Enemy of the state: A state-aware black-box web vulnerability scanner

Adam Doupé, Ludovico Cavedon, Christopher Kruegel, Giovanni Vigna

Research output: Contribution to conference › Paper › peer-review

101 Scopus citations


Black-box web vulnerability scanners are a popular choice for finding security vulnerabilities in web applications in an automated fashion. These tools operate in a point-and-shoot manner, testing any web application—regardless of the server-side language—for common security vulnerabilities. Unfortunately, black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions that can change the application’s state. If a vulnerability analysis tool does not take into account changes in the web application’s state, it might overlook vulnerabilities or completely miss entire portions of the web application. We propose a novel way of inferring the web application’s internal state machine from the outside—that is, by navigating through the web application, observing differences in output, and incrementally producing a model representing the web application’s state. We utilize the inferred state machine to drive a black-box web application vulnerability scanner. Our scanner traverses a web application’s state machine to find and fuzz user-input vectors and discover security flaws. We implemented our technique in a prototype crawler and linked it to the fuzzing component from an open-source web vulnerability scanner. We show that our state-aware black-box web vulnerability scanner is able to not only exercise more code of the web application, but also discover vulnerabilities that other vulnerability scanners miss.
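The abstract describes the core idea in a few sentences: navigate the application, abstract the pages that come back into a structural signature, notice when a request has silently changed the server-side state, build a state machine from those observations, and then fuzz input vectors in every state rather than only in the one the crawler happened to start in. The following is an added illustrative example written for this page; it is not the authors' prototype and makes several assumptions they do not: the target is a constructed in-process toy application (a two-state shop with an anonymous and a logged-in state, reflecting a query parameter only when logged in), state is fingerprinted by re-issuing a small set of GET requests that are assumed to be side-effect free, page structure is abstracted as the sequence of tag names, link targets and form actions, and a fresh instance is replayed to return to a known state instead of the paper's cheaper heuristics. The stateless baseline at the end issues each request once against a single instance, which is why it never sees the reflection.

```python
"""Added example, not code from the paper: a miniature state-aware crawler and
fuzzer in the spirit of 'Enemy of the State'. The target below is a constructed
toy application; its routes, parameters and behaviour are assumptions."""
import re


class ToyApp:
    """Constructed target with hidden server-side state (anonymous -> logged in)."""
    def __init__(self):
        self.logged_in = False

    def handle(self, method, path, params=None):
        params = params or {}
        if path == "/":
            links = ["/", "/cart"] + (["/logout"] if self.logged_in else ["/login"])
            return "<h1>Shop</h1>" + "".join(f'<a href="{l}">{l}</a>' for l in links)
        if path == "/login" and method == "POST":
            self.logged_in = True
            return "<p>welcome</p>"
        if path == "/login":
            return '<form method="POST" action="/login"><input name="user"></form>'
        if path == "/logout":
            self.logged_in = False
            return "<p>bye</p>"
        if path == "/cart":
            if not self.logged_in:
                return "<p>login required</p>"
            # Reflected without escaping, but only reachable in the logged-in state.
            return f'<form action="/cart"><input name="note"></form><p>note: {params.get("note", "")}</p>'
        return "<p>404</p>"


TAG = re.compile(r"<(\w+)")
LINK = re.compile(r'href="([^"]+)"')
FORM = re.compile(r'<form(?: method="(\w+)")? action="([^"]+)"')
INPUT = re.compile(r'<input name="(\w+)"')


def page_signature(html):
    """Structural abstraction of a page: tags, link targets, forms; content is ignored."""
    return (tuple(TAG.findall(html)), tuple(LINK.findall(html)), tuple(FORM.findall(html)))


def requests_on(html):
    """Input vectors a crawler can follow from a page: links and forms."""
    reqs = {("GET", href) for href in LINK.findall(html)}
    reqs |= {((m or "GET").upper(), action) for m, action in FORM.findall(html)}
    return sorted(reqs)


class StateAwareCrawler:
    """Infers the state machine from outside by replaying request sequences and
    comparing the structure of probe pages before and after each request."""
    def __init__(self, app_factory, probes=(("GET", "/"), ("GET", "/cart"))):
        self.factory = app_factory
        self.probes = probes          # assumed side-effect-free requests
        self.states = []              # index = state id, value = probe fingerprint
        self.paths = {}               # state id -> request sequence that reaches it
        self.transitions = set()      # (from_state, request, to_state)
        self.pages = {}               # (state, request) -> html observed there

    def fingerprint(self, app):
        return tuple(page_signature(app.handle(m, p)) for m, p in self.probes)

    def replay(self, path):
        app = self.factory()          # fresh instance, then walk back to the state
        for m, p in path:
            app.handle(m, p)
        return app

    def crawl(self):
        self.states = [self.fingerprint(self.factory())]
        self.paths = {0: ()}
        frontier = [0]
        while frontier:
            s = frontier.pop()
            todo = list(self.probes)
            while todo:
                req = todo.pop()
                if (s, req) in self.pages:
                    continue
                app = self.replay(self.paths[s])
                html = app.handle(*req)
                self.pages[(s, req)] = html
                todo.extend(requests_on(html))
                fp = self.fingerprint(app)
                if fp != self.states[s]:          # req changed the hidden state
                    if fp not in self.states:
                        self.states.append(fp)
                        self.paths[len(self.states) - 1] = self.paths[s] + (req,)
                        frontier.append(len(self.states) - 1)
                    self.transitions.add((s, req, self.states.index(fp)))
        return self


def fuzz(crawler, marker="zqx<zqx>"):
    """Submit a marker through every form seen in every state; report reflections."""
    findings = set()
    for (s, _req), html in crawler.pages.items():
        for m, action in FORM.findall(html):
            for name in INPUT.findall(html):
                resp = crawler.replay(crawler.paths[s]).handle((m or "GET").upper(), action, {name: marker})
                if marker in resp:
                    findings.add((s, action, name))
    return sorted(findings)


def stateless_scan(app_factory, marker="zqx<zqx>"):
    """Baseline: one instance, each request issued once, no notion of state."""
    app, seen, queue, findings = app_factory(), set(), [("GET", "/")], []
    while queue:
        req = queue.pop(0)
        if req in seen:
            continue
        seen.add(req)
        html = app.handle(*req)
        for m, action in FORM.findall(html):
            for name in INPUT.findall(html):
                if marker in app.handle((m or "GET").upper(), action, {name: marker}):
                    findings.append((action, name))
        queue.extend(requests_on(html))
    return findings


if __name__ == "__main__":
    c = StateAwareCrawler(ToyApp).crawl()
    print("states:", len(c.states), "transitions:", sorted(c.transitions))
    print("state-aware findings:", fuzz(c))
    print("stateless findings:", stateless_scan(ToyApp))
```

The stateless baseline logs in as a side effect of fuzzing the login form, but it has already marked `/cart` as visited and never returns to it, so the reflection in the logged-in state goes unnoticed; the state-aware crawler records the `POST /login` transition, re-crawls the pages in the new state, and finds it. Real targets need the paper's page-clustering and state-collapsing heuristics in place of the exact-match fingerprint used here, since dynamic content would otherwise split every page into its own state.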

Original language: English (US)
Number of pages: 16
State: Published - 2012
Externally published: Yes
Event: 21st USENIX Security Symposium - Bellevue, United States
Duration: Aug 8 2012 - Aug 10 2012


Conference: 21st USENIX Security Symposium
Country/Territory: United States

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

