Fuzzing


Fuzzing or fuzz testing is “a Black Box software testing technique”[1] which aims to find “implementation bugs using malformed/semi-malformed data injection in an automated fashion.”[1]

What is “malformed data”?

Consider a trivial question which expects integer input that is either “1”, “2”, or “3”. It works perfectly if the input is 1, 2, or 3. But what about an input of 0 or -1 or 99?
These input values, which are logically acceptable (as they are integers) but not what the system is “expecting”, are considered to be “malformed data” for that scenario.

If the default switch case hasn’t been implemented securely while coding, the program may crash and lead to the (unfortunately) common software security issues: “buffer overflows, DoS, etc” [1]

Example-

#include <stdio.h>

void answer(int question_input)
{
    switch (question_input) {
    case 1: printf("You are First!\n"); break;
    case 2: printf("You are Second!\n"); break;
    case 3: printf("You are Third!\n"); break;
    default: printf("Wrong input - try again!\n"); break; /* default case: catches 0, -1, 99, ... */
    }
}

How does a fuzzer work?

A fuzzer works by automatically injecting semi-random data into the program or an executing stack.
“Generators” handle the data-generation logic, and they usually use combinations of “static fuzzing vectors (known-to-be-dangerous values)”[1], or completely random data.

New generation fuzzers use “genetic algorithms to link injected data and observed impact.” [1].
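The generator-plus-injection loop described above, as an added example that is not code from the page or from any of the fuzzers it names. The target is a constructed toy modelled on the “1, 2 or 3” question (a weak handler beside a hardened one), the static vector list is constructed for illustration, and the random generator is seeded so that any crashing case can be replayed.

```python
import random

# Constructed target, modelled on the page's "1, 2 or 3" question. The menu lookup
# is fine; the weak spot is the naive int() cast in front of it (this is a toy, not
# code from the page or from any real project).
MENU = {1: "You are First!", 2: "You are Second!", 3: "You are Third!"}

def handle_question(raw: str) -> str:
    """Weak handler: assumes the input is always a number."""
    n = int(raw)  # ValueError escapes on "abc", "", "1.5", ...
    return MENU.get(n, "Wrong input - try again!")

def hardened_handle_question(raw: str) -> str:
    """Same handler, with the default path reached for every non-menu input."""
    try:
        n = int(raw.strip())
    except ValueError:
        return "Wrong input - try again!"
    return MENU.get(n, "Wrong input - try again!")

# "Static fuzzing vectors": a constructed list of values known to trip naive parsers.
STATIC_VECTORS = ["", " ", "0", "-1", "99", "1.5", "abc", "\x00", "1e9", "0x1", "A" * 10000]

def generate_inputs(n_random: int, seed: int = 0):
    """Generator: every static vector first, then pseudo-random ASCII strings."""
    rng = random.Random(seed)  # fixed seed so a crashing case can be replayed
    yield from STATIC_VECTORS
    for _ in range(n_random):
        length = rng.randint(0, 16)
        yield "".join(chr(rng.randrange(128)) for _ in range(length))

def fuzz(target, n_random: int = 200, seed: int = 0) -> dict:
    """Feed every generated case to target; group the inputs that raise by exception type."""
    crashes = {}
    for case in generate_inputs(n_random, seed):
        try:
            target(case)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, []).append(case)
    return crashes

if __name__ == "__main__":
    for name, fn in (("weak", handle_question), ("hardened", hardened_handle_question)):
        found = fuzz(fn)
        print(f"{name}: {sum(len(v) for v in found.values())} crashing inputs, types={sorted(found)}")
```

The weak handler crashes on every non-numeric vector; the hardened one routes all of them through the default branch, which is exactly the “default case implemented securely” the text asks for.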

Types of fuzzing

Some of the common ones are-

1. GUI-fuzzing: fuzzed input on Graphical User Interface elements like textboxes, drop-down boxes etc.

2. Command-line fuzzing: pushing fuzzed input as command line arguments while executing the application through the DOS prompt

3. File format fuzzing: feeding as input random files of differing file types (if an application is expecting a text file as input, how will it handle a JavaScript (JS) file or a Word macro file that is fed in?)

4. Protocol fuzzing – sending “forged packets to the tested application”[1], acting as a proxy, modifying “requests on the fly and replaying them.” [1]
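File format fuzzing from the list above, as an added mutation-based example (not code from the page or from the tools it names). Instead of random files of other types, it starts from one well-formed seed file and mutates it; the file format, both parsers and the mutation operators are all constructed for illustration.

```python
import random
import struct

# Constructed toy file format (not a real one): magic b"FUZZ", a one-byte record count,
# then records of [one-byte length][payload]. One well-formed seed file:
SEED_FILE = b"FUZZ" + bytes([2, 3]) + b"abc" + bytes([2]) + b"hi"

def parse_weak(data: bytes) -> list:
    """Trusts every length field; truncation escapes as IndexError or struct.error."""
    if data[:4] != b"FUZZ":
        raise ValueError("bad magic")
    count = data[4]                   # IndexError if the file ends after the magic
    pos, records = 5, []
    for _ in range(count):
        length = data[pos]            # IndexError when count overstates the records
        records.append(struct.unpack(f"{length}s", data[pos + 1:pos + 1 + length])[0])
        pos += 1 + length             # struct.error above when the payload is short
    return records

def parse_hardened(data: bytes) -> list:
    """Checks every offset against the buffer; rejects bad files only via ValueError."""
    if len(data) < 5 or data[:4] != b"FUZZ":
        raise ValueError("bad header")
    count = data[4]
    pos, records = 5, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated record header")
        length = data[pos]
        if pos + 1 + length > len(data):
            raise ValueError("record length exceeds file")
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, interesting-byte overwrite, truncation or tail growth."""
    buf = bytearray(seed)
    op = rng.choice(("flip", "set", "truncate", "append"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "set" and buf:
        buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)

def fuzz_files(parser, seed: bytes = SEED_FILE, iterations: int = 500, rng_seed: int = 1) -> dict:
    """Mutate the seed, parse, and keep inputs that raise anything but the parser's own ValueError."""
    rng = random.Random(rng_seed)     # fixed seed: every finding is reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue                  # controlled rejection: the parser did its job
        except Exception as exc:      # anything else is an unhandled path worth a bug report
            findings.setdefault(type(exc).__name__, []).append(case)
    return findings

if __name__ == "__main__":
    for name, parser in (("weak", parse_weak), ("hardened", parse_hardened)):
        found = fuzz_files(parser)
        print(f"{name}: {sorted(found)} from {sum(len(v) for v in found.values())} inputs")
```

The distinction the loop makes is the one a triager cares about: a parser that rejects a bad file with its own documented error is working, while an IndexError or struct.error escaping from inside the record loop means a length field was trusted without a bounds check, the same class of defect that becomes a buffer overflow in a C parser.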

Open-source fuzzers

JBroFuzz: a web application fuzzer [2]
WSFuzzer: real-world manual SOAP pen testing tool [3]

References-
1. Fuzzing. (n.d.). Retrieved from https://www.owasp.org/index.php/Fuzzing
2. JBroFuzz. (n.d.). Retrieved from https://www.owasp.org/index.php/JBroFuzz