Fuzz Testing (Fuzzing) Tutorial

Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in 1989. Fuzz testing or fuzzing is a Software testing technique, and it is a type of Security Testing.

Why to do Fuzz Testing?

• Usually, Fuzzy testing finds the most serious security fault or defect.
• Fuzz testing gives more effective result when used with Black Box Testing, Beta Testing, and other debugging methods.
• Fuzz testing is used to check the Vulnerability of software. It is very cost effective testing techniques.
• Fuzz testing is one of the black box testing technique. Fuzzing is one of the most common method hackers used to find vulnerability of the system.

How to do Fuzz Testing

The steps for fuzzy testing include the basic testing steps-

Step 1) Identify the target system

Step 2) Identify inputs

Step 3) Generate Fuzzed data

Step 4) Execute the test using fuzzy data

Step 5) Monitor system behavior

Step 6) Log defects

Examples of Fuzzers

• Mutation-Based Fuzzers alter existing data samples to create new test data. This is the very simple and straightforward approach, this starts with valid samples of protocol and keeps mangling every byte or file.
• Generation-Based Fuzzers define new data based on the input of the model. It starts generating input from the scratch based on the specification.
• PROTOCOL-BASED-fuzzer, the most successful fuzzer is to have detailed knowledge of protocol format being tested. The understanding depends on the specification. It involves writing an array of the specification into the tool then by using model-based test generation technique go through the specification and add irregularity in the data contents, sequence, etc. This is also known as syntax testing, grammar testing, robustness testing, etc. Fuzzer can generate test cases from an existing one, or they can use valid or invalid inputs.

There are two limitations of protocol-based fuzzing:

1. Testing cannot proceed until the specification is mature.
2. Many useful protocols are an extension of published protocols. If fuzz testing is based on published specifications, Test coverage for new protocols will be limited.

The simplest form of fuzzing technique is sending random input to the software either as protocol packets or as an event. This technique of passing random input is very powerful to find bugs in many applications and services. Other techniques are also available, and it is very easy to implement. To implement these techniques we just need to change the existing inputs. We can change input just by interchanging the bits of input.

Types of bugs detected by Fuzz Testing

• Assertion failures and memory leaks this methodology is widely used for large applications where bugs are affecting the safety of memory, which is a severe vulnerability.
• Invalid input In fuzz testing, fuzzers are used to generate an invalid input which is used for testing error-handling routines, and this is important for the software which does not control its input. Simple fuzzing can be known as a way to automate negative testing.
• Correctness bugs Fuzzing can also be used to detect some types of “correctness” bugs. Such as a corrupted database, poor search results, etc.

Fuzz Testing Tools

Tools which are used in web security can widely be used in fuzz testing such as Burp Suite, Peach Fuzzer, etc.

• Peach Fuzzer: Peach Fuzzer provides more robust and security coverage than a scanner. Other testing tools can search only for known threads whereas Peach Fuzzer enable users to find known and unknown threads.
• Spike Proxy: It is a professional-grade tool looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL Injection and cross-site-scripting, but it’s completely open Python infrastructure. SPIKE Proxy is available for Linux and Windows.
• Webscarab: Webscarab is written in Java thus portable to many platforms. For analyzing application Webscarab framework is used that communicate using HTTP and HTTPS protocols.Ex: Webscarab works as an intercepting proxy, it allows the operator to review and modify request created by the browser before they are received by the server. And allow to review and update response generated by the server before received by the browser. In this way, if web scarab finds any loophole, it will make the list of the reported issues.
• OWASP WSFuzzer: WSFuzzer is a GPL’d program that written in Python. GPL’d a program currently targets Web Services. In the current version of OWASPWSFuzzer HTTP based SOAP services are the main target.

Advantages of Fuzz Testing

• Fuzz testing improves software Security Testing.
• Bugs found in fuzzing are sometimes severe and most of the time used by hackers including crashes, memory leak, unhandled exception, etc.
• If any of the bugs fail to get noticed by the testers due to the limitation of time and resources those bugs are also found in Fuzz testing.

Disadvantages of Fuzz Testing

• Fuzz testing alone cannot provide a complete picture of an overall security threat or bugs.
• Fuzz testing is less effective for dealing with security threats that do not cause program crashes, such as some viruses, worms, Trojan, etc.
• Fuzz testing can detect only simple faults or threats.
• To perform effectively, it will require significant time.
• Setting a boundary value condition with random inputs is very problematic but now using deterministic algorithms based on users inputs most of the testers solve this problem.

Summary:

In Software Engineering, Fuzz testing shows the presence of bugs in an application. Fuzzing cannot guarantee detection of bugs completely in an application. But by using Fuzz technique, it ensures that the application is robust and secure, as this technique helps to expose most of the common vulnerabilities.