Fuzz Testing or Fuzzing is a software testing technique of putting invalid or random data, called FUZZ, into a software system to discover coding errors and security loopholes. The purpose of fuzz testing is to insert data using automated or semi-automated techniques and to test the system for various exceptions, such as system crashes or failures of built-in code.
Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in 1989. Fuzz testing or fuzzing is a software testing technique, and it is a type of Security Testing.
The steps for fuzz testing include the basic testing steps:
Step 1) Identify the target system
Step 2) Identify inputs
Step 3) Generate Fuzzed data
Step 4) Execute the test using fuzzed data
Step 5) Monitor system behavior
Step 6) Log defects
Mutation-Based Fuzzers alter existing data samples to create new test data. This is a simple and straightforward approach: it starts with valid samples of the protocol and keeps mangling every byte or file.
Generation-Based Fuzzers define new data based on a model of the input. They generate input from scratch based on the specification.
Protocol-Based Fuzzers: the most successful fuzzer is one that has detailed knowledge of the protocol format being tested. That understanding depends on the specification. It involves writing an array of the specification into the tool, then using a model-based test generation technique to go through the specification and add irregularities in the data contents, sequence, etc. This is also known as syntax testing, grammar testing, robustness testing, etc. The fuzzer can generate test cases from an existing one, or it can use valid or invalid inputs.
There are two limitations of protocol-based fuzzing:
The simplest form of fuzzing is sending random input to the software, either as protocol packets or as an event. Passing random input is a very powerful way to find bugs in many applications and services. Other techniques are also available and are very easy to implement: to implement them we just need to change the existing inputs. We can change the input just by interchanging its bits.
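The six steps listed earlier and the bit-interchanging mutation described above, as an added example that is not part of the original article: a small mutation-based fuzzer run against a constructed toy record parser. The record format, `parse_record`, `flip_bits`, `fuzz` and the planted length-handling defect are all hypothetical and exist only for this illustration.

```python
import random

class ParseError(ValueError):
    """Clean rejection of malformed input: expected behaviour, not a defect."""

def parse_record(data: bytes) -> dict:
    # Step 1: constructed target. Record = type, length, payload, checksum.
    if len(data) < 3:
        raise ParseError("too short")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    # Planted defect: the length byte is trusted, so an overstated length
    # indexes past the buffer instead of being rejected.
    checksum = data[2 + length]
    if sum(payload) % 256 != checksum:
        raise ParseError("bad checksum")
    return {"type": rtype, "payload": payload}

# Step 2: the input is the raw record; one valid constructed sample is the seed.
SEEDS = [b"\x01\x05hello" + bytes([sum(b"hello") % 256])]

def flip_bits(sample: bytes, rng: random.Random, flips: int) -> bytes:
    # Step 3: mutate a valid sample by flipping randomly chosen bits.
    buf = bytearray(sample)
    for _ in range(flips):
        pos = rng.randrange(len(buf) * 8)
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)

def fuzz(target, seeds, iterations=500, seed=1234):
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    defects = {}
    for _ in range(iterations):
        case = flip_bits(rng.choice(seeds), rng, rng.randint(1, 3))
        try:
            target(case)                  # Step 4: execute with fuzzed data
        except ParseError:
            continue                      # handled error path, nothing to log
        except Exception as exc:          # Step 5: unexpected failure observed
            # Step 6: log the first reproducing input per exception type
            defects.setdefault(type(exc).__name__, case)
    return defects

if __name__ == "__main__":
    for name, case in fuzz(parse_record, SEEDS).items():
        print(f"{name}: reproducer={case.hex()}")
```

Separating the parser's own `ParseError` from every other exception is what turns random input into findings: only failures the error-handling code did not anticipate are logged, each with an input that reproduces it.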
Assertion failures and memory leaks: this methodology is widely used for large applications where bugs affect the safety of memory, which is a severe vulnerability.
In fuzz testing, fuzzers are used to generate invalid input, which is used for testing error-handling routines; this is important for software that does not control its input. Simple fuzzing can be seen as a way to automate negative testing.
Fuzzing can also be used to detect some types of "correctness" bugs, such as a corrupted database, poor search results, etc.
Tools that are used in web security, such as Burp Suite and Peach Fuzzer, can also be widely used in fuzz testing.
Peach Fuzzer provides more robust security coverage than a scanner. Other testing tools can search only for known threats, whereas Peach Fuzzer enables users to find known and unknown threats.
SPIKE Proxy is a professional-grade tool that looks for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL injection and cross-site scripting, but it is a completely open Python infrastructure. SPIKE Proxy is available for Linux and Windows.
Webscarab is written in Java and is therefore portable to many platforms. The Webscarab framework is used for analyzing applications that communicate using the HTTP and HTTPS protocols.
Ex: Webscarab works as an intercepting proxy. It allows the operator to review and modify requests created by the browser before they are received by the server, and to review and update responses generated by the server before they are received by the browser. In this way, if Webscarab finds any loophole, it will make a list of the reported issues.
WSFuzzer is a GPL'd program written in Python. It currently targets Web Services. In the current version of OWASP WSFuzzer, HTTP-based SOAP services are the main target.
Summary:
In Software Engineering, fuzz testing shows the presence of bugs in an application. Fuzzing cannot guarantee that all bugs in an application are detected. But using the fuzz technique helps ensure that the application is robust and secure, as this technique helps to expose most of the common vulnerabilities.
This article is contributed by Priyanka Kothe