WebFuzzAuto: An Automated Fuzz Testing Tool Integrating Reinforcement Learning and Large Language Models for Web Security

WebFuzzAuto: An Automated Fuzz Testing Tool Integrating Reinforcement Learning and Large Language Models for Web Security

연구 분야: Analysis

학회: 2024 12th International Conference on Information Systems and Computing Technology (ISCTech)

This paper proposes a novel, fully automated fuzz testing tool for web applications that integrates reinforcement learning and large model techniques to enhance the intelligence of vulnerability detection and code coverage. By designing a reinforcement learning environment, the testing agent can intelligently explore complex web applications and continuously adjust strategies to discover more vulnerabilities. The tool employs dynamic adjusters and curriculum learning strategies to gradually optimize key parameters, enhancing the stability and convergence speed of the model. Additionally, it integrates a vulnerability detection module and a feedback manager. After each testing step, it calculates rewards and adjusts expert feedback based on the detection results, further optimizing the model’s learning path. Furthermore, it leverages natural language processing techniques from large language models for deep analysis, formulating testing strategies and guiding the behavior of the testing agent. Experimental results demonstrate that this tool outperforms the traditional OWASP ZAP tool in terms of code coverage and vulnerability detection rates on three major web applications: OWASP Juice Shop, phpMyAdmin, and WordPress, verifying its effectiveness and advantages in complex web applications.