11 January, 2019

Fuzz Testing

Fuzz Testing
BJ Savage
Author: BJ Savage
Share:
 

If you have a brand new piece of software, a program, a network, or an operating system, you will want to test it for any bugs, coding errors or other potential issues before it goes live. Fuzzing is a great way to do so. It’s also a good method to perform quality checks of your existing products. Fuzzing can help prevent attacks by finding hidden flaws before attackers do. It’s always better to discover these flaws ourselves before they can be exploited by others.

What is Fuzzing, or fuzz testing? It isn’t a quality control check on peaches, but a process that can be described as taking a random or unexpected piece of data, putting it in your input parameter & seeing what happens next. We can see if the system will behave differently, or abnormally. If it does, this is a tell-tale sign that bugs are indeed present. Fuzzing of inputs is relatively straightforward for web applications. This is something you can even try on your own by using an interception proxy (such as Burp Suite or ZAP) and a test application such as Mutildae, DVWA, Juiceshop, or Dojo Basic. All of these are available in the open source project Samurai WTF.

Fuzzing is also useful for discovering commonly found issues such as brute force login vulnerabilities. It can carry out test brute force attacks quickly by flooding the input parameters with numerous possible usernames and passwords. We can even see if the system will crash by putting in massive amounts of data to see how well it responds.

As an admin, you should already have the correct username and password. When using the legitimate username and password, we can compare results and learn a couple different things, such as case sensitivity and various good or bad responses. The results can also be exported to analyze for further issues.

There are different attack types carried out by fuzzers, which are the tool sets used for these tests. Some things that can be used by the fuzzers are different combinations of numbers, urls, user-input text, binary sequences, along with certain values that are known to be commonly unaccepted. All of these can tell us if something is not working as it should. It’s widely accepted that most products will have some kind of bug in it from the get-go, and it is better for its owner to systematically find it sooner than later. If you would like to watch an example of fuzzing in action, please visit this link here: Simple Fuzzing

Join the professionally evil newsletter

Related Resources