Overview
In this 38-minute conference talk from nullcon Goa 2025, Sebastian introduces PHUZZ, an open-source prototype that applies coverage-guided fuzz testing to PHP web applications. Learn how this innovative tool outperforms established web vulnerability scanners like Burp Suite Pro, ZAP, and WFuzz in detecting seven classes of vulnerabilities, including SQLi, RCE, XXE, and XSS, in both artificial and real-world PHP applications. Explore the technical challenges of implementing coverage-guided fuzzing for web applications and discover how PHUZZ's function hooking and vulnerability detection mechanisms led to the discovery of over 20 potential security issues and 2 CVEs in popular WordPress plugins. This presentation provides valuable insights for security professionals interested in advanced PHP application testing methodologies.
Syllabus
Nullcon Goa 2025: What The PHUZZ?! Finding 0-Days In PHP Apps wt Coverage-guided Fuzzing - Sebastian
Taught by
nullcon