Fuzz Testing Tutorial: Fuzzing Strategy & Tools

What is Fuzz Testing?

Fuzz Testing is a type of testing where automated or semi-automated testing techniques are used to discover coding errors and security loopholes in software, operating systems, or networks by inputting invalid or random data called FUZZ to the system. After which the system is monitored for various exceptions, such as crashing down of the system or failing built-in code, etc.

Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in 1989. Fuzz testing or fuzzing is a Software testing technique, and it is a type of Security Testing.

Why to do Fuzz Testing?

• Usually, Fuzz testing finds the most serious security fault or defect.
• Fuzz testing gives more effective result when used with Black Box Testing, Beta Testing, and other debugging methods.
• Fuzz testing is used to check the Vulnerability of software. It is very cost effective testing techniques.
• Fuzz testing is one of the black box testing technique. Fuzzing is one of the most common method hackers used to find vulnerability of the system.

Fuzz Testing Strategy

The steps for fuzz testing include the basic testing steps-

Step 1) Identify the target system

Step 2) Identify inputs

Step 3) Generate Fuzzed data

Step 4) Execute the test using fuzz data

Step 5) Monitor system behavior

Step 6) Log defects

Testing strategy for fuzz testing

• Mutation-Based Fuzzers alter existing data samples to create new test data. This is very simple and straight forward approach, this starts with valid samples of protocol and keep mangling every byte or file.

• Generation-Based Fuzzers define new data based on the input of the model. It starts generating input from the scratch based on the specification.

• PROTOCOL-BASED-FUZZER, the most successful fuzzer is to have detailed knowledge of protocol format being tested. The understanding depends on the specification. It involves writing an array of the specification into the tool then by using model-based test generation technique go through the specification and add irregularity in the data contents, sequence, etc. This is also known as syntax testing, grammar testing, robustness testing, etc. Fuzzer can generate test cases from existing one, or they can use valid or invalid inputs.

There are two limitations of protocol-based fuzzing:

1. Testing cannot proceed until the specification is mature.
2. Many useful protocols are an extension of published protocols. If fuzz testing is based on published specifications, Test coverage for new protocols will be limited.

• The simplest form of fuzzing technique is sending random input to the software either as protocol packets or as an event. This technique of passing random input is very powerful to find bugs in many applications and services.
• Other techniques are also available, and it is very easy to implement. To implement these techniques we just need to change the existing inputs. We can change input just by interchanging the bits of input.

  Types of bugs detected by Fuzz Testing

• Assertion failures and memory leaksThis methodology is widely used for large applications where bugs are affecting the safety of memory, which is a severe vulnerability.

• Invalid input

  In fuzz testing, fuzzers are used to generate an invalid input which is used for testing error-handling routines, and this is important for the software which does not control its input. Simple fuzzing can be known as a way to automate negative testing.

• Correctness bugs

  Fuzzing can also be used to detect some types of "correctness" bugs. Such as a corrupted database, poor search results, etc.

  Fuzz Testing Tools

  Tools which are used in web security can widely be used in fuzz testing such as Burp Suite, Peach Fuzzer, etc.

• Peach Fuzzera

  Peach Fuzzer provides more robust and security coverage than a scanner. Other testing tools can search only for known threads whereas Peach Fuzzer enable users to find known and unknown threads.

• Spike Proxy

  It is a professional-grade tool looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL Injection and cross-site-scripting, but it's completely open Python infrastructure. SPIKE Proxy is available for Linux and Windows.

• Webscarab

  Webscarab is written in Java thus portable to many platforms. For analyzing application Webscarab framework is used that communicate using HTTP and HTTPS protocols.

  Ex: Webscarab works as an intercepting proxy, it allows the operator to review and modify request created by the browser before they are received by the server. And allow to review and update response generated by the server before received by the browser. In this way, if web scarab finds any loophole, it will make the list of the reported issues.

• Burp

  Burp used as a security tool for java web application. Burp is used to process attacks against applications which include testing for web application vulnerabilities such as buffer overflow, cross-site scripting, SQL injection, etc.
• OWASP WSFuzzer

  WSFuzzer is a GPL'd program that written in Python. GPL'd program currently targets Web Services. In the current version of OWASPWSFuzzer HTTP based SOAP services are the main target.

• AppScan

  AppScan scans and tests for all common web application vulnerabilities such as SQL-Injection, Cross-Site Scripting, and Buffer Overflow.

Advantages and Disadvantages of Fuzz Testing

Advantages

• Fuzz testing improves software Security Testing.
• Bugs found in fuzzing are sometimes severe and most of the time used by hackers including crashes, memory leak, unhandled exception, etc.
• If any of the bugs fails to get noticed by the testers due to the limitation of time and resources those bugs are also found in Fuzz testing.

Disadvantages

• Fuzz testing alone cannot provide a complete picture of an overall security threat or bugs.
• Fuzz testing is less effective for dealing with security threats that do not cause program crashes, such as some viruses, worms, Trojan, etc.
• Fuzz testing can detect only simple faults or threats.
• To perform effectively, it will require significant time.
• Setting a boundary value condition with random inputs is very problematic but now using deterministic algorithms based on users inputs most of the testers solve this problem.

Summary:

Fuzz testing shows the presence of bugs in an application. Fuzzing cannot guarantee detection of bugs completely in an application. But by using Fuzz technique, it ensures that the application is robust and secure, as this technique helps to expose most of the common vulnerabilities.

This article is contributed by Priyanka Kothe