WordPress plugins.
Sebastian Neef (aka @gehaxelt) has been involved in IT security and hacking since his early teens. While others were playing computer games, he was more interested in hacking them. During high school, he discovered bug bounty programs and quickly began to appear in several halls of fame, even reaching the Top 10 of Bugcrowd at the time.
Nowadays, after earning a Master of Science degree in Computer Science, he continues to pursue his PhD at the Technical University of Berlin, at the Chair for Security in Telecommunications, focusing his research on web and network security. He has given presentations at many academic and non-academic conferences, such as AsiaCCS, DIMVA, Nullcon, Troopers, and GPN. In his spare time, he likes to play and organize CTFs as part of ENOFLAG.