Analysis of HTTP Protocol Implementation in Smart Card Embedded Web Server

The latest generation of smart card embeds an HTTP web server which facilitates the integration of smart card into the existing networks and provides more services and custom interfaces. It also helps the developers to simplify the use of new programming model (servlets). However, due to the sensitive information stored and the resource constraints with which the technology is running, it is necessary to test it deeply. Our aim is to detect bugs and vulnerabilities and non-compliance of the HTTP embedded web server. For that purpose, we used the fuzzing technique which consists of injecting invalid or random data on various inputs of the software to be tested. Our fuzzing tool, Smart-Fuzz is based on the Peach framework customised to our needs. Moreover, working in black box, we created the PyHAT application to collect maximum information of the target features. Thus, we can reduce the amount of protocol functionalities to be analysed. The results generated in the log files are finally analyzed to understand the behaviour of the application and to detect if some fuzzed data has succeeded to take up the vulnerabilities.