What The PHUZZ?! Finding 0-Days In PHP Apps wt Coverage-guided Fuzzing - Sebastian
Nullcon Goa 2025 · Main Stage
This talk, "What The PHUZZ?! Finding 0-Days In PHP Apps wt Coverage-guided Fuzzing," by Sebastian, delves into the development and application of **PHUZZ**, a novel coverage-guided fuzzer specifically designed for PHP web applications. Sebastian, a PhD student at TU Berlin and an IT security freelancer, presented this work, which was a collaborative effort with Lawrence and Jean Pier, and previously published at an academic conference. The presentation aims to educate the audience on how to leverage advanced fuzzing techniques to uncover critical vulnerabilities, including zero-days, in real-world web applications.
AI review
Legitimate research with real zero-days and a genuinely useful tool, but the contribution is evolutionary rather than groundbreaking — coverage-guided fuzzing applied to PHP is a well-understood problem space, and the novel pieces (uopz hooking, HAR-based endpoint discovery) are incremental improvements rather than paradigm shifts. A competent academic paper that translates to a competent conference talk.