OWASP - Piotr Łaskawiec - Fuzzing
- Methods of testing the application
- Ensuring application security
- Fuzzing – definition
- Use of fuzzing
- Types of fuzzers
- Fuzzing and SDLC
- Who uses fuzzers?
- Examples of fuzzers
- Web application fuzzing
- Summary
3OWASP
Application testing
Popular tests:
- Unit testing
- Functional testing
- Regression testing
- Performance testing
- Usability tests
Other classification: whitebox, graybox, blackbox
What about security? Security must be addressed at the level of design, implementation and testing.
Fuzzing is a method of testing software to find security holes and unexpected behavior of an application, using semi-random data.
Fuzzing is most often a fully automated process: "run and wait for the result".
Fuzzing – what does it mean in practice?
Fuzzing == Negative testing
The aim of the fuzzer is to send invalid data to the application (too long strings, improper encoding, bad file format, bad sequence of messages).
We hope that the application will accept the data and react atypically: DoS, error message, rapidly growing demand for resources.
Our target is to break the application!
Using fuzzers
- Local applications
- Web applications
- Web services
- Network applications
- ActiveX controls
- Files
- Libraries
- …
Fuzzer classification
There are many criteria for classification. Examples:
- Fuzzers: mutational, generational, evolutionary
- Fuzzers: manual, semiautomatic/automatic
- Fuzzers: web applications, protocols, ...
Fuzzing process
- Setup: environment preparation, program preparation, definition of input data, input data preparation
- Data transfer to the application
- Monitoring
- Reporting
Monitoring
Observation of program behavior:
- Logs
- Debuggers (!exploitable, ...)
- File, process and network monitors
- Virtualization (VMware)
- Source code modifications (breakpoints)
- Additional techniques (Valgrind, Guard Malloc)
- Combined techniques
Process Explorer
Process Monitor
Fuzzing and SDLC
SDLC phases:
- Initial analysis
- Design
- Implementation
- Testing
- Maintenance
(Diagram: where fuzzing sits among the SDLC phases)
Fuzzing and SDLC
After publication of the new version, the application is tested by a previously prepared fuzzer.
Test results are verified by testers and then sent to programmers.
If any errors occur, programmers must fix the application.
The new build must once again pass the fuzzing process.
Web application fuzzing
- HTTP communication analysis: web spidering, search engines
- Generation of test data: payloads hardcoded in fuzzers, brute force, payloads based on patterns
- Error identification
Error identification
- HTTP response codes
- Analysis of website content
- Comparison of website internal structure
- Timing attacks
- Multiple requests
- Analysis of unique data identifying the website
- Logs
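The web application fuzzing steps above (test data generation, then error identification against a baseline response) put together in one small mutational fuzzer, as an added Python example that is not part of the deck; the target handler, its planted weaknesses, the payload alphabet and the timing threshold are constructed stand-ins for a real endpoint:

```python
import itertools
import re
import time

# Constructed stand-in for the application under test (not a real web app): a
# request handler with planted weaknesses so the fuzzer has something to find.
def target_handler(param):
    """Return (status_code, body) the way a small HTTP endpoint would."""
    if len(param) > 256:
        raise MemoryError("input buffer exhausted")   # unhandled -> crash
    if "%00" in param:
        return 500, "Internal Server Error"
    if param.isdigit() and int(param) > 10_000:
        time.sleep(0.2)                               # slow path -> timing anomaly
        return 200, "<html><body>report</body></html>"
    return 200, "<html><body>item %s</body></html>" % param

# Test data generation as in the deck: payloads hardcoded in the fuzzer,
# pattern-based mutations of a seed, and brute force over a small alphabet.
HARDCODED = ["%00", "../../etc/passwd", "<script>", "' OR 1=1--"]
def payloads(seed):
    yield from HARDCODED
    yield seed * 300                                   # too-long string
    yield seed.encode("utf-16").decode("latin-1")      # improper encoding
    yield "99999999"                                   # out-of-range number
    for combo in itertools.product("a%0", repeat=3):   # brute force
        yield "".join(combo)

def structure(body):
    """Tag skeleton of a page, for comparing internal structure of responses."""
    return re.findall(r"<[^>]+>", body)

def fuzz(handler, seed="1", slow_ms=150):
    base_status, base_body = handler(seed)             # baseline response
    base_struct = structure(base_body)
    findings = []
    for p in payloads(seed):
        t0 = time.perf_counter()
        try:
            status, body = handler(p)
        except Exception as exc:                       # exception = target crashed
            findings.append(("crash", p, type(exc).__name__))
            continue
        elapsed_ms = (time.perf_counter() - t0) * 1000
        if status != base_status:                      # HTTP response code
            findings.append(("status", p, status))
        elif structure(body) != base_struct:           # website internal structure
            findings.append(("structure", p, len(body)))
        if elapsed_ms > slow_ms:                       # timing attack
            findings.append(("timing", p, round(elapsed_ms)))
    return list(dict.fromkeys(findings))               # drop duplicate findings
```

Each finding is (kind, payload, detail); a reflected tag shows up as a structure change, the long string as a crash, and the expensive report as a timing outlier.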
Anti-fuzzing
We can't directly defend against fuzzing! Generic defenses:
- Validation of input data
- Application of good programming practices
- Ensuring security through all phases of the SDLC
Summary
Fuzzing advantages
- Full automation (in most cases)
- Fuzzers find real vulnerabilities
- Ability to identify bugs which are hard to find by manual testing
- Ability to quickly obtain satisfactory results (first bug)
Fuzzing disadvantages
- Inability to find logical bugs
- Inability to find complex bugs
- Time required for performing the test is very hard to